Hacker News new | past | comments | ask | show | jobs | submit login

Yes exactly. When I look at the settings in the app it says "PINS keep information stored with Signal encrypted only you can access it."

However the page that you linked does not mention encryption. I can't see anywhere explain exactly what the PIN does. Does it encrypt your data or not?




Any reasonable length pin would not contain enough information to act as a safe encryption key; it would be too easy to brute force.


Depends on if the app itself rate-limits attempts, or destroys the encrypted content after a set number of attempts.


This would only be true as long as whatever the decryption algorithm is, it is not possible to run it off of the device, or otherwise interrupt the process of resetting the counter used to decide to rate-limit or self-destruct.

Famously older iPhones were susceptible to resetting the 'Invalid Attempts to Unlock' counter that the iPhone stored in the Secure Element to workaround the PIN rate-limit, by halting the CPU before it had a chance to increment the value, but right after it returned the pass/fail result.

So Signal could be entangling this PIN with a key from the Secure Enclave, and then trying to securely increment a counter inside the Secure Enclave to implement exponential rate-limiting and self-destruct, but it would be tricky to implement correctly.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: