----- "Jerry Leichter" <leich...@lrw.com> wrote: > for iPhone's and iPod Touches, which are regularly used to hold > passwords (for mail, at the least).
I would not (do not) trust the iPhone (or iPod Touch) to protect a high value password. Or more to the point I would change any such password if my iPhone went unaccounted for. In the case of the Mac Keychain and Filevault, if implemented correctly, the security hinges on a secret that you know. Pick a good secret (high entropy) and you are good. Pick a poor one, well... However the iPhone’s keychain is not encrypted in a password. Instead it is encrypted in a key derived from the hardware. The iPhone Dev-Team, the folks who regularly jail break the iPhone, seem to have little problem deriving keys from the phone! Note: Setting a phone lock password doesn’t prevent me from accessing the phone using the various jail breaking tools. Presumably once I have control of the phone, I have access to any of the keys on it. -Jeff -- ======================================================================== Jeffrey I. Schiller MIT Network Manager/Security Architect PCI Compliance Officer Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice j...@mit.edu ======================================================================== --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com