[cryptography] Keyspace: client-side encryption for key/value stores

Thierry Moreau thierry.moreau at connotech.com
Thu Mar 21 10:14:18 EDT 2013


Peter Gutmann wrote:
> Jeffrey Walton <noloader at gmail.com> writes:
> 
>> Android 4.0 and above also offer a Keychain (
>> http://developer.android.com/reference/android/security/KeyChain.html). If
>> using a lesser version, use a Keystore (
>> http://developer.android.com/reference/java/security/KeyStore.html).
> 
> What Android gives you is pretty rudimentary, it barely qualifies to use the
> same designation as Apple's Keychain.
> 
>> Linux has not warmed up to the fact that userland needs help in storing
>> secrets from the OS.
> 
> There's KWallet and Gnome Keyring, last time I looked KWallet was also pretty
> primitive (about the level of Android's Keychain) and not being updated much,
> but the Gnome Keyring seems to be actively updated.
> 

I would say these things (I hesitate to qualify them as IT security 
mechanisms or schemes) address an impossible task, for which apparent 
success is possible only in a proprietary environment (just making the 
reverse engineering harder).

Client-side storage of long-term secrets can only be secured by 
dedicated client-side hardware. Your mileage may vary.

- Thierry





More information about the cryptography mailing list