Cryptography: best practices for keys in memory?

Question

Background: I got some data encrypted with AES (i.e. symmetric crypto) in a database. A server-side application, running on an (assumed) secure and isolated Linux box, uses this data. It reads the encrypted data from the DB, and writes back encrypted data, only dealing with the unencrypted data in memory. So, in order to do this, the app is required to have the key stored in memory.

The question is, are there any good best practices for this? Securing the key in memory.

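Some ideas:

  1. Keep it in unswappable memory (for Linux: setting SHM_LOCK with shmctl(2)?)
  2. Split the key over multiple memory locations.
  3. Encrypt the key. With what, and how to keep the ...key key.. secure?
  4. Load the key from a file each time it is required (slow, and if the evildoer can read our memory, he can probably read our files too)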

Some scenarios on why the key might leak: evildoer getting hold of mem dump/core dump; bad bounds checking in code leading to information leakage;

The first one seems like a good and pretty simple thing to do, but how about the rest? Other ideas? Any standard specifications/best practices?

Thanks for any input!

Recommended answer

All depends on the level of your paranoia and the sensitivity of the key/data. In the extreme cases, as soon as you have an unencrypted key in memory, one can retrieve it using coldboot techniques. There is an interesting development at frozencache to try to defeat that. I merely casually read it, did not try it in practice, but it seems like an interesting approach to try.

With the tinfoil hat off, though - (1), (2), (3) do seem reasonable. (4) won't cut it precisely for the reason you mentioned. (Not only is it slow, but assuming you read into the stack, with different stack depths the key might become visible more than once).

Assuming the decrypted data is worth it, and it would be in the swappable memory, you definitely should encrypt the swap itself as well. Also, the root, /tmp partitions should also be encrypted. This is a fairly standard setup which is readily available in most guides for the OSes.

And then, of course, you want to ensure a high level of physical security for the machine itself and minimize the functions that it performs - the less code runs, the less the exposure is. You also might want to see how you can absolutely minimize the possibilities for remote access to this machine as well - i.e. use the RSA-keys based ssh, which would be blocked by another ACL controlled from another host. Port knocking can be used as one of the additional vectors of authentication before being able to log in to that second host. To ensure that if the host is compromised, it is more difficult to get the data out, ensure this host does not have a direct routable connection to the internet. In general, the more painful you make it to get to the sensitive data, the less chance someone is going to get there; however, this is also going to make life painful for the regular users - so there needs to be a balance.

In case the application is serious and the amount of things at stake is high, it is best to build the more explicit overall threat model and see what are the possible attack vectors that you can foresee, and verify that your setup effectively handles them. (and don't forget to include the human factor :-)

Update: and indeed, you might use the specialized hardware to deal with the encryption/decryption. Then you don't have to deal with the storage of the keys - See Hamish' answer.
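
The following C example is added here and is not part of the original question or answer. It covers idea (1) and the core-dump scenario on Linux, using mlock(2) on an anonymous page rather than the shmctl/SHM_LOCK route the question mentions; the names `harden_process` and `keybuf_*` and the 0x42 key bytes are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

typedef struct { unsigned char *p; size_t len; int locked; } keybuf;

/* Process-wide: no core files, and no ptrace attach or /proc/<pid>/mem
 * reads by other unprivileged processes of the same user. */
int harden_process(void) {
    struct rlimit no_core = {0, 0};
    if (setrlimit(RLIMIT_CORE, &no_core) != 0) return -1;
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* One private page for key material. Returns 0 if pinned in RAM, 1 if
 * usable but still swappable (mlock refused, e.g. RLIMIT_MEMLOCK), -1 on
 * failure. A production service should treat 1 as fatal. */
int keybuf_alloc(keybuf *kb) {
    kb->len = (size_t)sysconf(_SC_PAGESIZE);
    kb->p = mmap(NULL, kb->len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (kb->p == MAP_FAILED) { kb->p = NULL; return -1; }
    kb->locked = (mlock(kb->p, kb->len) == 0);
    madvise(kb->p, kb->len, MADV_DONTDUMP);  /* keep page out of core dumps */
    return kb->locked ? 0 : 1;
}

/* Zero the page with a call the compiler is not allowed to optimise away. */
void keybuf_wipe(keybuf *kb) { explicit_bzero(kb->p, kb->len); }
void keybuf_free(keybuf *kb) {
    if (!kb->p) return;
    keybuf_wipe(kb);                          /* wipe before unmapping */
    if (kb->locked) munlock(kb->p, kb->len);
    munmap(kb->p, kb->len);
    kb->p = NULL;
}

int main(void) {
    keybuf kb;
    if (harden_process() != 0 || keybuf_alloc(&kb) < 0) return 1;
    memset(kb.p, 0x42, 32);   /* constructed stand-in for a 256-bit AES key */
    printf("key page pinned in RAM: %s\n", kb.locked ? "yes" : "no");
    keybuf_free(&kb);
    return 0;
}
```

Copies of the key made elsewhere (stack temporaries, library-internal key schedules) are not covered by this page, which is why the answer's advice to encrypt swap still applies.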