[PATCH] Adding password protection to U-boot

Francesco Albanese frances.albanese at gmail.com
Tue Jun 10 20:24:42 CEST 2008


Thank you for having answered,

I know the issues related to hash salting; we can extract a valid salt
- for instance - by getting the IMEI from the GSM chipset: a known number
that is different for every openmoko. Think about it as a TODO note
for the future: I wanted, indeed, to release some general modifications
(not related to the board).

Bye


F. Albanese


On Tue, Jun 10, 2008 at 7:11 PM, Roland Häder <roland at mxchange.org> wrote:
> Hi,
>
> I'm a non-C# hacker but you ask me for comments:
>
>> - Password stored as SHA256 non-salted hash and written in the env
>> var. partition (a salting method can be added afterwards)
> You should really add a salting method to your patch. :) Brute-force attacks
> can easily be done on the SHA256 hash if no salt is given. Salts do not make it
> impossible to "crack the password" but slow it down depending on the
> length of the salt. So a salt shall be:
>
> - Pseudo-random characters at least (real-random is only possible in
> Lotto. ;) )
> - Variable length (I don't want to make suggestions here, maybe 10 chars are
> fine? Or 20? How much space do we have left for this?)
>
>> - If the password is set, user is prompted for a password after a
>> serial connection is established
> Nicely done. :) Keeps some bad guys busy for a long time if your smartphone
> falls into the wrong hands.
>
>> - If the device is locked down, a DFU flashing attempt will produce an
>> on-screen error on the Neo
> Well done, again. :)
>
>> - uncomment _USE_PASSWORD in password.h to activate this patch
> Okay, this does not go to me. Because I use the MokoMakefile to (try to) build
> the images.
>
> Roland
>
> PS: BTW, what is the status about my ticket regarding broken libxsettings
> package?
>
> --
> (GNU) PGP ID: 0x4D385570
>
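
Added example, not part of this thread or of the patch: a Python sketch of the difference between the unsalted SHA256 entry the patch stores and a per-device salted entry, using the IMEI as the salt as suggested above. The `<salt-hex>$<sha256-hex>` layout, the function names and the IMEI-like values are assumptions made for illustration.

```python
import hashlib
import hmac

def unsalted_hash(password: str) -> str:
    """Scheme described in the patch: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_env_value(password: str, salt: bytes) -> str:
    """Build a salted entry for the environment (hypothetical layout):
    '<salt-hex>$<sha256-hex of salt || password>'."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"

def verify(password: str, env_value: str) -> bool:
    """Recompute the salted hash from the stored salt and compare it
    in constant time. A malformed entry never unlocks the device."""
    try:
        salt_hex, stored = env_value.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate.encode(), stored.encode())

# Constructed IMEI-like strings standing in for two different devices.
IMEI_A = b"000000000000001"
IMEI_B = b"000000000000002"

def stored_digest(env_value: str) -> str:
    """Return only the hash part of a salted entry."""
    return env_value.split("$", 1)[1]

if __name__ == "__main__":
    pw = "1234"
    # Unsalted: every device with this password stores the same value,
    # so one precomputed table covers all of them.
    print("unsalted :", unsalted_hash(pw))
    # Salted per device: same password, different stored hashes.
    print("device A :", make_env_value(pw, IMEI_A))
    print("device B :", make_env_value(pw, IMEI_B))
    print("verify ok:", verify(pw, make_env_value(pw, IMEI_A)))
```

The salt does not need to be secret; it only has to differ per device. A single SHA-256 pass remains fast to compute per guess, so the salt removes shared and precomputed tables rather than the cost of guessing one device's password.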


