[messaging] abusing u2f
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 23 17:36:25 PDT 2016
On Wed 2016-03-23 15:27:06 -0400, Tom Ritter wrote:
> The strategy I want to see someone POC is using secure enclaves for
> this. Either SIM cards (specifically a dual-SIM phone combined with
> SEEK for Android) or Android's new 'Trusty' API. Write a javacard or
> whatever 'applet' that lives in the Secure Enclave. It enforces '10
> wrong attempts, and I delete the key'. This mimics iOS's Secure
> Enclave but now we have it on a per-app basis.
In this case, the enforcement needs to be done inside an applet that
cannot be backed up and restored, right? Does a SIM card meet that
promise? (disclaimer: I know nothing about SIM cards, feel free to
point me at the relevant reading)
--dkg