On 23 March 2016 at 19:36, Daniel Kahn Gillmor <[email protected]> wrote:
> On Wed 2016-03-23 15:27:06 -0400, Tom Ritter wrote:
>> The strategy I want to see someone POC is using secure enclaves for
>> this. Either SIM cards (specifically a dual-SIM phone combined with
>> SEEK for Android) or Android's new 'Trusty' API. Write a javacard or
>> whatever 'applet' that lives in the Secure Enclave. It enforces '10
>> wrong attempts, and I delete the key'. This mimics iOS's Secure
>> Enclave but now we have it on a per-app basis.
>
> In this case, the enforcement needs to be done inside an applet that
> cannot be backed up and restored, right? Does a SIM card meet that
> promise? (disclaimer: i know nothing about SIM cards, feel free to
> point me at the relevant reading)

Yes - that's correct. The SIM is acting as a tiny little inexpensive
hardware security module that's difficult to restore/tamper/etc. I'm
sure it's possible, but it would up the game.

-tom
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
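
A small Python model of the policy discussed in this thread, added here as an illustration; it is not code from either poster and is not JavaCard, SEEK or Trusty code. The class, the function names and the sample PIN are constructed assumptions; the model covers only the retry counter, the key wipe, and why the counter must live in state that cannot be backed up and restored.

```python
import copy
import hmac
import secrets

MAX_ATTEMPTS = 10  # the "10 wrong attempts" limit from the thread


class EnclaveApplet:
    """Hypothetical model of applet state held inside the secure element."""

    def __init__(self, pin: bytes):
        self._pin = pin
        self._key = secrets.token_bytes(32)  # per-app key, generated inside
        self._tries_left = MAX_ATTEMPTS

    def unlock(self, guess: bytes):
        """Return the key on a correct PIN, else None; wipe at the limit."""
        if self._key is None or self._tries_left == 0:
            return None
        # Spend the attempt before comparing, so an interrupted check
        # (power cut mid-verification) never yields a free guess.
        self._tries_left -= 1
        if hmac.compare_digest(guess, self._pin):  # constant-time compare
            self._tries_left = MAX_ATTEMPTS
            return self._key
        if self._tries_left == 0:
            self._key = None  # delete the key; later guesses cannot recover it
        return None

    def tries_left(self) -> int:
        return self._tries_left

    def wiped(self) -> bool:
        return self._key is None


def key_survives_lockout(allow_restore: bool) -> bool:
    """Make 10 wrong guesses, then present the right PIN.

    allow_restore models state that can be backed up and restored, which
    is exactly what the enforcement point must not permit.
    """
    applet = EnclaveApplet(b"4821")   # constructed sample PIN
    backup = copy.deepcopy(applet)    # only possible if state is exportable
    for i in range(MAX_ATTEMPTS):
        applet.unlock(b"%04d" % i)    # 0000..0009, all wrong
    if allow_restore:
        applet = backup               # rollback: counter and key both return
    return applet.unlock(b"4821") is not None
```

With non-restorable state the key is gone after the tenth wrong guess; with restorable state the same limit enforces nothing, which is why the counter and the key have to sit in the same tamper-resistant store.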
