Zeroization of sensitive data in Erlang

Amit K klg.amit@REDACTED
Sat Oct 26 22:38:11 CEST 2019


Hi all,

Concerning the security practice of zeroizing sensitive data from memory
after you're finished with it, such as cryptographic keys, passwords, etc.,
I wanted to ask if any of you ever had to implement such a thing in Erlang,
and if so, how? :)

Also note that often this is a requirement that you must fulfill if you
want your product to pass a security standard evaluation such as the
"Common Criteria" one (as an example requirement, see FCS_CKM_EXT.4 here:
https://www.commoncriteriaportal.org/files/ppfiles/pp_nd_v1.0.pdf).

The problem of course is that in Erlang (and I suppose - FP in general)
once a variable gets assigned, you are not allowed to change its value, and
in particular of course overwrite it with zero bytes.

One option I thought about is doing it with a NIF, but from my
understanding a NIF isn't supposed to change its input values, it should
treat them as constants, which is understandable as well (basic FP language
property).

Any feedback can be helpful :)

Regards,

Amit