[guardian-dev] info about master password
mex at di.unipmn.it
Sun May 1 05:25:08 EDT 2016
I'll have a third question, then I'll stop, I promise.
Does ZOM use cacheword too? Since the last commit of cacheword is quite
old (Sept 2015), I thought that maybe Zom uses another library to manage
the master password.
I was looking for some technical report concerning my three questions,
but I did not find any.
Thanks for your patience and time.
On 28/04/16 19:04, Massimo Canonico wrote:
> Dear Nathan,
> thanks for your answer, very interesting. I didn't know about this.
> Looking at the readme I saw:
> "Passphrase Caching: store the passphrase in memory to avoid
> constantly prompting the user"
> Two questions come to my mind:
> - which is the format used to store the passphrase into the memory?
> - (considering my recent activity on memory dump) Having a memory dump
> of the Android device, is it possible to retrieve this passphrase?
> On 28/04/16 18:46, Nathan of Guardian wrote:
>> On Thu, Apr 28, 2016, at 12:05 PM, Massimo Canonico wrote:
>>> I was looking at the source code of ChatSecure (downloaded from git
>>> repo) in order to figure out how the master password is managed.
>> The master password is managed by our CacheWord library:
>> CacheWord is an Android library project for passphrase caching and
>> management. It helps app developers securely generate, store, and access
>> secrets derived from a user's passphrase.
>> CacheWord is still under development. Proceed with caution
>> Broadly speaking this library assists developers with two related
>> Secrets Management: how the secret key material for your app is
>> generated, stored, and accessed
>> Passphrase Caching: store the passphrase in memory to avoid constantly
>> prompting the user
>> CacheWord manages key derivation, verification, persistence, passphrase
>> resetting, and caching secret key material in memory.
>> Strong key derivation (PBKDF2)
>> Secure secret storage (AES-256 GCM)
>> Persistent notification: informs the user the app data is unlocked
>> Configurable timeout: after a specified time of inactivity the app locks
>> Manual clearing: the user can forcibly lock the application