blob: c31e6f435b67a4a902878a0176bf16826665c4ab (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
<strong>Nofuture.go - debian 12 install</strong><br><br>
<strong>Core Components Build Process</strong>
<pre><code>sudo apt-get update && sudo apt-get install -y \
cmake ninja-build gcc ligit clone --depth 1 https://github.com/open-quantum-safe/liboqs && cd liboqs
mkdir build && cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Release \
-DOQS_USE_OPENSSL=ON \
-DOQS_DIST_BUILD=ON \
-DOQS_OPTIMIZED_BUILD=ON \
-DCMAKE_INSTALL_PREFIX=/usr/local \
-DOQS_BUILD_ONLY_LIB=ON ..bssl-dev libtool autoconf
</code></pre>
<pre><code>ninja
sudo ninja install
sudo ldconfig
# 4. Configurazione Go environment
export CGO_CFLAGS="-O3 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2"
export CGO_LDFLAGS="-Wl,-z,relro,-z,now -loqs -lssl -lcrypto"
export GOFLAGS="-buildvcs=false"
# 5. Inizializzazione modulo Go
sudo -u www-data /usr/local/go/bin/go mod init nofuture
sudo -u www-data /usr/local/go/bin/go get -v \
github.com/awnumar/memguard@v0.22.3 \
github.com/open-quantum-safe/liboqs-go@latest \
golang.org/x/crypto@latest \
golang.org/x/sys@latest</code></pre>
<strong>MemGuard Initialization & Configuration:</strong><br>
<pre><code>
memguard.CatchInterrupt()
memguard.Purge()
unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)</code>
</pre>
<ul>
<li><strong>Secure Memory Locking:</strong> Prevents swapping sensitive data to disk</li>
<li><strong>Interrupt Handling:</strong> Automatic memory purge on SIGINT/SIGTERM</li>
<li><strong>Deep Memory Purge:</strong> Secure wiping of allocated buffers</li>
</ul>
<strong>MemGuard in Key Lifecycle Management:</strong><br>
<pre><code>passphrase, _ := memguard.NewImmutableRandom(32)
defer passphrase.Destroy()</code></pre>
<ul>
<li><strong>Immutable Buffers:</strong> Write-protected memory regions</li>
<li><strong>Ephemeral Storage:</strong> Keys exist only in protected memory</li>
<li><strong>Automatic Destruction:</strong> Guaranteed wipe with defer</li>
</ul>
<strong>Enclave-Based Cryptography:</strong><br>
<pre><code>func deriveEnclaveKey(passphrase *memguard.Enclave) {
passBuf, _ := passphrase.Open()
defer passBuf.Destroy()
}</code></pre>
<ul>
<li><strong>Double-Layer Protection:</strong> Enclave wrapping + locked buffers</li>
<li><strong>Controlled Exposure:</strong> Temporary buffer access patterns</li>
<li><strong>Zero-Copy Architecture:</strong> Minimize memory exposure</li>
</ul>
<strong>Quantum-Safe Key Exchange:</strong><br>
<pre><code>pubKey, secKey, _ := quantumKEMKeyPair()
defer pubKey.Destroy()
defer secKey.Destroy()</code></pre>
<ul>
<li><strong>MemGuard-Protected Keys:</strong>
<ul>
<li>Public Key: Immutable locked buffer</li>
<li>Private Key: Enclave-wrapped storage</li>
</ul>
</li>
<li><strong>Zeroization on Completion:</strong> Guaranteed key destruction</li>
</ul>
<strong>Secure Session Management:</strong><br>
<pre><code>type QuantumSession struct {
sessionKey *memguard.Enclave
remotePubKey *memguard.Enclave
}</code></pre>
<ul>
<li><strong>Enclave-Wrapped Session Keys:</strong> Encrypted memory storage</li>
<li><strong>Forward Secrecy:</strong> Ephemeral session keys</li>
<li><strong>Compartmentalization:</strong> Isolated memory regions per session</li>
</ul>
<strong>Memory-Hardened Cryptography:</strong><br>
<pre><code>lockedKey, _ := memguard.NewImmutableFromBytes(key)
defer lockedKey.Destroy()</code></pre>
<ul>
<li><strong>Argon2 in Protected Memory:</strong>
<ul>
<li>Memory-hard derivation in locked buffers</li>
<li>Secure salt handling</li>
</ul>
</li>
<li><strong>Multi-Layer Protection:</strong>
<ul>
<li>mlock() system calls</li>
<li>MADV_DONTDUMP flags</li>
<li>Guard pages</li>
</ul>
</li>
</ul>
<strong>MemGuard Best Practices</strong></b>
<ul>
<li>๐ Always use <code>defer .Destroy()</code> with LockedBuffers</li>
<li>๐ก๏ธ Prefer <code>NewImmutable</code> for long-lived secrets</li>
<li>โ ๏ธ Never expose Enclave contents to logging</li>
<li>๐ Use rolling buffers for repeated operations</li>
<li>๐งน Explicit <code>Purge()</code> after critical operations</li>
</ul>
|