Yes. We passed the audit with flying colors! :) On Wed, Oct 26, 2016, at 11:54 AM, Hans-Christoph Steiner wrote: > > Wait, what? Did they really just include this sentence in their > abstract: > > "we devise a technique able to decrypt them when the secret passphrase, > chosen by the user as the initial step of the encryption process, is > known. " > > Am I wrong in reading this as: > "we can unlock chatsecure when we know the password" > > .hc > > Chris Ballinger: > > This looks like a silly report, and would apply to any other app using > > SQLCipher in a long running process, and in this case it's required to > > receive messages in the background. From a quick read it looks like the > > same passphrase is stored twice in memory for both the media and message > > store which helps their recovery process, but once you have physical access > > to a decrypted device in USB debugger mode there's all sorts of other ways > > you can recover it. > > > > > >> we devise > >> a technique able to decrypt them when the secret passphrase, chosen by > >> the user as the initial step of the encryption process, is known. > > > > > > It's pretty obvious how you'd decrypt a SQLCipher database when the > > passphrase is known. > > > > Furthermore, we show how this passphrase can be identified and extracted > >> from the volatile memory of the device, where it persists for the entire > >> execution of ChatSecure after having been entered by the user, thus > >> allowing one to carry out decryption even if the passphrase is not > >> revealed by the user. > > > > > > This is how encrypted databases work and there's not really a way around > > it. You can encrypt the key in memory, but then you gotta keep the key for > > the key somewhere else in memory. Even on iOS where you can store keys in > > the device keychain, when the database is active the key needs to be in > > memory somewhere. > > > > Finally, we discuss how to analyze and correlate the data stored in the > >> databases used by ChatSecure to identify the IM accounts used by the > >> user and his/her buddies to communicate, as well as to reconstruct the > >> chronology and contents of the messages and files that have been > >> exchanged among them. > > > > > > It's pretty easy to dump SQL tables.. > > > > > > > > > > > > > > On Wed, Oct 26, 2016 at 10:23 AM, Nathan of Guardian < > > [email protected]> wrote: > > > >> A great publication that really looks into detail on how we use > >> SQLCipher, IOCipher and CacheWord in ChatSecure Android, and many other > >> apps. > >> > >> Any thoughts on possible improvements to key management, data > >> reducation, etc, would be great to hear. > >> > >> *** > >> > >> Tweet: https://twitter.com/arxiv_org/status/790671148002398208 > >> > >> and publication: > >> https://arxiv.org/abs/1610.06721 > >> > >> Forensic Analysis of the ChatSecure Instant Messaging Application on > >> Android Smartphones > >> > >> Cosimo Anglano, Massimo Canonico, Marco Guazzone > >> (Submitted on 21 Oct 2016) > >> We present the forensic analysis of the artifacts generated on Android > >> smartphones by ChatSecure, a secure Instant Messaging application that > >> provides strong encryption for transmitted and locally-stored data to > >> ensure the privacy of its users. > >> We show that ChatSecure stores local copies of both exchanged messages > >> and files into two distinct, AES-256 encrypted databases, and we devise > >> a technique able to decrypt them when the secret passphrase, chosen by > >> the user as the initial step of the encryption process, is known. > >> Furthermore, we show how this passphrase can be identified and extracted > >> from the volatile memory of the device, where it persists for the entire > >> execution of ChatSecure after having been entered by the user, thus > >> allowing one to carry out decryption even if the passphrase is not > >> revealed by the user. > >> Finally, we discuss how to analyze and correlate the data stored in the > >> databases used by ChatSecure to identify the IM accounts used by the > >> user and his/her buddies to communicate, as well as to reconstruct the > >> chronology and contents of the messages and files that have been > >> exchanged among them. > >> For our study we devise and use an experimental methodology, based on > >> the use of emulated devices, that provides a very high degree of > >> reproducibility of the results, and we validate the results it yields > >> against those obtained from real smartphones. > >> > >> > >> > >> -- > >> Nathan of Guardian > >> [email protected] > >> _______________________________________________ > >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >> To unsubscribe, email: [email protected] > >> > > > > > > > > _______________________________________________ > > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > > To unsubscribe, email: [email protected] > > > > -- > PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 > https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556 > _______________________________________________ > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > To unsubscribe, email: [email protected]
-- Nathan of Guardian [email protected] _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
