Thursday, 13 April 2017

Is it unsafe to store private keys in JavaScript strings?

Cryptographic applications need extreme caution when dealing with private keys. They often, for example, leave those encrypted on disk as long as possible. When needed, they decrypt a key, do what is required, and then completely erase it from memory (by cleaning buffers).

In JavaScript, buffers can, too, be used for private keys, but strings are, in general, more convenient. Storing private keys in strings could be a bad idea, because you can't actively erase strings from memory; you must wait for a garbage collection. Moreover, all it takes is a single memory leak for your private key to remain uncollected; and then there is string interning.

Am I being overcautious and, with enough caution, it is safe to use strings to store private keys, or am I right and it is a terrible idea overall?



via MaiaVictor
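
The buffer-versus-string difference the question describes, as an added example for Node.js that is not part of the original post. The helper names `withKey`, `demo` and `stringCopySurvives` are hypothetical, and `crypto.randomBytes` stands in for decrypting a key from disk.

```javascript
const crypto = require('crypto');

// Runs use(key) on key bytes obtained from loadKey() and overwrites them
// afterwards, even when use() throws. loadKey() must return a fresh Buffer
// that nothing else keeps a reference to.
function withKey(loadKey, use) {
  const key = loadKey();
  if (!Buffer.isBuffer(key)) throw new TypeError('key must be a Buffer');
  try {
    return use(key);
  } finally {
    key.fill(0); // in-place wipe; not possible for an immutable string
  }
}

// Uses the key for an HMAC and reports whether the bytes were wiped afterwards.
function demo() {
  let seen; // reference kept only so the wipe can be inspected
  const tag = withKey(
    () => crypto.randomBytes(32), // assumption: stand-in for "decrypt key from disk"
    (key) => {
      seen = key;
      return crypto.createHmac('sha256', key).update('message').digest('hex');
    }
  );
  return { tag, wiped: seen.every((b) => b === 0) };
}

// Once the bytes have been turned into a string, wiping the Buffer no longer
// removes the secret: the string is a separate, immutable copy.
function stringCopySurvives() {
  const secret = 'constructed-demo-secret'; // constructed sample value
  const key = Buffer.from(secret, 'utf8');
  const asString = key.toString('utf8');
  key.fill(0);
  return {
    bufferWiped: key.every((b) => b === 0),
    stringStillReadable: asString === secret,
  };
}
```

The wipe covers only this one Buffer; any copy the code makes along the way, for example through `toString` or `Buffer.concat`, is not affected by it.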
