Fraunhofer-Gesellschaft

Publica

Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

A note on the security of code memo

 
: Wolf, R.; Schneider, M.

:

Cheok, A.D. ; Association for Computing Machinery -ACM-, Special Interest Group on Mobility of Systems, Users, Data and Computing:
Mobility Conference. International Conference on Mobile Technology, Applications and Systems 2007 : The 1st International Symposium on Computer Human Interaction in Mobile Technology (IS-CHI 2007), 10-12 September 2007, Singapore Polytechnic, Singapore
Singapore: Research Publishing, 2007
ISBN: 978-1-59593-819-0
ISBN: 1-59593-819-2
pp.261-267
International Symposium on Computer Human Interaction in Mobile Technology (IS-CHI) <1, 2007, Singapore>
International Conference on Mobile Technology, Applications, and Systems <4, 2007, Singapore>
English
Conference Paper
Fraunhofer SIT ()
mobile application; password management; security analysis

Abstract
Today, secret codes such as passwords and PINs are the most prevalent means for user authentication. Because of the constantly growing number of required secret codes, computer users are increasingly overtaxed. This leads to many problems in daily use, e.g., costs due to forgotten passwords in enterprises and security problems through bad password practice. Storing secret codes on mobile phones seems to be some kind of panacea to have secret codes always available since mobile phones are todays permanent companions. Code Memo is a software that is used on mobile phones to store secret codes in a safe way; it is provided as firmware on Sony Ericsson mobile phones. We assume that the intention of the Code Memo designers was to provide an ideal cipher system according to Shannons classifi cation, i.e., it leaves an adversary with uncertainty w.r.t. the correct decryption key. In this paper we show how to break Code Memo. For our attack, we have identified feedback channels in Code Memo that can be exploited for distinguishing correct master passwords from incorrect ones, and thereby, sieving candidates of master passwords. This weakness allows attackers in a realistic setting to identify the correct master password, and thus, to obtain all the stored passwords and PINs.

: http://publica.fraunhofer.de/documents/N-128946.html