[Cryptography] Security weakness in iCloud keychain
Bill Frantz
frantz at pwpconsult.com
Mon May 7 09:11:33 EDT 2018
I'm reading the comments about the evils of storing passwords
with somewhat wry amusement. Here we have what is generally
considered a really bad authentication mechanism where you don't
need to have the computer store the secret. When we go to
stronger authentication, it is much more likely that we will
need to have the computer store the secret. Consider:
(1) Signed challenge with public key crypto, user certs, or
other similar trickery. The secret key probably needs to be
stored in the computer because very very few people could
remember it, or even copy it correctly from a piece of paper
into the computer. If the secret is in an enclave/TCM, you have
authenticated the computer and not the user -- which may be the
correct behavior for some applications.
(2) Two factor authentication using a cell phone: These schemes
usually use a password + a nonce sent to the cell phone. Good
for low and medium security applications, but a nation state
attacker could intercept the call.
Are there any schemes that we should consider?
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz        | "Web security is like medicine - trying to do good for
408-356-8506       | an evolved body of kludges" - Mark Miller
www.pwpconsult.com |