Security of Mac Keychain, Filevault
Jeffrey I. Schiller
jis at mit.edu
Mon Nov 2 17:36:07 EST 2009
----- "Jerry Leichter" <leichter at lrw.com> wrote:
> for iPhone's and iPod Touches, which are regularly used to hold
> passwords (for mail, at the least).
I would not (do not) trust the iPhone (or iPod Touch) to protect a
high value password. Or more to the point I would change any such
password if my iPhone went unaccounted for.
In the case of the Mac Keychain and Filevault, if implemented
correctly, the security hinges on a secret that you know. Pick a good
secret (high entropy) and you are good. Pick a poor one, well...
However the iPhone’s keychain is not encrypted in a password. Instead
it is encrypted in a key derived from the hardware. The iPhone
Dev-Team, the folks who regularly jail break the iPhone, seem to have
little problem deriving keys from the phone! Note: Setting a phone
lock password doesn’t prevent me from accessing the phone using the
various jail breaking tools. Presumably once I have control of the
phone, I have access to any of the keys on it.
-Jeff
--
========================================================================
Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis at mit.edu
========================================================================
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list