Re^4: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications)

That Tk app is cool. ++. I'm inspired to learn Tk now.

I don't want to let you get away with speaking ex cathedra, so... which experts and where? :)

Probably should have mentioned earlier that I'm familiar with Linux (this is not to say your answer wasn't helpful). As far as I know, you can do better than using losetup's encryption facilities. According to this paper (PDF), CBC mode (used by - correct me if wrong - losetup) has a few known problems. Whether these are more than academic is likely dependent on whom you're trying to hide data from. :) In any case (as I perceive it), the state of the art with Linux disk encryption right now is LUKS and dm-crypt.

Nevertheless, I think you're right... encrypted loopback is the best solution. The "far more complex" situation means that

memset(sensitive_buf, 0, sizeof sensitive_buf);

... is not sufficient, because to assert it is would be assuming the code is running on some ethereal Turing machine in the sky. But it's not. You must also consider the broader environment this code runs in (namely, one which includes modern OSs with virtual memory systems), which means taking into account memory being swapped out, etc.

I think I have more of a handle on the problem now. Cheers. :)

email: perl -e 'print reverse map { chr( ord($_)-1 ) } split //, "\x0bufo/hojsfufqAofc";'

Comment on Re^4: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications) Download Code

Replies are listed 'Best First'.
Re^5: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications) by zentara (Cardinal) on Aug 31, 2008 at 12:45 UTC
*so... which experts and where? :)* Slashdot of course!!! :-) Slashdot on encryption Seriously though, there are newsgroups devoted to encryption security, and it usually comes down to "who are you trying to hide data from?".....because at some level, they can crack you with enough work and money. The AES encryption usually used is based on a finite key length. The question is " are you worth them spending a million dollars of their limited budgets?" For a divorce case.....no; .......to implicate Clinton and Monica Lewinski.... oh yeah. :-) They have ways of attacking encrypted disks. One of the most recent is Freezing Computers I'm not really a human, but I play one on earth Remember How Lucky You Are	[reply]
Re^6: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications) by Anonymous Monk on Aug 31, 2008 at 13:42 UTC
Nice dodge. Now could you please give a good reference that cites the "experts" you referred to in your other node? A google search against "loopback file system expert opinion" returns nothing helpful. You seem to be "in the know" on this, so please share with us lowly morons not so privileged.	[reply]
Re^7: Is it possible to sanitize Perl memory that holds sensitive data? (crypto implications) by zentara (Cardinal) on Sep 01, 2008 at 12:47 UTC
First, since I will never convince you of my expertise, ( as well I shouldn't, since I have none in the math of encryption), read the following for yourself and decide Google articles on linux encryption . Second, there is no security on MSWindows..... it is designed to help the NSA develope backdoors.... every month some new backdoor into MSWindows is discovered, ranging from hidden keystroke recorders to hidden copies of all deleted files. Third, use your common sense. If you had something you want to keep secret, you would think "obviously encrypt it". Thinking you could keep it as plaintext, hidden by obscurity in a mess of files, is a poor solution compared to encryption. As a matter of fact, one of the first thing law enforcement does when trying to crack an encrypted filesystem, is to filter your harddrive for every text string, then use those strings as a dictionary in a password attack on your encrypted filesystem. I guess most people are stupid enough to use phrases that are familiar to them, or they hide a reminder somewhere, and the success rate of cracking is pretty high. So just use your common sense, an encrypted filesystem is more secure than a plain text filesystem, the question becomes the strength of the encryption algorithm, and consequently "who are you defending against". So if you don't believe what the "experts" in the above Google results say, what are YOUR alternatives? I'm not really a human, but I play one on earth Remember How Lucky You Are	[reply]