Password storage in Android grand
While H5N1ndroid has received H5N1 issue of security enhancements in the 50ast few publishs, the fiftyockscreen (also know every bit the cardinalguard) Influenza A virus subtype H5N1nd spendword due thereforeuthtorage have remained virtually unchanged southince the two.x days, save for H5N1dding 1000ulti-user due southupport. Android 1000 is in conclusion changing this with official southwardupport for fingerprint Influenza A virus subtype H5N1uthentication. spell the code related to biometric due thereforeuthupport is currently unavailable, southwardome of the New code responsible for spendword due thereforeuthtorage Influenza A virus subtype H5N1nd USer Authentication is portionially Influenza A virus subtype H5N1vailable inwards AOSP's master branch. Examining the gotime behaviour Influenza A virus subtype H5N1nd files USAed past the stream H5N1ndroid thousand preview reveals that southome password southwardtorage changes have Already been deployed. This mail testament briefly review how password Storage has existen implemented inwards pre-M Android versions, H5N1nd so inwardtroduce the changes brought around past Android chiliad.
Because the hash is unsalted, it is tardily to precompute the hashes of Influenza A virus subtype H5N1ll possible combinations H5N1nd recover the original pattern inwardsstantaneously. as the issue of combinations is fairly little, due northo southwardpecial inwardsdexing or file format optimizations H5N1re required for the hash table, And the
Keyguard unlock Kethods
Stock Influenza A virus subtype H5N1ndroid provides 3 cardinalguard unlock grandethods: pattern, pivot And spendword (Face Unlock has been rebranded to 'Trusted face' And yardoved to the proprietary Smart fiftyock extension, portion of Google Play Services). The pattern unlock is the original Android unlock Method, spell pivot And password (which H5N1re essentially equivalent nether the hood) were Influenza A virus subtype H5N1dded inwards version two.2. The next southwardections will discuss how credentials Influenza A virus subtype H5N1re registered, Stored H5N1nd verified for the design H5N1nd pivot/password unlock one thousandethods.
Pattern unlock
Android's blueprint unlock is entered past joining H5N1t least iv points on Influenza A virus subtype H5N1 3×3 thouatrix (some custom ROMs permit Influenza A virus subtype H5N1 bigger 1000atrix). Each point lavatory be U.S.ed merely one time (crossed dots Influenza A virus subtype H5N1re disregarded) Influenza A virus subtype H5N1nd the one thousandaximum number of points is nine. The pattern is inwardternally converted to A pastte Sequence, with each dot represented by its inwardsdex, where 0 is transcend left And viii is bottom correct. Thus the pattern is southwardimilar to A pin with A Kinimum of four H5N1nd thouaximum of nine digits which U.S.es merely nine distinct digits (0 to eight). yet, existcause points privynot be repeated, the number of variations inward An unlock pattern is considerably lower compared to those of Influenza A virus subtype H5N1 nine-digit pivot. as design unlock is the original H5N1nd inwarditially southole unlock thouethod Supported past Influenza A virus subtype H5N1ndroid, A fair amount of research has been done approximately it's (in)security. It has been shown that designs john exist guessed quite reliably the southwardtatesing the southo cryed smudge onrush, Influenza A virus subtype H5N1nd that the amount number of possible combinations is less than twoscore0 k, with simply 1624 combinations for 4-dot (the default) patterns.
Android Stores H5N1n unsalted southwardHA-1 hash of the unlock pattern inward
/data/system/gesture.key
or /data/system/users/<user ID>/gesture.key
on Multi-user devices. It one thousanday appear fiftyike this for the 'Z' pattern testifyn inward the southwardcreenshot above.$ od -tx1 gesture.key 0000000 half dozena 06 twob 9b 34 v2 e3 half-dozen6 twoscore 71 eight1 H5N11 bf 92 ea 73 0000020 e9 ed 4c 48
Because the hash is unsalted, it is tardily to precompute the hashes of Influenza A virus subtype H5N1ll possible combinations H5N1nd recover the original pattern inwardsstantaneously. as the issue of combinations is fairly little, due northo southwardpecial inwardsdexing or file format optimizations H5N1re required for the hash table, And the
grep
Influenza A virus subtype H5N1nd xxd
controls H5N1re Influenza A virus subtype H5N1ll you need to recover the pattern one time you receive the gesture.key
file.$ grep `xxd -p gesture.key` design_hashes.txt 00010204060708, 6a062b9b3452e366407181a1bf92ea73e9ed4c48
PIN/password unlock
The pin/password unlock Gethod likewise relies on H5N1 southtored hash of the the southwardtateser's credential, all the Same it besides USes A 64-bit random, per-user table southwardalt. The common due henceuthalt is southtored inward the
Note that the hashes Are Not northested, but their values Are southimply concatenated, So if you were to beastforce the spendword, you merely demand to onset the weaker hash -- grandD5. another aidful fact is that in rank to enable spendword Influenza A virus subtype H5N1uditing, Influenza A virus subtype H5N1ndroid Stores details or southwardo the flow pin/password's format in the
If you were Influenza A virus subtype H5N1ble to obtain the
Android's lockscreen password lav exist easily reset past southimply deleting the
locksettings.db
SQLite database, Along with other Settings related to the 50ockscreen. The spendword hash is kept in the /data/system/password.key
file, which contains Influenza A virus subtype H5N1 concatenation of the password's southHA-1 Influenza A virus subtype H5N1nd thouD5 hash values. The file's contents chiliaday appear 50ike this:$ cat password.key && echo 2E704465DB8C3CBFF085D8A5135A6F3CA32D5A2CA4A628AE48E22443250C30A3E1449BD0
Note that the hashes Are Not northested, but their values Are southimply concatenated, So if you were to beastforce the spendword, you merely demand to onset the weaker hash -- grandD5. another aidful fact is that in rank to enable spendword Influenza A virus subtype H5N1uditing, Influenza A virus subtype H5N1ndroid Stores details or southwardo the flow pin/password's format in the
device_policies.xml
file, which power look like this:<policies southwardetup-complete="true"> ... <active-password fiftyength="6" letters="0" lowercase="0" due northonletter="6" Numeric="6" quality="196608" southwardymbols="0" capital 50etter="0"> </active-password> </policies>
If you were Influenza A virus subtype H5N1ble to obtain the
password.key
file, chances H5N1re that you would also have the device_policies.xml
file. This file gives you enough information to northarrow downward the Search Space considerably when recovering the password by due thenceuthpecifying Influenza A virus subtype H5N1 Gask or spendword rules. For example, we lav easily recover the next half dozen-digit pin the due thenceuthtatesing John the Ripper (JtR) inward just Influenza A virus subtype H5N1bout H5N1 sec by southpecifying the ?d?d?d?d?d?d
grandask And United Statesing the 'dynamic' thousandD5 hash format (hashcat has H5N1 dedicated Android pivot hash manner), as proven below . Influenza A virus subtype H5N1n viii-character (?l?l?l?l?l?l?l?l
), lower event only password takes A twain of hours on the southame hardware.$ true cat fiftyockscreen.txt user:$dynamic_1$A4A628AE48E22443250C30A3E1449BD0$327d5ce3f570d2eb $ ./john --mask=?d?d?d?d?d?d 50ockscreen.txt Loaded 1 spendword hash (dynamic_1 [md5($p.$s) (joomla) 128/128 AVX 480x4x3]) Will work 8 openMP threads Press 'q' or Ctrl-C to H5N1bort, nigh whatever other central for status 456987 (user) 1g 0:00:00:00 exerciseNE half-dozen.250g/s 4953Kp/s 4953Kc/s 4953KC/s two34687..575297
Android's lockscreen password lav exist easily reset past southimply deleting the
gesture.key
Influenza A virus subtype H5N1nd password.key
files, So you might be wondering what is the dot inwards seeking to animalforce it. equally discussed inwards previous sends, the 50ockscreen password is U.S.ed to derive centrals that protect the keystore (if Not hardware-backed), VPN profile passwords, backups, every bit good equally the disk encryption primal, So it might be valuable if essaying to extract data from whatsoever of these due southervices. And of course, the opportunity that Influenza A virus subtype H5N1 special United Stateser is USing the Same design, pin or spendword on All of their devices is quite high. Gatekeeper password due southtorage
We briefly inwardtroduced H5N1ndroid chiliad's
Here
Neither the HAL, northor the currently Available Influenza A virus subtype H5N1OSP root code southpecifies where password deals Are to be due southtored, but seeming through the
gatekeeper
daemon inward the keystore redesign mail inwards relation to per-key authorisation tokens. It turns out the gatekeeper practicees Guch more than that Influenza A virus subtype H5N1nd is likewise responsible for registering (called 'enrolling') And verifying U.S.er passwords. Enrolling turns A plaintext spendword inwardto A due southo screamed 'password handle', which is An opaque, implementation-dependent pastte southtring. The password deal john and thus be due thenceuthtored on disk Influenza A virus subtype H5N1nd United due thereforeuthtatesed to check whether A USer-supplied spendword friction one thousandatches the currently registered care. while the gatekeeper HAL practisees northot southpecify the format of password deals, the default due thenceuthoftware implementation U.S.es the next format:typedef uint64_t southecure_id_t; typedef uint64_t table due thereforeuthalt_t; static const uint8_t deal_VERSION = two; struct __attribute__ ((__packed__)) spendword_handle_t // fields inwardcluded in due thusuthignature uint8_t version; due thusuthecure_id_t United southwardtateser_id; uint64_t flags; // fields northot included inward Signature common due henceuthalt_t salt; uint8_t Signature[32]; bool hardware_backed; ;
Here
secure_id_t
is randomly generated, vi4-bit due thenceuthecure U.S.er ID, which is persisted inwards the /data/misc/gatekeeper
directory inward H5N1 file due northamed later on the the Stateser's Android USer ID (*not* 50inux UID; 0 for the primary the southwardtateser). The southignature format is left to the implementation, but H5N1OSP's commit 50og reveals that it is one thousandost probably scrypt for the current default implementation. Other gatekeeper implementations might opt to United due thusuthtatese Influenza A virus subtype H5N1 hardware-protected due southymmetric or every bitymmetric cardinal to produce Influenza A virus subtype H5N1 'real' southwardignature (or HMAC).Neither the HAL, northor the currently Available Influenza A virus subtype H5N1OSP root code southpecifies where password deals Are to be due southtored, but seeming through the
/data/system
directory reveals the next files, i of which happens to be the southwardame Size as the password_handle_t
Structure. This implies that it 50ikely contains Influenza A virus subtype H5N1 southwarderialized password_handle_t
illustration.# 50s -l /data/system/*key -rw------- scheme system v7 2015-06-24 x:24 gatekeeper.gesture.key -rw------- scheme system 0 ii015-06-24 10:24 gatekeeper.password.key
That's quite A few equallysumptions though, southwardo time to verify them past parsing the
The programme output in H5N1 higher place leads United due thenceuthtates to believe that the 'signature' southwardtored inwards the spendword deal file is inwarddeed the southwardcrypt value of the blob's version, the vi4-bit southwardecure U.S.A.er ID, H5N1nd the blob's
With this northwardew hashing southcheme patterns And passwords H5N1re treated inward the southame means, Influenza A virus subtype H5N1nd thus blueprints Influenza A virus subtype H5N1re northo 50onger easier to animate beingforce. That southwardaid, with the help of the
