Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard
-
Upload
petr-dvorak -
Category
Technology
-
view
976 -
download
3
Transcript of Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard
![Page 1: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/1.jpg)
Note on a mobile security... or How the Brave Permutation Rescued
a Naughty Keyboard...
Tomáš RosaSenior Cryptologist, Rai"eisenbank
Petr Dvořák - @joshis_tweetsiOS Development Lead
![Page 2: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/2.jpg)
Outline
• Mobile Security Landscape
• Typical Topics in Security
• The Perils of Jailbreaking
• The Tale of the Brave Permutation
![Page 3: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/3.jpg)
Mobile Security Landscape
![Page 4: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/4.jpg)
Mobile Security Landscape
• New Devices, New Problems
• New Devices, Old Problems
• The Murderer is always the Gardener
![Page 5: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/5.jpg)
Typical Topics
![Page 6: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/6.jpg)
Incorrect Logging
• NSLog is not harmless!
• Works with the system log, readable by anyone
• AppSwitch app
• Disable NSLog for the App Store build
#define NSLog(...)
![Page 7: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/7.jpg)
Incorrect SSL handling
• SSL != Super Secure Line
• iOS Checks if CA is trusted
• OCSP only for EV certi$cates, works best attempt
• http://mitmproxy.org
![Page 8: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/8.jpg)
MITMProxy
![Page 9: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/9.jpg)
NSURLConnection callback
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace*)space{ SecTrustRef trust = [space serverTrust]; SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, 0);
NSData* serverCertificateData = (NSData*)SecCertificateCopyData(cert);
NSString* description = (NSString*)SecCertificateCopySubjectSummary(certificate);
// check the data... “if (isOK(cert)) { phew(@”It’s OK”); }”
}
![Page 10: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/10.jpg)
Insu%cient design
• Too much weight on HTTPS
• Typical “session” is not always enough
• Use HOTP / TOTP
• Study OAuth: Despite popular belief, 2 < 1
![Page 11: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/11.jpg)
Jailbreak
![Page 12: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/12.jpg)
root || !(2*root)
• You mustn’t jailbreak!
• Jailbreaking = Full root access
• Attackers are tough & pretty smart!
• That sucks. Anything is possible
• The physics stops working
Saurik
![Page 13: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/13.jpg)
#HITB
![Page 14: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/14.jpg)
root || !(2*root)
• You must jailbreak!
• Users are uninformed + don’t care
• JB can happen without users consent
• ... this is what exploits are about...
• Save them! Make your app ready for this
Kelišová
![Page 15: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/15.jpg)
Demo - Cycript
![Page 16: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/16.jpg)
root || !(2*root)
• Considering Jailbreak makes things hard
• Dealing with security on application level
• One of many issues: How to protect the password?
![Page 17: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/17.jpg)
How to protect the password?
![Page 18: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/18.jpg)
How to protect password?
• Malware on the phone = game over
• Password is stolen once you type it
• What about a stolen phone?
• ... wait, why is it di"erent from mallware?
![Page 19: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/19.jpg)
iOS App in Action
iOS Docs: “The system [iOS] keeps suspended apps in memory for as long as possible, removing them only when the amount of free memory gets low.”
App Started
App Closed
App Dead
User: The app is done... Attacker steals a phone...... or you lose it somewhere...
Mallware?Game over...
Password Entered
System: Let’s keep it for a while...
![Page 20: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/20.jpg)
Tale of a Brave Permutation
![Page 21: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/21.jpg)
The Problem
• UITextField is very, very naughty
• Even when it’s “Secure”, it’s not secure...
• How to eliminate password footprint?
![Page 22: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/22.jpg)
Demo - GDB
![Page 23: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/23.jpg)
UITextField Properties
• !!! You need to set
• Adjust to Fit
• Auto-capitalization
• Auto-correction
• Secure
• Not Apple-like. And is it really enough?
![Page 24: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/24.jpg)
Framework / Application
• Let’s do better!
• Idea
• Custom keyboard
• One-Time Pad (Vernam cipher)
• Security context under strict control
• C implementation
![Page 25: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/25.jpg)
Mechanism illustrationAp
p &
Keyb
oard
UIT
extF
ield
C Se
curt
ity
mod
ule
User taps a letter
Ln
KeyboardCreated
Security Context Created
Letter Ln Ciphered using OTP
C_Ln appended
User presses sign-
in
App fetches [C_Li]i=1..Length
Context Deciphers Password
H/TOTP signature computed
Keyboard Destroyed.
Password & Context Destroyed
App Sends Signed
Request.
