From the KMS documentation for the GenerateDataKey operation, https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html:

"We recommend that you use the following pattern to encrypt data locally in your application: Use the GenerateDataKey operation to get a data encryption key. Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory."

Is this code sufficient to ensure that the plaintext key has been erased from memory once it has been used?

const aws = require("aws-sdk");
const crypto = require("crypto"); // needed by MyEncryptionFunction below
const kms = new aws.KMS({...config});

(async () => {
  /** {Plaintext: Buffer, CiphertextBlob: Buffer} **/
  let dataKey = await kms.generateDataKey({...options}).promise();
  let encryptedString = MyEncryptionFunction(dataKey.Plaintext, "Hello World");
  dataKey.Plaintext.fill(0); // overwrite the buffer with zeroes to erase the key from memory
})();

function MyEncryptionFunction(key, dataString) {
  let iv = crypto.randomBytes(16);
  let cipher = crypto.createCipheriv("aes256", key, iv); // "aes256" is AES-256-CBC; key must be 32 bytes
  return cipher.update(dataString, "utf8", "hex") + cipher.final("hex");
}

Is it safe to assume that the aws-sdk does not leak or copy the key into other parts of memory, and that the same holds for createCipheriv in the built-in crypto library, so that simply overwriting the Plaintext buffer with zeros is enough to erase the key from memory?
1 Answer
潇潇雨雨
Contributed 1833 experience points, received over 4 likes
This is what the AWS Encryption SDK for JavaScript does [1]. In fact, if the Encryption SDK offers the functionality you need, I would recommend using it.

The aws-sdk treats this value as sensitive and creates an isolated Buffer in Node.js [2]. This means the plaintext key is scoped to this function; as long as it does not share it, there are no other copies and nobody else can access it. (The usual "no bad actor has access to your server" applies.)

Tracing the createCipheriv call in Node [3]..[4], it passes a reference to the key to OpenSSL, not a copy.
[1] https://github.com/aws/aws-encryption-sdk-javascript/blob/master/modules/material-management/src/cryptographic_material.ts#L343
[2] https://github.com/aws/aws-sdk-js/pull/2622/files
[3] https://github.com/nodejs/node/blob/master/lib/crypto.js#L114
[4] https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L4099