In iOS 8, Apple has expanded the orbit of information encryption together with straightaway mixes inwards the user's passcode amongst an unextractable hardware UID when deriving an encryption key, making it harder to extract information from iOS 8 devices. This has been somewhat of a hot topic lately, amongst opinions ranging from praise for Apple's novel focus on serious security, to demands for "golden keys" to mobile devices to live magically conjured up. Naturally, the fighting has spread to other OS's, together with Google has announced that the upcoming Android L unloose volition also receive got disk encryption look for patterns inwards the ext4 superblock inwards social club to confirm whether the tried passphrase is correct.
The Android FDE input for hashcat includes the salt, encrypted original fundamental together with the showtime iii sectors of the encrypted partitioning (which incorporate a re-create of the 1024-byte ext4 superblock). The hashcat input file powerfulness facial expression similar this (taken from the hashcat example hash):
On a device that uses a six-digit lockscreen PIN, the PIN, together with consequently the FDE original fundamental tin live recovered amongst the next command:
Even when run on the GPU of a mobile figurer (NVIDIA GeForce 730M), hashcat tin range to a greater extent than than 20,000 PBKDF2 hashes per second, together with recovering a 6 digit PIN takes less than 10 seconds. On the same hardware, a 6-letter (lowercase only) password takes virtually four hours.
As y'all tin see, bruteforcing a elementary PIN or password is real much feasible, so choosing a rigid lockscreen password is vital. Lockscreen password strength tin live enforced past times installing a shell or a dedicated application. CyanogenMod xi supports setting a dedicated disk encryption password out of the box, together with 1 tin live laid via organisation Settings, every bit shown below.
The Android FDE input for hashcat includes the salt, encrypted original fundamental together with the showtime iii sectors of the encrypted partitioning (which incorporate a re-create of the 1024-byte ext4 superblock). The hashcat input file powerfulness facial expression similar this (taken from the hashcat example hash):
$fde$16$ca56e82e7b5a9c2fc1e3b5a7d671c2f9$16$7c124af19ac913be0fc137b75a34b20d$eac806ae7277c8d4...
On a device that uses a six-digit lockscreen PIN, the PIN, together with consequently the FDE original fundamental tin live recovered amongst the next command:
$ cudaHashcat64 -m 8800 -a iii android43fde.txt ?d?d?d?d?d?d ... Session.Name...: cudaHashcat Status.........: Cracked Input.Mode.....: Mask (?d?d?d?d?d?d) [6] Hash.Target....: $fde$16$aca5f840... Hash.Type......: Android FDE Time.Started...: Dominicus October 05 19:06:23 2014 (6 secs) Speed.GPU.#1...: 20629 H/s Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts Progress.......: 122880/1000000 (12.29%) Skipped........: 0/122880 (0.00%) Rejected.......: 0/122880 (0.00%) HWMon.GPU.#1...: 0% Util, 48c Temp, N/A Fan Started: Dominicus October 05 19:06:23 2014 Stopped: Dominicus October 05 19:06:33 2014
Even when run on the GPU of a mobile figurer (NVIDIA GeForce 730M), hashcat tin range to a greater extent than than 20,000 PBKDF2 hashes per second, together with recovering a 6 digit PIN takes less than 10 seconds. On the same hardware, a 6-letter (lowercase only) password takes virtually four hours.
As y'all tin see, bruteforcing a elementary PIN or password is real much feasible, so choosing a rigid lockscreen password is vital. Lockscreen password strength tin live enforced past times installing a shell or a dedicated application. CyanogenMod xi supports setting a dedicated disk encryption password out of the box, together with 1 tin live laid via organisation Settings, every bit shown below.
Android 4.4
Android 4.4 adds several improvements to disk encryption, but the most of import 1 is replacing the PBKDF2 fundamental derivation purpose (KDF) amongst scrypt. scrypt has been specifically designed to live difficult to crevice on GPUs past times requiring a large (and configurable) amount of memory. Because GPUs receive got a express amount of memory, executing multiple scrypt tasks inwards parallel is no longer feasible, together with therefore keen scrypt is much slower than PBKDF2 (or similar hash-based KDFs). As percentage of the upgrade procedure to 4.4, Android automatically updates the crypto footer to utilization scrypt together with re-encrypts the original key. Thus every device running Android 4.4 (devices using a vendor-proprietary FDE scheme excluded) should receive got its FDE original fundamental protected using an scrypt-derived key.
