nokia n95 password encryption
June 14, 2008 10:29 PM Subscribe
Does Nokia N95 encrypts e-mail passwords that it stores for automatic retrieval?
If it does, what is the encryption scheme? AES? Proprietary code? I am currently using IMAP functionality and i am curious if some malicious code run in web browser (or some other trick for that matter) could leak sensitive information such as the stored email passwords.
Regards.
If it does, what is the encryption scheme? AES? Proprietary code? I am currently using IMAP functionality and i am curious if some malicious code run in web browser (or some other trick for that matter) could leak sensitive information such as the stored email passwords.
Regards.
Response by poster: what if the encryption key (for the stored passwords) is not on the machine, but on a central server on Internet? if the malicious code can not "own" the mail client but can only have memory area access then how is it possible for it to get hold of the key?
posted by raphael19 at 11:32 PM on June 14, 2008
posted by raphael19 at 11:32 PM on June 14, 2008
Response by poster: also even if the encryption key is "on" the machine, if the encryption scheme is proprietary, i dont think it is an easy job for the malicious code to decode it. it should have the the mail client reverse-engineer'ed completely beforehand.
posted by raphael19 at 11:49 PM on June 14, 2008
posted by raphael19 at 11:49 PM on June 14, 2008
The central server scenario doesn't improve your threat model much. Presumably, the mail client would need a secret to authenticate to the central server, which just forces malicious code to impersonate the mail client to the password server instead of the POP server.
Also, "completely reverse engineered" is a huge exaggeration. I have reverse-engineered pseudo-security with the key embedded in the application before, and it took me a couple of hours to find the decryption part and rewrite it as a perl script (it took me a bit longer to find out that what I had done was reimplement RC4). "Easy" depends, but I'm nowhere near as skilled as the average Internet criminal when it comes to this stuff.
If you need to be as paranoid as you seem to be, do not save your passwords. Otherwise, evaluate your priorities. You're vulnerable in principle, but I'm pretty sure that there's no criminal business model currently in operation that's based on exploiting flaws in the N95 web browser and using that to read people's mail.
posted by themel at 12:05 AM on June 15, 2008
Also, "completely reverse engineered" is a huge exaggeration. I have reverse-engineered pseudo-security with the key embedded in the application before, and it took me a couple of hours to find the decryption part and rewrite it as a perl script (it took me a bit longer to find out that what I had done was reimplement RC4). "Easy" depends, but I'm nowhere near as skilled as the average Internet criminal when it comes to this stuff.
If you need to be as paranoid as you seem to be, do not save your passwords. Otherwise, evaluate your priorities. You're vulnerable in principle, but I'm pretty sure that there's no criminal business model currently in operation that's based on exploiting flaws in the N95 web browser and using that to read people's mail.
posted by themel at 12:05 AM on June 15, 2008
It's not stored as plaintext, if that's what you're worried about. Secondly, it's quite improbable that malicious code run in the browser can access the filesystem, especially the areas where passwords and other important stuff is stored.
posted by cyanide at 12:42 AM on June 15, 2008
posted by cyanide at 12:42 AM on June 15, 2008
I disagree with cyanide's assessment of what is "quite improbable". Here is a Symbian program which claims to recover passwords from any email program -- regardless of how/if passwords are encrypted -- by simply pretending to be an SMTP server and redirecting the client to connect to it. (The N95 isn't supported, but the same or a similar method could probably work on that model.)
Also, although I don't know much about Symbian, I'd be surprised if you couldn't use an emulator and/or debugger to locate the region of memory where the mail client has the password ready to send to the server, and once that location is known there is probably a way for malicious code on the device to access it. So, even if a proprietary encryption system is being used, it would not be necessary for an attacker to figure out how exactly it works because they can simply read its output instead.
themel is correct to describe this kind of crypto application as pseudo-security. If the attacker can has the encryption key, what is the point of using encryption? (And again, if you could keep the attacker from getting the key, why would you even need to encrypt the password in the first place?)
posted by finite at 1:20 PM on June 15, 2008 [1 favorite]
Also, although I don't know much about Symbian, I'd be surprised if you couldn't use an emulator and/or debugger to locate the region of memory where the mail client has the password ready to send to the server, and once that location is known there is probably a way for malicious code on the device to access it. So, even if a proprietary encryption system is being used, it would not be necessary for an attacker to figure out how exactly it works because they can simply read its output instead.
themel is correct to describe this kind of crypto application as pseudo-security. If the attacker can has the encryption key, what is the point of using encryption? (And again, if you could keep the attacker from getting the key, why would you even need to encrypt the password in the first place?)
posted by finite at 1:20 PM on June 15, 2008 [1 favorite]
This thread is closed to new comments.
I don't know what the N95 does, but if you can check your mail on it without entering a password then I would assume that malicious software on it probably could too.
posted by finite at 11:12 PM on June 14, 2008