[vlc-devel] [RFC] Memory keystore

Thomas Guillem thomas at gllm.fr
Tue Feb 9 13:15:47 CET 2016


Nobody said we'll store clear text into storage.
For Android, we'll use the java.security package to encrypt/decrypt
passwords.
It seems quite safe (if the device is not rooted), see
http://developer.android.com/training/articles/keystore.html#ExtractionPrevention

On Tue, Feb 9, 2016, at 13:12, Rémi Denis-Courmont wrote:
> On 2016-02-08 12:58, typx wrote:
> > On 2016-02-05 20:56, Jean-Baptiste Kempf wrote:
> >> On 05 Feb, Rémi Denis-Courmont wrote :
> >>> I would remove the file I/O support altogether.
> >> Why? How do you do on OSes that do not have a Wallet API?
> >> With my kindest regards,
> >
> > Well in any case clearkeys shouldn't be an option.
> 
> Obviously, writing credentials to persistent storage without protection 
> is not acceptable. The simplest solution would be to not install 
> (noinst_LTLIBRARIES) the cleartext plugin.
> 
> However, for testing purposes, I think the in-memory plugin would 
> actually be better than the existing clear text plugin. So then the 
> cleartext plugin is useless and can be removed completely.
> 
> > Without Wallet API you can still cipher the data but
> > then how would you store the keys to decipher it?
> 
> Ahem, the wallet back-ends have the same problem (unless some sort of 
> secure hardware is involved). Typically the storage is encrypted and the 
> master key is derived from a passphrase that is not stored. The user 
> must supply the passphrase at least once per session.
> 
> > The main issue being that the code is readable so it's
> > not like we can obfuscate anything.
> 
> > Honestly, to me, you shouldn't allow to store secrets when there are
> > no wallet-like APIs.
> 
> Wallet is a high level service. It might be possible to work with 
> somewhat lower level services, so long as VLC does not have to deal with 
> the cryptography and the arbitration.
> 
> -- 
> Rémi Denis-Courmont
> http://www.remlab.net/
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel
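
The scheme described in the quoted reply (storage encrypted under a master key derived from a passphrase that is never stored), as an added example that is not part of the thread and not VLC code. It uses Node.js's built-in crypto module; the function names, record layout, format label and scrypt cost parameters are assumptions made for the illustration.

```javascript
// Added example (not VLC code): a passphrase-locked credential record.
const crypto = require('crypto');

// scrypt cost parameters: assumed values, tune for the target hardware.
const KDF = { N: 2 ** 14, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('keystore-v1'); // hypothetical format label, authenticated

// Derive the 256-bit master key. Only the salt is persisted; the passphrase
// and the key exist in memory for the duration of the call.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

// Encrypt a {name: secret} map into the record that would be written to disk.
function seal(passphrase, secrets) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce on every write
  const key = deriveKey(passphrase, salt);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(AAD);
  const data = Buffer.concat([c.update(JSON.stringify(secrets), 'utf8'), c.final()]);
  const tag = c.getAuthTag();
  key.fill(0);
  const b64 = (b) => b.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(tag), data: b64(data) };
}

// Returns the secrets, or null when the passphrase is wrong or the record
// was modified (both surface as a failed GCM tag check).
function unseal(passphrase, record) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, b(record.salt));
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, b(record.iv));
    d.setAAD(AAD);
    d.setAuthTag(b(record.tag));
    const pt = Buffer.concat([d.update(b(record.data)), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  } finally {
    key.fill(0);
  }
}

// Constructed sample: URL and password are made up.
const record = seal('session passphrase', { 'smb://nas.example/share': 'hunter2' });
console.log(record, unseal('session passphrase', record), unseal('guess', record));
```

The record holds nothing that decrypts it without the passphrase, so its strength is that of the passphrase and the scrypt cost; a session-lifetime cache of the derived key is what turns this into "once per session".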

