2.3 Change Log

Encrypting the whole database is a good idea, but in one sense it is too strong. Firstly, you cannot tell if the database has been cracked: whoever copies it off the device can try PINs offline and nobody is notified. If instead only the shared secrets are encrypted and the application never reports that the PIN entered was wrong, someone who enters a wrong PIN simply gets OTPs computed from garbage secrets, and will not learn from the phone that the PIN was wrong when they try to connect to remote systems. This also gives the user some plausible deniability: if the PIN is demanded from them they can simply give a wrong one. Once a brute-force attempt starts producing OTPs from wrong PINs, this can be detected and the account disabled at the server level, further limiting the damage of a shared secret being lost. Note that this only works if the cipher gives no padding or integrity error under the wrong key; an authenticated cipher would hand an attacker exactly the wrong-PIN signal this design avoids.

People now need to be careful when adding or refreshing secrets: if the wrong PIN was entered at start-up, the new secret is encrypted under a key derived from that wrong PIN, and when the right PIN is later entered for the other shared secrets, that one will decrypt in weird and interesting ways.

This release no longer prompts the user for a site/server PIN; in conjunction with this release the FreeAuth PAM module will be updated to allow end users to update their shared secrets via PAM.
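The two behaviours described above (a wrong PIN yields garbage rather than an error, and a secret added under a wrong PIN is unreadable under the right one) are easiest to see in code. The following is an added illustration, not FreeAuth's own code: the page does not say which Bouncy Castle cipher or key derivation the app uses, so PBKDF2 and an HMAC-SHA256 counter keystream stand in for them, and the salt, nonces, PINs and secret are constructed values. The authenticated variant at the end shows the "too strong" alternative the text argues against.

```python
import hashlib
import hmac

# Constructed example values (not from the FreeAuth code base). In the real
# app the 8-byte salt is generated once with SecureRandom and kept in phone
# memory, and the PIN is only ever typed in at start-up, never stored.
SALT = bytes.fromhex("a1b2c3d4e5f60718")
SECRET = hashlib.md5(b"demo shared secret").digest()   # 16-byte MD5-style secret


def pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from PIN and salt. PBKDF2 is a stand-in for whatever
    KDF the app uses; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=32)


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated stream encryption: XOR data with an HMAC-SHA256 counter
    keystream. No padding and no MAC, so decrypting under the wrong key returns
    wrong bytes instead of raising an error. The nonce must be unique per
    secret under a given key, or two secrets would share a keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_secret(pin: str, secret: bytes, nonce: bytes, salt: bytes = SALT) -> bytes:
    """Encrypt one shared secret under the PIN-derived key, no integrity tag."""
    return nonce + xor_keystream(pin_key(pin, salt), nonce, secret)


def open_secret(pin: str, blob: bytes, salt: bytes = SALT) -> bytes:
    """Decrypt. This always 'succeeds': nothing here can tell a wrong PIN apart
    from the right one, so the wrong-PIN signal only shows up at the server."""
    nonce, ciphertext = blob[:8], blob[8:]
    return xor_keystream(pin_key(pin, salt), nonce, ciphertext)


def seal_secret_authenticated(pin: str, secret: bytes, nonce: bytes, salt: bytes = SALT) -> bytes:
    """The 'too strong' alternative: append an HMAC tag, so a wrong PIN is
    detectable on the phone, which is exactly the oracle the design avoids."""
    key = pin_key(pin, salt)
    body = nonce + xor_keystream(key, nonce, secret)
    return body + hmac.new(key, body, "sha256").digest()


def open_secret_authenticated(pin: str, blob: bytes, salt: bytes = SALT):
    """Return the secret, or None when the tag does not verify (wrong PIN)."""
    key = pin_key(pin, salt)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        return None
    return xor_keystream(key, body[:8], body[8:])


if __name__ == "__main__":
    nonce_a, nonce_b = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    blob = seal_secret("2468", SECRET, nonce_a)
    print(open_secret("2468", blob) == SECRET)   # right PIN: True
    print(open_secret("1357", blob) == SECRET)   # wrong PIN: False, and no error
    # The 2.3 caveat: a secret added while a wrong PIN is active is sealed
    # under the wrong key, so the right PIN later decrypts it to garbage.
    added_under_wrong_pin = seal_secret("1357", SECRET, nonce_b)
    print(open_secret("2468", added_under_wrong_pin) == SECRET)   # False
    # Authenticated variant: the phone itself now reveals the PIN was wrong.
    print(open_secret_authenticated("1357", seal_secret_authenticated("2468", SECRET, nonce_b)))  # None
```

With the unauthenticated store, the only place a wrong PIN becomes visible is the server that receives OTPs derived from the garbage secret, which is what allows the server-side detection and lockout the text describes.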

Version 2.3.10:

  • Replaced {} with !- and . with ? in the character set.
  • Current Character set: 123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:

Version 2.3.9:

  • Added a timer and a message during the start-up sequence so the user can see that something is happening, rather than the application appearing to freeze after the password has been entered.

Version 2.3.8:

  • Replaced ^ in the character set with :, since ^ is a special (dead) key on some keyboard layouts.
  • Fixed code that did not handle a wrong PIN 100%; still not 100% perfect.

Version 2.3.7:

  • Replaced () in the character set with %^; the parentheses looked confusingly similar to a capital C in most handset fonts.

Version 2.3.6:

  • Fixed numerous bugs introduced either when encryption was added or when the interface was redesigned.
  • Improved the code converting between MD5 hashes and character sets.
  • Improved the original method of generating shared secrets.

2.2 Change Log

  • Added Bouncy Castle code to encrypt the database; you now need to type in a PIN during application start-up. This is to stop someone stealing data from your device if, for example, a new Bluetooth exploit appears.
  • Added code to "upgrade" data from plain text to encrypted; once the DB upgrade has completed the old data store is deleted.
  • Added code to generate an 8-byte salt once using SecureRandom, store it in phone memory, and load it at start-up.
  • Replaced all instances of Random with SecureRandom.

2.1 Change Log

  • Complete rewrite of the user interface from scratch; all displays now have soft menu button options rather than requiring special key codes.
  • The main page no longer has a funky search/select; instead you scroll.
  • The limitation of 80 shared secrets has been removed; instead free phone storage is checked before you are allowed to create a new secret.
  • On first start-up the server epoch is checked and matched on the phone; the time zone is now updated automatically without showing a clock-skew warning.

2.0 Change Log

  • To increase security we are reworking the implementation. This means that from version 2 onwards it is not backward compatible with previous versions; for a complete breakdown of why we are doing this, have a look at the FreeAuth Protocol Implementation page.
    • Increased the key space by using 64 possible characters instead of 16, for both the shared secret and the OTPs.
    • Increased the OTP to 8 characters instead of 6.
    • Changed the time stamp to be divided by 60 instead of 10, giving one password per minute instead of one every 10 seconds.
  • Code added to generate 32-bit or 64-bit passcodes.
  • Timestamp lookup code was changed to only do a lookup if no database exists yet; start-up time on some devices was excessively long due to HTTP connection times over GPRS/WAP.
  • Code was added to cope better with screen widths. Text still wraps oddly; it may be possible to add code that wraps at white space rather than in the middle of words.
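The 2.0 parameters (64-symbol alphabet, 8-character OTPs, a 60-second window) and the 2.3.10 character set are worth working through once, since together they set the OTP key space and the clock-skew tolerance the server needs. The following is an added example, not FreeAuth's own code and not its protocol: how the page's 64-character alphabet is checked and how a digest is mapped onto it six bits at a time is shown exactly, but what the app actually feeds into MD5 is documented on the Protocol Implementation page, not here, so the hash input used below (secret plus minute counter) is an assumption, as are the `verify` skew policy and the sample secret.

```python
import hashlib
import hmac
import math

# The 64-character alphabet from the 2.3.10 notes. 0, O, I, J, L, g, i, j, l, o
# and q are absent because they are easy to confuse on handset fonts.
CHARSET = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:"


def charset_is_sound(cs: str = CHARSET) -> bool:
    """Exactly 64 distinct symbols, so each carries six bits and no two
    six-bit values map to the same symbol."""
    return len(cs) == 64 and len(set(cs)) == 64


def encode_digest(digest: bytes, length: int, cs: str = CHARSET) -> str:
    """Take `length` six-bit groups from the top of the digest and map each to
    one symbol. A 16-byte MD5 digest has 128 bits, enough for 21 symbols."""
    nbits = len(digest) * 8
    if length * 6 > nbits:
        raise ValueError("digest too short for requested length")
    value = int.from_bytes(digest, "big")
    return "".join(cs[(value >> (nbits - 6 * (i + 1))) & 0x3F] for i in range(length))


def otp(secret: bytes, unix_time: int, window: int = 60, length: int = 8) -> str:
    """Hypothetical OTP for this illustration: MD5 over the secret and the
    window counter (unix_time // window), encoded with the alphabet above.
    This is NOT the FreeAuth derivation; only the parameters come from the page."""
    counter = unix_time // window
    return encode_digest(hashlib.md5(secret + str(counter).encode()).digest(), length)


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 60, skew: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current window plus
    `skew` neighbours either side, to tolerate the clock skew the 1.1 and
    2.1 notes mention, using a constant-time comparison."""
    for w in range(-skew, skew + 1):
        if hmac.compare_digest(otp(secret, unix_time + w * window, window, len(candidate)), candidate):
            return True
    return False


def key_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of distinct codes: 64^8 gives 48 bits, 16^6 gave 24."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    secret = hashlib.md5(b"constructed demo secret").digest()
    now = 1_000_020                      # constructed timestamp, inside minute 16667
    code = otp(secret, now)
    print(charset_is_sound(), code, len(code))
    print(otp(secret, now) == otp(secret, now + 39))        # same minute: True
    print(verify(secret, code, now + 70))                    # next minute, skew 1: True
    print(key_space_bits(64, 8), key_space_bits(16, 6))      # 48.0 24.0
```

Two practical points fall out of this: eight symbols consume only 48 of the digest's 128 bits, so truncating to 8 characters is what bounds the OTP space, not the hash; and a one-minute window means a server must decide how many neighbouring windows to accept, which is why the clock-skew checks elsewhere in this log matter.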

1.3 Change Log

  • Version 1.3.0 was released as a renamed version (from mOTP+ to FreeAuth).

1.2 Change Log

  • Added RC4 encryption for testing purposes; needs to be replaced with AES or at least RC5.
  • Able to upload/download from a remote server; needs to be made configurable.
  • Fixed several errors that were not being caught and were causing the app not to run on phones that disallow GPRS/HTTP access, among other things.

Version 1.2.9 appeared to fix all the start-up crashes.

1.1 Change Log

  • Delete an entry
  • Reset hashes
  • Instead of scrolling, maybe a search instead? Kludgy, but it works with limited keypads.
  • Manually enter a hash instead of generating it
  • Secure deployment in enterprise, central DB server to communicate with.
    • Custom variables 'alias', 'hash' and 'timez' are all settable from the .jad file. On first run the information is loaded into the local database; the .jad file can be dynamically generated on a WAP server after the user logs into their account (via SSL).
  • Can view amount of database usage from the about screen (percentage + bytes).
  • The UI has a limitation of about 80 entries; the interface can be recoded to get around this, but there does not seem to be a need at this point in time.
  • The MIDlet can grab the current GMT time stamp from CAcert.org, compare it with the internal value, and warn the user about clock skew and time zone issues.
  • Database limited to 80 entries, plus checks added to prevent running out of space.
  • Get the current time zone (UTC +/- 12) from a WAP site.

1.0 Change Log

  • Ability to store multiple hashes for multiple websites/servers
  • Assign a memorable alias for each hash
  • Refresh/Delete hashes
  • Search for hashes
  • Manually enter a hash