On Fri, Mar 2, 2012 at 3:58 PM, Arturo Filastò hellais@torproject.org wrote:
We were discussing last night with George about deployability of Python applications on multiple platforms.
[....]
By talking to some of the core Python developers my understanding is that there is a way of securely storing keys in memory and wiping that memory region in Python. It involves using bytearray. When you override a cell in a byte array you are not simply dereferencing the pointer to the Python struct, you are actually overwriting that portion of memory. I think I might write a blog post about this and illustrate what other Python crypto software is using to solve this problem (PyCrypto etc.).
What's the threat model here? On a single-user machine access to memory usually means game over anyway: you can be rooted and the keys read out. Or is this a matter of making 1 application that works for all threat models so that we can discover and root out bugs faster?
Sincerely, Watson Ladd
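
The bytearray behaviour described in the quoted message, as an added example that is not part of the original thread: it wipes a key held in a bytearray, reads the same address back through ctypes to confirm the storage was overwritten, and shows that an immutable bytes copy of the key is untouched by the wipe. It assumes CPython; SAMPLE_KEY, buffer_address, wipe and demo are names made up for this illustration.

```python
import ctypes

SAMPLE_KEY = b"constructed-sample-key-0123456789"  # constructed, not a real key


def buffer_address(buf: bytearray) -> int:
    """Return the address of the bytearray's backing storage (CPython only)."""
    view = (ctypes.c_char * len(buf)).from_buffer(buf)
    return ctypes.addressof(view)


def wipe(buf: bytearray) -> None:
    """Overwrite each cell in place; item assignment never reallocates."""
    for i in range(len(buf)):
        buf[i] = 0


def demo() -> dict:
    key = bytearray(SAMPLE_KEY)
    copy = bytes(key)  # immutable copy: a second buffer that cannot be wiped
    addr = buffer_address(key)
    before = ctypes.string_at(addr, len(key))  # raw memory before the wipe
    wipe(key)
    after = ctypes.string_at(addr, len(key))   # same address after the wipe
    return {
        "before": before,
        "after": after,
        "same_buffer": buffer_address(key) == addr,
        "copy_survives": copy == SAMPLE_KEY,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The wipe only covers the one buffer: any conversion of the key to bytes, str or hex along the way leaves a separate copy that stays in memory until the allocator reuses it.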