Replies and rebuttals are flying about regarding a report critical of the encryption and password management functions deployed with Samsung’s Knox technology in its Android-based Galaxy and Note mobile devices.
Last week, a researcher published an advisory that said a PIN chosen during setup of the Knox App on consumer versions of Samsung devices is stored in clear text. The researcher was also critical of the libraries used to derive encryption keys by the version of Knox he tested, Knox Personal on the Galaxy S4. Samsung has since said Knox Personal has been replaced, and that the security issues—some of which Samsung confirmed—are not present on the enterprise version of Knox.
“It appears that the discrepancy is that these researchers seem to have tested an old, discontinued version of Knox that was never intended for enterprise use,” said Dan Rosenberg, senior security researcher with Azimuth Security. “These flaws may have been present on that platform, but at least according to Samsung, do not affect users of the latest version of Knox, and have never affected users of the enterprise solution (as opposed to the “Personal” containers).”
The report came less than a week after the National Security Agency endorsed Galaxy devices running Knox as part of its Commercial Solutions for Classified Program. By including Galaxy devices on this list, the agency cleared them for use in protecting classified data.
Knox is the code name for partitions, or containers, used on Samsung smartphones and tablets to keep personal and business data separate and encrypted. Samsung issued a statement late Friday responding to three points made in the report.
The first was the claim that a Mealy machine library was used in the key generation process. Samsung said Knox 1.0 uses Password-Based Key Derivation Function 2, or PBKDF2, to generate an encryption key from a combination of the user's password and a random number (the salt) generated on the device. In Knox 2.0, Samsung said it has strengthened key derivation by following the Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) for key derivation and storage.
The researcher, meanwhile, was clear in his report that he did not analyze the enterprise version of Knox, and instead looked at the pre-installed Knox Container App, or Knox Personal, on the Samsung Galaxy S4. He is, however, reaffirming that version 2.0 of the Knox App Container and version 3.0 of the Knox ContainerAgent were present on his device, rebutting some public criticism that he was looking at an early developer version.
“I don’t think that version 2.0_2 seems to be an early developer version?!?” he said. “I did the analysis about one month ago with a new Samsung S4 and all updates installed. That doesn’t seem to be an early developer version, right? Or did I [buy] a fake one ;)?”
Samsung confirmed another point raised by the report: that Knox saves the encryption key required to auto-mount the container's file system in TrustZone.
“However, unlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and KNOX Trusted Boot will lock down the container key store in the event of a system compromise,” Samsung said.
The remaining sticking point is the contention that Knox stores an alternative PIN for password resets in clear text on the phone. Samsung denies this for Knox enterprise containers, but confirms that for Knox 1.0 Personal containers, the alternative PIN is stored on the device.
“This KNOX 1.0 Personal container is not a part of the KNOX enterprise solution and was discontinued early this year. KNOX Personal containers cannot be created on KNOX 2.0 devices,” Samsung said. “However, customers who created one on an older firmware revision can migrate to KNOX 2.0 as part of a system update, for enhanced security.”
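The two technical points above, PBKDF2 key derivation from a password plus a random salt (Knox 1.0, as Samsung describes it) and the clear-text storage of the reset PIN in Knox 1.0 Personal, can be shown side by side. The block below is an added example written for this article, not Samsung's code and not a reconstruction of how Knox stores anything; the function names, the salt and iteration parameters, the 4-digit PIN and the "verifier" layout are all assumptions chosen for illustration. It derives a container key with PBKDF2-HMAC-SHA256 (checked against a published known-answer vector), stores a reset PIN as a salted verifier instead of clear text, and then shows the caveat a practitioner cares about: a verifier for a 4-digit PIN still falls to an offline enumeration of 10,000 guesses, which is why the secret belongs behind hardware that limits attempts (such as the TrustZone-backed, access-controlled key store Samsung describes) rather than merely hashed on disk.

```python
"""Added example (not Samsung/Knox code): PBKDF2 key derivation, a salted
reset-PIN verifier instead of a clear-text PIN, and an offline brute force
showing why a short PIN must also be rate-limited in hardware."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

MIN_SALT_BYTES = 16          # assumption: 128-bit random salt
MIN_KEY_ITERATIONS = 100_000  # assumption: production iteration floor
DEMO_PIN_ITERATIONS = 200     # deliberately low so the brute force below runs fast


def _pbkdf2(secret: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=length)


def known_answer_ok() -> bool:
    """Self-check against the widely published PBKDF2-HMAC-SHA256 vector
    (password="password", salt="salt", c=1, dkLen=32)."""
    expected = bytes.fromhex(
        "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
    return _pbkdf2(b"password", b"salt", 1) == expected


def derive_container_key(password: str, salt: bytes,
                         iterations: int = MIN_KEY_ITERATIONS) -> bytes:
    """Derive a 256-bit container key from the user's password and a random
    salt. Refuses short salts and weak iteration counts."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt too short")
    if iterations < MIN_KEY_ITERATIONS:
        raise ValueError("iteration count too low")
    return _pbkdf2(password.encode("utf-8"), salt, iterations)


def make_pin_verifier(pin: str, iterations: int = DEMO_PIN_ITERATIONS) -> Dict:
    """Store a reset PIN as salt + stretched digest, never the PIN itself.
    (The iteration count here is a demo value; use MIN_KEY_ITERATIONS or
    more in practice.)"""
    salt = os.urandom(MIN_SALT_BYTES)
    return {
        "salt": salt,
        "iterations": iterations,
        "digest": _pbkdf2(pin.encode("utf-8"), salt, iterations),
    }


def check_pin(verifier: Dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate PIN against the verifier."""
    digest = _pbkdf2(candidate.encode("utf-8"), verifier["salt"],
                     verifier["iterations"])
    return hmac.compare_digest(digest, verifier["digest"])


def offline_guess_pin(verifier: Dict, digits: int = 4) -> Tuple[str, int]:
    """What an attacker holding only the stored verifier can do: enumerate
    every numeric PIN of the given length. Returns (pin, attempts).
    A salted, stretched verifier hides the PIN from a casual read of the
    file, but cannot save a 4-digit secret from 10**digits guesses; attempt
    limiting has to live somewhere the attacker cannot copy (e.g. a TEE)."""
    attempts = 0
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        attempts += 1
        if check_pin(verifier, candidate):
            return candidate, attempts
    return "", attempts


if __name__ == "__main__":
    print("known answer ok:", known_answer_ok())
    salt = os.urandom(MIN_SALT_BYTES)
    print("container key:", derive_container_key("correct horse", salt).hex())
    v = make_pin_verifier("2580")  # constructed sample PIN
    print("stored verifier digest:", v["digest"].hex())
    print("offline guess:", offline_guess_pin(v))
```

The brute-force function is the point of the example: moving from clear text to a salted verifier fixes the specific finding (the PIN is no longer readable from the file), but a 4-digit PIN has only 10,000 candidates, so the stretched digest buys at most a few seconds against an attacker who has copied the file. Samsung's description of the container key being retrievable only by trusted system processes, and locked down on compromise, is the architectural answer to that limit.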
Samsung said that Knox 1.0 Personal has been replaced in later versions by My Knox, which is based on the enterprise version. My Knox, the researcher said, is available only for Galaxy S5 and Note 4 devices.