Android Key Management @Droidcon London 2014

56
Android Key Management Roberto Piccirillo ([email protected]) Roberto Gassirà ([email protected]) Droidcon London 2014

description

The presentation will cover several aspects related to security issues concerning the “Key Management” for Android apps. In the first part of the presentation, various scenarios will be analyzed where it is necessary to protect the data used by an application, followed by a theoretical introduction of the possible techniques available for protecting data using symmetric and asymmetric key cryptosystems. The presentation will continue with the description and the implementation of some key management techniques used for storing securely encryption keys for symmetric algorithms, taking into account any interaction with the end user. The final part of the presentation will deal with the analysis of the tools provided by Android for the management of private keys and their certificates used in asymmetric algorithms, such as the KeyChain and the new “Android Key Store” , which is available from version 4.3.

Transcript of Android Key Management @Droidcon London 2014

Page 1: Android Key Management @Droidcon London 2014

AndroidKey ManagementRoberto Piccirillo ([email protected])Roberto Gassirà ([email protected])

Droidcon London 2014

Page 2: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Roberto Piccirillo

● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010

○ Android Secure Development

● GDG Rome Lab

@robpicone

Page 3: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Roberto Gassirà

● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010

○ Android Secure Development

● GDG Rome Lab

@robgas

Page 4: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Android Key Management: Agenda

● Mobile Application Cryptography

● Key Management and CryptoSystem

● Crypto in Android

● Symmetric Encryption

● Symmetric Key Management

● Asymmetric key: Encryption/Digital Signature

● Keychain e AndroidKeyStore

Page 5: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Mobile Application Cryptography

➢ Exchange data securely:

➢ Protect Data:○ Sensitive Data

○ Backup on /sdcard

Page 6: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management

"Key management is the management of cryptographic keys in a cryptosystem."

Page 7: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

CryptoSystem

"refers to a suite of algorithms needed to implement a particular form of encryption and decryption"

● Two types of encryption:○ Symmetric Key Algorithms

■ Identical key for encryption/decryption

■ AES, Blowfish, DES, Triple DES

○ Asymmetric Key Algorithms■ Pair of keys (public/private) for

encryption/decryption■ RSA, DSA, ECDSA

Page 8: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Symmetric Key Algorithms: Ciphers

● Two types of ciphers:○ Block: Process entire blocks of fixed-length

groups of bits at a time (padding may be required)

○ Stream: Process single bit at a time(no padding)

● Block Cipher modes of operation:○ ECB: each block encrypted independently○ CBC, CFB, OFB: (feedback mode) each block

is encrypted combined with the previous encrypted block (starting from an IV)

○ CTR: each block xored with the encrypted successive values of a counter ( starting from a nonce)

ECB

CBC

Page 9: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Crypto in Android

● Framework based on JCA ( Java Cryptography Architecture)

● Provides API for:● Encryption/Decryption● Message digests (hashes) ● Key management● Secure random number generation

● API implemented by Cryptographic Service "Provider"

● "Dynamic" Provider:

javax.crypto.*java.security.*

Page 10: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Default Providers

➢ From the beginning○ Bouncy Castle (Customized):

■ Some services and API removed■ Varies between Android versions■ Fixed only in the latest versions

○ Crypto (Apache Harmony)■ Few basic services■ Only for backward compatibility

➢ From Android 4.0○ AndroidOpenSSL:

■ OpenSSL JNI■ Performance Improved■ Vulnerable to Heartbleed in 4.1.1

Page 11: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

➢ Spongy Castle (SC)○ Repackage of Bouncy Castle○ Supports more cryptographic options○ Not vulnerable to the Heartbleed Bug○ Up-to-date

➢ GPS Dynamic Security Provider○ Available from Play Services 5.0○ Based on OpenSSL ( No Heartbleed)○ Rapid delivery of security patches○ Vendor independent !!!

