Make password history hashing more secure
Instead of hashing the password directly which makes it possible to bruteforce
the password offline, hash the password together with the synthetic password.
This means without knowledge of the synthetic password, the hash itself is
useless.
As a consequence of this change, saving and checking historical password would
now also require the current device password to be provided. Checking password
history also takes more time due to the need to unwrap synthetic password, at
around 100-200ms.
Bug: 32826058
Test: manual
Change-Id: Icb65171b8c8b703d8f0aa3a8cb2bf7ad96c1332d
diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl
index 7e63adc..591f15f 100644
--- a/core/java/com/android/internal/widget/ILockSettings.aidl
+++ b/core/java/com/android/internal/widget/ILockSettings.aidl
@@ -45,6 +45,7 @@
boolean checkVoldPassword(int userId);
boolean havePattern(int userId);
boolean havePassword(int userId);
+ byte[] getHashFactor(String currentCredential, int userId);
void setSeparateProfileChallengeEnabled(int userId, boolean enabled, String managedUserPassword);
boolean getSeparateProfileChallengeEnabled(int userId);
void registerStrongAuthTracker(in IStrongAuthTracker tracker);
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index d4ab426..7c339fb 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -66,8 +66,10 @@
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.List;
+import java.util.StringJoiner;
/**
* Utilities for the lock pattern and its settings.
*/
@@ -165,6 +167,7 @@
public static final String SYNTHETIC_PASSWORD_HANDLE_KEY = "sp-handle";
public static final String SYNTHETIC_PASSWORD_ENABLED_KEY = "enable-sp";
+ private static final String HISTORY_DELIMITER = ",";
private final Context mContext;
private final ContentResolver mContentResolver;
@@ -507,31 +510,50 @@
}
/**
+ * Returns the password history hash factor, needed to check new password against password
+ * history with {@link #checkPasswordHistory(String, byte[], int)}
+ */
+ public byte[] getPasswordHistoryHashFactor(String currentPassword, int userId) {
+ try {
+ return getLockSettings().getHashFactor(currentPassword, userId);
+ } catch (RemoteException e) {
+ Log.e(TAG, "failed to get hash factor", e);
+ return null;
+ }
+ }
+
+ /**
* Check to see if a password matches any of the passwords stored in the
* password history.
*
- * @param password The password to check.
+ * @param passwordToCheck The password to check.
+ * @param hashFactor Hash factor of the current user returned from
+ * {@link ILockSettings#getHashFactor}
* @return Whether the password matches any in the history.
*/
- public boolean checkPasswordHistory(String password, int userId) {
- String passwordHashString = new String(
- passwordToHash(password, userId), StandardCharsets.UTF_8);
- String passwordHistory = getString(PASSWORD_HISTORY_KEY, userId);
- if (passwordHistory == null) {
+ public boolean checkPasswordHistory(String passwordToCheck, byte[] hashFactor, int userId) {
+ if (TextUtils.isEmpty(passwordToCheck)) {
+ Log.e(TAG, "checkPasswordHistory: empty password");
return false;
}
- // Password History may be too long...
- int passwordHashLength = passwordHashString.length();
+ String passwordHistory = getString(PASSWORD_HISTORY_KEY, userId);
+ if (TextUtils.isEmpty(passwordHistory)) {
+ return false;
+ }
int passwordHistoryLength = getRequestedPasswordHistoryLength(userId);
if(passwordHistoryLength == 0) {
return false;
}
- int neededPasswordHistoryLength = passwordHashLength * passwordHistoryLength
- + passwordHistoryLength - 1;
- if (passwordHistory.length() > neededPasswordHistoryLength) {
- passwordHistory = passwordHistory.substring(0, neededPasswordHistoryLength);
+ String legacyHash = legacyPasswordToHash(passwordToCheck, userId);
+ String passwordHash = passwordToHistoryHash(passwordToCheck, hashFactor, userId);
+ String[] history = passwordHistory.split(HISTORY_DELIMITER);
+ // Password History may be too long...
