You want to minimize the odds of someone getting your raw key material, particularly if they end up with local access to the machine.
There are a number of things you can do to reduce these risks:
Securely erase keys as soon as you have finished using them. Use the
spc_memzero( )function from Recipe 13.2.When you need to store key material, password-protect it, preferably using a scheme to provide encryption and message integrity so that you can detect it if the encrypted key file is ever modified. For example, you can use PBKD2 (see Recipe 4.10) to generate a key from a password and then use that key to encrypt using a mode that also provides integrity, such as CWC (see Recipe 5.10). For secret keys in public key cryptosystems, use PEM-encoding, which affords password protection (see Recipe 7.17).
Store differentiating information with your medium- or long-term symmetric keys to make sure you don’t reuse keys. (See Recipe 4.11.)
Get Secure Programming Cookbook for C and C++ now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
