Droidcedas: Password Storage in Android M

While Android has received a number of security enhancements in the last few releases, the lockscreen (also known as the keyguard) and password storage have remained virtually unchanged since the 2.x days, save for adding multi-user support. Android M is finally changing this with official support for fingerprint authentication. While the code related to biometric support is currently unavailable, some of the new code responsible for password storage and user authentication is partially available in AOSP's master branch. Examining the runtime behaviour and files used by the current Android M preview reveals that some password storage changes have already been deployed. This post will briefly review how password storage has been implemented in pre-M Android versions, and then introduce the changes brought about by Android M.

Keyguard unlock methods

Stock Android provides three keyguard unlock methods: pattern, PIN and password (Face Unlock has been rebranded to 'Trusted face' and moved to the proprietary Smart Lock extension, part of Google Play Services). The pattern unlock is the original Android unlock method, while PIN and password (which are essentially equivalent under the hood) were added in version 2.2. The following sections will discuss how credentials are registered, stored and verified for the pattern and PIN/password unlock methods.

Pattern unlock

Android's pattern unlock is entered by joining at least four points on a 3×3 matrix (some custom ROMs allow a bigger matrix). Each point can be used only once (crossed points are disregarded) and the maximum number of points is nine. The pattern is internally converted to a byte sequence, with each point represented by its index, where 0 is top left and 8 is bottom right. Thus the pattern is similar to a PIN with a minimum of four and maximum of nine digits which uses only nine distinct digits (0 to 8). However, because points cannot be repeated, the number of variations in an unlock pattern is considerably lower compared to those of a nine-digit PIN. As pattern unlock is the original and initially sole unlock method supported by Android, a fair Android PIN hash mode), as shown below. An 8-character (?l?l?l?l?l?l?l?l), lower case only password takes a couple of hours on the same hardware.

$ cat lockscreen.txt
user:$dynamic_1$A4A628AE48E22443250C30A3E1449BD0$327d5ce3f570d2eb

$ ./john --mask=?d?d?d?d?d?d lockscreen.txt
Loaded 1 password hash (dynamic_1 [md5($p.$s) (joomla) 128/128 AVX 480x4x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
456987           (user)
1g 0:00:00:00 DONE  6.250g/s 4953Kp/s 4953Kc/s 4953KC/s 234687..575297

Android's lockscreen password can be easily reset by simply deleting the gesture.key and password.key files, so you might be wondering what is the point in trying to bruteforce it. As discussed in previous posts, the lockscreen password is used to derive keys that protect the keystore (if not hardware-backed), VPN profile passwords, backups, as well as the disk encryption key, so it might be valuable if trying to extract data from any of these services. And of course, the chance that a particular user is using the same pattern, PIN or password on all of their devices is quite high.

Gatekeeper password storage

We briefly introduced Android M's gatekeeper daemon in the keystore redesign post in relation to per-key authorization tokens. It turns out the gatekeeper does much more than that and is also responsible for registering (called 'enrolling') and verifying user passwords. Enrolling turns a plaintext password into a so-called 'password handle', which is an opaque, implementation-dependent byte string. The password handle can then be stored on disk and used to check whether a user-supplied password matches the currently registered handle. While the gatekeeper HAL does not specify the format of password handles, the default software implementation uses the following format:

typedef uint64_t secure_id_t;
typedef uint64_t salt_t;

static const uint8_t HANDLE_VERSION = 2;
struct __attribute__ ((__packed__)) password_handle_t {
    // fields included in signature
    uint8_t version;
    secure_id_t user_id;
    uint64_t flags;

    // fields not included in signature
    salt_t salt;
    uint8_t signature[32];

    bool hardware_backed;
};

Here secure_id_t is a randomly generated, 64-bit secure user ID, which is persisted in the /data/misc/gatekeeper directory in a file named after the user's Android user ID (*not* Linux UID; 0 for the primary user). The signature format is left to the implementation, but AOSP's commit log reveals that it is most probably scrypt for the current default implementation. Other gatekeeper implementations might opt to use a hardware-protected symmetric or asymmetric key to produce a 'real' signature (or HMAC).

Neither the HAL, nor the currently available AOSP source code specifies where password handles are to be stored, but looking through the /data/system directory reveals the following files, one of which happens to be the same size as the password_handle_t structure. This implies that it likely contains a serialized password_handle_t instance.

# ls -l /data/system/*key
-rw------- system   system         57 2015-06-24 10:24 gatekeeper.gesture.key
-rw------- system   system          0 2015-06-24 10:24 gatekeeper.password.key

That's quite a few assumptions though, so time to verify them by parsing the gatekeeper.gesture.key file and checking if the signature field matches the scrypt value of our lockscreen pattern (00010204060708 in binary representation). We can do so with the following Python code:

$ cat m-pass-hash.py
...
# Python 2 script; imports needed by the code shown below
import binascii
import struct
import scrypt  # py-scrypt module

# scrypt parameters
N = 16384; r = 8; p = 1;

f = open('gatekeeper.gesture.key', 'rb')
blob = f.read()

# 17 bytes of metadata (version, secure user ID, flags), 8-byte salt, 32-byte signature
s = struct.Struct('<'+'17s 8s 32s')
(meta, salt, signature) = s.unpack_from(blob)
password = binascii.unhexlify('00010204060708');
# the hashed input is the metadata followed by the plaintext pattern
to_hash = meta
to_hash += password
hash = scrypt.hash(to_hash, salt, N, r, p)

print 'signature  %s' % signature.encode('hex')
print 'Hash:      %s' % hash[0:32].encode('hex')
print 'Equal:     %s' % (hash[0:32] == signature)

$ ./m-pass-hash.py
signature: 3d1a20985dec4bd937e5040aadb465fc75542c71f617ad090ca1c0f96950a4b8
Hash:      3d1a20985dec4bd937e5040aadb465fc75542c71f617ad090ca1c0f96950a4b8
Equal: True

The program output above leads us to believe that the 'signature' stored in the password handle file is indeed the scrypt value of the blob's version, the 64-bit secure user ID, and the blob's flags field, concatenated with the plaintext pattern value. The scrypt hash value is calculated using the stored 64-bit salt and the scrypt parameters N=16384, r=8, p=1. Password handles for PINs or passwords are calculated in the same way, using the PIN/password string value as input.
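The handle layout and check inferred above, modelled with Python 3's standard library as an added example (it is not the post's script or AOSP code). The little-endian field order inside the 17 signed bytes is an assumption, and the secure user ID and salt used in the demo are constructed values.

```python
import hashlib
import hmac
import os
import struct

N, R, P = 16384, 8, 1                  # scrypt parameters reported in the post
META = struct.Struct("<BQQ")           # version, secure user ID, flags (assumed little-endian)
HANDLE = struct.Struct("<17s8s32s")    # meta, salt, signature: 57 bytes on disk

def _signature(meta, salt, password):
    # 'signature' = first 32 bytes of scrypt(meta || password, salt)
    out = hashlib.scrypt(meta + password, salt=salt, n=N, r=R, p=P,
                         maxmem=64 * 1024 * 1024, dklen=64)
    return out[:32]

def enroll(password, secure_user_id, version=2, flags=0, salt=None):
    """Build a 57-byte handle for `password` (bytes)."""
    salt = os.urandom(8) if salt is None else salt
    meta = META.pack(version, secure_user_id, flags)
    return HANDLE.pack(meta, salt, _signature(meta, salt, password))

def parse(blob):
    """Split a handle into its fields; an empty key file (no credential set) is rejected."""
    if len(blob) != HANDLE.size:
        raise ValueError("expected %d bytes, got %d" % (HANDLE.size, len(blob)))
    meta, salt, signature = HANDLE.unpack(blob)
    version, user_id, flags = META.unpack(meta)
    return {"version": version, "secure_user_id": user_id, "flags": flags,
            "meta": meta, "salt": salt, "signature": signature}

def verify(blob, candidate):
    """Recompute the scrypt value for `candidate` and compare in constant time."""
    h = parse(blob)
    return hmac.compare_digest(_signature(h["meta"], h["salt"], candidate),
                               h["signature"])

if __name__ == "__main__":
    pattern = bytes.fromhex("00010204060708")      # the pattern used in the post
    handle = enroll(pattern, 0x1122334455667788)   # constructed secure user ID
    print(len(handle), verify(handle, pattern), verify(handle, b"1234"))
```

Because the version, secure user ID and flags are mixed into the scrypt input, two users with the same pattern get different signatures even before the salt is taken into account.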

With this new hashing scheme patterns and passwords are treated in the same way, and therefore patterns are no longer easier to bruteforce. That said, with the help of the device_policies.xml file which gives us the length of the pattern and a pre-computed pattern table, one can drastically reduce the number of patterns to try, as most users are likely to use 4-6 step patterns (about 35,000 total combinations).
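To put numbers on the pattern keyspace, the following added example (not code from the original post) counts the valid patterns of each length on the 3×3 grid. It assumes the usual rule that a stroke may pass over a point only when that point is already part of the pattern; the function names are illustrative.

```python
from functools import lru_cache

# Point indices as in the post: 0 is top left, 8 is bottom right.
# MIDPOINT[(a, b)] is the point lying exactly between a and b on a straight line.
MIDPOINT = {}
for a in range(9):
    for b in range(9):
        ar, ac, br, bc = a // 3, a % 3, b // 3, b % 3
        if a != b and (ar + br) % 2 == 0 and (ac + bc) % 2 == 0:
            MIDPOINT[(a, b)] = ((ar + br) // 2) * 3 + (ac + bc) // 2

@lru_cache(maxsize=None)
def count_from(last, visited, remaining):
    """Number of ways to extend a pattern ending at `last` by `remaining` points."""
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if visited & (1 << nxt):
            continue  # each point can be used only once
        mid = MIDPOINT.get((last, nxt))
        if mid is not None and not visited & (1 << mid):
            continue  # assumed rule: no jumping over a point that is not yet used
        total += count_from(nxt, visited | (1 << nxt), remaining - 1)
    return total

def patterns_of_length(n):
    """Valid patterns made of exactly n points, over all starting points."""
    return sum(count_from(start, 1 << start, n - 1) for start in range(9))

def keyspace(min_len=4, max_len=9):
    return {n: patterns_of_length(n) for n in range(min_len, max_len + 1)}

if __name__ == "__main__":
    ks = keyspace()
    for n, count in ks.items():
        print("%d points: %d" % (n, count))
    print("4-6 points:", sum(ks[n] for n in (4, 5, 6)))
    print("all valid patterns:", sum(ks.values()))
    print("nine-digit PIN keyspace for comparison:", 10 ** 9)
```

The 4-6 point total is what the "about 35,000" figure above refers to, and the total over all lengths shows how far a pattern falls short of a nine-digit PIN.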

Because Android M's password hashing scheme doesn't directly use the plaintext password when calculating the scrypt value, optimized password recovery tools such as hashcat or JtR cannot be used directly to evaluate bruteforce cost. It is however fairly easy to build our own tool in order to check how a simple PIN holds against a brute force attack, assuming both the device_policies.xml and gatekeeper.password.key files have been obtained. As can be seen below, a simple Python script that tries all PINs from 0000 to 9999 in order takes about 10 minutes, when run on the same hardware as our previous JtR example (a 6-digit PIN would take about 17 hours with the same program). Compare this to less than a second for bruteforcing a 6-digit PIN for Android 5.1 (and earlier), and it is pretty obvious that the new hashing scheme Android M introduces greatly improves password storage security, even for simple PINs. Of course, as we mentioned earlier, the gatekeeper daemon is part of Android's HAL, so vendors are free to employ even more (or less...) secure gatekeeper implementations.

$ time ./m-pass-hash.py gatekeeper.password.key 4
Trying 0000...
Trying 0001...
Trying 0002...

...
Trying 9997...
Trying 9998...
Trying 9999...
Found PIN: 9999

real    9m46.118s
user    9m6.804s
sys     0m39.107s

Framework API

Android M is still in preview, so framework APIs are hardly stable, but we'll show the gatekeeper's AIDL interface for completeness. In the current preview release it is called IGateKeeperService and looks like this:

interface android.service.gatekeeper.IGateKeeperService {

    void clearSecureUserId(int uid);

    byte[] enroll(int uid, byte[] currentPasswordHandle,
                  byte[] currentPassword, byte[] desiredPassword);

    long getSecureUserId(int uid);

    boolean verify(int uid, byte[] enrolledPasswordHandle, byte[] providedPassword);

    byte[] verifyChallenge(int uid, long challenge,
                           byte[] enrolledPasswordHandle, byte[] providedPassword);
}

As you can see, the interface provides methods for generating/getting and clearing the secure user ID for a particular user, as well as the enroll(), verify() and verifyChallenge() methods whose parameters closely match the lower level HAL interface. To verify that there is a live service that implements this interface, we can try to call the getSecureUserId() method using the service command line utility like so:

$ service call android.service.gatekeeper.IGateKeeperService 4 i32 0
Result: Parcel(00000000 ee555c25 ea679e08  '....%\U...g.')

This returns a Binder Parcel with the primary user's (user ID 0) secure user ID, which matches the value stored in /data/misc/gatekeeper/0 shown below (stored in network byte order).

# od -tx1 /data/misc/gatekeeper/0
37777776644 25 5c 55 ee 08 9e 67 ea
37777776644

The actual storage of password hashes (handles) is carried out by the LockSettingsService (interface ILockSettings), as in previous versions. The service has been extended to support the new gatekeeper password handle format, as well as to migrate legacy hashes to the new format. It is easy to verify this by calling the checkPassword(String password, int userId) method which returns true if the password matches:

# service call lock_settings 11 s16 1234 i32 0
Result: Parcel(00000000 00000000   '........')
# service call lock_settings 11 s16 9999 i32 0
Result: Parcel(00000000 00000001   '........')

Summary

Android M introduces a new system service -- gatekeeper, which is responsible for converting plain text passwords to opaque binary blobs (called password handles) which can be safely stored on disk. The gatekeeper is part of Android's HAL, so it can be modified to take advantage of the device's native security features, such as secure storage or TEE, without modifying the core platform. The default implementation shipped with the current Android M preview release uses scrypt to hash unlock patterns, PINs or passwords, and provides much better protection against bruteforcing than the previously used single-round MD5 and SHA-1 hashes.