summaryrefslogtreecommitdiffstats
path: root/README.md
blob: 8b311c6ec8230f6321532d8b7470c17fc5aa7cf0 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<strong>Nofuture.go - Post-Quantum Cryptographic System</strong><br><br>

<strong>MemGuard Initialization & Configuration:</strong><br>

<pre>
        memguard.CatchInterrupt()
               memguard.Purge()
                 unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)
</pre>

 <strong>Secure Memory Locking:</strong> Prevents swapping sensitive data to disk
<strong>Interrupt Handling:</strong> Automatic memory purge on SIGINT/SIGTERM
<strong>Deep Memory Purge:</strong> Secure wiping of allocated buffers
        

<strong>MemGuard in Key Lifecycle Management:</strong><br>
        <pre><code>passphrase, _ := memguard.NewImmutableRandom(32)
defer passphrase.Destroy()</code></pre>
        <ul>
            <li><strong>Immutable Buffers:</strong> Write-protected memory regions</li>
            <li><strong>Ephemeral Storage:</strong> Keys exist only in protected memory</li>
            <li><strong>Automatic Destruction:</strong> Guaranteed wipe with defer</li>
        </ul>

<strong>Enclave-Based Cryptography:</strong><br>
        <pre><code>func deriveEnclaveKey(passphrase *memguard.Enclave) {
    passBuf, _ := passphrase.Open()
    defer passBuf.Destroy()
}</code></pre>
        <ul>
            <li><strong>Double-Layer Protection:</strong> Enclave wrapping + locked buffers</li>
            <li><strong>Controlled Exposure:</strong> Temporary buffer access patterns</li>
            <li><strong>Zero-Copy Architecture:</strong> Minimize memory exposure</li>
        </ul>


<strong>Quantum-Safe Key Exchange:</strong><br>
        <pre><code>pubKey, secKey, _ := quantumKEMKeyPair()
defer pubKey.Destroy()
defer secKey.Destroy()</code></pre>
        <ul>
            <li><strong>MemGuard-Protected Keys:</strong>
                <ul>
                    <li>Public Key: Immutable locked buffer</li>
                    <li>Private Key: Enclave-wrapped storage</li>
                </ul>
            </li>
            <li><strong>Zeroization on Completion:</strong> Guaranteed key destruction</li>
        </ul>

<strong>Secure Session Management:</strong><br>
        <pre><code>type QuantumSession struct {
    sessionKey   *memguard.Enclave
    remotePubKey *memguard.Enclave
}</code></pre>
        <ul>
            <li><strong>Enclave-Wrapped Session Keys:</strong> Encrypted memory storage</li>
            <li><strong>Forward Secrecy:</strong> Ephemeral session keys</li>
            <li><strong>Compartmentalization:</strong> Isolated memory regions per session</li>
        </ul>


<strong>Memory-Hardened Cryptography:</strong><br>
        <pre><code>lockedKey, _ := memguard.NewImmutableFromBytes(key)
defer lockedKey.Destroy()</code></pre>
        <ul>
            <li><strong>Argon2 in Protected Memory:</strong>
                <ul>
                    <li>Memory-hard derivation in locked buffers</li>
                    <li>Secure salt handling</li>
                </ul>
            </li>
            <li><strong>Multi-Layer Protection:</strong>
                <ul>
                    <li>mlock() system calls</li>
                    <li>MADV_DONTDUMP flags</li>
                    <li>Guard pages</li>
                </ul>
            </li>
        </ul>

<strong>MemGuard Best Practices</strong></b>
        <ul>
            <li>๐Ÿ”’ Always use <code>defer .Destroy()</code> with LockedBuffers</li>
            <li>๐Ÿ›ก๏ธ Prefer <code>NewImmutable</code> for long-lived secrets</li>
            <li>โš ๏ธ Never expose Enclave contents to logging</li>
            <li>๐Ÿ”„ Use rolling buffers for repeated operations</li>
            <li>๐Ÿงน Explicit <code>Purge()</code> after critical operations</li>
        </ul>