[guardian-dev] "securely" stored on the SIM
Tom Ritter
tom at ritter.vg
Fri Mar 14 02:45:36 EDT 2014
On 11 March 2014 14:39, Aaron Lux <a at aaronlux.com> wrote:
> I saw this about the Vodafone Secure SIM and it's cool because Vodafone
> is enabling encryption by default. Saying the digital private key and
> corresponding certificates are "securely" stored on the SIM doesn't make
> sense to me. SIM storage capacity is limited and keys are likely small
> enough to be vulnerable to brute force attacks.

So I don't know anything special about Vodafone's implementation - but
I did want to point out that this is a misnomer. You can fit a good
amount of data on a SIM Card -
http://en.wikipedia.org/wiki/Subscriber_identity_module#Data

The recent BH talk about the DES keys on SIM cards was about how
network operators are still using old SIMs with weak keys and that
some operators have upgraded to secure (I believe 128-bit AES) keys.

You can write whole programs to run on the SIM card, that's what
https://code.google.com/p/seek-for-android/ is doing, including
putting your Two Factor Auth secret and generation code there:
https://code.google.com/p/seek-for-android/wiki/GoogleOtpAuthenticator

-tom