[guardian-dev] Progress on SQLCipher for Android
jonathan.lideskold at gmail.com
Wed Aug 31 07:53:56 EDT 2011
I think this is very relevant for password security on smartphones:
On Wed, Aug 31, 2011 at 05:20, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On 08/30/2011 10:54 PM, Moritz Bartl wrote:
>> I looked at it and was wondering: Doesn't a PIN protection give the
>> impression of false security in regard to simple brute force attacks?
> I would love to brainstorm on effective usable designs for long
> passphrase entry on a mobile device. Perhaps an open-ended passphrase
> field makes more sense, so the user can device how strong they want it
> to be. I've also though about using a QRCode scanner to read a very long
> key in the form of QR Code you print out, and keep in your wallet.
> In terms of what SQLCipher does with the short passphrase (aka "PIN")
> once you enter it, I do feel comfortable there:
> from http://sqlcipher.net/design/
> "When initialized with a passphrase SQLCipher derives the key data using
> PBKDF2 (OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1). Each database is initialized
> with a unique pseduo-random salt in the first 16 bytes of the file. This
> salt is used for key derivation and it ensures that even if two
> databases are created using the same password will not have the same
> encryption key."
>> Also, I think a lot of users might confuse the "Enter PIN" dialog with a
>> dialog requesting them to enter their phone/SIM pin.
> Right.. okay, well I think we will change to using "passphrase" or some
> other mechanism in our demo app.
> Thanks for the feedback!
> Guardian-dev mailing list
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To Unsubscribe
> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/jonathan.lideskold%40gmail.com
> You are subscribed as: jonathan.lideskold at gmail.com
More information about the Guardian-dev