OTP
saratoga:
--- Quote from: monoid on January 27, 2013, 09:42:06 PM ---The seed could be stored encrypted. So, just copying the file with the seed would not harm anyone.
--- End quote ---
Then where do you store the decryption key? On a second MP3 player :)
I guess a PIN number to decrypt the key is better than nothing, but it seems like a phone would be a lot more secure, since you can tie the key to the cell network and use the device's secure element/coprocessor.
monoid:
That's right. On the other side, the phone might be even much more insecure, if it is a smartphone with an internet connection. Viruses, trojans, worms... sooner or later.
It seems to me that an mp3 player with no internet and whose seed is protected by encryption using a password or at least a PIN is more secure than almost any smartphone which connects to the internet at least from time to time...
Generally it may be even more secure to have OTP in mp3 in software than a normal physical token. I have a physical token without a PIN, so if I lose it or it is stolen, there is no problem to use it.
But, OK. I am not sure if having OTP in an mp3 player is that good an idea. ;)
[Saint]:
--- Quote from: monoid on January 27, 2013, 11:12:30 PM ---It seems to me that an mp3 player with no internet and whose seed is protected by encryption using a password or at least a PIN is more secure than almost any smartphone which connects to the internet at least from time to time...
--- End quote ---
No. Seven different kinds of no. All kinds of no in fact. Or, if you prefer, just plain 'ol Vanilla No.
[Saint]
saratoga:
--- Quote from: monoid on January 27, 2013, 11:12:30 PM ---That's right. On the other side, the phone might be even much more insecure, if it is a smartphone with an internet connection. Viruses, trojans, worms... sooner or later.
--- End quote ---
Unless there is some flaw in the phone, there is no way for something like that to access the key though.
OTP:
Hi,
--- Quote from: torne on January 27, 2013, 05:47:06 PM ---Using Rockbox as an OTP device isn't very secure as we don't have any way to store the seed that prevents it from being trivially copied. Software OTP tokens generally run on systems that can protect application data. Someone having access to your player for a few seconds would be enough to duplicate the seed without you knowing.
--- End quote ---
This is true -- but as always, with physical access, it is game over on almost any device (evil maid and even hw tokens http://secgroup.ext.dsi.unive.it/projects/security-apis/tookan/).
I think the merits/application depend case-by-case according to the scenario; i.e. in the case of Gmail, most of the threats will be from very remote continents, and anybody in your environment will also be able to sniff and log.
I have understood that people wanted crypto support on Rockbox and it has not been approved. Would it be possible to have a crypto plugin instead to protect the seed?