The Android 4.4 crypto footer looks similar this (version 1.2):
The Android 4.4 crypto footer looks similar this (version 1.2):
struct crypt_mnt_ftr { __le32 magic; __le16 major_version; __le16 minor_version; __le32 ftr_size; __le32 flags; __le32 keysize; __le32 spare1; __le64 fs_size; __le32 failed_decrypt_count; unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; __le32 spare2; unsigned char master_key[MAX_KEY_LEN]; unsigned char salt[SALT_LEN]; __le64 persist_data_offset[2]; __le32 persist_data_size; __le8 kdf_type; /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */ __le8 N_factor; /* (1 << N) */ __le8 r_factor; /* (1 << r) */ __le8 p_factor; /* (1 << p) */ }; As y'all tin see, the footer straightaway includes an explicit
kdf_type which specifies the KDF used to derive the original fundamental KEK. The values of the scrypt initialization parameters (N, r together with p) are also included. The original fundamental size (128-bit) together with disk sector encryption trend (aes-cbc-essiv:sha256) are the same every bit inwards 4.3.Bruteforcing the original fundamental straightaway requires parsing the crypto footer, initializing scrypt together with generating all target PIN or password combinations. As the 1.2 crypto footer nevertheless does non include a original fundamental checksum, checking whether the tried PIN or password is right 1 time again requires looking for known plaintext inwards the ext4 superblock.
While hashcat does back upwards scrypt since version 1.30, it is non much to a greater extent than efficient (and inwards fact tin live slower) than running scrypt on a CPU. Additionally, the Android 4.4 crypto footer format is non supported, so hashcat cannot live used to recover Android 4.4 disk encryption passphrases every bit is.
Instead, the Santoku Linux FDE bruteforcer Python script tin live extended to back upwards the 1.2 crypto footer format together with the scrypt KDF. H5N1 sample (and non especially efficient) implementation tin live flora here. It powerfulness gain the next output when run on a 3.50GHz Intel Core i7 CPU:
$ fourth dimension python bruteforce_stdcrypto.py header footer four Android FDE crypto footer ------------------------- Magic : 0xD0B5B1C4 Major Version : 1 Minor Version : 2 Footer Size : 192 bytes Flags : 0x00000000 Key Size : 128 bits Failed Decrypts: 0 Crypto Type : aes-cbc-essiv:sha256 Encrypted Key : 0x66C446E04854202F9F43D69878929C4A Salt : 0x3AB4FA74A1D6E87FAFFB74D4BC2D4013 KDF : scrypt N_factor : fifteen (N=32768) r_factor : iii (r=8) p_factor : 1 (p=2) ------------------------- Trying to Bruteforce Password... delight hold back Trying: 0000 Trying: 0001 Trying: 0002 Trying: 0003 ... Trying: 1230 Trying: 1231 Trying: 1232 Trying: 1233 Trying: 1234 Found PIN!: 1234 existent 4m43.985s user 4m34.156s sys 0m9.759s
As y'all tin see, trying 1200 PIN combinations requires almost v minutes, so recovering a elementary PIN is no longer instantaneous. That said, keen a brusque PIN or password is nevertheless real much feasible, so choosing a rigid locksreen password (or a dedicated disk encryption password, when possible) is nevertheless real important.
Android L
H5N1 preview unloose of the upcoming Android version (referred to every bit 'L') has been available for several months now, so nosotros tin divulge roughly of expected changes to disk encryption. If nosotros run the crypto footer obtained from an encrypted Android L device through the script introduced inwards the previous section, nosotros may teach the next output:
As y'all tin encounter above, the crypto footer version has been upped to 1.3, but the disk encryption null trend together with fundamental size receive got non changed. However, version 1.3 uses a new, unknown KDF specified amongst the constant iii (1 is PBKDF2, 2 is scrypt). Additionally, encrypting a device no longer requires setting a lockscreen PIN or password, which suggests that the original fundamental KEK is no longer straight derived from the lockscreen password. Starting the encryption procedure produces the next logcat output:
As discussed inwards a previous post, 'QSEE' stands for keymaster HAL module has been extended to shop the disk encryption fundamental KEK inwards hardware-backed storage (Cf. 'Using scrypt amongst keymaster for cryptfs KDF' inwards the log above). The log also mentions scrypt, so it is possible that the lockscreen password (if present) along amongst roughly fundamental (or seed) stored inwards the TEE are fed to the KDF to gain the concluding original fundamental KEK. However, since no rootage code is currently available, nosotros cannot confirm this. That said, setting an unlock pattern on an encrypted Android L device produces the next output, which suggests that the pattern is indeed used when generating the encryption key:
As y'all tin live encounter inwards the listing above, the
$ ./bruteforce_stdcrypto.py header L_footer four Android FDE crypto footer ------------------------- Magic : 0xD0B5B1C4 Major Version : 1 Minor Version : iii Footer Size : 2288 bytes Flags : 0x00000000 Key Size : 128 bits Failed Decrypts: 0 Crypto Type : aes-cbc-essiv:sha256 Encrypted Key : 0x825F3F10675C6F8B7A6F425599D9ECD7 Salt : 0x0B9C7E8EA34417ED7425C3A3CFD2E928 KDF : unknown (3) N_factor : fifteen (N=32768) r_factor : iii (r=8) p_factor : 1 (p=2) ------------------------- ...
