On Wed, Apr 4, 2012 at 5:06 PM, Adam Back <[email protected]> wrote:
> Surely one can't think of the limitations (requirement for cooperation from
> the OS to test the PIN) as if they are cryptographic limitations...
Yes, I'm thinking it's probably close to a degenerate case of cracking
a password from the desktop. Perhaps the wrinkle is getting the
password file or a file that one can test with (try the decrypt,
and if the HMAC is wrong then it's the wrong password).

> Apple probably supplies such a service themselves to law enforcement as a
> private Apple-approved ready-to-go app.
I know it's been rumored, but I don't recall seeing it in print from
Apple (or a tool leaked). I suspect Zdziarski, Miller or Morrissey
have some custom stuff ready for use.

I was hoping Solar Designer had some unique insights (he usually does
when it comes to passwords).

Jeff

> On Wed, Apr 04, 2012 at 03:45:09PM -0400, Jeffrey Walton wrote:
>>
>> Hi All,
>>
>> Older iOS devices used a 4 digit PIN code, which was next to no
>> protection. Newer iOS allow passcodes which consist of a full
>> (fuller?) alphabet.
>>
>> Assuming a weak password policy (for example, 4 or 6 characters) are
>> there any real benefits over PINs?
>>
>> What is the state of the art for mobile password cracking on iOS and
>> Android?
>>
>> PS, I am aware of XRY software
>>
>> (http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/)
>> and its limitation
>>
>> (http://9to5mac.com/2012/04/02/xrys-two-minute-iphone-passcode-exploit-debunked/)
>> (thanks LW).
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
