/
palm-passwords.html
276 lines (263 loc) · 13 KB
/
palm-passwords.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
<html>
<head>
<title>Password Storing Programs on Palm-based PDAs</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body bgcolor="#FFFFFF">
<center><font size="+2"<b>
Password Storing Programs on Palm-based PDAs</b></font></center><br>
<center><font size="+2"<b>March 18, 2002</b></font></center><br>
A common use for PDAs is store useful passwords (and similar
kinds of confidential information, such as credit card numbers).
Ideally, of course, you wouldn't use a PDA <i>or</i> paper to
store passwords - you should memorize all your passwords.
For many this is impractical, because they have too many passwords to remember.
<p>
Here are some suggestions for
<a href="https://dwheeler.com/oss_fs_refs.html">open source software / free
software (OSS/FS)</a>
available for the Palm,
For more information on the advantages of OSS/FS, see
<a href="https://dwheeler.com/oss_fs_why.html"><i>Why OSS/FS?
Look at the Numbers!</i></a>
<p>
If you choose to store passwords on a PDA, there is the risk of someone
else getting your passwords by stealing the PDA or reading the PDA's
database backups.
Thus, if you use a PDA to store important passwords, you <i>must</i>
use a program specifically designed to store passwords.
You should <i>not</i> store important passwords on your PDA using the ``hide''
command, because these can be easily unhidden.
The built-in password protection for hidden text is useless, because
the data isn't actually encrypted.
Password protecting the entire PDA doesn't really help either - most PalmOS
systems support a ``debug'' command that bypasses the PalmOS login screen
(for more about this and other PalmOS security weaknesses, see
<a href="http://www.usenix.org/events/sec01/kingpin.html">
<i>Security Analysis of the Palm Operating System
and its Weaknesses Against Malicious Code Threats </i></a>
by Kingpin and Mudge, Usenix Security 2001).
<p>
For storing passwords, there's a wonderful problem - there are <i>three</i>
programs that meet this need reasonably well.
They all work the same way: they encrypt all the passwords and related
data using a single ``master'' password, so instead of having to remember
many passwords you only need to remember one.
This means that the major weakness for any of these programs is the
master password - you <i>must</i> choose a good, hard-to-guess master
password or any of these programs can be quickly subverted, and you
<i>must</i> remember the master password!
A good password has at least 8 characters, includes uppercase, lowercase,
a digit, and a punctuation mark, and isn't a dictionary word.
Computers can rapidly try out different passwords, which is why short
passwords are usually vulnerable to attackers.
<p>
Here are the three OSS/FS programs that do this, with
some comments about each.
These programs are worthless if they're not secure, so I'll particularly
emphasize any clues to how secure they are:
<ul>
<li>
<a href="http://www.zetetic.net">Strip</a> (GPL license).
This program (version 1.0 AES), short for
Secure Tool for Recalling Important Passwords,
uses the 256-bit AES algorithm to encrypt all the data.
AES is a relatively new encryption algorithm, but it's been heavily examined
and it's been recently selected as the new U.S. encryption standard, so
this is a very good choice.
By default, Strip will automatically re-lock all the passwords when you
turn off the PDA, and it always locks the passwords when you switch
to another application; this is good, because it's safe and easy to understand.
Strip also supports S/Key one-time-use passwords, which is very nice
if you ever use S/Key.
Strip has some clever mechanisms for sharing certain sets of
passwords with other PDA users by beaming them (if you want to);
see the documentation for more information.
I don't recommend sharing passwords, actually, but you might want to
conveniently share other confidential pieces of information this way.
You can download ``StripCS'' to upgrade from older versions of Strip;
new users don't need StripCS.
<p>
The user interface is easy to understand, but it's not quite as
convenient as the other two programs' interfaces.
When you start up Strip and enter the master password,
you have to select the category and then the specific entry before
you can see a given entry's password.
This is very un-Palm-like; the other programs handle categories like the
To-do application, letting you select categories to view on the top right
and including an ``all' category to show all the entries.
If you want to see or edit the notes, you
have to hit yet another option; the other programs show notes along
with the other data and don't require yet another action.
Also, when you use the program for the first time, there's no confirmation
of the master password: be <i>sure</i> to correctly
enter the master password you intend to use!
<p>
In spite of these minor weaknesses, I like Strip the best.
I'm not alone in this view;
<a href="http://www.onmagazine.com/on-mag/reviews/article/0,9985,52283,00.html">
an article in Time Digital</a> declared back in August 2000 that
Strip is one of the ``Top Five Palm Programs You Should Grab''.
Not just one of the top five OSS/FS programs - the top five, period.
<li>
<a href="http://gnukeyring.sourceforge.net">Keyring</a> (GPL license).
This program uses the Triple-DES algorithm to encrypt the passwords.
Triple-DES is a very well-tested algorithm, and is a very good choice
as an encryption algorithm.
It also uses the MD5 algorithm; recently MD5 has been shown to have weaknesses,
so this might be a source of weakness for the program.
When you first start up the Keyring program
(version 1.1, 2002-03-11) you get a big warning
that this is still beta software -
while it's true that some beta software is better than some other
released software, this doesn't inspire confidence!
Its warning to save all data first was unfortunately true -
when I selected one of its debugging options, my PDA crashed and
lost all its data (note to self: don't use the debugging options!).
To be fair, I didn't have this problem as long as I didn't use the
optional debugging options.
I'd use the older version, but one of the fixes removed a bug that might
reveal passwords; hopefully by the time you read this that bug has been
removed.
<p>
Keyring does <i>not</i> require users to enter the master
password to see the categories or the names of the entries.
While this doesn't give away the passwords or comments, in my opinion this
is <i>way</i> too much information to give away to an attacker without
the master password, and I view this as a minor security problem.
