> When I break in and steal your swap disk (or get it from a container after you have replaced it). As you say, it's futile to try to protect oneself against a real time attack that requires root privs.
But why not steal the system disk where the key is in its "key.txt" or similar file? Not many server systems require keys external to the system (i.e. passphrases and magnetic cards) to get going.
Of course, session keys could be interesting if you want to know what was said in a session, I guess.
Still, if I had such sensitive transmissions I wouldn't leak swap disks. I recall some military installation with a remotely controlled explosive bolt to blow up the sensitive HDD.
> To me, the only sane way to handle the non-real time attack is to make sure that pages are encrypted before they are swapped to disk. Using temporary keys that are destroyed regularly, preferably directly at process death.
It seems simpler to have one random key per up period, and it would work just as well - all swap data gets worthless once the system goes down, and no non-root system process can read out the key from the kernel anyway.
/ Mirar
Previous text:
2003-01-28 14:07: Subject: Re: OpenSSL wrapper vs Pike's SSL (Was: Bz2)
> When is that applicable? I'm not saying it's not an issue, I'm just curious.
When I break in and steal your swap disk (or get it from a container after you have replaced it). As you say, it's futile to try to protect oneself against a real time attack that requires root privs.
To me, the only sane way to handle the non-real time attack is to make sure that pages are encrypted before they are swapped to disk. Using temporary keys that are destroyed regularly, preferably directly at process death. It's not entirely trivial to do, but at least somebody (Niels Provos?) implemented it for OpenBSD a few years ago.
It's insane to make application programs responsible for figuring out which of their data need extra protection, and "protect" it. If I'm sending a secret message using pgp, it's not enough that the memory where the keys are stored is protected in various kludgy ways, I also want the emacs buffer where I write my message to be protected.
The issue of memory protection should be addressed by the operating system.
> But, *why not* have an OpenSSL glue in Pike?
Sure, I wouldn't object to that, as long as I can continue bashing it ;-)
/ Niels Möller
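The "one random key per up period" scheme discussed above is what a random-key dm-crypt swap does on Linux today. The fragment below is an added example, not code from either poster or from Pike; it assumes a Linux host with cryptsetup and crypttab support, and the partition UUID is a placeholder to be replaced with the real swap partition.

```conf
# /etc/crypttab  (added example; PARTUUID below is a placeholder, not a real value)
# name   underlying device                                    key source    options
swap     /dev/disk/by-partuuid/REPLACE-WITH-SWAP-PARTUUID     /dev/urandom  swap,cipher=aes-xts-plain64,size=512

# /etc/fstab: use the mapped device, never the raw partition
/dev/mapper/swap   none   swap   sw   0   0
```

On every boot a fresh key is read from /dev/urandom, the mapping is created, and the `swap` option runs mkswap on the mapped device, so whatever was paged out during the previous uptime is ciphertext under a key that no longer exists anywhere. Two things to check before relying on it: refer to the partition by a stable path such as by-partuuid, because the `swap` option will happily format whatever device name happens to be at that position; and accept that suspend-to-disk cannot work, since hibernation needs the key to survive the power cycle. The key lives only in kernel memory, which is exactly the property argued for in the thread. On OpenBSD the equivalent is the vm.swapencrypt.enable sysctl, the swap encryption Niels Provos wrote that the quoted message refers to.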