Recently, a report criticizing Knox Technology’s password management and encryption functions in Samsung’s Note and Galaxy mobile devices (Android-based) provoked a lot of replies and rebuttals.
According to an advisory published last week, a PIN selected during setup of the Knox app on Samsung devices is saved in clear text. The author also criticized the libraries used to derive encryption keys in Knox Personal on the Galaxy S4. In reply to the criticism, Samsung revealed that Knox Personal has already been replaced and that the security issues have been eliminated in the enterprise version of Knox.
A researcher with Azimuth Security said that the tested version of the device was apparently old and not meant for enterprise use. The flaws pointed out in the report do not affect users on the latest version of Knox and were never a threat to users of the enterprise version.
The report was issued a few days after the NSA (National Security Agency) included Galaxy devices running Knox in its Commercial Solutions for Classified Program.
"Samsung Knox provides security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time." (Wikipedia)
Here are the three major points made in the report and how Samsung replied to them in a statement from last Friday.
A Mealy Machine Library, Used in the Key Generation Process
Samsung states that Password-Based Key Derivation Function 2 (PBKDF2) is used in Knox 1.0. Its purpose is to generate an encryption key by combining output from the device’s random number generator with the user’s password. The key derivation has been strengthened in Knox 2.0 by following the Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) recommendation.
The Encryption Key That Is Required to Auto-Mount the Container’s File System Is Saved in the TrustZone
Samsung confirms this statement, but points out that access to the key is controlled: it can be retrieved only by trusted system processes. If the system is compromised, KNOX Trusted Boot will lock the container key store.
KNOX Container Stores an Alternative PIN in Plaintext for Password Resets
The company flatly denies this for the enterprise containers. Instead, it relies on IT administrators to reset and change passwords through their MDM agent. Samsung confirms the finding for Knox 1.0 Personal containers, stating that these containers are not managed by an MDM agent and either store an alternative PIN or rely on a Samsung account to recover passwords. Personal containers cannot be created on KNOX 2.0 devices.
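The two points above, password-based key derivation and plaintext storage of a recovery PIN, are illustrated by the following added example. It is not Samsung's or Knox's code and makes no claim about how Knox implements either feature; the iteration count, key length and salt length are assumptions chosen for the example. It derives a container key from a password and a random salt with PBKDF2-HMAC-SHA256, and contrasts a plaintext recovery-PIN record with one that keeps only a salted PBKDF2 verifier, so that a readable store no longer yields the PIN itself.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not Knox's actual settings).
ITERATIONS = 100_000   # work factor that slows offline guessing
KEY_LEN = 32           # 256-bit derived key
SALT_LEN = 16          # 128-bit random salt from the device's CSPRNG


def new_salt() -> bytes:
    """Fresh random salt; stored beside the derived material, never secret."""
    return secrets.token_bytes(SALT_LEN)


def derive_container_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: password plus random salt -> container encryption key.

    The same password and salt always yield the same key; changing either one
    changes every bit of the output, so two users with the same password get
    unrelated keys and a precomputed dictionary is useless across devices.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


# --- The weak pattern the report describes: recovery PIN kept in plaintext ---

def store_pin_plaintext(pin: str) -> dict:
    """Anyone who can read this record learns the PIN directly."""
    return {"pin": pin}


def check_pin_plaintext(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(record["pin"], candidate)


# --- The hardened form: store a salted PBKDF2 verifier, not the PIN ---

def store_pin_verifier(pin: str, iterations: int = ITERATIONS) -> dict:
    """Record holds salt, work factor and verifier; the PIN itself is not kept."""
    salt = new_salt()
    verifier = hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_pin_verifier(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"],
        record["iterations"], dklen=KEY_LEN,
    )
    return hmac.compare_digest(cand, record["verifier"])


if __name__ == "__main__":
    salt = new_salt()
    key = derive_container_key("correct horse battery staple", salt)
    print("container key:", key.hex())

    weak = store_pin_plaintext("4821")
    print("plaintext record exposes PIN:", weak)

    strong = store_pin_verifier("4821")
    print("verifier record keys:", sorted(strong))
    print("accepts right PIN:", check_pin_verifier(strong, "4821"))
    print("rejects wrong PIN:", check_pin_verifier(strong, "0000"))
```

A short PIN remains guessable in a few thousand tries even when hashed, which is why the verifier alone is not a substitute for the rate limiting or administrator-mediated reset that the enterprise version delegates to the MDM agent; the point of the example is only that the store should not contain the secret in readable form.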