Analysis of Secure Key Storage Solutions on Android

Size: px

Start display at page:

Download "Analysis of Secure Key Storage Solutions on Android"

Deborah Smith
8 years ago
Views:

1 Analysis of Secure Key Storage Solutions on Android Tim Cooijmans, Joeri de Ruiter, Erik Poll Digital Security, Radboud University Nijmegen

2 Mobile payments App to transfer money or pay in a shop Transaction needs to be approved by user Typically done by signing transaction data How can this key be protected? Joeri de Ruiter - Digital Security, Radboud University Nijmegen 2 / 22

signing transaction data How can this key be protected?

3 Secure key storage Secure environment to store keys Symmetric: AES, 3DES Asymmetric: RSA, ECC Cryptographic operations usually performed within secure environment Form of secure computations Joeri de Ruiter - Digital Security, Radboud University Nijmegen 3 / 22

performed within secure environment Form of secure computations

4 Secure key storage on Android Biggest OS for mobile devices Open environment Easy to inspect or make changes More public documentation available Focused on Nexus devices Joeri de Ruiter - Digital Security, Radboud University Nijmegen 4 / 22

public documentation available Focused on Nexus devices

5 Security mechanisms Access control File system Unique user id per app Trusted execution environment (TEE) Complete app in secure world Cryptographic operations in secure world Password-protected storage Stored password User-provided password Joeri de Ruiter - Digital Security, Radboud University Nijmegen 5 / 22

operations in secure world Password-protected storage Stored password

6 TrustZone Technology ARM processor feature Default in processor designs Two execution environments Normal world Secure world Virtualisation Joeri de Ruiter - Digital Security, Radboud University Nijmegen 6 / 22

Normal world Secure world Virtualisation Joeri de

7 Secure key storage solutions: Bouncy Castle Cryptographic library for Java Stripped down for Android Software only Stored password User-provided password Joeri de Ruiter - Digital Security, Radboud University Nijmegen 7 / 22

Android Software only Stored password User-provided

8 Secure key storage solutions: Bouncy Castle Cryptographic library for Java Stripped down for Android Software only Stored password User-provided password Joeri de Ruiter - Digital Security, Radboud University Nijmegen 8 / 22

9 Secure key storage solutions: AndroidKeyStore Available since 4.3 Service running in background No access to key Hardware-based secure storage Qualcomm devices Texas Instruments devices Software-fallback Joeri de Ruiter - Digital Security, Radboud University Nijmegen 9 / 22

secure storage Qualcomm devices Texas Instruments devices

10 Attacker models Malicious app attacker Attacks other apps Root attacker Full access to file system Intercepting root attacker Full access to file system and user input Joeri de Ruiter - Digital Security, Radboud University Nijmegen 10 / 22

attacker Full access to file system and user input Joeri de

11 Security requirements Device-binding Key can only be used on one device App-binding Key can only be used by one app on one device User-consent Key can only be used with explicit consent from user Joeri de Ruiter - Digital Security, Radboud University Nijmegen 11 / 22

User-consent Key can only be used with explicit consent from user

12 Method KeyStorageTest app Check if algorithms are bound to device Generate keys Generate signatures Try to create a valid signature Using another app On another device Without asking for user consent Joeri de Ruiter - Digital Security, Radboud University Nijmegen 12 / 22

Using another app On another device Without asking for user consent

13 Devices Phone Processor Android version TrustZone Nexus 4 Qualcomm Yes Nexus 5 Qualcomm Yes Galaxy Nexus Texas Instruments 4.3 Yes* Nexus S Samsung No Nexus S Samsung No Moto G Qualcomm 4.3 No Moto G Qualcomm Yes * not enabled by default Joeri de Ruiter - Digital Security, Radboud University Nijmegen 13 / 22

14 Bouncy Castle using stored password Password stored in app specific directory Device-binding App-binding User-consent Malicious app Root Intercepting root Joeri de Ruiter - Digital Security, Radboud University Nijmegen 14 / 22

User-consent Malicious app Root Intercepting root Joeri

15 Bouncy Castle using user-provided password Password not stored on device Password need to contain enough entropy Correctness of password can be verified using Bouncy Castle's integrity check Malicious app Root Intercepting root Device-binding * App-binding * User-consent * Joeri de Ruiter - Digital Security, Radboud University Nijmegen 15 / 22

Castle's integrity check Malicious app Root Intercepting root Device-binding *

16 AndroidKeyStore Storage handled by service in Android Two files on filesystem Key parameters and encrypted private key 10101_USRPKEY_TestKeyPair Certificate 10101_USRCERT_TestKeyPair Files can be moved by root user Joeri de Ruiter - Digital Security, Radboud University Nijmegen 16 / 22

10101_USRPKEY_TestKeyPair Certificate 10101_USRCERT_TestKeyPair Files

17 AndroidKeyStore using TEE Qualcomm: Nexus 4 and 5, Moto G Texas Instruments: Galaxy Nexus Trustlet running in TEE for key operations Device specific key File formats different Device-binding App-binding User-consent Malicious app Root Intercepting root Joeri de Ruiter - Digital Security, Radboud University Nijmegen 17 / 22

formats different Device-binding App-binding User-consent Malicious app Root

18 AndroidKeyStore using softwarefallback No encryption if no device PIN/password set Device-binding App-binding User-consent Malicious app Root Intercepting root Encrypted using device PIN/password Malicious app Root Intercepting root Device-binding * App-binding User-consent Joeri de Ruiter - Digital Security, Radboud University Nijmegen 18 / 22

using device PIN/password Malicious app Root Intercepting root Device-binding *

19 Discussion All methods safe against malicious app Bouncy Castle If user-provided password is used app- and device-binding provided AndroidKeyStore No app-binding No posibility for user-consent Possible to create oracle User-consent No control over what is signed Joeri de Ruiter - Digital Security, Radboud University Nijmegen 19 / 22

posibility for user-consent Possible to create oracle User-consent No control over

20 Recommendations Use Bouncy Castle with user-provided password if possible Be careful with passwords Educate users about the dangers of root AndroidKeyStore Include user id integrity in key files Offer possiblity to use user-provided passwords Improve TEE implementations Check apps that request key operations What-you-see-is-what-you-sign Joeri de Ruiter - Digital Security, Radboud University Nijmegen 20 / 22

possiblity to use user-provided passwords Improve TEE implementations Check apps that request key

21 Conclusions Bouncy Castle provides reasonable security when using user-provided password AndroidKeyStore TEE-based store provides device-binding No app-binding so effectiveness is limited Can be improved by using more TEE-features Confirmation dialogs Integrity checking Joeri de Ruiter - Digital Security, Radboud University Nijmegen 21 / 22

22 Conclusions Bouncy Castle provides reasonable security when using user-provided password AndroidKeyStore TEE-based store provides device-binding No app-binding so effectiveness is limited Can be improved by using more TEE-features Confirmation dialogs Integrity checking Thank you for your attention! Joeri de Ruiter - Digital Security, Radboud University Nijmegen 22 / 22

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

Certificate Authorities and Public Keys How they work and 10+ ways to hack them. -- FoxGuard Solutions Www.FoxGuardSolutions.com melkins@foxguardsolutions.com Version.05 9/2012 1 Certificate Use Overview