CryptProtectMemory function (dpapi.h)

"The CryptProtectMemory function encrypts
<https://learn.microsoft.com/en-us/windows/desktop/SecGloss/e-gly> memory
to prevent others from viewing sensitive information in your process. For
example, use the CryptProtectMemory function to encrypt memory that
contains a password. Encrypting the password prevents others from viewing
it when the process is paged out to the swap file.

"Encrypt and decrypt memory in the same process. An application running in
a different process will not be able to decrypt the data."

This is not a generic C library function, which makes cross-platform code
more complex, but that's no excuse.  Simple memory-recovery exploits have
been demonstrated so often in the last 40 years that there is pretty much
no excuse for not using CryptProtectMemory or RtlEncryptMemory for memory
storage of passwords on Windows.

On Tue, 13 Aug 2024 at 22:26, Gert Doering <g...@greenie.muc.de> wrote:

> Hi
>
> On Tue, Aug 13, 2024 at 12:57:49PM +0200, Jakob Curdes wrote:
> > The original seccuvera article states that OpenVPN (I assume they mean the
> > Windows client) is "vulnerable" to this weakness and leaves data like
> > emails, passwords and 2FA codes in the main memory after the program is
> > closed. I have not tested this myself so I cannot say if that is true.
>
> Whether or not OpenVPN retains information used to log into the server
> depends on the "--auth-nocache" setting.  There is no "correct" solution
> here - you want to reauth frequently to renegotiate new session keys, and
> if you do not want to re-enter your username + password every time, it
> needs to be cached... (in-memory-encryption could be used, but if OpenVPN
> can decrypt it, a process that can read OpenVPN's memory can do so as
> well).
>
> On Program *close*, this data should be cleared (as well as "the OS
> needs to clear the memory and make it inaccessible"), but it's not clear
> what the researchers did here - they logged off, but depending on the
> way they started OpenVPN, it might still be running in the background
> (and in which case, these credentials will still be there).
>
>
> (OpenVPN will, of course, never retain "emails" passing through the VPN
> - I understand the article to mean "the e-mail address used as username
> for logging into the VPN server")
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
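As an added illustration of the advice above (example code, not from any poster and not OpenVPN's own code): a small helper that stores a password encrypted with CryptProtectMemory and decrypts it only inside a callback. It assumes Windows with crypt32.lib; the `secret_*` names are mine, and the non-Windows branches exist only so the file compiles and the padding helper can be checked, they protect nothing.

```c
/* Added example (not from the thread): keep a password encrypted in process memory
 * with CryptProtectMemory, decrypting only while it is used. Windows-only API, link
 * crypt32.lib; the #else branches only make the file build elsewhere, protecting nothing. */
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <dpapi.h>
#else
#define CRYPTPROTECTMEMORY_BLOCK_SIZE 16 /* same value as dpapi.h */
#endif

typedef struct { unsigned char *buf; size_t cap; } secret_t;

/* The API requires a length that is a multiple of the 16-byte block size. */
size_t secret_padded_len(size_t len) {
    size_t b = CRYPTPROTECTMEMORY_BLOCK_SIZE;
    return (len + b - 1) / b * b;
}
/* Overwrite so the optimizer cannot drop it (SecureZeroMemory on Windows). */
void secret_wipe(void *p, size_t n) {
#ifdef _WIN32
    SecureZeroMemory(p, n);
#else
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
#endif
}
/* Copy the NUL-terminated password into a padded buffer and encrypt it in place with
 * CRYPTPROTECTMEMORY_SAME_PROCESS (other processes cannot decrypt it). 0 on success. */
int secret_store(secret_t *s, const char *pw) {
    size_t len = strlen(pw) + 1;               /* +1 keeps the terminating NUL */
    s->cap = secret_padded_len(len);
    if (!(s->buf = calloc(s->cap, 1))) return -1;
    memcpy(s->buf, pw, len);
#ifdef _WIN32
    if (CryptProtectMemory(s->buf, (DWORD)s->cap, CRYPTPROTECTMEMORY_SAME_PROCESS)) return 0;
#endif
    secret_wipe(s->buf, s->cap); return -1;    /* never leave plaintext behind on failure */
}
/* Decrypt only for the duration of `use`, then re-encrypt; -1 if either step fails. */
int secret_use(secret_t *s, void (*use)(const char *pw)) {
#ifdef _WIN32
    if (!CryptUnprotectMemory(s->buf, (DWORD)s->cap, CRYPTPROTECTMEMORY_SAME_PROCESS)) return -1;
    use((const char *)s->buf);
    return CryptProtectMemory(s->buf, (DWORD)s->cap, CRYPTPROTECTMEMORY_SAME_PROCESS) ? 0 : -1;
#else
    (void)s; (void)use; return -1;
#endif
}
```

Wiping the caller's original plaintext input (with SecureZeroMemory) and calling secret_wipe before freeing the buffer remain the caller's responsibility.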