H/TOTP signature Received
Sent [C_Li]i=1..Length
![Page 26: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/26.jpg)
Mechanism illustrationAp
p &
Keyb
oard
UIT
extF
ield
C Se
curt
ity
mod
ule
User taps a letter
Ln
KeyboardCreated
Security Context Created
Letter Ln Ciphered using OTP
C_Ln appended
User presses sign-
in
App fetches [C_Li]i=1..Length
Context Deciphers Password
H/TOTP signature computed
Keyboard Destroyed.
Password & Context Destroyed
App Sends Signed
Request.
H/TOTP signature Received
Ln C_Ln
Sent [C_Li]i=1..Length
![Page 27: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/27.jpg)
Mechanism illustrationAp
p &
Keyb
oard
UIT
extF
ield
C Se
curt
ity
mod
ule
User taps a letter
Ln
KeyboardCreated
Security Context Created
Letter Ln Ciphered using OTP
C_Ln appended
User presses sign-
in
App fetches [C_Li]i=1..Length
Context Deciphers Password
H/TOTP signature computed
Keyboard Destroyed.
Password & Context Destroyed
App Sends Signed
Request.
H/TOTP signature Received
[C_Li]i=1..Length binary garbage
Sent [C_Li]i=1..Length
[C_Li]i=1..Length
![Page 28: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/28.jpg)
How to (de)cipher the text?
![Page 29: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/29.jpg)
Preconditions
• Decimal PIN of 4 to 8 digits.
• Unpredictable cursor shifts are allowed.
• UITextField must be able to process the crypto-chars.
• The encryption/decryption as well as the setup phase shall be pretty fast.
![Page 30: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/30.jpg)
Permutation tables
• To encrypt a PIN digit, we use a particular permutation table ri : {0, ..., 9} → {0, ..., 9}.
• Each permutation table is chosen randomly from the set of all possible 10! (=3 628 800) bijective mappings.
![Page 31: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/31.jpg)
Table Generator• There is an algorithm that for each
permutation on n-element set computes a unique number k, such that:
• 0 ≤ k < n!
• It was already noted in [1] that we can obtain a fast permutation generator by running this algorithm backwards.
• So called shu(ing, cf. [1], algorithms 3.3.2P and 3.4.2P.
![Page 32: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/32.jpg)
Compact Key For Tables• Instead of generating random nonces for
each generator cycle (as suggested in [1]), we generate just one random key k with uniform distribution on <0, ..., n!).
• According to the factorial number system [1], such k uniquely describes the particular permutation on n-element set.
• We then run alg. 3.3.2P in the simple reverse order.
![Page 33: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/33.jpg)
Generator Properties
• It can be easily shown that our approach is equivalent to generating random tweets for each pass through the main cycle of the reversed alg. 3.3.2P.
• We just collect all these nonces in one number using the wonderful factorial number system.
• Of course, there is an independent fresh k for each table generated.
![Page 34: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/34.jpg)
Setup Phase
• We subdivide the 7-bit ASCII set to 9 code pages by 10 characters each:
• {32, ..., 41}, {42, ..., 51}, ..., {112, ..., 121}.
• We also generate 9 independent keys and their corresponding permutation tables:
• (k1, ..., k9) → (r0, ..., r8).
![Page 35: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/35.jpg)
Encryption
• To encrypt j-th character typed pj, we choose the permutation ri, where i = j mod 9, and compute:
• cj = ri ( pj ) + 10*i + 32.
• The counter j is incremented with each character encrypted regardless possible cursor shifts, etc.
![Page 36: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/36.jpg)
Decryption
• To decrypt a crypto-char c, we $rst decide which table was used for its encryption:
• i = ( c - 32 ) div 10.
• Then we use the inverse permutation to obtain the original plaintext char:
• p = ri-1 ( c - 10*i - 32 ).
• We prepare both ri and ri-1 tables in setup.
![Page 37: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/37.jpg)
Why This Way?• To allow unpredictable cursor shifts
• we use the code page o"set to encode the keystream index i within each crypto-char.
• To eliminates the risk of compromising the whole table when the keystream index i accidentally repeats
• we use the general permutation tables instead of a simple $nite group operation like xor, add, mul, etc.
![Page 38: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/38.jpg)
Cautionary note
• This was pretty clever, right?
• Don’t spoil it by doing something stupid.
• Wipe out all the keys and permutation tables after having $nished!
![Page 39: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/39.jpg)
Thank you!
![Page 40: Note on a Mobile Security... or How the Brave Permutation Saved a Naughty Keyboard](https://reader033.fdocuments.us/reader033/viewer/2022052904/55838e1bd8b42a11178b4f62/html5/thumbnails/40.jpg)
References
• [1] Knuth, D.-E.: The Art of Computer Programming / Vol. 2 - Seminumerical Algorithms, 3rd ed., Addison-Wesley, 1998.
• [2] http://developer.apple.com
• [3] http://theiphonewiki.com
• [4] http://www.cycript.org