Hi Brian,

On Fri, Sep 7, 2012 at 5:15 PM, Brian Carlstrom <[email protected]> wrote:
> https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java
> seems to be a good place to start reading the source.

Thanks for the link.
Is there any chance to have Google Security review the file in 2012 (it was originally released in 2007)? Some items are like sticking ice picks in a security professional's eye :)

For example, checkPassword(String password) takes a String rather than a char[]. The EditText that the password is retrieved from will provide the char[]. I've actually been on the conference calls where the artifacts are found in memory by the Pen Testers (both iOS and Android). "Using Password-Based Encryption," http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#PBEEx.

I'm not sure the password history with a small, static salt is a good idea. The history with a static salt turns a single-instance problem into multiple single-instance problems rather than a multi-instance problem. Also, if any of the past passwords have been reused elsewhere (face it...), other external sites might be compromised due to a trail of no-longer-used passwords. "Multi-Instance Security and its Application to Password-Based Cryptography," eprint.iacr.org/2012/196.pdf.

MD5. Verbum sapienti.

SHA-1 is no longer approved for Federal use, and the algorithm is wounded. It provided 80 bits of theoretical security way back when, but it's closer to 50 bits now. This affects both Federal and Enterprise in the US. "SHA-1 collisions now 2^52," http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf (Flame FTW!).

getLockoutAttemptDeadline depends upon an accurate clock. What happens if someone pulls the SIM card so the phone cannot get a time update? Is the result an uncaught exception, a date of 2005, or -1 cast to the year 2038 (or some other future value)?

Jeff

> On Fri, Sep 7, 2012 at 12:43 PM, Pandit <[email protected]> wrote:
>>
>> Hello,
>>
>> I believe the user PIN/password is stored in hash form with salt
>> included. I have some questions around this area below:
>>
>> What is the size of the salt?
>> How is salt generated (random etc.)?
>> Where is the salt kept?
>> Where is the result hashed kept?
>>
>> Thank you,
>> -Pandit
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Android Security Discussions" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/android-security-discuss/-/ApKte4P9q00J.
>> To post to this group, send email to
>> [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/android-security-discuss?hl=en.
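The static-salt point in Jeff's message, as an added illustration for this page (this is not code from Android's LockPatternUtils, nor from either poster): two ways of storing a password history, one with a small fixed salt shared by every entry and one with a fresh random salt per entry, attacked with the same wordlist. The salt sizes, the PBKDF2 iteration count, the wordlist and the history contents are all constructed for the demo; PBKDF2-HMAC-SHA256 stands in for whatever hash the real code uses so that the only variable is the salt policy.

```python
"""
Added illustration (not Android's code): why a small, static salt shared by
every entry in a password history is weaker than a fresh random salt per
entry. The measure is how many hash computations a dictionary attack needs
to test a wordlist against N stored entries. All parameters are constructed.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 4096            # PBKDF2 work factor chosen for the demo, not Android's value
STATIC_SALT = b"\x00\x01"    # constructed 2-byte fixed salt standing in for "small, static"
RANDOM_SALT_LEN = 16         # per-entry random salt length (bytes) in the stronger scheme


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow salted hash; the salt policy is the only thing that differs between schemes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_history_static(passwords):
    """Weak scheme: every history entry is hashed under the same fixed salt."""
    return [(STATIC_SALT, hash_password(p, STATIC_SALT)) for p in passwords]


def store_history_random(passwords):
    """Stronger scheme: each entry gets its own random salt, stored next to its hash."""
    history = []
    for p in passwords:
        salt = secrets.token_bytes(RANDOM_SALT_LEN)
        history.append((salt, hash_password(p, salt)))
    return history


def dictionary_attack(history, wordlist):
    """
    Test every guess against every stored entry. Returns (recovered, hash_ops):
    recovered maps entry index -> cracked password; hash_ops counts PBKDF2 calls.
    The cache models an attacker's table keyed by (salt, guess). With one static
    salt a guess is hashed once and compared against all entries, so the history
    is just N copies of the same single-instance problem; with per-entry salts
    each guess has to be re-hashed for every entry.
    """
    recovered = {}
    hash_ops = 0
    cache = {}
    for guess in wordlist:
        for idx, (salt, digest) in enumerate(history):
            key = (salt, guess)
            if key not in cache:
                cache[key] = hash_password(guess, salt)
                hash_ops += 1
            if hmac.compare_digest(cache[key], digest):
                recovered[idx] = guess
    return recovered, hash_ops


# Constructed sample data: five historical passwords, four of which are in the wordlist.
HISTORY_PASSWORDS = ["hunter2", "dragon", "correct horse battery", "123456", "monkey"]
WORDLIST = ["letmein", "123456", "password", "qwerty", "dragon",
            "monkey", "hunter2", "sunshine", "iloveyou", "football"]


def run_demo():
    """Attack both storage schemes with the same wordlist and report the cost of each."""
    static_rec, static_ops = dictionary_attack(store_history_static(HISTORY_PASSWORDS), WORDLIST)
    random_rec, random_ops = dictionary_attack(store_history_random(HISTORY_PASSWORDS), WORDLIST)
    return {
        "static_ops": static_ops,        # == len(WORDLIST)
        "random_ops": random_ops,        # == len(WORDLIST) * len(HISTORY_PASSWORDS)
        "static_recovered": static_rec,
        "random_recovered": random_rec,
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"static salt : {result['static_ops']} hashes, recovered {result['static_recovered']}")
    print(f"random salts: {result['random_ops']} hashes, recovered {result['random_recovered']}")
```

Both schemes give up the same four entries, but the static-salt history costs the attacker one hash per guess for the whole history, while per-entry salts cost one hash per guess per entry. That cost ratio is the practical form of the single-instance versus multi-instance distinction raised above; the iteration count and salt length here are demo values, and a real store would pick a slow, per-entry-salted KDF rather than MD5 or SHA-1.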
