Métriques du dépôt
- Stars
- (30 157 stars)
- Métriques de merge PR
- (Aucune PR mergée en 30 j)
Description
As a security enhancement to OpenSSL we request the option to encrypt memory used to store private key variables. We believe this can be implemented with a modification to the BIGNUM API to include a "secure BIGNUM" which will encrypt the raw data in memory. When the BIGNUM data is required for operations, it can be (quickly) decrypted, used for the operation, then the memory holding the decrypted data can be cleared.
We have developed a production OpenSSL Provider that performs in-place decryption for Asymmetric Keys that relies on the Provider export function, see https://www.jettechlabs.com/securekey for details. We are willing to work with the OpenSSL engineering team to design the right interfaces and implementation if desired.
This feature will enhance overall security of the OpenSSL library by protecting critical security parameters from unintended disclosure due to memory safety issues, side-channel attacks, and other threats - both in the library and the user application code.
Note that some applications that use OpenSSL, including OpenSSH, have implemented ad-hoc versions of Key Shielding where the private keys are encrypted using AES-256. Instead of requiring all applications to implement versions of this protection, we believe the crypto library itself can and should perform these protections.
Thanks
Jason Thomas www.JETtechlabs.com