Dynamic Providers

Page 12: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Cipher Benchmarks

Run on Google Nexus 5 Android 4.4.4

CBC CTR

Page 13: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Cipher Class

Secret Key Specification

Cipher getInstance

Cipher Init

Cipher Final

Page 14: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

SecretKey Specification

javax.crypto.spec.SecretKeySpec

● SecretKeySpec specifies a key for a specific algorithm

SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");

Encryption/Decryption Key

Cryptographic Algorithm

Page 15: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Cipher GetInstance

javax.crypto.Cipher

● Create cryptographic cipher

Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);

Transformation (describes set of operation to perform):

• algorithm/mode/padding• algorithm

Provider( SpongyCastle )

Page 16: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Cipher Init

javax.crypto.Cipher

● Initializes the cipher instance with the specified operational mode, key and algorithm parameters.

cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));

Operational Mode:• ENCRYPT_MODE• DECRYPT_MODE• WRAP_MODE• UNWRAP_MODE

SecretKeySpec Specify Cipher Algorithm parameters

( IV for CBC )

Page 17: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Cipher Final

javax.crypto.Cipher

● Complete a multi-part transformation (encryption or decryption)

byte[] encryptedText = cipher.doFinal(clearText.getBytes());

EncryptedText in byte

ClearText in bytes

Page 18: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Generation: SecureRandom

java.security.SecureRandom

● Cryptographically secure pseudo-random number generator

SecureRandom secureRandom = new SecureRandom();

Default constructor uses the most cryptographically

strong provider available

● Seeding SecureRandom is dangerous:○ Not Secure○ Output may change

Page 19: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Some SecureRandom Thoughts...

● Android security team discovered in August 2013 an improper PRNG initialization for default OpenSSL provider

● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected

● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values

● Developer must explicitly initialize the PRNG

PRNGFixes.apply()

http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html

Page 20: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC");keyGenerator.init(outputKeyLength, secureRandom);

SecretKey key = keyGenerator.generateKey();

Generate Secret Key

javax.crypto.KeyGenerator

● Symmetric cryptographic keys generator

Specify Key Size

Algorithm and Provider

Key to use in Cipher.init()

Page 21: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management: Store on device

● Protected by Android Filesystem Isolation● Plain File● SharedPreferences● Keystore File (BKS, JKS)

● More secure with Phone Encryption

● Store safely● MODE_PRIVATE flag● Use only internal storage

/data/data/app_package

Page 22: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management: Store on device

➢ Device rooted?

○ Check at run-time...

Page 23: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management: Store in App● Uses static keys or device specific information at run-time

(IMEI, mac address, ANDROID_ID)

● Android app can be easily reversed

● Hide with Code obfuscationREVERS

ING

Page 24: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management: PBKDF2

● Password Based Key Derivation Function (PKCS#5)● Variable length password in input● Fixed length key in output

● User interaction required

● Params:○ Password○ Pseudorandom Function○ Salt○ Number of iteration○ Key Size

● Available with BC

Page 25: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec);

Key Management: PBKDF2

javax.crypto.spec.PBEKeySpec

● PBE Key specification and generation

A good PBE algorithm isPBKDF2WithHmacSHA1

User Password

N. >= 1000

Page 26: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

SecretKeyFactory factory;if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT)

// Use compatibility key factory -- only uses lower 8-bits of passphrase charsfactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");

else if (Build.VERSION.SDK_INT >= 10)// Traditional key factory. Will use lower 8-bits of passphrase chars on

// older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");else // FIX for Android 8,9

factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");

SecretKeyFactory API in Android 4.4

Page 27: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management: Other solutions

● Store on server side● Internet connection required● Use trusted and protected connections (HTTPS, Certificate

Pinning)

● Store on external device● NFC Java Card (NXP J3A081)● Smartcard● USB PenDrive● MicroSD with secure storage

● AndroidKeyStore???

