openssl/openssl

Encrypt Memory used to hold Private Keys

Open

#26 366 ouverte le 9 janv. 2025

Voir sur GitHub
 (12 commentaires) (0 réactions) (0 assignés)C (11 262 forks)batch import
branch: masterhelp wantedtriaged: feature

Métriques du dépôt

Stars
 (30 157 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

As a security enhancement to OpenSSL we request the option to encrypt memory used to store private key variables. We believe this can be implemented with a modification to the BIGNUM API to include a "secure BIGNUM" which will encrypt the raw data in memory. When the BIGNUM data is required for operations, it can be (quickly) decrypted, used for the operation, then the memory holding the decrypted data can be cleared.

We have developed a production OpenSSL Provider that performs in-place decryption for Asymmetric Keys that relies on the Provider export function, see https://www.jettechlabs.com/securekey for details. We are willing to work with the OpenSSL engineering team to design the right interfaces and implementation if desired.

This feature will enhance overall security of the OpenSSL library by protecting critical security parameters from unintended disclosure due to memory safety issues, side-channel attacks, and other threats - both in the library and the user application code.

Note that some applications that use OpenSSL, including OpenSSH, have implemented ad-hoc versions of Key Shielding where the private keys are encrypted using AES-256. Instead of requiring all applications to implement versions of this protection, we believe the crypto library itself can and should perform these protections.

Thanks

Jason Thomas www.JETtechlabs.com

Guide contributeur