<p>
Once you enter a master password into Keyring, it's remembered for
a (settable) period of time; you can also press a command to
immediately lock the program.
This means that you can leave the Keyring program, run another program,
turn the PDA off and on, and still have the passwords available
until the time limit is set.
This approach works, but I think this approach greatly weakens its security.
Allowing other programs to run while the passwords are vulnerable
is asking for trouble;
PalmOS doesn't have memory protection, and this approach appears to me to
increase the risk of allowing the passwords to unintentionally leak.
I'm not referring so much to intentionally malicious programs, but simply
programs that might unintentionally create copies of secret data while they
do other things.
I also worry that the timers to re-lock the passwords might be
circumventable (again, by secret debug commands or other faulty
software in the Palm).
You can set the memorized time to zero, but this makes the program
harder to use than the other programs - you then
have to re-enter the master password for every entry.
At any time you can re-lock all the passwords, but it's easy to forget
to do this.
In short, developers seem to have made several design choices in the
name of convenience that put the data at greater risk.
With different user interface design choices, they could have made it
as easy to use without the risks.
<p>
On the positive side, there is clearly an active development community
that works to keep this program secure.
Additions to version 1.1 (from version 1.0)
improved the randomness of generated keys,
and they made worked to destroy encryption keys in memory
(a critical issue for this kind of program, and especially so since their
design makes leakage more likely).
<li>
<a href="http://www.codecubed.com/lockbox">Lockbox</a>
(old-BSD-like license with required acknowledgement).
Lockbox uses the RC4 encryption algorithm;
I'm not aware of any fundamental breaks of in this algorithm, but
it's not a very good choice as the underlying encryption algorithm.
First, there is the potential for legal hassles
(RSA has often claimed that it will sue unlicensed users; there
seems to be no good legal grounds for this, but simply filing a suit could
cause serious problems).
RC4 is a stream cipher designed for communications, not for encrypting a
block of data, so RC4 doesn't take advantage
of the values of later bytes when it encrypts a byte
(block cipher algorithms like triple-DES and AES can do a better job
scrambling data across a larger block).
RC4 is also hard to use correctly, and many systems have been
exploited through these subtle errors
(see my
<a href="https://dwheeler.com/secure-programs">book on
writing secure programs</a> for some information about this).
Lockbox's choice of RC4 makes me suspect that it might have a weaker
designs in other areas too.
<p>
Lockbox has limited functionality, too.
It can't generate random passwords (the other two can).
It also can't hide the characters of the master password while you're
entering it (the other two can optionally do this, and I recommend
using this option).
The Lockbox license on the website says that
the source code can be redistributed,
but the source code doesn't seem to be easily accessible.
The vendor sells a ``Lockbox Pro'' edition, which has more features, and
that probably explains why the source code has quietly ``disappeared.''
I see little evidence of an active
community reviewing its code for security problems, so that gives me
little confidence in the security of Lockbox.
</ul>
<p>
I have <i>not</i> spent the time to do a thorough security analysis
of the programs' actual code, because such analyses take a long time.
Fundamentally,
developers of these kinds of programs have to make sure that certain
things are done right.
For example, they need to make sure that they erase any memory that
ever had passwords.
This is why having the source code and an active community that reviews it
is so important, to find and resolve such things.
<p>
Now, for those of you who think one of these programs will make you
the next James Bond: forget it.
Triple-DES and AES algorithms probably won't be broken in the near-term
given current technology, but these programs won't
counter assailants with many resources.
The program in your PDA could be modified (e.g., by another program on the
PDA, by someone briefly stealing your PDA, or
via the computer the PDA syncs to).
Someone could observe you entering your password (say through a
micro video camera), or specialized equipment could get that information
using the PDA's electromagnetic emissions.
And of course, if an assailant pointed a gun to your head, you'd probably
give them the password!
But all of these attacks require more effort or gaul than the
typical attacker most people are worried about.
So for most people, these kinds of programs are good enough.
<p>
The bottom line is that I think Strip is the best.
Strip's user interface isn't quite as convenient as the others
(requiring 2-3 selections instead of one to see an entry), but
it's easy to understand, has the most features, and doesn't have
the more concerning security issues of the other two programs.
In general Keyring is a close second and very worthy alternative, but
its warning about being beta, its lose-everything crash that I experienced,
and its way of leaving passwords open while the
program isn't running causes me to rank it lower.
Lockbox is the worst of the three; you'd be better off using
one of the other two.
Lockbox's inability to generate random passwords and hide the master password
while you're entering it are serious weaknesses, and the ``disappearance''
of its source code gives me more concerns.
If you use any of these programs, be paranoid (for example,
turn off beaming by default and limit what programs you load onto your PDA).
<p>
<h1>About the Author</h1>
<a href="https://dwheeler.com">David A. Wheeler</a>
is an expert in computer security
and has written several articles on
<a href="https://dwheeler.com/oss_fs_refs.html">open source software /
free software (OSS/FS)</a>.
He's the author of
<a href="https://dwheeler.com/secure-programs"><i>Secure Programming
for Linux and Unix HOWTO</i></a>,
<a href="https://dwheeler.com/oss_fs_why.html"><i>Why Open Source Software /
Free Software (OSS/FS)? Look at the Numbers!</i></a>,
<a href="https://dwheeler.com/sloc"><i>More than a Gigabuck:
Estimating GNU/Linux's Size</i></a>, and
<a href="https://dwheeler.com/innovation"><i>The Most Important Software Innovations</i></a>.
Mr. Wheeler's web site is at
<a href="https://dwheeler.com">https://dwheeler.com</a>.
<p>
</body>
</html>