[guardian-dev] SQLCipher and ElcomSoft Presentation at BlackHatEU

Stephen Lombardo sjlombardo at zetetic.net
Fri Mar 16 18:06:52 EDT 2012


Hi Folks,

During the third day of the BlackHatEU conference, Andrey Belenko and
Dmitry Sklyarov of ElcomSoft presented an analysis of iOS and Blackberry
password managers entitled “Secure Password Managers” and “Military-Grade
Encryption” on Smartphones: Oh, Really?. It was a complete analysis of 17
of the most popular password management programs showing that many password
managers store data in an unencrypted format, "encrypted so poorly that
they can be recovered instantly", or are susceptible to basic cracking
techniques.

One of the apps reviewed in the paper was Zetetic's Strip Lite, which as
you may know, is backed entirely by SQLCipher. As such, the results of
their findings hold true for all apps using SQLCipher. From the reports
we've heard it was noted as the one exception that properly implemented
strong cryptography, was "by far the most resilient app to password
cracking", and the most secure app for iOS.

However, the paper includes some brute force cracking estimates that serve
as an important reminder about the need to use a strong passphrase when
encrypting data. Their estimates show clearly that given suitably fast GPUs
it would be possible to brute force standard numeric PIN numbers due to
their low entropy / small search space.

This topic has been discussed exhaustively on this list in the past, but
the security of SQLCipher is highly dependent on the security of the key
used. Even though we take great pains to increase the difficulty of brute
force attacks using PBKDF2, and avoid dictionary / rainbow table attacks
with the per database salt, these techniques can only be successful if
a suitably strong key is chosen.

Here are links to the presentation [
http://www.elcomsoft.com/WP/BH-EU-2012.pdf], whitepaper [
http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf] and our initial thoughts on
the analysis [
http://zetetic.net/blog/2012/3/16/elcomsofts-password-manager-shakedown.html
].

If there was anyone in attendance at the conference we'd love to hear from
someone who was there and listening to the presentation live.

Cheers,
Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20120316/9421210c/attachment.htm>


More information about the Guardian-dev mailing list