tailieunhanh - cryptography for developers PHẦN 9

Trong hầu hết các hệ điều hành hiện đại, bộ nhớ được sử dụng bởi một chương trình (hay quá trình) được biết đến như là bộ nhớ ảo. Bộ nhớ không có địa chỉ cố định vật lý và có thể được di chuyển giữa các địa điểm và thậm chí trao đổi vào đĩa (thông qua trang huỷ bỏ hiệu lực). | 338 Chapter 7 Encrypt and Authenticate Modes In most modern operating systems the memory used by a program or process is known as virtual memory. The memory has no fixed physical address and can be moved between locations and even swapped to disk through page invalidation . This latter action is typically known as swap memory as it allows users to emulate having more physical memory than they really do. The downside to swap memory however is that the process memory could contain sensitive information such as private keys usernames passwords and other credentials. To prevent this an application can lock memory. In operating systems such as those based on the NT kernel . Win2K WinXP locking is entirely voluntary and the OS can choose to later swap nonkernel data out. In POSIX compatible operating systems such as those based on the Linux and the BSD kernels a set of functions such as mlock munlock mlockall and so forth have been provided to facilitate locking. Physical memory in most systems can be costly so the polite and proper application will request to lock as little memory as possible. In most cases locked memory will span a region that contains pages of memory. On the x86 series of processors a page is four kilobytes. This means that all locked memory will actually lock a multiple of four kilobytes. Ideally an application will pool its related credentials to reduce the number of physical pages required to lock them in memory. 345 error 346 if skey uskey 347 XFREE skey 348 349 350 return err 351 Upon successful completion of this function the user now has the ciphertext or plaintext depending on the direction and the CCM tag. While the function may be a tad long it is nicely bundled up in a single function call making its deployment rather trivial. Putting It All Together This chapter introduced the two standard encrypt and authenticate modes as specified by both NIST and IEEE. They are both designed to take a single key and IV nonce and produce a ciphertext