[liberationtech] cellebrite report
Douglas Lucas
dal at riseup.net
Fri Mar 8 19:57:58 PST 2013
These alternative passcode systems are really neat. Is there a way,
though, to quantify, for the different systems, how plausibly the
passcode can be 1) remembered or 2) forgotten or 3) "forgotten"?
On 02/27/2013 09:42 AM, R. Jason Cronk wrote:
> You could play Guitar Hero to get in your phone...
>
> http://bojinov.org/professional/usenixsec2012-rubberhose.pdf
>
> Another option would be to use animal species. There are some 3-30
> million different species of animals. Even restricting oneself to
> vertebrates, you have about 50,000 species (a five fold increase over a
> 4 digit pin). The user would be presented with a series of reducing
> questions. Question 1) Amphibian, Reptile, Bird, Mammal, Fish, etc....
> The user need only remember how to get to their one animal choice.
> Additional orders of magnitude could be had by adding invertebrates,
> plants, minerals on the front end or subspecies on the back end.
>
> Jason
>
>
> On Wed, Feb 27, 2013 at 9:06 AM, Tom Ritter <tom at ritter.vg> wrote:
>
> The Passcode section of the report is blank, I guess indicating the
> user did not have a passcode?
>
> The article does mention passcodes:
>
> > All modern smartphones can be locked with a PIN or password, which can slow down,
> > or in some cases, completely thwart forensic analysis by the police (as well as a phone
> > thief or a prying partner). Make sure to pick a sufficiently long password: a 4 character
> > numeric PIN can be cracked in a few minutes, and the pattern-based unlock screen
> > offered by Android can be bypassed by Google if forced to by the government. Finally,
> > if your mobile operating system offers a disk encryption option (such as with Android
> > 4.0 and above), it is important to turn it on.
>
> The iPhone has a class of data that is encrypted when the device is
> locked, and decrypted based off a key derived in part by the passcode
> when unlocked. I think this, combined with separate passwords for FDE
> and screen unlocking would be good classes of improvements we can make
> in all mobile platforms (not just phones).
>
> I'd also love to see some research into alternative, higher entropy
> but simple-to-use screen unlock systems. At first I was thinking
> something akin to a pattern unlock, but a path through a 3D maze: your
> password is a series of turns, but even presented with five choices
> five times the keyspace is too small. What keyspaces present a large
> number of easy-to-parse options that fit nicely on a phone screen?
> Maybe a map? I've seen a few attempts[0,1, and others] but I've not
> been convinced they wind up with an order of magnitude more choices
> than the baseline 10000 of a 4-digit passcode.
>
> -tom
>
> [0] http://www.youtube.com/watch?v=kHBjzlFalvA
> [1] http://clam.rutgers.edu/~birget/grPssw/authSueE.pdf
> --
> Too many emails? Unsubscribe, change to digest, or change password
> by emailing moderator at companys at stanford.edu
> <mailto:companys at stanford.edu> or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
>
> --
> *R. Jason Cronk,* *Esq., CIPP*
> (828) 4RJCESQ
> rjc at privacymaverick.com
> blog.privacymaverick.com
>
>
>
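
Added example, not part of the original thread: the keyspaces mentioned above (4-digit PIN, five choices five times, about 50,000 vertebrate species) expressed in bits and as a ratio to the PIN baseline, alongside the Android 3x3 pattern counted by exhaustive search. The pattern rules (4 to 9 dots, no reuse, no jumping over an unused dot) and all function names are assumptions of this example.

```python
import math

def count_android_patterns(min_len=4, max_len=9):
    """Count valid unlock patterns on a 3x3 grid by exhaustive search.

    Assumed rules (not stated in the thread): 4 to 9 dots, no dot reused,
    and a stroke may cross a dot only if that dot is already in the pattern.
    """
    # skip[(a, b)] is the dot lying exactly halfway between dots a and b.
    skip = {}
    for a in range(9):
        for b in range(9):
            ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
            if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
                skip[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2

    def extend(last, used, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # dot already in the pattern
            mid = skip.get((last, nxt))
            if mid is not None and not used & (1 << mid):
                continue  # would jump over an unused dot
            total += extend(nxt, used | (1 << nxt), length + 1)
        return total

    return sum(extend(start, 1 << start, 1) for start in range(9))

def compare_schemes():
    """Return {scheme: (keyspace, bits, ratio to 4-digit PIN)}.

    Sizes are upper bounds: they assume every secret is equally likely.
    """
    schemes = {
        "4-digit PIN": 10 ** 4,                    # baseline from the thread
        "maze: 5 choices, 5 times": 5 ** 5,        # Tom Ritter's maze idea
        "vertebrate species": 50_000,              # Jason Cronk's figure
        "Android 3x3 pattern": count_android_patterns(),
    }
    baseline = schemes["4-digit PIN"]
    return {name: (n, math.log2(n), n / baseline) for name, n in schemes.items()}

if __name__ == "__main__":
    for name, (n, bits, ratio) in compare_schemes().items():
        print(f"{name:28s} {n:>8,d}  {bits:5.2f} bits  {ratio:6.2f}x PIN")
```

These figures say nothing about memorability, and real users do not choose uniformly, so the effective keyspace is smaller than each count.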