
Encryption keys in Zephir extension?

Would there be any security added to a web application by putting the encryption keys into a Zephir extension? Instead of needing to read the encryption key from a file (which may accidentally be leaked or stolen), the keys would be available only through the extension. Or is this just security through obscurity without any real benefit?



Accepted answer

Any raw string in a .so library or DLL can be easily viewed using a utility like 'strings' on Linux/Mac or Hexdump on Windows:

strings ext/modules/test.so

So putting your passwords there would only protect you against newbies. However, you can create the passwords by using some algorithm that builds the strings at runtime:

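var map, password, key, value;

// Encoded bytes; the real characters only exist after the loop runs
let map = [0x77, 0x7e, 0x7d, 0x6a, 0x6d, 0x77, 0x6f, 0x79], password = "";
for key, value in map {
        // Even positions are shifted by 10, odd positions by 5
        if (key + 1) & 1 {
                let password .= chr(value - 10);
        } else {
                let password .= chr(value - 5);
        }
}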

The above algorithm is very basic; however, it requires a disassembler to find out the password, which raises the level required of those who want to read it.
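
An added example in Python, not part of the original answer: a `strings`-style scan over a constructed byte blob shows that a raw key literal is visible while the runtime-built one is not, and that replaying the answer's loop still recovers it. The blob, `RAW_KEY` and the 32-bit layout of the map are assumptions made for illustration, not the layout of a real compiled extension.

```python
import re
import struct


def printable_runs(blob, min_len=4):
    """Return runs of printable ASCII, as the `strings` utility reports by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def decode_map(values):
    """Replay the answer's loop: even index -> value - 10, odd index -> value - 5."""
    return "".join(chr(v - 10 if (i + 1) & 1 else v - 5) for i, v in enumerate(values))


# The byte map from the answer above.
MAP = [0x77, 0x7E, 0x7D, 0x6A, 0x6D, 0x77, 0x6F, 0x79]

# Constructed stand-in for a compiled module (not a real .so): one key kept as
# a raw string literal, and the map kept as separate little-endian 32-bit
# integers. That layout is an assumption for this example.
RAW_KEY = b"raw-key-in-binary"  # constructed sample value
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + RAW_KEY + b"\x00"
    + b"".join(struct.pack("<I", v) for v in MAP)
    + b"\x00" * 4
)


def audit(blob):
    """Report which secrets a plain string scan exposes in the blob."""
    found = printable_runs(blob)
    decoded = decode_map(MAP)
    return {
        "raw_key_visible": RAW_KEY.decode("ascii") in found,
        "decoded_visible": decoded in found,
        "decoded": decoded,
    }


if __name__ == "__main__":
    print(printable_runs(SAMPLE_BLOB))
    print(audit(SAMPLE_BLOB))
```

The scan misses the obfuscated value, but anyone who reads the loop out of the module gets the key with one pass of `decode_map`, so the key should still be treated as recoverable by whoever holds the binary.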

Great help and advice. Thank you.