Status update – 11/03/2013

We have successfully identified the core crypto modules in CMAccount source code. There are several classes involved:

1. AuthClient
2. GeneratePublicKeysTask, ECDHKeyService
3. EncryptedMessage
4. EncryptionUtils

This app first uses ECDH to generate the key pair between two parties so that they can use AES to encrypt subsequent messages. But, ECDH key exchange protocol does not authenticate the senders of the public key, thus it does not prevent man-in-the-middle attacks. So we are going to analysis more about whether CMAccount has applied any digital signature mechanisms.

In this application, the author has request for an additional token to verify the identification of the sender.

Next steps: Analyze the specific crypto code and see whether CMAccount is free of MITM or some other attacks.

Appendix:
Following graph is the UML diagram for CMAccount source code

Comments are closed.