Protecting Source Code

John Wilson tug at wilson.co.uk
Fri May 9 12:41:50 EDT 2003


----- Original Message ----- 
From: "Lulu of the Lotus-Eaters" <mertz at gnosis.cx>
Newsgroups: comp.lang.python
To: "Pythonistas" <python-list at python.org>
Sent: Friday, May 09, 2003 5:28 PM
Subject: Re: Protecting Source Code


> "John Wilson" <tug at wilson.co.uk> wrote previously:
> |There are several solutions. One that I have used is the Dallas
> |Semiconductor Crypto iButton (http://www.ibutton.com/ibuttons/java.html).
> |The private key is held on the tamper proof token and *never* appears in the
> |memory of the computer. The decryption occurs on the iButton and the
> |cleartext comes back.
>
> And the cleartext is stored on... oh, the memory of the computer?!

Quite so - however it is transient. Your risks are limited to an attacker
getting a subset of the data you are trying to protect. If the attacker can
steal the key then all the information you are trying to protect is
compromised. Additionally the cleartext is not held in a file. It is, of
course, always possible to get at the data in RAM or on the swap device, but
it's pretty hard compared to getting the keyfile from the file system (some
web servers will do this for you if you ask them nicely enough).

Security is not an absolute attribute of the system. You can never make it
impossible to steal the information; you just make it more expensive and make
it take longer.

John Wilson
The Wilson Partnership
http://www.wilson.co.uk





