DOI: 10.1145/1378063.1378107

A note on the security of code memo

Published: 10 September 2007

Abstract

Today, secret codes such as passwords and PINs are the most prevalent means of user authentication. Because of the constantly growing number of required secret codes, computer users are increasingly overtaxed. This leads to many problems in daily use, e.g., costs due to forgotten passwords in enterprises and security problems caused by bad password practice. Storing secret codes on mobile phones seems to be something of a panacea for having them always available, since mobile phones are today's permanent companions. Code Memo is software used on mobile phones to store secret codes safely; it is provided as firmware on Sony Ericsson mobile phones. We assume that the intention of the Code Memo designers was to provide an ideal cipher system according to Shannon's classification, i.e., one that leaves an adversary uncertain about the correct decryption key. In this paper we show how to break Code Memo. For our attack, we have identified feedback channels in Code Memo that can be exploited to distinguish correct master passwords from incorrect ones, and thereby to sieve master-password candidates. This weakness allows attackers in a realistic setting to identify the correct master password, and thus to obtain all the stored passwords and PINs.

References

[1] P. Ducklin. Simple advice for more sensible password use. http://www.sophos.com, Apr. 2006.
[2] W. Harrison. Passwords and Passion. IEEE Software, 23(4), July/August 2006.
[3] G. Hayday. IT users in password hell. ZDNet UK News, Dec. 2002.
[4] G. Hayday. Counting the costs of forgotten passwords. ZDNet UK News, Jan. 2003.
[5] SafeNet. 2004 Annual Password Survey Results. SafeNet (Inc.), http://www.safenet-inc.com, 2004.
[6] C. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, 28(4), 1949.
[7] Sophos. Employee password choices put business at risk. http://www.sophos.com, Apr. 2006.
[8] J. VanAuken. Review: Password Management: Grief Relief. Information Week, http://www.informationweek.com, Jan. 2006.

Reviews

Amos O Olagunju

Secure electronic transactions via the Web, automated teller machines, and mobile phones require protected personal identification numbers (PINs) and passwords. Secure electronic transaction systems use stored PINs and passwords to authenticate users. PINs and passwords are also used as the encryption keys in classical cryptosystems such as the Vigenère cipher. Unfortunately, the security of any encryption system that employs a key depends on the secrecy of a PIN or password and its length. Algorithms for locating the encryption keys of known ciphers exist in the literature [1]. However, it is complicated to perform a black box study of an unfamiliar encryption algorithm to discover the feedback information channels for recognizing counterfeit decryption keys. Code Memo is software equipped with a hush-hush cryptographic algorithm for saving passwords on Sony Ericsson mobile phones (SEMPs). Wolf and Schneider analytically show how the weaknesses inherent in Code Memo's encryption algorithm could be used to obtain a master password for subsequently retrieving PINs and passwords on SEMPs. The authors exploited the digits and special characters used as input and output in Code Memo's encryption algorithm to create and store PINs. Based on Bernoulli trials, they presented the expected value and variance for the number of times Code Memo would return at least one element of the difference between the input and output character sets when all incorrect master password candidates were keyed in. They illustrated the ease of an attack on Code Memo using a personal computer to enter candidate master passwords into Code Memo on a mobile phone, and to process the decryption results captured by a webcam. A four-digit PIN master password was successfully used to illuminate the ease of obtaining a sample of specially constructed passwords stored with Code Memo. Unfortunately, the authors were unable to recommend a patch for the flaws in Code Memo's cryptographic algorithm.
Nevertheless, the paper chronicled the potential loopholes in cryptographic algorithms for storing PINs and passwords in mobile phones. Consequently, the cryptographic algorithms for mobile phones and secure electronic transactions ought to explore trap-door functions and product ciphers for the encryption and decryption of PINs and passwords.

Online Computing Reviews Service
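The weakness that both the abstract and the review describe, a decryption routine whose output alphabet is larger than the alphabet of what it stores, so that an incorrect master password can betray itself, is easy to see in a toy model. The Python below is an added illustration, not code from the paper, from Sony Ericsson, or from Code Memo: both password-store schemes in it are hypothetical stand-ins (a digit-wise shift mod 10 that stays inside the digit alphabet, and a byte-wise XOR of ASCII digits that does not), the stored PINs and the master password are constructed sample values, and the four-digit key space is an assumption. It enumerates every candidate master password, keeps those under which all stored entries decrypt to digits only, and reports the per-candidate leak probability q together with the Bernoulli expectation and variance the review refers to. The design point is the alphabet-closed scheme: when every key yields a plausible plaintext (Shannon's ideal cipher for this setting), the sieve keeps the whole key space and the feedback channel disappears.

```python
"""Toy model of a 'feedback channel' in an encrypted PIN store.

Hypothetical schemes only; this is NOT Code Memo's algorithm. Constructed
sample data throughout."""
from itertools import cycle, product

DIGITS = "0123456789"
KEY_LENGTH = 4                 # assumed: four-digit numeric master password
KEY_SPACE = 10 ** KEY_LENGTH   # 10,000 candidates


# --- Scheme A (hypothetical, alphabet-closed): digit-wise shift mod 10 ---
# Every candidate master decrypts to *some* all-digit PIN, so a wrong guess
# looks exactly as plausible as the right one: no feedback channel.
def closed_encrypt(pin: str, master: str) -> str:
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(pin, cycle(master)))


def closed_decrypt(ct: str, master: str) -> str:
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(ct, cycle(master)))


# --- Scheme B (hypothetical, leaky): byte-wise XOR of ASCII digits ---
# XOR of two ASCII digits ('0'..'9' = 0x30..0x39) is a nibble 0x00..0x0F.
# Decrypting with a wrong master can land in 0x3A..0x3F (':' ';' '<' '=' '>' '?'),
# i.e. outside the digit alphabet: the output alphabet is larger than the
# input alphabet, and that difference is the distinguisher.
def leaky_encrypt(pin: str, master: str) -> bytes:
    return bytes(ord(p) ^ ord(k) for p, k in zip(pin, cycle(master)))


def leaky_decrypt(ct: bytes, master: str) -> str:
    return "".join(chr(c ^ ord(k)) for c, k in zip(ct, cycle(master)))


def sieve(entries, decrypt, alphabet: str = DIGITS) -> list:
    """Return every master candidate under which ALL stored entries decrypt to
    strings inside `alphabet`. Without a feedback channel this is the whole
    key space; with one, it is the sieved subset (true master always included)."""
    allowed = set(alphabet)
    survivors = []
    for cand in map("".join, product(DIGITS, repeat=KEY_LENGTH)):
        if all(set(decrypt(ct, cand)) <= allowed for ct in entries):
            survivors.append(cand)
    return survivors


def leak_probability(survivors) -> float:
    """Fraction of *wrong* candidates the sieve rejected: the per-trial success
    probability q of a Bernoulli model over the 9,999 wrong candidates."""
    wrong = KEY_SPACE - 1
    rejected_wrong = wrong - (len(survivors) - 1)   # minus the true master
    return rejected_wrong / wrong


def bernoulli_summary(q: float, trials: int):
    """Expected value and variance of the number of rejected wrong candidates
    when each of `trials` wrong candidates leaks independently with probability q."""
    return trials * q, trials * q * (1 - q)


# Constructed sample store (not from the paper): two stored PINs, one master.
MASTER = "2580"
STORED = ["7777", "1234"]

if __name__ == "__main__":
    closed = sieve([closed_encrypt(s, MASTER) for s in STORED], closed_decrypt)
    leaky = sieve([leaky_encrypt(s, MASTER) for s in STORED], leaky_decrypt)
    print(f"alphabet-closed: {len(closed)} of {KEY_SPACE} candidates survive (nothing to sieve)")
    print(f"leaky:           {len(leaky)} of {KEY_SPACE} candidates survive; true master kept: {MASTER in leaky}")
    q = leak_probability(leaky)
    expected, variance = bernoulli_summary(q, KEY_SPACE - 1)
    print(f"per-candidate leak probability q = {q:.3f}; E = {expected:.0f}, Var = {variance:.1f}")
```

For the constructed data the closed scheme keeps all 10,000 candidates, while the leaky scheme keeps 1,024, and adding more stored entries only narrows the leaky set further. The exact count depends on the stored digits, because XOR leaks only at positions where the differing key digit pushes the result out of 0x30..0x39. The lesson for anyone designing a store that must be unlocked with a short numeric secret is that a wider output alphabet is precisely what turns a secret-algorithm store into a sieveable one; alphabet closure, not algorithm secrecy, is what removes the channel.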


Published In

Mobility '07: Proceedings of the 4th international conference on mobile technology, applications, and systems and the 1st international symposium on Computer human interaction in mobile technology
September 2007
702 pages
ISBN:9781595938190
DOI:10.1145/1378063
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. mobile applications
  2. password management
  3. security analysis

Qualifiers

  • Research-article

Conference

MC07

Article Metrics

  • Total citations: 0
  • Total downloads: 170 (0 in the last 12 months, 0 in the last 6 weeks)

Reflects downloads up to 12 Sep 2024