Secure erasing of password from memory in Ruby


Question

I'm writing a Ruby application that will need to handle a user's enterprise password. I'd like to minimize the time the password is in memory to reduce the likelihood of the password being exposed.

In a native language, I would directly erase the data. In C#, I would use the SecureString class. In Java, I'd use char[]. But the best that I can find for Ruby is an old feature request that seems dead.

What is the standard for securely storing and erasing passwords from memory in Ruby? Is there a class that does this? A coding pattern similar to the char[] of Java?

Recommended answer

A Ruby issue (5741) regarding secure erasure of secrets from memory has existed for 5 years now. That issue also contains some links which explain why it is a good thing to erase passwords from memory. Lately macOS did have an issue with FileVault2, because the password was stored within memory.

One possible solution shown within issue 5741 is:

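require 'stringio'

pass = ""
$stdin.sysread(256, pass) # assuming a line-buffered terminal
# ... use pass here ...
# overwrite the password's bytes in place with NUL bytes
io = StringIO.new("\0" * pass.bytesize)
io.read(pass.bytesize, pass)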

It seems to work with ruby 2.3.1p112, but I can't promise it.
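
An added example, not part of the original answer or of issue 5741: it wraps the StringIO overwrite quoted above in a block-scoped pattern so the wipe runs even when the code using the password raises, and it shows that copies made along the way are not wiped. The names `wipe!`, `with_secret` and `demo` are hypothetical, and the password is a constructed sample value.

```ruby
require 'stringio'

# Hypothetical helper (not from issue 5741): overwrite a String's bytes with
# NULs using the StringIO read-into-buffer technique quoted above.
def wipe!(str)
  raise FrozenError, "cannot wipe a frozen String" if str.frozen?
  len = str.bytesize
  return str if len.zero?
  StringIO.new("\0" * len).read(len, str) # copies len NUL bytes into str
  str
end

# Hypothetical wrapper: yield the secret, then wipe it even if the block raises.
def with_secret(secret)
  yield secret
ensure
  wipe!(secret)
end

# Constructed sample value, built at runtime so it is a mutable String.
def demo
  secret = String.new("correct horse battery staple")
  copy = nil
  result = with_secret(secret) do |s|
    copy = s.dup # a dup (like a slice or interpolation) is a separate String
    s.bytesize
  end
  {
    result: result,                          # value returned by the block
    wiped: secret.bytes.all?(&:zero?),       # original now holds only NULs
    same_size: secret.bytesize == result,    # length is unchanged by the wipe
    copy_intact: copy                        # the copy still holds the password
  }
end
```

The surviving `copy` is the practical limit of this pattern: only the String object passed to `wipe!` is overwritten, so the password has to be read straight into one mutable buffer and never duplicated, sliced or interpolated before the wipe.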