+ for (int i = 0; i < Math.min(passwordHistoryLength, history.length); i++) {
+ if (history[i].equals(legacyHash) || history[i].equals(passwordHash)) {
+ return true;
+ }
}
- return passwordHistory.contains(passwordHashString);
+ return false;
}
/**
@@ -830,6 +852,7 @@
updateEncryptionPasswordIfNeeded(password,
PasswordMetrics.computeForPassword(password).quality, userHandle);
updatePasswordHistory(password, userHandle);
+ onAfterChangingPassword(userHandle);
}
/**
@@ -852,8 +875,15 @@
}
}
+ /**
+ * Store the hash of the *current* password in the password history list, if device policy
+ * enforces password history requirement.
+ */
private void updatePasswordHistory(String password, int userHandle) {
-
+ if (TextUtils.isEmpty(password)) {
+ Log.e(TAG, "checkPasswordHistory: empty password");
+ return;
+ }
// Add the password to the password history. We assume all
// password hashes have the same length for simplicity of implementation.
String passwordHistory = getString(PASSWORD_HISTORY_KEY, userHandle);
@@ -864,16 +894,25 @@
if (passwordHistoryLength == 0) {
passwordHistory = "";
} else {
- byte[] hash = passwordToHash(password, userHandle);
- passwordHistory = new String(hash, StandardCharsets.UTF_8) + "," + passwordHistory;
- // Cut it to contain passwordHistoryLength hashes
- // and passwordHistoryLength -1 commas.
- passwordHistory = passwordHistory.substring(0, Math.min(hash.length
- * passwordHistoryLength + passwordHistoryLength - 1, passwordHistory
- .length()));
+ final byte[] hashFactor = getPasswordHistoryHashFactor(password, userHandle);
+ String hash = passwordToHistoryHash(password, hashFactor, userHandle);
+ if (hash == null) {
+ Log.e(TAG, "Compute new style password hash failed, fallback to legacy style");
+ hash = legacyPasswordToHash(password, userHandle);
+ }
+ if (TextUtils.isEmpty(passwordHistory)) {
+ passwordHistory = hash;
+ } else {
+ String[] history = passwordHistory.split(HISTORY_DELIMITER);
+ StringJoiner joiner = new StringJoiner(HISTORY_DELIMITER);
+ joiner.add(hash);
+ for (int i = 0; i < passwordHistoryLength - 1 && i < history.length; i++) {
+ joiner.add(history[i]);
+ }
+ passwordHistory = joiner.toString();
+ }
}
setString(PASSWORD_HISTORY_KEY, passwordHistory, userHandle);
- onAfterChangingPassword(userHandle);
}
/**
@@ -1098,7 +1137,7 @@
return Long.toHexString(salt);
}
- /*
+ /**
* Generate a hash for the given password. To avoid brute force attacks, we use a salted hash.
* Not the most secure, but it is at least a second level of protection. First level is that
* the file is in a location only readable by the system process.
@@ -1107,7 +1146,7 @@
*
* @return the hash of the pattern in a byte array.
*/
- public byte[] passwordToHash(String password, int userId) {
+ public String legacyPasswordToHash(String password, int userId) {
if (password == null) {
return null;
}
@@ -1122,7 +1161,24 @@
System.arraycopy(md5, 0, combined, sha1.length, md5.length);
final char[] hexEncoded = HexEncoding.encode(combined);
- return new String(hexEncoded).getBytes(StandardCharsets.UTF_8);
+ return new String(hexEncoded);
+ } catch (NoSuchAlgorithmException e) {
+ throw new AssertionError("Missing digest algorithm: ", e);
+ }
+ }
+
+ /**
+ * Hash the password for password history check purpose.
