Re: Let's share some useful Python code

Your points are very reasonable ones.
"2, They just *might* be able to capture packets if they were determined enough. It might be possible to decrypt them, and then they have a key." Not necessarily true. Given that AWS requires that you use HTTPS and TLS, the likelihood of someone being able to extract anything useful out of the data stream between the client and server is just as likely as someone managing to break AES-256 in GCM mode (or ChaCha20+poly1305) within the next hour of this post being written, with all of the cryptographic parameters set to their most secure settings.
"Also, I'm curious. What's to stop someone from freezing the Python program and pulling out the key, AWS or not, right as you're passing it to the decrypt function?" Nothing. This is one of those instances where timing is the key though. Someone would need to know:
* how long it takes the key to be retrieved; and
* the exact time -- down to the nanosecond -- when the key is in memory but has not been wiped and just before it is passed into the initialization function.
You could also debug the interpreter or the code using PDB, but that's assuming that you call breakpoint() somewhere. There are other factors I'm forgetting though.
"Also, do you think it's a good idea to scatter bytes of the key or other required data in certain locations?" In what way? Usually I would say no, purely because it increases the attack surface, which in return means you have more regions to protect.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
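
The window the post describes, when the key is in memory but has not yet been wiped, can be narrowed by keeping the key in a mutable buffer and overwriting it as soon as it has been used. This is an added example, not part of the original post; `fetch_key_into`, `short_lived_key`, `sign` and the sample key are hypothetical names and values, and copies made inside the interpreter, the TLS stack or the crypto library are outside its control.

```python
import hashlib
import hmac
from contextlib import contextmanager

# Constructed sample key for the demo; a real key would come from a key service.
SAMPLE_KEY = bytes(range(32))


def fetch_key_into(buf):
    """Hypothetical fetch routine: fills a caller-owned mutable buffer in place."""
    buf[:] = SAMPLE_KEY  # same length, so the existing buffer is overwritten


def wipe(buf):
    """Zero a bytearray in place. Immutable bytes objects cannot be wiped this way."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def short_lived_key(fetch, size=32):
    """Yield a key that exists only for the body of the with-block."""
    key = bytearray(size)
    try:
        fetch(key)
        yield key
    finally:
        # Runs on normal exit and on exceptions, so the key never outlives its use.
        wipe(key)


def sign(message):
    """Compute an HMAC-SHA256 tag while holding the key as briefly as possible."""
    with short_lived_key(fetch_key_into) as key:
        tag = hmac.new(key, message, hashlib.sha256).digest()
    # The buffer is returned only so a caller can confirm that it was zeroed.
    return tag, key


if __name__ == "__main__":
    tag, buf = sign(b"example message")
    print(tag.hex())
    print("key wiped:", buf == bytearray(len(buf)))
```

This shortens the time the key is readable in this process; it does not stop someone who can attach a debugger or dump memory while the `with` block is running.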