paragonie / halite

High-level cryptography interface powered by libsodium
https://paragonie.com/project/halite
Mozilla Public License 2.0

How to Wipe Security Key Objects from Halite? #144

Closed: raghuveerdendukuri-is closed this issue 4 years ago

raghuveerdendukuri-is commented 4 years ago

How can we wipe Security Key Objects, those that are loaded using loadEncryptionKey, loadAuthenticationKey kind of methods, along with specific Public Key & Private keys?

I am not able to wipe keys, irrespective of whether I use \Sodium\memzero or sodium_memzero.

Example: Loading Symmetric Encryption Key

```php
$symmetric_encryption_key = \ParagonIE\Halite\KeyFactory::loadEncryptionKey("symmetric_encryption_key.key");

\Sodium\memzero($symmetric_encryption_key);
// or
sodium_memzero($symmetric_encryption_key);
```

Error Message:

```
Fatal error: Uncaught TypeError: Argument 1 must be a string, object given. in /home/api-dev4-fp/webapps/dev4-rest-api/vendor/paragonie/sodium_compat/src/Core/Util.php:218 Stack trace:
0 /home/api-dev4-fp/webapps/dev4-rest-api/vendor/paragonie/sodium_compat/src/Compat.php(3195): ParagonIE_Sodium_Core_Util::declareScalarType(Object(ParagonIE\Halite\Symmetric\EncryptionKey), 'string', 1)
1 /home/api-dev4-fp/webapps/dev4-rest-api/vendor/paragonie/sodium_compat/lib/sodium_compat.php(783): ParagonIE_Sodium_Compat::memzero(Object(ParagonIE\Halite\Symmetric\EncryptionKey))
2 /home/api-dev4-fp/webapps/dev4-rest-api/app/includes/halite-functions.php(478): Sodium\memzero(Object(ParagonIE\Halite\Symmetric\EncryptionKey))
3 /home/api-dev4-fp/webapps/dev4-rest-api/public_html/rest-apis/rest-login.php(541): wipeSecurityKeys()
4 /home/api-dev4-fp/webapps/dev4-rest-api/public_html/index.php(1176): include('/home/api-dev4-...')
5 {main}
thrown in /home/api-dev4-fp/webapps/dev4-rest-api/vendor/paragonie/sodium_compat/src/Core/Util.php on line 218
```

paragonie-security commented 4 years ago

Just unset the object. HiddenString will wipe its buffer on destruct.

raghuveerdendukuri-is commented 4 years ago

Thanks, Scott.

When used through a function, I did `unset($GLOBALS['symmetric_encryption_key']);`

It worked. I will use the unset() function when unsetting specific variables/objects directly, instead of through a PHP function.

paragonie-security commented 4 years ago

It's Robyn, actually. :)

Glad to hear it worked.
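
The behaviour discussed in this thread, as an added example that is not from the thread or from Halite's code: `sodium_memzero` rejects an object, and a wipe-on-destruct object is only wiped once its last reference is released. `DemoSecret` and `wipeKeys()` are hypothetical stand-ins, and the script assumes PHP with the sodium extension loaded.

```php
<?php
// Added illustration; DemoSecret is a hypothetical stand-in, not Halite code.
// Assumes the sodium extension (ext-sodium) is loaded.
final class DemoSecret
{
    public static $wiped = 0;      // number of destructor-driven wipes
    private $buf;

    public function __construct(string $material)
    {
        $this->buf = $material;
    }

    public function __destruct()
    {
        sodium_memzero($this->buf); // accepts a string by reference
        self::$wiped++;
    }
}

function wipeKeys(): void
{
    // $key lives in global scope; unset($key) here would only drop a local name.
    unset($GLOBALS['key']);
}

$key = new DemoSecret(random_bytes(32)); // constructed sample key material
$alias = $key;                           // second handle to the same object

try {
    sodium_memzero($key);                // rejected: the argument is an object
} catch (\Throwable $e) {
    echo get_class($e), " raised; the object was not wiped\n";
}

unset($key);    // $alias still references the object, so no destructor yet
echo "wipes after unset(\$key): ", DemoSecret::$wiped, "\n";
unset($alias);  // last reference gone: __destruct() runs and zeroes the buffer
echo "wipes after unset(\$alias): ", DemoSecret::$wiped, "\n";

$key = new DemoSecret(random_bytes(32)); // constructed sample key material
wipeKeys();     // removes the global from inside a function
echo "wipes after wipeKeys(): ", DemoSecret::$wiped, "\n";
```

Any copy of the key object held elsewhere (another variable, an array entry, an object property) keeps the buffer alive until that reference is released too.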