Android KeyStore Encryption Scheme Broken (threatpost.com) 58
Reader msm1267 writes: The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.>In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.
KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device. Mohamed Sabt and Jacques Traore, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is "non-provably secure," and could have "severe consequences." The two point out in their paper "Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore," that it's the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore that fails to guarantee the integrity of keys.
KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device. Mohamed Sabt and Jacques Traore, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is "non-provably secure," and could have "severe consequences." The two point out in their paper "Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore," that it's the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore that fails to guarantee the integrity of keys.
Qualcomm (Score:4, Informative)
To be clear, the issue is a hardware issue in Qualcomm chipsets rather than with Android itself, although the effect is the same. Samsung has some non-Qualcomm chipsets (Exonos) used on some of their phones and those are apparently not affected.
BULLSHIT (Score:1)
Qualcomm isn't mentioned at all in the fucking paper itself [iacr.org]
Re: BULLSHIT (Score:5, Funny)
Re:Qualcomm (Score:5, Informative)
To be clear, the issue is a hardware issue in Qualcomm chipsets rather than with Android itself
Incorrect. The threatpost author just threw in the comment regarding Qualcomm at the very end of his writeup, it has entirely nothing to do with the cryptographic weakness the researchers from Orange uncovered.
The uncovered flaw is entirely an Android software issue, wherein an attacker with malware or a 0-day priviledged exploit can silently downgrade the strength of certain symmetric keys apps use to store private/encrypted data to cloud storage services. (Thereby allowing the attacker to swiftly break the encryption of data which previously could be efficiently decrypted only via the unmodified secret key located on the users handset)
Re: (Score:2)
OK, thanks for the clarification. So I was confusing this issue with the Qualcomm one, which is also relevant.
The good news is that the Android flaw will likely be patched quickly (for those of us with Nexus phones at least). The hardware flaw from Qualcomm will probably take a bit more time and of course current HW isn't going to get fixed.
Re: (Score:3)
The uncovered flaw is entirely an Android software issue, wherein an attacker with malware or a 0-day priviledged exploit can silently [...]
So... to gain access, they need to already get root access to the device? Sorry to break it to you, but once they got root, it's game over.
For keys managed by the Android/Linux system, that's true, which is why the encryption in question is deprecated and slated for removal. Keys managed in the trusted execution environment are not compromised by rooting, in the sense that the attacker cannot extract the raw key material, and can't direct the TEE to perform any operations with the key that aren't permitted by whatever access controls are enforced in the TEE.
Re:Qualcomm (Score:5, Informative)
To be clear, the issue is a hardware issue in Qualcomm chipsets rather than with Android itself, although the effect is the same. Samsung has some non-Qualcomm chipsets (Exonos) used on some of their phones and those are apparently not affected.
I'm the Google engineer responsible for Keystore.
What you're talking about is a different (and more serious) issue, related to "hardware-backed" keys. The just-published paper is about a weakness in a software-only legacy method that was put in place to provide minimal protection of keys on devices that lacked any reasonable option for device encryption. It's something that I've been meaning to remove completely. It is applied only when apps specifically request it with KeyPairGeneratorSpec.setEncryptionRequired [android.com]. Based on a scan of the Google Play store, almost no apps request it, and it was formally deprecated in Android Marshmallow. Even if it didn't contain an error in its cryptographic construction, it provides very little security, because you have to root the device to get at the encrypted keys, and once you've done that you have all sorts of options to get at the plaintext.
The primary value in the Android Keystore is in hardware-backed keys: Keys that are generated and used only in the Trusted Execution Environment. Because those keys are (barring issues like the aforementioned Qualcomm TEE bug) never available to the Linux kernel or Android system, no break of the system security can enable extraction of the key material, which keeps the keys bound to the device. Moreover, in a major overhaul of Keystore in Marshmallow, Android Keystore gained the ability to enforce various other access controls to the keys; most of this enforcement is also done in the TEE, reducing the ability of an attacker who roots the device to use Keystore as a key oracle.
There is also some value in Android Keystore on devices without a TEE. Specifically, using Keystore keys rather than keys managed directly by the app moves the key material out of the app's process space, which means that any attack which manages to exploit some security defect in the app and gain access to the app's data can't get a copy of the key material. To do that, the attacker has to get root -- and, assuming "setEncryptionRequired" was used, also break this weak and (in the opinion of the Android security team) unnecessary encryption.
So, yeah. This encryption is broken. But it's unnecessary, deprecated and slated for removal anyway, so it doesn't matter. Which is exactly what I told the researcher when he reported the bug.
