Monday, September 8, 2014

encryption - How exactly does FBE's key derivation work?


These are the files that I know go into verifying a user's password:



/data/system/gatekeeper.password.key
/data/system/gatekeeper.pattern.key
/data/system/locksettings.db
/data/system/locksettings.db-shm
/data/system/locksettings.db-wal

I know that this is where the files used to construct the FBE key are stored:


/data/misc/vold/user_keys/ce/0/current/version
/data/misc/vold/user_keys/ce/0/current/secdiscardable
/data/misc/vold/user_keys/ce/0/current/encrypted_key
/data/misc/vold/user_keys/ce/0/current/stretching
/data/misc/vold/user_keys/de/0/encrypted_key
/data/misc/vold/user_keys/de/0/stretching
/data/misc/vold/user_keys/de/0/keymaster_key_blob
/data/misc/vold/user_keys/de/0/secdiscardable
/data/misc/vold/user_keys/de/0/version

Although I'm told the encrypted FBE keys are stored in the above paths, these files seem related:


/data/system_de/0/spblob/0000000000000000.handle
/data/system_de/0/spblob/XXXXXXXXXXXXXXXX.pwd
/data/system_de/0/spblob/XXXXXXXXXXXXXXXX.secdis
/data/system_de/0/spblob/XXXXXXXXXXXXXXXX.spblob

The XXXXXXXXXXXXXXXX is a placeholder for a 16-character-long hexadecimal "handle"; 0000000000000000.handle, by contrast, is named exactly as it is written. There are actually several sets of pwd/secdis/spblob files on my phone, and two that are missing their spblob file. I'm not sure I'm supposed to have that many.


Over the past few days, I've messed up my phone trying to get TWRP to decrypt my data. At first, after removing my password, I couldn't set another one, as Settings would crash whenever I tried. I was able to fix it by renaming locksettings.db. I then went ahead and set and cleared several different (but very insecure) passwords/PINs, including my old one (which is secure). I'm unable to remember the order of events, but now I'm at a point where I get "Pixel is starting" whenever I swipe on my home screen after booting. I'm suspecting this has to do with it not being able to decrypt my FBE key. I'm wondering if, through my combination of renaming files like gatekeeper.*.key and locksettings.db, the FBE key maybe was decrypted with the wrong key and then re-encrypted with a different one.


I'd like to know what role the above files play in encrypting my phone. I'd also like to know:

  • What data from what sources is combined using what algorithms to decrypt the keys that encrypt my phone.
  • What happens when the password is changed (e.g., what files are decrypted/re-encrypted, whether the salt is changed, etc.).
  • How the files gatekeeper.*.key and locksettings.db are used in the process.
  • Whether or not the FBE key ever changes with the password.


The purpose of all of this is to determine if the problem with my phone lies with the encryption key being wrong or if it's a matter of cleaning up the right files, and to get past the endless "Pixel is starting" message to my apps and content.
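The question above notes several handle-named file sets under /data/system_de/0/spblob/, some missing their .spblob. As an added example (not part of the original post, and not an answer to the key-derivation question itself), this Python snippet parses a directory listing of that folder, groups entries by their 16-hex-character handle, and reports which sets are incomplete. The listing it runs on is constructed here; on a real device you would feed it the output of `ls /data/system_de/0/spblob/` obtained via a rooted `adb shell`, which is an assumed workflow, not something the post describes.

```python
import re
from collections import defaultdict

# Constructed sample listing of /data/system_de/0/spblob/ (NOT taken from the
# poster's device): two complete pwd/secdis/spblob sets, one set that is
# missing its .spblob, plus the fixed-name 0000000000000000.handle file.
SAMPLE_LISTING = """\
0000000000000000.handle
1a2b3c4d5e6f7a8b.pwd
1a2b3c4d5e6f7a8b.secdis
1a2b3c4d5e6f7a8b.spblob
9f8e7d6c5b4a3921.pwd
9f8e7d6c5b4a3921.secdis
9f8e7d6c5b4a3921.spblob
00aa11bb22cc33dd.pwd
00aa11bb22cc33dd.secdis
"""

# A handle is 16 hex characters; the three suffixes are the ones named in the post.
HANDLE_RE = re.compile(r"^([0-9a-fA-F]{16})\.(pwd|secdis|spblob)$")
EXPECTED_SUFFIXES = {"pwd", "secdis", "spblob"}
HANDLE_FILE = "0000000000000000.handle"


def group_by_handle(listing):
    """Map each handle to the set of suffixes (pwd/secdis/spblob) present for it.

    Lines that do not match the handle.suffix pattern (including the
    0000000000000000.handle file) are ignored here.
    """
    groups = defaultdict(set)
    for name in listing.splitlines():
        name = name.strip()
        if not name:
            continue
        match = HANDLE_RE.match(name)
        if match:
            groups[match.group(1).lower()].add(match.group(2))
    return dict(groups)


def incomplete_handles(listing):
    """Return {handle: [missing suffixes]} for every set that lacks a file."""
    return {
        handle: sorted(EXPECTED_SUFFIXES - suffixes)
        for handle, suffixes in group_by_handle(listing).items()
        if suffixes != EXPECTED_SUFFIXES
    }


def has_handle_file(listing):
    """True if the fixed-name 0000000000000000.handle entry is present."""
    return HANDLE_FILE in {line.strip() for line in listing.splitlines()}


if __name__ == "__main__":
    # Stand-alone run against the constructed listing.
    sets = group_by_handle(SAMPLE_LISTING)
    print(f"{len(sets)} handle set(s) found; handle file present: {has_handle_file(SAMPLE_LISTING)}")
    for handle, missing in incomplete_handles(SAMPLE_LISTING).items():
        print(f"  {handle}: missing {', '.join(missing)}")
```

This only inventories what is on disk; it does not read or interpret the contents of any of these files, so it can tell you which sets are incomplete but not which one the current lock screen credential corresponds to.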



