Geek Answers Handbook

Safely storing strings in memory from node.js applications

In this question, Mubashar asks to safely store sensitive information in memory using C # and points to the SecureString class from .NET. Is there an existing comparable tool that will do this in node.js? Otherwise, how to do this using available node resources?

+11
security memory
source share
2 answers

you can use a closure for the private key and salt area and inside this closure there is another closure that you create with a hashed password that has an internal closure, return a function that accepts the call (for example, your password to unlock it).

function outer (key, salt) { return function generator (password) { var hash = gen_hash(key, salt, password); password = undefined; return function (challenge) { var response = test_challenge(challenge, hash, key, salt); return repsonse; } } }

use it like:

var challenger = outer('my-key','salt')('password')

then when you want to recover the encrypted password, you will have to transfer the call

var password = challenger('my-unlock-code');

use any cryptography library that you would like is not a working example, this is just an example of how to use closure to access sensitive data.

+1
source share

The only way is to use a typed array, for example, Uint8Array (the Buffer class is just a thin shell), and fill it with null or any other value after use.

But there are a few things to consider:

When you get credentials, for example, you most likely get them as JSON. In this case, any efforts will be in vain if you do not intercept, so the request body is not stored inside the string, as any web structure does.

When you read API keys from text files, it should be obvious why memory security may not be the biggest problem. To do this, consider the keystore.

But even then you cannot be sure that there are no leaks. For example, I doubt that node.js streams will clean up after themselves. And even if you override them manually, leaks from copying or system APIs are possible. Even password managers have problems with password leaks.

To summarize: even if you consider everything, there are likely to be leaks that you cannot prevent.

0
source share

More articles:


All Articles