You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This fix proposes changing the BaseKeyPair object so that instead of having an option to the PrivateKey, it has as an option an encryptor object that encrypts the secret key in memory when creating the key pair and decrypts it on demand when signing is needed.
We can use the memsec crate, which implements the same functions as the OpenSSH libsodium library, and enforce our encryptor based on an efficient symmetric algorithm (with chacha20poly1305), or use the memsecurity crate that has already implemented it. I attach a proof of concept with memsecurity.
Example BaseKeyPair:
use memsecurity::EncryptedMem;/// Base key pair.////// This type contains the public key and some `EncryptedMem` object with the/// secret key or none.///pubstructBaseKeyPair<K>{pubpublic:K,pubsecret:Option<EncryptedMem>,}
This fix proposes changing the BaseKeyPair object so that instead of having an option to the PrivateKey, it has as an option an encryptor object that encrypts the secret key in memory when creating the key pair and decrypts it on demand when signing is needed.
We can use the memsec crate, which implements the same functions as the OpenSSH libsodium library, and enforce our encryptor based on an efficient symmetric algorithm (with chacha20poly1305), or use the memsecurity crate that has already implemented it. I attach a proof of concept with memsecurity.
Example
BaseKeyPair
:Example type
ed25519
:Example build from secret bytes:
Example sign:
The verification would remain the same as before.
The text was updated successfully, but these errors were encountered: