[guardian-dev] info about master password

Massimo Canonico mex at di.unipmn.it
Sun May 1 05:25:08 EDT 2016

Hi all,

I'll have a third question, then I'll stop, I promise.

Does ZOM use cacheword too? Since the last commit of cacheword is quite 
old (Sept 2015), I thought that maybe Zom uses another library to manage 
the master password.

I was looking for some technical report concerning my three questions, 
but I did not find any.

Thanks for your patience and time.


On 28/04/16 19:04, Massimo Canonico wrote:
> Dear Nathan,
> thanks for your answer, very interesting. I didn't know about this 
> library.
> Looking at the readme I saw:
> "Passphrase Caching: store the passphrase in memory to avoid 
> constantly prompting the user"
> Two questions come to my mind:
> - which is the format used to store the passphrase in memory?
> - (considering my recent activity on memory dump) Having a memory dump 
> of the android device, is it possible to retrieve this passphrase?
> Best,
>     Massimo
> On 28/04/16 18:46, Nathan of Guardian wrote:
>> On Thu, Apr 28, 2016, at 12:05 PM, Massimo Canonico wrote:
>>> I was looking at the source code of ChatSecure (downloaded from git
>>> repo) in order to figure out how the master password is managed.
>> The master password is managed by our CacheWord library:
>> https://github.com/guardianproject/cacheword
>> CacheWord is an Android library project for passphrase caching and
>> management. It helps app developers securely generate, store, and access
>> secrets derived from a user's passphrase.
>> CacheWord is still under development. Proceed with caution
>> Broadly speaking this library assists developers with two related
>> problems:
>> - Secrets Management: how the secret key material for your app is
>>   generated, stored, and accessed
>> - Passphrase Caching: store the passphrase in memory to avoid constantly
>>   prompting the user
>> CacheWord manages key derivation, verification, persistence, passphrase
>> resetting, and caching secret key material in memory.
>> Features:
>> - Strong key derivation (PBKDF2)
>> - Secure secret storage (AES-256 GCM)
>> - Persistent notification: informs the user the app data is unlocked
>> - Configurable timeout: after a specified time of inactivity the app locks
>>   itself
>> - Manual clearing: the user can forcibly lock the application
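The following is an added illustration of the design the quoted README describes (PBKDF2 derivation, a persisted verifier, a timed in-memory cache with manual lock); it is not code from this thread or from the CacheWord library, and it says nothing about what CacheWord actually keeps in memory. It is written in Python with the standard library only, so the AES-256-GCM wrapping of app secrets is left out; the iteration count, salt length, verifier construction and class names are all assumptions made for the example. The point that bears on the memory-dump question is that what the cache holds is the derived key, not the passphrase, that it lives in a mutable buffer that is overwritten on lock or timeout, and that the timeout bounds the window in which a dump of the unlocked process could contain it.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed parameters for this example; they are not CacheWord's settings.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32            # 256-bit key, the size an AES-256 wrapping key would need
SALT_LEN = 16
VERIFIER_LABEL = b"example-passphrase-verifier"


def derive_key(passphrase: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: slow, salted derivation of a fixed-length key from a passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """Persistable value that lets a wrong passphrase be rejected without storing the key."""
    return hmac.new(key, VERIFIER_LABEL, "sha256").digest()


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place so its contents do not linger on the heap."""
    for i in range(len(buf)):
        buf[i] = 0


def enroll(passphrase: bytearray) -> dict:
    """First run: choose a salt, derive the key, persist salt + verifier (never the passphrase)."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(bytes(passphrase), salt)
    record = {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": make_verifier(key)}
    wipe(passphrase)
    return record


class ManualClock:
    """Clock that advances only when told to, so timeout behaviour is deterministic in tests."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class KeyCache:
    """Caches the derived key (not the passphrase) and forgets it after inactivity or on lock()."""

    def __init__(self, timeout_s: float, clock=time.monotonic) -> None:
        self._timeout = timeout_s
        self._clock = clock
        self._key = None  # type: Optional[bytearray]
        self._last_used = 0.0

    def unlock(self, passphrase: bytearray, record: dict) -> bool:
        key = derive_key(bytes(passphrase), record["salt"], record["iterations"])
        wipe(passphrase)  # caller's buffer is cleared whether or not the passphrase was right
        if not hmac.compare_digest(make_verifier(key), record["verifier"]):
            return False
        self._key = bytearray(key)
        self._last_used = self._clock()
        return True

    def key(self) -> Optional[bytes]:
        """Cached key, or None when locked or when the inactivity timeout has elapsed."""
        if self._key is None:
            return None
        if self._clock() - self._last_used > self._timeout:
            self.lock()
            return None
        self._last_used = self._clock()
        return bytes(self._key)

    def lock(self) -> None:
        """Manual clearing: zero the buffer and drop the reference."""
        if self._key is not None:
            wipe(self._key)
            self._key = None

    def is_locked(self) -> bool:
        return self._key is None


if __name__ == "__main__":
    record = enroll(bytearray(b"correct horse"))
    cache = KeyCache(timeout_s=60)
    print("wrong passphrase accepted:", cache.unlock(bytearray(b"wrong"), record))
    print("right passphrase accepted:", cache.unlock(bytearray(b"correct horse"), record))
    print("key available:", cache.key() is not None)
    cache.lock()
    print("after lock:", cache.key())
```

One honest caveat about the language choice: CPython cannot zero the immutable `bytes` copies that `pbkdf2_hmac` and `bytes(self._key)` create, so the wipe here is best-effort; the equivalent Java code would hold the passphrase and key in `char[]`/`byte[]` and `Arrays.fill` them for the same reason, which is why Java guidance prefers arrays over `String` for secrets.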