+ */
+ private String passwordToHistoryHash(String passwordToHash, byte[] hashFactor, int userId) {
+ if (TextUtils.isEmpty(passwordToHash) || hashFactor == null) {
+ return null;
+ }
+ try {
+ MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
+ sha256.update(hashFactor);
+ sha256.update((passwordToHash + getSalt(userId)).getBytes());
+ return new String(HexEncoding.encode(sha256.digest()));
} catch (NoSuchAlgorithmException e) {
throw new AssertionError("Missing digest algorithm: ", e);
}
@@ -1571,6 +1627,7 @@
updateEncryptionPasswordIfNeeded(credential, quality, userId);
updatePasswordHistory(credential, userId);
+ onAfterChangingPassword(userId);
} else {
if (!TextUtils.isEmpty(credential)) {
throw new IllegalArgumentException("password must be emtpy for NONE type");
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index f1fd00b..1078f6e 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1742,7 +1742,8 @@
if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
hash = LockPatternUtils.patternToHash(LockPatternUtils.stringToPattern(credential));
} else {
- hash = mLockPatternUtils.passwordToHash(credential, userId);
+ hash = mLockPatternUtils.legacyPasswordToHash(credential, userId)
+ .getBytes(StandardCharsets.UTF_8);
}
if (Arrays.equals(hash, storedHash.hash)) {
if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
@@ -2532,6 +2533,33 @@
mRecoverableKeyStoreManager.lockScreenSecretChanged(credentialType, credential, userId);
}
+ /**
+ * Returns a fixed pseudorandom byte string derived from the user's synthetic password.
+ * This is used to salt the password history hash to protect the hash against offline
+ * bruteforcing, since rederiving this value requires a successful authentication.
+ */
+ @Override
+ public byte[] getHashFactor(String currentCredential, int userId) throws RemoteException {
+ checkPasswordReadPermission(userId);
+ if (TextUtils.isEmpty(currentCredential)) {
+ currentCredential = null;
+ }
+ synchronized (mSpManager) {
+ if (!isSyntheticPasswordBasedCredentialLocked(userId)) {
+ Slog.w(TAG, "Synthetic password not enabled");
+ return null;
+ }
+ long handle = getSyntheticPasswordHandleLocked(userId);
+ AuthenticationResult auth = mSpManager.unwrapPasswordBasedSyntheticPassword(
+ getGateKeeperService(), handle, currentCredential, userId, null);
+ if (auth.authToken == null) {
+ Slog.w(TAG, "Current credential is incorrect");
+ return null;
+ }
+ return auth.authToken.derivePasswordHashFactor();
+ }
+ }
+
private long addEscrowToken(byte[] token, int userId) throws RemoteException {
if (DEBUG) Slog.d(TAG, "addEscrowToken: user=" + userId);
synchronized (mSpManager) {
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
index 0700ab3..596daeb 100644
--- a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
+++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
@@ -123,6 +123,7 @@
private static final byte[] PERSONALIZATION_FBE_KEY = "fbe-key".getBytes();
private static final byte[] PERSONALIZATION_AUTHSECRET_KEY = "authsecret-hal".getBytes();
private static final byte[] PERSONALIZATION_SP_SPLIT = "sp-split".getBytes();
+ private static final byte[] PERSONALIZATION_PASSWORD_HASH = "pw-hash".getBytes();
private static final byte[] PERSONALIZATION_E0 = "e0-encryption".getBytes();
private static final byte[] PERSONALISATION_WEAVER_PASSWORD = "weaver-pwd".getBytes();
private static final byte[] PERSONALISATION_WEAVER_KEY = "weaver-key".getBytes();
@@ -165,6 +166,11 @@
syntheticPassword.getBytes());
}
+ public byte[] derivePasswordHashFactor() {
+ return SyntheticPasswordCrypto.personalisedHash(PERSONALIZATION_PASSWORD_HASH,
+ syntheticPassword.getBytes());
+ }
+
private void initialize(byte[] P0, byte[] P1) {
this.P1 = P1;
this.syntheticPassword = String.valueOf(HexEncoding.encode(