Remediate SAF-01-001 Crypto: Secure Key Deletion Ineffective (Medium)

README.md

@@ -110,6 +110,20 @@ Should any of these properties _not_ be required, the user has to intentionally
 
 There is some more detail in [SPEC.md](./SPEC.md).
 
+### Known Issues
+
+#### Secure Key Deletion
+
+Go currently does not provide functionality to securely handle sensitive data, such as key material, in memory. Thus, it cannot be guaranteed that key material is correctly wiped from memory and won't leak when swapping memory to disk.
+
+There is an [issue in the Golang project](https://github.com/golang/go/issues/21865) about this.
+
+We evaluated two existing workarounds for this:
+1) Using `reflect` to dive into the internals of all algorithms to (possibly) delete key material. This is used in the Go implementation of Wireguard, for example. This still does not guarantee that Go internally deletes the key material.
+2) Use of the [Go memguard package](https://github.com/awnumar/memguard). While this would improve handling of key material that we directly manage, it will still not solve protecting all the intermediate values used in the implementations of the algorithms.
+
+We currently settled on waiting for further progress on the issue by the Go development team, and will reevaluate the progress regularly.
+
 ### Testing
 
 Basically, tests are run like this:

core-wire.go

@@ -418,7 +418,7 @@ func (w *WireSession) unwrapKeys(keyMaterial [][]byte) ([][]byte, error) {
 	return keyMaterial, nil
 }
 
-// burnEphemeralKeys burns all the ephemeral key material in the session.
+// burnEphemeralKeys burns all the ephemeral key material in the session. This is currently ineffective, see known issues in the project's README.
 func (w *WireSession) burnEphemeralKeys() error {
 	var lastErr error
 

helper.go

@@ -70,7 +70,7 @@ func (h *Helper) RandomBytes(n int) ([]byte, error) {
 	return RandomBytes(n)
 }
 
-// Burn gets rid of the given []byte slice(s).
+// Burn gets rid of the given []byte slice(s). This is currently ineffective, see known issues in the project's README.
 func (h *Helper) Burn(data ...[]byte) {
 	Burn(data...)
 }
@@ -99,7 +99,7 @@ func (h *Helper) MaxSecurityLevel() int {
 	return defaultSecurityLevel
 }
 
-// Burn gets rid of the given []byte slice(s).
+// Burn gets rid of the given []byte slice(s). This is currently ineffective, see known issues in the project's README.
 func Burn(data ...[]byte) {
 	for _, slice := range data {
 		for i := 0; i < len(slice); i++ {

signet.go

@@ -224,7 +224,7 @@ func (signet *Signet) Verify() error {
 	return errors.New("NIY")
 }
 
-// Burn destroys all the key material and renders the Signet unusable.
+// Burn destroys all the key material and renders the Signet unusable. This is currently ineffective, see known issues in the project's README.
 func (signet *Signet) Burn() error {
 	// load tool
 	err := signet.loadTool()

tools/ecdh/nist.go

@@ -147,7 +147,7 @@ func (ec *NistCurve) GenerateKey(signet tools.SignetInt) error {
 	return nil
 }
 
-// BurnKey implements the ToolLogic interface.
+// BurnKey implements the ToolLogic interface. This is currently ineffective, see known issues in the project's README.
 func (ec *NistCurve) BurnKey(signet tools.SignetInt) error {
 	pubKey := signet.PublicKey()
 	privKey := signet.PrivateKey()

tools/ecdh/x25519.go

@@ -115,7 +115,7 @@ func (ec *X25519Curve) GenerateKey(signet tools.SignetInt) error {
 	return nil
 }
 
-// BurnKey implements the ToolLogic interface.
+// BurnKey implements the ToolLogic interface. This is currently ineffective, see known issues in the project's README.
 func (ec *X25519Curve) BurnKey(signet tools.SignetInt) error {
 	pubKey := signet.PublicKey()
 	privKey := signet.PrivateKey()

tools/gostdlib/ed25519.go

@@ -148,7 +148,7 @@ func (ed *Ed25519) GenerateKey(signet tools.SignetInt) error {
 	return nil
 }
 
-// BurnKey implements the ToolLogic interface.
+// BurnKey implements the ToolLogic interface. This is currently ineffective, see known issues in the project's README.
 func (ed *Ed25519) BurnKey(signet tools.SignetInt) error {
 	pubKey := signet.PublicKey()
 	privKey := signet.PrivateKey()

tools/gostdlib/rsa-keys.go

@@ -104,7 +104,7 @@ func (base *rsaBase) GenerateKey(signet tools.SignetInt) error {
 	return nil
 }
 
-// BurnKey implements the ToolLogic interface.
+// BurnKey implements the ToolLogic interface. This is currently ineffective, see known issues in the project's README.
 func (base *rsaBase) BurnKey(signet tools.SignetInt) error {
 	pubKey := signet.PublicKey()
 	privKey := signet.PrivateKey()

tools/interfaces.go

@@ -22,7 +22,7 @@ type HelperInt interface {
 	// RandomBytes returns the specified amount of random bytes in a []byte slice.
 	RandomBytes(n int) ([]byte, error)
 
-	// Burn gets rid of the given []byte slice(s).
+	// Burn gets rid of the given []byte slice(s). This is currently ineffective, see known issues in the project's README.
 	Burn(data ...[]byte)
 
 	// DefaultSymmetricKeySize returns the default key size for this session.

tools/toollogic.go

@@ -119,6 +119,7 @@ type ToolLogic interface {
 	// BurnKey deletes the loaded keys in the Signet.
 	// Must work with a static (no Setup()) ToolLogic.
 	// Must be overridden by tools that declare FeatureKeyExchange, FeatureKeyEncapsulation or FeatureSigning.
+	// Implementations of this are currently ineffective, see known issues in the project's README.
 	BurnKey(signet SignetInt) error
 
 	// SecurityLevel returns the security level (approximate attack complexity as 2^n) of the given tool.
@@ -289,7 +290,7 @@ func (tlb *ToolLogicBase) GenerateKey(signet SignetInt) error {
 	return ErrNotImplemented
 }
 
-// BurnKey implements the ToolLogic interface.
+// BurnKey implements the ToolLogic interface. This is currently ineffective, see known issues in the project's README.
 func (tlb *ToolLogicBase) BurnKey(signet SignetInt) error {
 	return ErrNotImplemented
 }