[guardian-dev] forensic analysis of WeChat's use of SQLCipher on Android

Tom Ritter tom at ritter.vg
Tue Jan 20 18:34:30 EST 2015


On 14 January 2015 at 01:53, Hans-Christoph Steiner
<hans at guardianproject.info> wrote:
> As for techniques for better managing a password without having the user enter
> one, that I haven't looked deep into because I believe it is ultimately
> futile.  If the user does not need to enter the password to unlock something,
> neither will anyone else.
>
> One minor improvement would be using a hardware security module (HSM) to
> manage the password in this kind of setup.  As far as I understand how they
> are implemented in smartphones, a forensic data acquisition would not be able
> to get the keys out of the HSM.  So then the actual device would be required
> in order to unlock the encryption.


This line of research is very interesting to me.  I'm not 100% certain
I know what you mean by using an HSM though.  I guess you mean similar
to iPhone, where there is a Secure Element on the phone that performs
crypto operations with a key, and therefore you must query that
element then performing brute force attacks to decrypt data?

It's a step up, certainly, but ultimately the security relies on the
password itself.  And for mobile phones I think we need to find a
solution that gives adequate security when using 4 digit PINs and
Swipes.  Anything else... it's tough to get people to adopt.

My main idea for this is use a SIM or other UUIC with a JavaCard
applet.  You enter a 4-digit pin (so simple, so easy!) and if correct,
the JavaCard applet releases a symmetric key (or key material or
asymmetric private key or whatever) that the app uses and keeps in
memory.  If you enter the wrong pin 5 times in a 5 minute window (or
however you implement it) - the symmetric key is wiped.  This prevents
fast brute forcing and instead resolves to very slow, careful brute
forcing which you can mathematically choose to limit at your
discretion - or really good guessing.

Requires: Ability to load a JavaCard applet to a UUIC, APIs in Android
to do so, a SIM that lets you load stuff.  OpenCard is a new mechanism
that, combined with SEEK for Android, might make this a possibility if
you jump through hoops with your ROM.

This is a problem businesses grapple with too.  The right combination
of players might be able to effect change here.

-tom


More information about the Guardian-dev mailing list