[messaging] abusing u2f

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Mar 23 17:36:25 PDT 2016

On Wed 2016-03-23 15:27:06 -0400, Tom Ritter wrote:
> The strategy I want to see someone POC is using secure enclaves for
> this.  Either SIM cards (specifically a dual-SIM phone combined with
> SEEK for Android) or Android's new 'Trusty' API.  Write a javacard or
> whatever 'applet' that lives in the Secure Enclave. It enforces '10
> wrong attempts, and I delete the key'.  This mimics iOS's Secure
> Enclave but now we have it on a per-app basis.

In this case, the enforcement needs to be done inside an applet that
cannot be backed up and restored, right?  Does a SIM card meet that
promise?  (disclaimer: I know nothing about SIM cards, feel free to
point me at the relevant reading)
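The retry-counter applet proposed above, and the backup/restore concern raised against it, as an added example that is not part of this thread and not JavaCard code: a Python model of a PIN-gated key applet that decrements its counter before comparing the PIN and wipes the key at zero, plus a brute-force loop run twice, once against a normal applet and once against one whose state can be rolled back. The export_state/import_state hooks, the 4-digit PIN space and the HMAC "key use" are assumptions made for illustration; a real secure-element applet must not expose anything like the first two.

```python
import copy
import hashlib
import hmac
from typing import Optional, Tuple

MAX_ATTEMPTS = 10  # the "10 wrong attempts and I delete the key" policy


class KeyApplet:
    """Model of a PIN-gated key-release applet living in a secure element.

    The counter only protects the key if the element is the sole holder of
    this state: nobody may copy it out and put an older copy back.
    """

    def __init__(self, pin: bytes, key: bytes):
        self._pin_hash = hashlib.sha256(pin).digest()
        self._key: Optional[bytes] = key
        self._remaining = MAX_ATTEMPTS

    @property
    def key_wiped(self) -> bool:
        return self._key is None

    @property
    def remaining(self) -> int:
        return self._remaining

    def verify(self, pin_guess: bytes) -> bool:
        """Check the PIN; reset the counter on success, wipe the key at zero."""
        if self.key_wiped:
            return False
        # Decrement *before* comparing: if power is cut right after the
        # comparison, the failed attempt has already been recorded.
        self._remaining -= 1
        if hmac.compare_digest(hashlib.sha256(pin_guess).digest(), self._pin_hash):
            self._remaining = MAX_ATTEMPTS
            return True
        if self._remaining == 0:
            self._key = None  # irreversible: the key is gone for good
        return False

    def sign(self, pin: bytes, message: bytes) -> Optional[bytes]:
        """Release use of the key (an HMAC here, as a stand-in) only after a good PIN."""
        if not self.verify(pin):
            return None
        assert self._key is not None
        return hmac.new(self._key, message, hashlib.sha256).digest()

    # Hypothetical backup/restore hooks. A real applet must NOT offer these;
    # they exist only to show what a restorable applet gives an attacker.
    def export_state(self) -> dict:
        return {"pin_hash": self._pin_hash, "key": self._key,
                "remaining": self._remaining}

    def import_state(self, state: dict) -> None:
        self._pin_hash = state["pin_hash"]
        self._key = state["key"]
        self._remaining = state["remaining"]


def brute_force(applet: KeyApplet, restore_backup: bool = False) -> Tuple[Optional[bytes], int]:
    """Try every 4-digit PIN in order; return (PIN found or None, guesses made).

    With restore_backup=True the applet is rolled back to a saved copy before
    every guess, which is exactly what backing up and restoring the applet
    would let an attacker do: the counter never reaches zero.
    """
    backup = applet.export_state() if restore_backup else None
    guesses = 0
    for n in range(10_000):
        if restore_backup:
            applet.import_state(copy.deepcopy(backup))
        if applet.key_wiped:
            break  # nothing left to attack
        guesses += 1
        if applet.verify(f"{n:04d}".encode()):
            return f"{n:04d}".encode(), guesses
    return None, guesses


if __name__ == "__main__":
    key = bytes(32)  # constructed sample key
    sealed = KeyApplet(b"4821", key)
    print("no restore:", brute_force(sealed), "wiped:", sealed.key_wiped)
    restorable = KeyApplet(b"4821", key)
    print("with restore:", brute_force(restorable, restore_backup=True))
```

Without restore the loop stops after ten guesses with the key wiped; with restore the same loop walks the whole PIN space and recovers the PIN, which is why the applet state has to be unexportable, not just the key.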
