Encryption On PalmOS?

TheTomcat asks: "I'm planning on writing some software for Handspring Visor (or any palmOS device) in PocketC (because I can develop in pocketC directly on the Palm, and I don't have time to learn the SDK), but I would like to encrypt the data that is stored in case the handheld gets lost, stolen, or somehow gets into the wrong hands. Setting the Private Bit is not good enough. Simply, I want simple encryption that is very secure, fast, and can be unlocked by a passphrase (thanks to graffiti). I'm looking at an algorithm called Tiny Encryption Algorithm (TEA), but the spec is dated November 1994, so I'm not sure if it would still be considered secure. Any help would be much appreciated, especially if you can point me at some C source. Thanks!"

fileSafe

[cheeserd00d]

quick google search turns up fileSafe [palmtracker.com] - its a PalmOS encryption program which supports 448 bit Blowfish (which is still considered secure) and 128 bit TEA (which i don't know much about).

Strip

[hooha]

There is an excellent Palm OS program called Strip [zetetic.net] from Zetetic Enterprises. It stores passwords securely using IDEA or DES encryption.

The source code is available at the site (with export restrictions). Perhaps that would help you?

GNU Keyring

[iriefrank]

There is an open-source project called GNU Keyring [sourceforge.net] that uses Triple-DES to encrypt info on a PalmOS machine. I have been using 1.0 for a few months now, and I like it a lot. I don't trust it enough to store irreplacable stuff, but it does a good job of storing passwords and such. It also has a random password generator built in, although it is noted on their page that the PalmOS random number generator isn't that great. All in all though, it's a great little program that gets the job done.

Frank Bynum
UT Austin undergrad

already available

[fsck!]

there already are blowfish-enabled password managers and memopads in available for Palm OS. do a search for blowfish on PalmGear HQ [palmgear.com]
--

Rijndael and/or Blowfish

[rjh]

I'd stay away from TEA; I seem to recall some attacks against it in the literature, but I can't think of them for the life of me right now.

The number one concern you have with a Palm is its limited memory and processor. You don't want an algorithm which requires a lot of overhead or which has extremely slow throughput. Algos like 3DES are out for this reason.

My own two cents says go for Rijndael and/or Blowfish. Blowfish isn't suitable for apps which do key initialization a lot, but you don't sound like you need that.

Either way, you'll be getting a cipher with a lot of cryptanalysis and a fair degree of trust from the cryptographic community.

If you're looking for C source, check GNU Privacy Guard--Blowfish is already in there, and Rijndael should be there soon.

JAWS

[OctaneZ]

I have been using JAWS encryption on my Palm Pilot for over two years now, and I have loved it. You can set it so that the first few characters of something are still readable, like the Title or Subject, and encrypt the rest of the document on your palm using up to a 4096 bit key. You can find more information here:
http://www.rodeoisland.com/jaws/jaws_info3.htm [rodeoisland.com]
and find a review and help from ZDnet here:
http://www.zdnet.com/zdhelp/stories/main/0,5594,24 03097-3,00.html [zdnet.com]

What about compression for the Palm?

[EMIce]

How do you compress data stored in a palm? I'm trying to write an app for palm that stores a huge database of information. Maybe 1.6 megs. How can I compress this data so it is inflated on the fly when it is needed?

Re:JAWS

[seaan]

I'd suggest some caution about using the JAWS (JAWZ) algorithm. First, read about recognizing "cryptographic snake-oil":
Snake Oil FAQ [interhack.net]
Counterpane Cryptogram Article [info-sec.com]

I was unable to find a description of the JAWS algorithm on the JAWZ website (JAWS Home Page [jawstech.com]), now that they have become a security consulting firm. The best I could find was a small redaction of the original JAWS claims here: 4comm DataEncryptor [4comm.com].

I wonder if anybody still has a copy of the original JAWZ claims (quite a hoot).