The Qualcomm TEE bug, on the other hand, is an issue. It's a fixed issue, but there's this old and very hard-to-fix problem that Android devices don't get security patches the way they should. Nexus devices are patched.
Re: (Score:2)
Good news, Thanks!
I recently got the Marshmallow update on my Alcatel phone, so I should be all good.
Re: (Score:2)
Good news, Thanks!
I recently got the Marshmallow update on my Alcatel phone, so I should be all good.
Marshmallow doesn't fix this broken encryption; we just decided in Marshmallow that since this is not useful we should deprecate it.
Re:Qualcomm (Score:5, Insightful)
This friends is the slashdot of old, where you you could get intelligent, in depth information from an engineer close to the source, or an astronomer talking about mods to their statistical analysis packages.
There was always a political echo chamber and a certain level of douchbaggery, but this is what made the site shine. I have been here in various guises since 97 or so.
Thanks again for helping keep this place great.
Re: (Score:1)
J/K. Seriously, thanks swilden.
Re: (Score:2)
swilden, thank you.
This friends is the slashdot of old, where you you could get intelligent, in depth information from an engineer close to the source, or an astronomer talking about mods to their statistical analysis packages.
There was always a political echo chamber and a certain level of douchbaggery, but this is what made the site shine. I have been here in various guises since 97 or so.
Thanks again for helping keep this place great.
Thanks. That is exactly what always made me love slashdot, and it's mostly those memories that keep me around, I think. I'm glad I could contribute in this case.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
They are the same. If you can't prove it's secure, it must be treated as if it were not secure.
Re: (Score:2)
If you can't prove it's secure, it must be treated as if it were not secure.
Emphasis mine. Just because you treat something as if it was non-secure, does not make it non-secure.
Non-provably secure != Provably non-secure.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
The article says they think there is a theoretical flaw, but they don't have a working exploit. It needs fixing, but should be more than strong enough to keep most adversaries below CIA/MI5 level out .
Re: (Score:1)
they don't have a working exploit.
Yes they do. The abstract of the linked paper [iacr.org] states clearly: "we exploit this flaw to define a forgery attack"
Their demo exploit is an app, malware, and could be used by any other user, criminal, three-letter agency capable of such advanced techniques as *getting malware* onto target device. The linked article further expands on this to point with comments from the author, highlighting that anyone with a 0-day or known exploit would be able to degrade KeyStore encryption to crackable levels, without firs
Re: (Score:2)
If some adversary, even a well-heeled one can find it now, it only will get worse. Once the exploit is out, it can be made into something usable by virtually anyone. Stuff like this needs fixed, theory or no, because the Android keystore or iOS's KeyChain guards a lot of sensitive, high-value content.
In simpler terms, please? (Score:4, Insightful)
Would it kill the editors to cut through the BS and give us a blurb under the article that explains this in simpler terms?
It'd be nice to understand what the actual problem is without having to spend an hour looking up the TLAs.
Re:In simpler terms, please? (Score:5, Interesting)
Thank you! (Score:2)
Thank you! You even managed to make the analogy not hyperbolic. You are the hero we deserve today.
Re: (Score:2)
A not so perfect car analogy...
You have a car that accepts a valet key (short key) and a owner key (long key). Both keys open the door and start the engine, but only the owner key opens the glove box. The flaw in this system is that allows for the possibility for some hacker to "forge" a long key that opens the glove box with a different "key" (that is known to the hacker) which has the short key attributes you check all the time (e.g., opens the door and starts the engine), but doesn't actually open the
Huh (Score:2)
I'm unsure how scared I should be. Could someone put this in a car analogy?
Re: (Score:2)
Re: (Score:2)
Re:Huh (Score:4, Informative)
Somebody can replace the locks in your car with new locks that both your keys and their keys will unlock.
OpenSSL? (Score:2)
...KeyStore, which performs key-specific actions through the OpenSSL library...
Or BoringSSL [googlesource.com] ?
Not clear (Score:2)
No,never. (Score:1)
Suprise,suprise,another hole in Google's crud os,and people complain about ms ?
But then Google have to ale sure every device is readable by nsa etc etc,whatever the user has done to try and lock down device...
Do no evil,what a joke.
They should have said,
Never get caught lieing instead.
Why people ever trusted or still do is beyond me.
Like every other firm that came out of that area,their just a bunch of greedy crooks..
"What about my little keister?" (Score:2)
Can't read this without thinking of this - doesn't get more applicable:
http://www.dailymotion.com/vid... [dailymotion.com]
07:26 for the direct reference, but the whole episode was a truly fantastic piece of comedy...