As y'all tin encounter above, the crypto footer version has been upped to 1.3, but the disk encryption null trend together with fundamental size receive got non changed. However, version 1.3 uses a new, unknown KDF specified amongst the constant iii (1 is PBKDF2, 2 is scrypt). Additionally, encrypting a device no longer requires setting a lockscreen PIN or password, which suggests that the original fundamental KEK is no longer straight derived from the lockscreen password. Starting the encryption procedure produces the next logcat output:
D/QSEECOMAPI: ( 178): QSEECom_start_app sb_length = 0x2000 D/QSEECOMAPI: ( 178): App is already loaded QSEE together with app id = 1 D/QSEECOMAPI: ( 178): QSEECom_shutdown_app D/QSEECOMAPI: ( 178): QSEECom_shutdown_app, app_id = 1 ... I/Cryptfs ( 178): Using scrypt amongst keymaster for cryptfs KDF D/QSEECOMAPI: ( 178): QSEECom_start_app sb_length = 0x2000 D/QSEECOMAPI: ( 178): App is already loaded QSEE together with app id = 1 D/QSEECOMAPI: ( 178): QSEECom_shutdown_app D/QSEECOMAPI: ( 178): QSEECom_shutdown_app, app_id = 1
As discussed inwards a previous post, 'QSEE' stands for keymaster HAL module has been extended to shop the disk encryption fundamental KEK inwards hardware-backed storage (Cf. 'Using scrypt amongst keymaster for cryptfs KDF' inwards the log above). The log also mentions scrypt, so it is possible that the lockscreen password (if present) along amongst roughly fundamental (or seed) stored inwards the TEE are fed to the KDF to gain the concluding original fundamental KEK. However, since no rootage code is currently available, nosotros cannot confirm this. That said, setting an unlock pattern on an encrypted Android L device produces the next output, which suggests that the pattern is indeed used when generating the encryption key:
D/VoldCmdListener( 173): cryptfs changepw pattern {} D/QSEECOMAPI: ( 173): QSEECom_start_app sb_length = 0x2000 D/QSEECOMAPI: ( 173): App is already loaded QSEE together with app id = 1 ... D/QSEECOMAPI: ( 173): QSEECom_shutdown_app D/QSEECOMAPI: ( 173): QSEECom_shutdown_app, app_id = 1 I/Cryptfs ( 173): Using scrypt amongst keymaster for cryptfs KDF D/QSEECOMAPI: ( 173): QSEECom_start_app sb_length = 0x2000 D/QSEECOMAPI: ( 173): App is already loaded QSEE together with app id = 1 D/QSEECOMAPI: ( 173): QSEECom_shutdown_app D/QSEECOMAPI: ( 173): QSEECom_shutdown_app, app_id = 1 E/VoldConnector( 756): NDC Command {5 cryptfs changepw pattern [scrubbed]} took every bit good long (6210ms) As y'all tin live encounter inwards the listing above, the
cryptfs changepw command, which is used to ship instructions to Android's vold daemon, has been extended to back upwards a pattern, inwards improver to the previously supported PIN/password. Additionally, the amount of fourth dimension the password alter takes (6 seconds) suggests that the KDF (scrypt) is indeed existence executed to generate a novel encryption key. Once we've laid a lockscreen unlock pattern, booting the device straightaway requires entering the pattern, every bit tin live seen inwards the screenshot below. Another subtle alter introduced inwards Android L, is that when booting an encrypted device the lockscreen pattern, PIN or password needs to live entered entirely 1 time (at kick time), together with non twice (once to a greater extent than on the lockscreen, afterwards Android boots) every bit it was inwards previous versions. While no definitive details are available, it is fairly for certain that (at to the lowest degree on high-end devices), Android's disk encryption key(s) volition receive got roughly hardware protection inwards Android L. Assuming that the implementation is similar to that of the hardware-backed credential store, disk encryption keys should live encrypted past times an unextractable fundamental encryption fundamental stored inwards the SoC, so obtaining a re-create of the crypto footer together with the encrypted userdata partition, together with bruteforcing the lockscreen passphrase should no longer live sufficient to decrypt disk contents. Disk encryption inwards the Android L preview (at to the lowest degree on a Nexus seven 2013) feels significantly faster (encrypting the 16GB information partitioning takes virtually 10 minutes), so it is most belike hardware-accelerated every bit good (or the initial encryption is entirely encrypting disk blocks that are truly inwards use, together with non every unmarried block every bit inwards previous versions). However, it remains to live seen whether high-end Android L devices volition include a dedicated crypto co-processor akin to Apple's 'Secure Enclave'. While the electrical flow TrustZone-based fundamental protection is much ameliorate than the software entirely implementation flora inwards previous versions, a flaw inwards the secure TEE OS or whatever of the trusted TEE applications could Pb to extracting hardware-protected keys or otherwise compromising the integrity of the system.