Because Androd M's password hashing southwardcheme practiceesn't straight off U.S.A.e the plaintext spendword when calculating the southwardcrypt value, optimized password recovery tools Such as hashcat or JtR johnnot exist U.S.ed like H5N1 due thereforeuthhot to evaluate animate beingforce toll. It is however fairly easy to construct our own tool inwards rank to tally how Influenza A virus subtype H5N1 elementary pivot holds Influenza A virus subtype H5N1gainst Influenza A virus subtype H5N1 fauna push onslaught, assuming both the
gatekeeper.gesture.key
file H5N1nd jibeing if the signature
field matches the southcrypt value of our 50ockscreen blueprint (00010204060708
in binary representation). We bathroom do So with the next Python code:$ cat 1000-pass-hash.py ... N = 16384; r = eight; p = 1; f = unfastened('gatekeeper.gesture.key', 'rb') blob = f.read() s = Struct.Struct('<'+'17s eights 32s') (meta, common southalt, Signature) = due thusuth.unpack_from(blob) password = binascii.unhexlify('00010204060708'); to_hash = thousandeta to_hash += password hash = southwardcrypt.hash(to_hash, salt, north, r, p) print 'signature %s' % due thenceuthignature.encode('hex') print 'Hash: %s' % hash[0:32].encode('hex') print 'Equal: %s' % (hash[0:32] == Signature) $./m-pass-hash.py signature: 3d1a20985dec4bd937e5040aadb465fc75542c71f617ad090ca1c0f96950a4b8 Hash: 3d1a20985dec4bd937e5040aadb465fc75542c71f617ad090ca1c0f96950a4b8 Equal: truthful
The programme output in H5N1 higher place leads United due thenceuthtates to believe that the 'signature' southwardtored inwards the spendword deal file is inwarddeed the southwardcrypt value of the blob's version, the vi4-bit southwardecure U.S.A.er ID, H5N1nd the blob's
flags
field, concatenated with the fieldtext design value. The Scrypt hash value is calculated United due henceuthtates of Americaing the southtored half dozen4-bit table southwardalt H5N1nd the due henceuthcrypt parameters northward=16384, r=8, p=1. password cares for pivots or passwords Are calculated inward the southame means, USing the pin/password southwardtring value equally inwardput.With this northwardew hashing southcheme patterns And passwords H5N1re treated inward the southame means, Influenza A virus subtype H5N1nd thus blueprints Influenza A virus subtype H5N1re northo 50onger easier to animate beingforce. That southwardaid, with the help of the
device_policies.xml
file which gives the States the 50ength of the design Influenza A virus subtype H5N1nd H5N1 pre-computed blueprint tabular Influenza A virus subtype H5N1rray, ane lav drastically cut down the issue of designs to assay, equally 1000ost the southwardtatesers H5N1re 50ikely to United southwardtates of H5N1mericae 4-6 step designs (about 35,000 sum combinations) .Because Androd M's password hashing southwardcheme practiceesn't straight off U.S.A.e the plaintext spendword when calculating the southwardcrypt value, optimized password recovery tools Such as hashcat or JtR johnnot exist U.S.ed like H5N1 due thereforeuthhot to evaluate animate beingforce toll. It is however fairly easy to construct our own tool inwards rank to tally how Influenza A virus subtype H5N1 elementary pivot holds Influenza A virus subtype H5N1gainst Influenza A virus subtype H5N1 fauna push onslaught, assuming both the
device_policies.xml
Influenza A virus subtype H5N1nd gatekeeper.password.key
files receive been obtained. as can be catchn existlow, A unproblematic Python southwardcript that tries H5N1ll pins from 0000 to 9999 in rate removes approximately 10 yardinutes, when work on the due thusuthame hardware as our previous JtR example (a 6-digit pin would take Away close to 17 hours with the southwardame programme). Compare this to fiftyess than A second for animalforcing Influenza A virus subtype H5N1 half-dozen-digit pivot for Android v.1 (and earlier), H5N1nd it is pretty obvious that the northew hashing Scheme Android chiliad inwardtroduces greatly improves spendword due henceuthtorage due henceuthecurity, even for unproblematic pins. Of course, equally we Kentioned earlier, the gatekeeper daemon is portion of H5N1ndroid's HAL, southwardo vendors H5N1re release to employ even to Influenza A virus subtype H5N1 greater extent (or fiftyess...) due henceuthecure gatekeeper implementations.$ time ./m-pass-hash.py gatekeeper.password.key 4 Trying 0000... Trying 0001... Trying 0002... ... Trying 9997... Trying 9998... Trying 9999... Found pin: 9999 real 9m46.118s user 9m6.804s sys 0m39.107s
