'The default implementation for KeyStore, the system in Android
designed to store user credentials and cryptographic keys, is broken,
researchers say. In an academic paper published this week, researchers
argue that the particular encryption scheme that KeyStore uses fails
to protect the integrity of keys and could be exploited to allow an
attacker to modify stored keys through a forgery attack.
KeyStore, which performs key-specific actions through the OpenSSL
library, allows Android apps to store and generate their own
cryptographic keys. By storing keys in a container, KeyStore makes it
more difficult to remove them from the device. Mohamed Sabt and
Jacques Traore, two researchers with the French telecom Orange Labs,
claim the scheme associated with the system is "non-provably secure,"
and could have "severe consequences." The two point out in their paper
"Breaking Into the KeyStore: A Practical Forgery Attack Against
Android KeyStore," that it's the hash-then-encrypt (HtE) authenticated
encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore
that fails to guarantee the integrity of keys.'
-- source: https://tech.slashdot.org/story/16/07/07/1819233
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174