On Sat, 30 Sep 2006, Tom Phoenix wrote:

> On 9/30/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:
>
>> Is there some way to keep a string in RAM, not allowing it to go to
>> swap? Just like gnupg does with passphrases, and for similar reasons.
>> (Linux only, no portability required!)
>
> Not in pure Perl. And extensions don't help much: You could write a
> simple extension that keeps a string for you, but how will you get the
> data into it (and out again) without potentially leaking data that
> will show up in swapfiles or coredumps?

Making an extension would be way beyond my skills! (No C here, only some
Perl and less Bash). What I hoped for was the gnupg-like behaviour.

> One idea (which may not work for your application) might be that the
> Perl code wouldn't know the passphrase, but only some data derived by
> a one-way hash function from the passphrase. An extension would ask
> the user for the passphrase and return the result of the hash
> function.

Maybe. What I have is several files (CDB databases) with digests kept in
a symmetrically encrypted file. The idea is to detect tampering with the
data, not keep the data really secret.  At the beginning of a session
the user provides a passphrase to decrypt the file via system("gpg -d
..."). This part is safe, as far as I can see, since gnupg uses locked
memory. But if the decrypted file is kept, the setup is vulnerable during
the session (call me paranoid). And asking for the passphrase each time
the user wants to access a database within the same session is too heavy
on the user. It would be nice to keep the passphrase in RAM to use when
necessary.

Of course, I could read all digests at the beginning and keep the
digests, not the passphrase, and update the encrypted file at the end of
the session. But the same user may need to start more than one session,
and that requires that the digests be updated, so that the second
session won't use a stale encrypted file.

An approach I thought of first was to forget about digests and just keep
all files signed with gnupg. But it is slow!


> There are some modules on CPAN that may do something similar to that.
> Maybe something there can help you:
>
>   http://search.cpan.org/search?query=passphrase&mode=all

I'll have a look at it.

> Good luck with it!

Thanks,

Jorge Almeida
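
An added example, not part of the original thread: a minimal C sketch of the gnupg-like handling discussed above, in which the secret lives in pages pinned with mlock(2), core files are disabled, and input is read directly into the locked buffer. It assumes Linux; the function names are hypothetical, and terminal echo control and the one-way hash step are left out.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes MAP_ANONYMOUS */
#endif
#include <stddef.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Function names are hypothetical, chosen for this example.
   Forbid core files so a crash cannot write the secret to disk. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Map whole pages and pin them in RAM. Returns NULL if the kernel
   refuses, for example when RLIMIT_MEMLOCK is too low. */
void *secret_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (mlock(p, len) != 0) { munmap(p, len); return NULL; }
    return p;
}

/* Read one line straight into the locked buffer with read(2); stdio would
   stage it in an unlocked heap buffer. Returns length, or -1 on error. */
long secret_read_line(int fd, char *buf, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (n + 1 < cap) {
        ssize_t r = read(fd, buf + n, 1);
        if (r < 0) return -1;
        if (r == 0 || buf[n] == '\n') break;
        n++;
    }
    buf[n] = '\0';
    return (long)n;
}

/* Zero through a volatile pointer so the stores are not optimised away. */
void secret_wipe(void *p, size_t len) {
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}

void secret_free(void *p, size_t len) {
    secret_wipe(p, len);
    munmap(p, len);            /* unmapping also drops the lock */
}
```

The locking only covers this buffer: once the bytes are handed to Perl as an ordinary scalar they sit in unlocked memory again, which is the leak Tom's reply points at.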
