Our last post showed how to use a contactless smart card to sign email on Android. While storing cryptographic keys used with PKI or PGP is one of the primary use cases for smart cards, other uses are gaining popularity as well. Additionally, the traditional 'card' format has evolved and there are different devices that embed a secure element (basically, the smart card chip) and make its functionality available without requiring a bulky card reader. One popular and affordable device that embeds a secure element is the YubiKey Neo from Yubico. In this post we'll show how you can use the YubiKey Neo to unlock your Android device over NFC.
One-time passwords
Before we discuss how the YubiKey NEO can be used to unlock an Android device, let's say a few words about OTPs. As the name implies, one-time passwords are passwords that are valid for a single login or transaction. OTPs can be generated based on an algorithm that derives each next password from the previous one, or by using some form of challenge-response mechanism. Another approach is to use a shared secret, called a seed, along with some dynamic value such as a counter or a value derived from the current time. While OTP generation based on a shared seed is usually fairly easy to implement, the dynamic values at the OTP token (called a prover) and the verifier (authentication server) can get out of sync, and validation algorithms need to account for that.
Many OTP schemes are proprietary and incompatible with each other. Fortunately, widely adopted open standards exist as well, most notably the HMAC-based One Time Password (HOTP) algorithm developed by the Initiative for Open Authentication (OATH). HOTP uses a secret key and a counter as input to the HMAC-SHA1 message authentication code (MAC) algorithm, truncates the calculated MAC value and converts it to a human readable code, usually a 6-digit number. A later variation is the TOTP (Time-Based One-Time Password) algorithm, which substitutes the counter with a value derived from the current Unix time (i.e., the number of seconds since midnight of January 1, 1970 UTC). The derived value T is calculated using an initial time T0 and a step X as follows:

T = (Current Unix time - T0) / X

Each generated OTP is valid for X seconds, by default 30. TOTP is used by Google Authenticator and the Yubico OATH applet which we will use in our demo.
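The HOTP and TOTP computation described above, as an added example in Python (not code from this post, from Yubico or from Google Authenticator): RFC 4226 HOTP, RFC 6238 TOTP with the T = (now - T0) / X step, a decoder for the base32 seed carried in the Google Authenticator URI format mentioned later in the post, and a verifier-side check that tolerates one step of clock skew between the prover and the verifier.

```python
import base64
import hashlib
import hmac
import struct

# Added example (not code from the post or from Yubico): RFC 4226 HOTP and
# RFC 6238 TOTP, the algorithms used by the Yubico OATH applet and
# Google Authenticator.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits (RFC 4226)."""
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian integer
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_step(now: int, t0: int = 0, x: int = 30) -> int:
    """T = (Current Unix time - T0) / X, with integer division."""
    return (now - t0) // x


def totp(key: bytes, now: int, t0: int = 0, x: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the time step T in place of the counter."""
    return hotp(key, totp_step(now, t0, x), digits)


def seed_from_base32(secret: str) -> bytes:
    """Decode a Google Authenticator style base32 seed (the 'secret' parameter
    of an otpauth:// URI); tolerates lowercase, spaces and omitted padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, candidate: str, now: int, window: int = 1,
                x: int = 30, digits: int = 6) -> bool:
    """Verifier-side check. Token and verifier clocks drift, so accept the
    code of the current step or of any step within +/- window steps.
    hmac.compare_digest keeps each comparison constant-time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    step = totp_step(now, 0, x)
    matched = False
    for delta in range(-window, window + 1):
        if step + delta < 0:  # no steps before the epoch
            continue
        # check every step in the window so timing does not reveal which matched
        if hmac.compare_digest(hotp(key, step + delta, digits), candidate):
            matched = True
    return matched


if __name__ == "__main__":
    # constructed input: the RFC 4226 / RFC 6238 reference seed, base32-encoded
    key = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(key, 0), totp(key, 59, digits=8), verify_totp(key, "287082", 59))
```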
YubiKey Neo

The original YubiKey (now called YubiKey Standard) was an innovative token for two-factor authentication (2FA). It has a USB interface and presents itself as a USB keyboard when plugged in, and thus does not require any special drivers to use. It has a single capacitive button that outputs an OTP when pressed. Because the device functions as a keyboard, the OTP can be automatically entered in any text field of a desktop or Web application, or even a terminal window, requiring very little modification to existing applications. The OTP is generated using a 128-bit key stored inside the device, either using Yubico's OTP algorithm or the HOTP algorithm.
The YubiKey Neo retains the form factor of the original YubiKey, but adds an important new component: a secure element (SE), accessible both via USB and over NFC. The SE offers a JavaCard 3.0/JCOP 2.4.2-compatible execution environment, an ISO 14443A NFC interface, Mifare Classic emulation and an NDEF applet for interaction with YubiKey functionality. When plugged into a USB port, depending on its configuration, the Neo presents itself either as a keyboard (HID device), a standard CCID smart card reader, or both when in composite mode. As the SE is fully compatible with JavaCard and GlobalPlatform standards, additional applets can be loaded with standard tools. Recent batches ship with pre-installed OATH, PGP and PIV applets, and the code for both the OATH and PGP applets is available. Yubico provides a Google Authenticator compatible Android application, Yubico Authenticator, that allows you to store the keys used to generate OTPs on the Neo. This ensures that neither attackers who have physical access to your Android device, nor applications with root access, can extract your OTP keys.
The Android lockscreen
Before we can figure out how to unlock an Android device using an OTP we need to understand how the lockscreen works. The lockscreen is formally known as the keyguard and is implemented much like regular Android applications: with widgets laid out on a window. What makes it special is that its window lives on a very high window layer that other applications cannot draw on top of or get control over. Additionally, the keyguard intercepts the normal navigation buttons, making it impossible to bypass and thus 'locking' the device. The keyguard window layer is not the highest layer however: dialogs originating from the keyguard itself, as well as the status bar, can be drawn over the keyguard. You can see a list of the currently shown windows using the Hierarchy Viewer tool available with the ADT. When the screen is locked the active window is the Keyguard window, as shown in the screenshot below.
Before Android 4.0, it was possible for third-party applications to show windows in the keyguard layer, and this approach was often used in order to intercept the Home button and implement 'kiosk' style applications. Since Android 4.0 however, adding windows to the keyguard layer requires the
INTERNAL_SYSTEM_WINDOW signature permission, which is available only to system applications.

For a long time the keyguard was an implementation detail of Android's window system and was not separated into a dedicated component. With the introduction of lockscreen widgets, dreams (i.e., screensavers) and support for multiple users, the keyguard gained quite a lot of functionality and was eventually extracted into a dedicated system application, Keyguard, in Android 4.4. The Keyguard app lives in the com.android.systemui process, along with the core Android UI implementation. Most importantly for our purposes, the Keyguard app includes a service with a remote interface, IKeyguardService. This service allows its clients to check the current state of the keyguard, set the current user, launch the camera and hide or disable the keyguard. As can be expected, operations that change the state of the keyguard are protected by a system signature permission, CONTROL_KEYGUARD.

Unlocking the keyguard
Stock Android provides 3 main methods to unlock the keyguard: by drawing a pattern, by entering a PIN or password, or by using image recognition, aka Face Unlock, also referred to as 'weak biometric'. The pattern, PIN and passphrase methods are essentially equivalent: they compare the hash of the user input to a hash stored on the device and unlock it if the values match. The hash for the pattern lock is stored in
/data/system/gesture.key as an unsalted SHA-1 value. The hash of the PIN/password is a combination of the SHA-1 and MD5 hash values of the user input, salted with a random value. It is stored in the /data/misc/password.key file. The Face Unlock implementation is proprietary and no details are available about the format of the stored data. Normally not visible to the user are the Google account password unlock method (used when the device is locked after too many incorrect unlock attempts) and the unlock method that uses the PIN or PUK of the SIM card. The Google unlock method uses the proprietary Google Login Service to verify the entered password, and the PIN/PUK method simply sends commands to the SIM card via the RIL interface.

As you can see, all unlock methods are based on a fixed PIN, password or pattern. Except in the case of a long and complex password, which is rather difficult to input on a touchscreen keyboard, all unlock secrets usually have low entropy and can easily be guessed or brute-forced. Android partially protects against such attacks by permanently locking the device after too many unsuccessful attempts. Additionally, security policies introduced by a device administrator application can enforce PIN/password complexity rules and even wipe the device after too many unsuccessful attempts.

One approach to improve the security of the keyguard is to use an OTP in order to unlock the device. While this is not directly supported by Android, it can be implemented on production devices by using a device administrator application that periodically changes the unlock PIN or password using the DevicePolicyManager API. One such application is TimePIN (which this post was in part inspired by), which sets the unlock password based on the current time. TimePIN allows you to set different modifiers that are applied when calculating the current PIN. Modifiers can be stacked, so the transformation can get complex, but still easy to remember. A secret component, called an offset, can be mixed in for added security.

Unlocking via NFC
Authentication methods are usually based on something you know, something only you have, or a combination of the two (two-factor authentication, 2FA). The pattern and PIN/password unlock methods are based on something you know, and Face Unlock can be thought of as based on something you have (your face or a really good picture). However, Face Unlock allows for a fallback to PIN or password when it cannot detect a face, so it can still be unlocked by something you know.
An alternative way to use something you have to unlock the device is to use an NFC tag. This is not supported by stock Android, but is implemented in some devices, for example the Motorola X (marketed as Motorola Skip). While the Motorola Skip is a proprietary solution and no implementation details are available, apps that offer similar functionality such as NFC LockScreenOff Enabler compare the UID of the read tag to a list of stored values and unlock the device if the UID is in the list. While this is fairly secure as the UID of most NFC tags is read-only, cards that allow for UID modification are available, and a programmable NFC card emulator can emit any UID.
One problem with implementing NFC unlock is that by default Android does not scan for NFC devices when the screen is turned off or locked. This is intended as a security measure, because if the device reads NFC tags while the screen is off, vulnerabilities can be triggered without physical access to the device or the owner noticing, as has been demonstrated. NFC LockScreenOff Enabler and similar applications can get around this limitation when running on rooted devices by installing hooks into system methods, thus allowing the NFC system service configuration to be modified at runtime.
Unlocking using the YubiKey Neo
As we mentioned in the 'YubiKey Neo' section, Yubico provides both a JavaCard applet and a companion Android app that together implement TOTP compatible with Google Authenticator. The Yubico Authenticator app is initialized just like its Google counterpart -- either manually or by scanning a QR code. The difference is that the Yubico Authenticator saves the OTP seed on the device only temporarily, and once it's written to the Neo, deletes it. To display the current OTP, you need to tap the Neo while the app is active, and tap it once more after the OTPs expire. If you don't want to enter keys and accounts manually you can use a QR code generator such as the one provided by the ZXing project to generate a URI that includes an account name and seed. The URI format is available on the Google Authenticator Wiki.
While unlocking the keyguard certainly doesn't need the full functionality of the Google Authenticator app, displaying the current OTP is useful for debugging and initializing with a QR code is quite convenient. That's why for our demo we will only modify the Authenticator app slightly, instead of writing another OTP source. As we need to provide the OTP to the system NFC service, which runs in a different process, we add a remote AIDL service with a single method that returns the current OTP:
```aidl
interface IRemoteOtpSource {
    String getNextCode(String accountName);
}
```
The NFC service can then bind to the OTP service that implements this interface and retrieve the current OTP. Of course, providing the OTP to everyone is not a great idea, so we protect the service with a signature permission that can only be granted to system apps, by signing our RemoteAuthenticator app with the platform certificate:
```xml
<manifest ...>
    ...
    <!-- signature-level permission: only apps signed with the same (platform) key can hold it -->
    <permission
        android:name="com.google.android.apps.remoteauthenticator.GET_OTP_CODE"
        android:protectionLevel="signature" />
    ...
    <application ...>
        ...
        <!-- the exported OTP service is reachable only by holders of GET_OTP_CODE -->
        <service
            android:enabled="true"
            android:exported="true"
            android:name="com.google.android.apps.authenticator.OtpService"
            android:permission="com.google.android.apps.remoteauthenticator.GET_OTP_CODE">
        </service>
    </application>
</manifest>
```
The full source code of the RemoteAuthenticator app is available on Github. Once installed, the app needs to be initialized with the same key and account name as the OATH applet on the YubiKey Neo. Our sample NFC unlock implementation looks for an account named 'lockscreen' when it detects the OATH applet. The interface of the modified app is identical to that of Google Authenticator:
Before we can use an NFC tag to unlock the keyguard, we need to make sure the system NFC service can detect NFC tags even when the keyguard is locked. As we mentioned earlier, that is not the case in stock Android, so we change the default polling mode from SCREEN_STATE_ON_UNLOCKED to SCREEN_STATE_ON_LOCKED in NfcService.java:

```java
package com.android.nfc;
...
public class NfcService implements DeviceHostListener {
    ...
    /** minimum screen state that enables NFC polling (discovery) */
    static final int POLLING_MODE = SCREEN_STATE_ON_LOCKED;
    ...
}
```
With this done, we can hook into the NFC service tag dispatch sequence and, borrowing some code from the Yubico Authenticator app, check whether the scanned tag includes an OATH applet. If so, we read out the current OTP and compare it with the OTP returned by the RemoteAuthenticator app installed on the device. If the OTPs match, we dismiss the keyguard and let the dispatch continue. If the tag doesn't contain an OTP applet, or the OTPs don't match, we do not dispatch the tag. To unlock the keyguard we simply call the keyguardDone() method of the system KeyguardService. The unlock process might look something like this:

Full source code for the modified NFC service is available on Github (in the 'otp-unlock' branch). Note that while this demo implementation handles basic error cases like OATH applet not found or connection with tag lost, it is not particularly robust. It only tries to connect to the remote services once, and if either of them is unavailable, NFC unlock is disabled altogether. It doesn't provide any visual indication that NFC unlock is happening either; the keyguard simply disappears, as seen in the video above. Another missing piece is multi-user support: in order to support multiple users, the code needs to look for the current user's account on the NFC device, and not for a hardcoded name. Finally, the NFC unlock as currently implemented is not a full unlock method: it cannot be selected in the Screen security settings, but only supplements the currently selected unlock method.
Summary
As of Android 4.4, the Android keyguard can be queried by third party applications and dismissed by apps that hold the CONTROL_KEYGUARD permission. This makes it easy to implement alternative unlock mechanisms, such as NFC unlock. However, NFC tag polling is disabled by default when the screen is locked, so adding an NFC unlock mechanism requires modifying the system NFC service. For added security, NFC unlock methods should rely not only on the UID of the scanned tag, but on some secret information that is securely stored inside the tag. This could be a private key for use in some form of signature-based authentication scheme, or an OTP seed. An easy way to implement OTP-based NFC unlock is to use the Yubico OATH applet, pre-installed on the YubiKey Neo, along with a modified Google Authenticator app that offers a remote interface to read the current OTP.