[guardian-dev] info about master password

Hans-Christoph Steiner hans at guardianproject.info
Sun May 1 10:33:08 EDT 2016

Yes, Zom still uses cacheword.


Massimo Canonico:
> Hi all,
> I'll have a third question, then I'll stop, I promise.
> Does ZOM use cacheword too? Since the last commit of cacheword is quite
> old (Sept 2015), I thought that maybe Zom uses another library to manage
> the master password.
> I was looking for some technical report concerning my three questions,
> but I did not find any.
> Thanks for your patience and time.
> Massimo
> On 28/04/16 19:04, Massimo Canonico wrote:
>> Dear Nathan,
>> thanks for your answer, very interesting. I didn't know about this
>> library.
>> Looking at the readme I saw:
>> "Passphrase Caching: store the passphrase in memory to avoid
>> constantly prompting the user"
>> Two questions come to my mind:
>> - which format is used to store the passphrase in memory?
>> - (considering my recent activity on memory dump) Having a memory dump
>> of the android device, is it possible to retrieve this passphrase?
>> Best,
>>     Massimo
>> On 28/04/16 18:46, Nathan of Guardian wrote:
>>> On Thu, Apr 28, 2016, at 12:05 PM, Massimo Canonico wrote:
>>>> I was looking at the source code of ChatSecure (downloaded from git
>>>> repo) in order to figure out how the master password is managed.
>>> The master password is managed by our CacheWord library:
>>> https://github.com/guardianproject/cacheword
>>> CacheWord is an Android library project for passphrase caching and
>>> management. It helps app developers securely generate, store, and access
>>> secrets derived from a user's passphrase.
>>> CacheWord is still under development. Proceed with caution.
>>> Broadly speaking this library assists developers with two related
>>> problems:
>>> - Secrets Management: how the secret key material for your app is
>>>   generated, stored, and accessed
>>> - Passphrase Caching: store the passphrase in memory to avoid constantly
>>>   prompting the user
>>> CacheWord manages key derivation, verification, persistence, passphrase
>>> resetting, and caching secret key material in memory.
>>> Features:
>>> - Strong key derivation (PBKDF2)
>>> - Secure secret storage (AES-256 GCM)
>>> - Persistent notification: informs the user the app data is unlocked
>>> - Configurable timeout: after a specified time of inactivity the app locks
>>>   itself
>>> - Manual clearing: the user can forcibly lock the application

PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
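
As an added illustration (not part of the original thread and not CacheWord's code), this plain-Java sketch shows the pattern the quoted README names: a PBKDF2-derived key wrapping a random secret under AES-256-GCM, with the in-memory arrays zeroed on lock. The class name, salt and IV sizes, iteration count and the HMAC-SHA256 PRF are assumptions.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not CacheWord's code. Class name, sizes and iteration count are assumptions.
public class PassphraseWrapDemo {
    static final int ITERATIONS = 100_000, SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    // Derive a 256-bit key-encryption key (KEK) from the passphrase with PBKDF2.
    static byte[] deriveKek(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy PBEKeySpec made of the passphrase
        }
    }

    // AES-256-GCM under the KEK: ENCRYPT_MODE wraps the secret, DECRYPT_MODE unwraps it.
    static byte[] gcm(int mode, byte[] kek, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(kek, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN], secret = new byte[32];
        rng.nextBytes(salt); rng.nextBytes(iv); rng.nextBytes(secret); // secret = the app's data key

        char[] pass = "constructed sample passphrase".toCharArray(); // constructed input
        byte[] kek = deriveKek(pass, salt);
        byte[] wrapped = gcm(Cipher.ENCRYPT_MODE, kek, iv, secret); // persist salt, iv, wrapped only
        System.out.println("unwrap ok: " + Arrays.equals(secret, gcm(Cipher.DECRYPT_MODE, kek, iv, wrapped)));

        // Lock: zero the arrays we hold (JCE key objects keep internal copies until collected).
        Arrays.fill(pass, '\0'); Arrays.fill(kek, (byte) 0); Arrays.fill(secret, (byte) 0);

        try { // a wrong passphrase derives a different KEK, so the GCM tag check fails
            gcm(Cipher.DECRYPT_MODE, deriveKek("wrong".toCharArray(), salt), iv, wrapped);
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase rejected");
        }
    }
}
```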