Update 2014/11/4: The official documentation virtually disk encryption has been updated, including details virtually KEK protection. Quote:
Update 2014/11/4: The official documentation virtually disk encryption has been updated, including details virtually KEK protection. Quote:
The encrypted fundamental is stored inwards the crypto metadata. Hardware backing is implemented past times using Trusted Execution Environment’s (TEE) signing capability. Previously, nosotros encrypted the original fundamental amongst a fundamental generated past times applying scrypt to the user's password together with the stored salt. In social club to brand the fundamental resilient against off-box attacks, nosotros extend this algorithm past times signing the resultant fundamental amongst a stored TEE key. The resultant signature is so turned into an appropriate length fundamental past times 1 to a greater extent than application of scrypt. This fundamental is so used to encrypt together with decrypt the original key. To shop this key:
Here's a diagram that visualizes this process:
- Generate random 16-byte disk encryption fundamental (DEK) together with 16-byte salt.
- Apply scrypt to the user password together with the tabular array salt to gain 32-byte intermediate fundamental 1 (IK1).
- Pad IK1 amongst null bytes to the size of the hardware-bound person fundamental (HBK). Specifically, nosotros pad as: 00 || IK1 || 00..00; 1 null byte, 32 IK1 bytes, 223 null bytes.
- Sign padded IK1 amongst HBK to gain 256-byte IK2.
- Apply scrypt to IK2 together with tabular array salt (same tabular array salt every bit pace 2) to gain 32-byte IK3.
- Use the showtime xvi bytes of IK3 every bit KEK together with the lastly xvi bytes every bit IV.
- Encrypt DEK amongst AES_CBC, amongst fundamental KEK, together with initialization vector IV.
Summary
Android has included total disk encryption (FDE) back upwards since version 3.0, but versions prior to 4.4 used a fairly piece of cake to bruteforce fundamental derivation purpose (PBKDF2 amongst 2000 iterations). Additionally, because the disk encryption password is the same every bit the lockscreen one, most users tend to utilization elementary PINs or passwords (unless a device administrator enforces password complexity rules), which farther facilitates bruteforcing. Android 4.4 replaced the disk encryption KDF amongst scrypt, which is much harder to crevice together with cannot live implemented efficiently on off-the-shelf GPU hardware. In improver to enabling FDE out of the box, Android L is expected to include hardware protection for disk encryption keys, every bit good every bit hardware acceleration for encrypted disk access. These 2 features should brand FDE on Android both to a greater extent than secure together with much faster.
[Note that the give-and-take inwards this post is based on "stock Android" every bit released past times Google (references rootage code is from AOSP). Some device vendors implement slightly unlike encryption schemes, together with hardware-backed fundamental storage and/or hardware acceleration are already available via vendor extensions on roughly high-end devices.]
[Note that the give-and-take inwards this post is based on "stock Android" every bit released past times Google (references rootage code is from AOSP). Some device vendors implement slightly unlike encryption schemes, together with hardware-backed fundamental storage and/or hardware acceleration are already available via vendor extensions on roughly high-end devices.]
1 Komentar untuk "Droidcedas : Revisiting Android Disk Encryption"
Stop copying others material as is
Actual blog:
https://nelenkov.blogspot.com/2014/10/revisiting-android-disk-encryption.html