Page 28: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Asymmetric Algorithms

● Public/Private Key○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign

● Advantages:○ Public Key distribution is not dangerous

● Disadvantages:○ Computationally expensive

● Usually used with PKI (Public Key Infrastructure for digital certificates)

Page 29: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Public-key Applications

● Can classify uses into 3 categories:

○ Encryption/Decryption (provides Confidentiality)

○ Digital Signatures (provides Authentication and Integrity)

○ Key Exchange (of Session Keys)

● Some algorithms are suitable for all uses (RSA), others are specific to one

Page 30: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

PKCS for Asymmetric Algorithms

● PKCS is a group of public-key cryptography standards published by RSA Security Inc

● PKCS#1 (v.2.1)○ RSA Cryptography Standard

● PKCS#3 (v.1.4)○ Diffie-Hellman Key Agreement Standard

● PKCS#8 (v.1.2)○ Private-Key Information Syntax Standard

● PKCS#10 (v.1.7)○ Certification Request Standard

● PKCS#12 (v.1.0)○ Personal Information Exchange Syntax Standard

Page 31: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Android: RSA

KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA");

Java.security.KeyPairGenerator

● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms

Cryptographic Algorithm

Page 32: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Available Providers for RSA Algorithm

KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);

Java.security.KeyPairGenerator

● Different security providers could be used (could change for different OS versions)

“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”

Version 1.0Version 1.49Version 1.0

Page 33: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

● KeySize – 1024,2048,4096 bits

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048);

Key Size

Java.security.KeyPairGenerator

● KeyPairGenerator initialization with the key size

Page 34: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr);

Java.security.KeyPairGenerator, Java.security.SecureRandom

● KeyPairGenerator initialization with a SecureRandom

SecureRandom sr = new SecureRandom();

Page 35: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Generating RSA Key

Java.security.KeyPair

● KeyPair is a container for a public/private key generated by the KeyPairGenerator

KeyPair keypair = kpg.genKeyPair()

● We can retrieve public/private keys from KeyPair

Key public_key = kaypair.getPublic();

Key private_key = kaypair.getPrivate();

Page 36: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Using RSA Keys: cipher example

Javax.crypto.Cipher

● Cipher provides access to implementation of cryptography ciphers for encryption and decryption

Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);

Transformation“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”

Page 37: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Using RSA Key: cipher example

Javax.crypto.Cipher

● Encryption

cipher.init(Cipher.ENCRYPT_MODE,public_key);

● Decryption

byte[] encrypted_data=cipher.doFinal(“DroidconUK-2014”.getBytes());

cipher.init(Cipher.DECRYPT_MODE,private_key);

byte[] decrypted_data=cipher.doFinal(cipherd_data);

Page 38: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Parameters of RSA Keys

java.security.KeyFactory, java.security.spec,

● Retrieve RSA Key parameters using KeyFactory

RSAPublicKeySpec rsa_public= keyfactory.getKeySpec(keypair.getPublic(),

RSAPublicKeySpec.class);

RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(),

RSAPrivateKeySpec.class);

Page 39: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Extract Parameters of RSA Keys

Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec

● Retrieved parameters can be stored

BigInteger m = rsa_public.getModulus();

BigInteger e = rsa_public.getPublicExponent();

BigInteger d = rsa_private.getPrivateExponent();

Is Private

Page 40: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

AndroidKeyStore

● Custom Java Security Provider available from Android 4.3 version and beyond

● An App can generate and save private keys

● Keys are private for each App

● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored

● ECDSA support added from Android 4.4

Page 41: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Key Management Evolution

API LEVEL 14 API LEVEL 18

Global Level:KeyChain( Public API )

App Level:KeyStore( Closed API )

Global Level Only:

Default TrustStorecacerts.bks

(ROOTED device)

Global Level:KeyChain( Public API )

App Level and per User Level:AndroidKeyStore( Public API )

Page 42: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

AndroidKeyStore Storage

● Two kinds of storage

○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3)○ Secure Element ○ TPM○ TrustZone

○ Software only (Other devices with OS >= 4.3)

Page 43: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Type of Storage

import android.security.KeyChain;

if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only

Page 44: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Certificate parameters

Context cx = getActivity();

String pkg = cx.getPackageName();

Calendar notBefore = Calendar.getInstance();

Calendar notAfter = Calendar.getInstance();

notAfter.add(1, Calendar.YEAR);

import android.security.KeyPairGeneratorSpec.Builder;

