All geek questions in one place

Securely protect passwords in your application

I found a similar question here Saving passwords inside the application , but in fact it did not answer my problems.

I am dealing with an application that will receive a password (securely) from a user. As soon as I get the password, I will need to save it in some variable and send it through transactions to other systems (this logic is safe and secure and is already implemented).

My concern is that I do not want to see the password in the kernel dump, so I would like to encrypt any password before storing it in any variable.

Questions:

  • Is it enough to encrypt it before storing it in a variable? Or am I missing some security loopholes?

  • Are there simple headers only for headers that can do encryption? Can you direct me to where I can start looking?

Note for commenters comment:

  • Password will not be stored for a long time; For transaction duration only.

  • Unfortunately, transaction participants cannot decrypt the password, so I will need to decrypt it before sending it to them.

  • My main problem is to find a way to encrypt and decrypt the password locally - in a simple way ...

  • I found the OpenSSL library and crypto ++, but these are the seams that I will need to associate with them, I can’t just include and call them (i.e. not just the header libraries) ...

Thanks,

+4
source share
1 answer

(Note. I am sure that there are strict checklists and official instructions on how to handle passwords in secure software from people and authorities who really know something about security. This is not one of them!)

I don’t think that there is a cryptographically secure way to have passwords in your processes memory, to be able to use them, but not to provide access to it to a user who can run your application under a debugger or check your kernel dumps.

What you can do is an obscure password. Here are some methods you can use:

  • Do not store the password as a simple line anywhere in the memory (scatter characters around, etc.).
  • Scrub all the variables that are stored in the password after they are used (for example, if you pass the password to a function, you must set all the characters of this variable to NUL inside the function after you finish with it.
  • Encrypt password.
  • Replace the encryption key each time the application starts (or periodically if it is a long application.)
  • Create an encryption key procedurally based on some aspect of the system / hardware, rather than saving the encryption key for the password anywhere in your process memory.
  • Use hardware, such as a Trusted Platform Module (TPM), if available.

Implementing the above sequentially and effectively is quite complex and affects all your code that deals with the password. And sometimes you even have to deliberately make your code more obscure and go against all your instincts as a programmer (for example, do not pass the password to functions as a parameter, but use hard-coded addresses inside the function.)

Once again, I want to emphasize that it may not be possible to protect your passwords only in software, when the adversary has full access to the physical machine.

As for the second part of your question, I don’t know a single encryption library for the header only, but for encrypting the password you probably only need a cipher and probably a hash. And all the best algorithms have public or other free implementations in the wild. You can get one of them and copy / paste into your application. Remember to seriously check it out though!

+1
source

Source: https://habr.com/ru/post/1485828/

More articles:


All Articles