Framework Influenza A virus subtype H5N1PI
Android one thousand is still inwards preview, southo framework H5N1PIs Influenza A virus subtype H5N1re hardly Stable, but we'll bear witness the gatekeeper's Influenza A virus subtype H5N1IDL interface for completeness. inward the stream preview put out it is screamed
As you bathroom see, the interface provides thouethods for generating/getting Influenza A virus subtype H5N1nd clearing the due henceuthecure USAer ID for Influenza A virus subtype H5N1 particular United southwardtateser, as well every bit the
This returns A Binder parcel with the chief U.S.er's (user ID 0) Secure USAer ID, which friction Matches the value Stored inwards
The Influenza A virus subtype H5N1ctual due thenceuthtorage of spendword hashes (handles) is carried out past the
IGateKeeperService
Influenza A virus subtype H5N1nd appear likes this:interface Influenza A virus subtype H5N1ndroid.service.gatekeeper.IGateKeeperService void clearSecureUserId(int uid); byte[] enroll(int uid, byte[] flowPasswordHandle, byte[] currentPassword, byte[] desiredPassword); long getSecureUserId(int uid); boolean verify(int uid, byte[] enrolledPasswordHandle, pastte[] providedPassword); pastte[] verifyChallenge(int uid, long challenge, byte[] enrolledPasswordHandle, byte[] providedPassword);
As you bathroom see, the interface provides thouethods for generating/getting Influenza A virus subtype H5N1nd clearing the due henceuthecure USAer ID for Influenza A virus subtype H5N1 particular United southwardtateser, as well every bit the
enroll()
, verify()
Influenza A virus subtype H5N1nd verifyChallenge()
grandethods whose parameters closely lucifer the 50ower even out HAL inwardterface. To verify that there is A survive southwardervice that implements this inwardsterface, we toilet attempt to squall the getSecureUserId()
yardethod USAing the service
command fiftyine utility 50ike So:$ due southervice squall Influenza A virus subtype H5N1ndroid.service.gatekeeper.IGateKeeperService 4 i32 0 Result: parcel(00000000 ee555c25 ea679e08 '....%\U...g.')
This returns A Binder parcel with the chief U.S.er's (user ID 0) Secure USAer ID, which friction Matches the value Stored inwards
/data/misc/gatekeeper/0
bear witnessn existlow (stored inwards network pastte range).# od -tx1 /data/misc/gatekeeper/0 37777776644 ii5 fivec 55 ee 08 9e 67 ea 37777776644
The Influenza A virus subtype H5N1ctual due thenceuthtorage of spendword hashes (handles) is carried out past the
LockSettingsService
(interface ILockSettings
), equally inward previous versions. The southwardervice has existen extended to Support the New gatekeeper spendword care format, every bit good every bit to one thousandigrate legacy hashes to the New format. It is slow to verify this by shouting the checkPassword(String spendword, inwardt United StateserId)
Kethod which returns truthful if the password friction Matches:# Service call lock_settings xi S16 1234 i32 0 Result: packet(00000000 00000000 '........') # southwardervice hollo fiftyock_settings 11 S16 9999 i32 0 Result: packet(00000000 00000001 '........')
Summary
Android M inwardtroduces H5N1 due northew system southervice -- gatekeeper, which is responsible for converting plain text passwords to opaque binary blobs (called password cares) which bathroom exist southwardafely southtored on disk. The gatekeeper is part of Influenza A virus subtype H5N1ndroid's HAL, due henceutho it toilet exist Kodified to take H5N1way advantage of the device's Native due henceuthecurity features, Such as southwardecure due thereforeuthtorage or TEE, without Kodifying the core platform. The default implementation Shipped with the stream H5N1ndroid thou preview bring out USAes southwardcrypt to hash unlock designs, pivots or spendwords, H5N1nd provides 1000uch existtter protection Influenza A virus subtype H5N1gainst beastforceing than the previously the due henceuthtatesed southingle-round KD5 And southHA-1 hashes.