Builder builder = new KeyPairGeneratorSpec.Builder(cx);

builder.setAlias(“DEVKEY1”);

String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg);

builder.setSubject(new X500Principal(infocert));

builder.setSerialNumber(BigInteger.ONE);

builder.setStartDate(notBefore.getTime());

builder.setEndDate(notAfter.getTime());

KeyPairGeneratorSpec spec = builder.build();

Time parameters

Self-Signed X.509● Common Name(CN)● Subject(OU)● Serial Number

Generate certificate

ALIAS to index the certificate

Page 45: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Generating Public/Private keys

KeyPairGenerator kpGenerator;

kpGenerator = KeyPairGenerator

.getInstance("RSA", "AndroidKeyStore");

kpGenerator.initialize(spec);

KeyPair kp;

kp = kpGenerator.generateKeyPair();

Engine to generate Public/Private key

Init Engine with:● RSA Algorithm● Provider: AndroidKeyStore

Init Engine with certificate parameters

After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS

● Generating Private/Public key

Page 46: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

AndroidKeyStore Initialization

keyStore = KeyStore.getInstance("AndroidKeyStore");

keyStore.load(null);

Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS

Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not

used the App will crash

Get a reference to the AndroidKeyStore

Page 47: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

RSA Encryption

● Encryption○ Confidentiality ○ RSA Public key to Encrypt○ RSA Private key to Decrypt

KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);

PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry)

.getCertificate().getPublicKey();

String textToEncrypt = new String(”DroidconUK-2014");

Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);

byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt);

Access to Public key to encrypt

● Algorithm● Encryption with

Public key

Ciphered

Access to keys identified by ALIAS

Page 48: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

RSA Decryption

Cipher decCipher = null;

byte[] plainTextByte = null;

decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

decCipher.init(Cipher.DECRYPT_MODE,

((KeyStore.PrivateKeyEntry) entry).getPrivateKey());

plainTextByte = decCipher.doFinal(byteEcryptedText);

String plainText = new String(plainTextByte);

Algorithm

Decryption with Private key

Plaintext

Page 49: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());

s.update(data);

boolean valid = s.verify(signature);

RSA Digital Signature

● Digital Signature○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign○ RSA Public Key to Verify

KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);

s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());

Access to Private/Public key identified by ALIAS

Private key to sign

Public Key in certificate to verify

signature

Page 50: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Issue 61989 …

Page 51: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

KeyChain

● KeyChain○ Accessible by any Application

● Typically used for corporate certificates

Page 52: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

Example: Import Certificates

● Import .p12 certificates

Intent intent = KeyChain.createInstallIntent();

byte[] p12 = readFile(“CERTIFICATE_NAME.p12”);

Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);

Specify PKCS#12 Key to install

startActivity(intent);The user will be prompted for the password

Page 53: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

KeyChain.choosePrivateKeyAlias(Activity activity,KeyChainAliasCallBack response,String[] keyTypes,Principal[] issuers,String host,Int port,String Alias);

Example: Retrieve the key

● The KeyChainAliasCallback invoked when a user chooses a certificate/private key

Page 54: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

@Overridepublic void alias(String alias){

.

.PrivateKey private_key = KeyChain. getPrivateKey(this,alias);

.

.X509Certificate[] chain = KeyChain. getCertificateChain(this,”DroidconUK-2014”);

.PublicKey public_key = chain[0].getPublicKey();

}

Example: Retrieve and use the keys

Private Key

Public Key

● KeyChainAliasCallbak must implement the abstract method alias:

Page 55: Android Key Management @Droidcon London 2014

AndroidKey Management Droidcon London 2014

References● http://developer.android.com/about/versions/android-4.3.html#Security

● http://developer.android.com/reference/java/security/KeyStore.html

● http://en.wikipedia.org/wiki/Encryption

● http://en.wikipedia.org/wiki/Digital_signature

● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html

● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html

● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html

● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html

● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html

● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-credentials.html

● http://www.bouncycastle.org/

● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html

● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html

● http://en.wikipedia.org/wiki/PKCS

● http://developer.android.com/reference/android/security/KeyChain.html

● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html