On Fri, Dec 28, 2012 at 5:14 AM, Anders Rundgren <[email protected]> wrote:
> On 2012-12-28 11:00, Jeffrey Walton wrote:
>> On Fri, Dec 28, 2012 at 4:53 AM, Anders Rundgren
>> <[email protected]> wrote:
>>> On 2012-12-28 10:36, Jeffrey Walton wrote:
>>>
>>> Too many things, my brain works best with one thing at a time :-)
>>>
>>>>> MSFT and RIM have absolutely nothing for on-line banking.
>>>> For whom? The consumer or the enterprise?
>>>>
>>>> For the consumer, it's generally low-value data and banking apps are
>>>> fine (some risk is accepted).
>>>
>>> If we stick to the (original) subject line, my primary concern is
>> Hard to tell - you were all over the place ;)
>>
>>> that the most popular mobile platform doesn't offer a useful facility
>>> for provisioning keys for third party applications like on-line banking.
>> OK. What kind of keys for whom? Online banking users? Executives and
>> management?
>
> The 500M+ users of consumer on-line banking.
>
>>
>> Perhaps you'd like to use GnuPG? ElGamal FTW? GnuPG uses Lim-Lee
>> primes, and the keys cannot be validated in practice (you need the
>> unique factorization). That means you can't apply your secret to
>> their public key, and you can't trust their signatures from their
>> private key.
>>
>>> "Useful" in this space means not only that it is "secure" but also that
>>> it offers reasonable functionality. <keygen> was great...1996.
>> You can specify key size, which determines security levels. 3072-bit
>> RSA or 256-bit curves (give or take) provide all the security folks
>> like you, me, and most banking customers need. Or at least for me and
>> most banking customers.
>
> I have no problem with the cryptography in Android.
>
> The problem (as *I* see it NB) is that "apps" cannot use it without
> effectively duplicating <keygen>/"KeyChain", which seems like a pretty
> bad idea.

So, I think there is a disconnect here (due to me). I should probably retire from the thread.
Questions before I go (please forgive my ignorance): besides its birth date, why is keygen obsolete?

On the device: why not use BouncyCastle to generate keys (after getting a user seed), and then store the secrets in the KeyStore (pre-Android 4.0) or KeyChain (Android 4.0+)? I guess I'm not clear on why you have to duplicate the functionality.

Jeff
