On Fri, Mar 4, 2011 at 12:43 PM, sebastian nielsen <[email protected]> wrote:
> Nikolay: In this case, the security is about singulary. The key should
> be copy protected, but it does not need to be use-protected because I
> want to be sure, that if I leave the phone on a table, go on toilet,
> come back and take it back, I can be sure that nobody has access to my
> key, even if they impersonated me in that little brief amount of time
> that I was on toilet for example.
> Having the key stored in "software" (e.g. software token or in standard
> phone memory), the key is no longer secure, since if I leave my phone
> out of sight even for a brief amount of time, it's possible that
> somebody just copied my key.
> If I store the key in software, I would need to have 100 % of sight of
> the phone all the times, else the key could be regarded as
> "compromised".

I know what you mean, but if someone has physical access to your phone, unless the hardware you store the key in is tamper resistant (i.e. a smart card), they can still extract it. The usual solution is to have the key encrypted by another key that is derived from a passphrase. That way, if the passphrase is sufficiently good, your key is protected even if they have access to your phone. If they copied the key, they still wouldn't be able to use it without the passphrase. Whether this level of security is sufficient for you is another matter.

What I fail to see is, how is it OK if they used your key? You want to protect it from copying, but not from being used by a third party. Maybe you have some special requirement, but it just doesn't make sense to me at this point.
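The passphrase-wrapping approach described in the reply above, shown as an added example that is not part of the original thread: the stored key is encrypted under a key derived from a passphrase, so a copied blob fails to decrypt without it. The class name, blob layout, iteration count and sample passphrases are assumptions made for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class WrappedKeyDemo {
    static final int ITERATIONS = 310_000; // assumption: tune to the target device
    static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit key-encryption key (KEK) from the passphrase and a per-blob salt.
    static SecretKeySpec deriveKek(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] kek = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(kek, "AES");
    }

    // Stored blob layout (hypothetical): salt(16) || iv(12) || AES-GCM ciphertext and tag.
    static byte[] wrap(byte[] key, char[] passphrase) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKek(passphrase, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(key);
        byte[] blob = Arrays.copyOf(salt, 28 + ct.length);
        System.arraycopy(iv, 0, blob, 16, 12);
        System.arraycopy(ct, 0, blob, 28, ct.length);
        return blob;
    }

    // Fails with AEADBadTagException when the passphrase (or the blob) is wrong.
    static byte[] unwrap(byte[] blob, char[] passphrase) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, 16);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKek(passphrase, salt), new GCMParameterSpec(128, blob, 16, 12));
        return c.doFinal(blob, 28, blob.length - 28);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // constructed sample key standing in for the real one
        byte[] blob = wrap(key, "correct horse battery staple".toCharArray());
        System.out.println(Arrays.equals(key, unwrap(blob, "correct horse battery staple".toCharArray())));
        try { unwrap(blob, "guess".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("copied blob, wrong passphrase: rejected"); }
    }
}
```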

