← Back to team overview

ubuntu-phone team mailing list archive

Re: [Development] Solution for a password/secret storage

 

Dear Sam
I am sure many people follow the Guardian Project, but for those who don't here is a repost that may be worth considering.


QUOTE 
Hey folks,

I'm inviting Android app developers to check out a new library from
Guardian Project that aims to solve your password handling woes.

Password handling is not a trivial task. This is especially so in
security and privacy conscious applications. Prompting the user for the
pass is the easiest part, after that there are a myriad of questions,

* How do you store the password?
* Do you hash it?
* With which hash function?
* How many iterations?
* How do you verify the password?
* Reset it?
* How often do I prompt the user for the password?
* How do you use it to actually encrypt things?

.. to name a few.

We see this regularly issue across apps using SQLCipher and IOCipher.

I present CacheWord, a library that aims to answer and implement as many
of those questions as possible.

Source Code & Simple Sample
   https://github.com/guardianproject/cacheword/

Security Notes
  https://github.com/guardianproject/cacheword/edit/master/SECURITY.md

Complex Sample
   https://github.com/guardianproject/notepadbot/tree/cacheword


NOTE: Development is still under way and this library IS NOT ready for
production use.

However, I'd like it to start getting some exposure and getting feedback
from developers regarding the API.

Cheers,

~abel
UNQUOTE


On 20 Mar, 2013, at 1:36 AM, Sam Bull <sam.hacking@xxxxxxxx> wrote:

> Hey guys,
> 
> Having a seamless security system, is something I think is very
> important and have been thinking a lot about this recently.
> 
> I recently wrote a proposal for desktop security, and maybe this might
> give you something to think about when designing security on the phone.
> http://blog.sambull.org/security-design
> 
> As a quick thought about what I'd like to see. I would like to keep the
> current design, with no lock screen. Then have a settings page where you
> can choose which applications to lock. If you try to open one of the
> locked applications, it unlocks it with your keyring, asking for your
> password if needed.
> 
> It would be even better if we could also allow more fine-grained
> control, as supported by each application. So, for example, the
> telephony application could allow you to access it and view everything,
> but require a password from the keyring in order to make a phone call or
> send a message. This fine-grained control should be available in the
> same settings page.
> 
> As the phone is used differently to a desktop, I would suggest that the
> keyring would automatically re-lock after a time delay (like 10 mins),
> when the screen is switched off, or a combination of both.
> 
> I might make a mock-up of the settings page when I get back later. What
> do people think about this design?
> 
> -- 
> Mailing list: https://launchpad.net/~ubuntu-phone
> Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-phone
> More help   : https://help.launchpad.net/ListHelp

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


Follow ups

References