Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad PIN! when using my gnuk token #2368

Closed
DamienCassou opened this issue Jul 9, 2018 · 25 comments · Fixed by #2596
Closed

Bad PIN! when using my gnuk token #2368

DamienCassou opened this issue Jul 9, 2018 · 25 comments · Fixed by #2596

Comments

@DamienCassou
Copy link

I've just got a usb token with gnuk (I replaced neug with gnuk in an FST-01G). I put a keyring on it and things seem to work fine on my computer. In OpenKeychain, I imported the keys from the token in such a way that I get a new entry in "My Keys". Nevertheless, when trying to decrypt a file using the token, I always get "Bad PIN!" error message. The PIN I enter is good. I even cleared the password cache and restarted the phone.

I tried to change the user PIN from gnupg and got the same "Bad PIN!" message after that in OpenKeychain.

I tried to change the user PIN from OpenKeychain and got 3 input fields: 1 for the admin PIN and 2 for the user PIN. When I validated the popup, I got a "Hold Security Token against the NFC…" popup even though my token was inserted already. I unplugged the token and pluged it back and got a "Bad PIN!" error message again.

Your Environment

  • Android Version: 8.1.0 with LineageOS 15.1-20180709
  • Device Model: OnePlus 1 (bacon)
  • OpenKeychain Version: 5.1.4
  • From Google Play or F-Droid?: F-Droid
@DamienCassou
Copy link
Author

I captured some logs. Here is an extract:

07-09 17:03:17.903 I/am_set_resumed_activity(3078): [0,org.sufficientlysecure.keychain/.ui.CreateKeyActivity,resumeTopActivityInnerLocked]
07-09 17:03:17.906 I/am_resume_activity(3078): [0,128487145,1389,org.sufficientlysecure.keychain/.ui.CreateKeyActivity]
07-09 17:03:17.943 I/notification_enqueue(3078): [1000,3078,android,17040724,NULL,0,Notification(channel=SECURITY pri=-1 contentView=null vibrate=null sound=null defaults=0x0 flags=0x2 color=0x00000000 vis=PRIVATE),0]
07-09 17:03:17.946 I/sysui_count(3078): [window_time_0,2]
07-09 17:03:17.938 E/NxpTml  (6177): _i2c_write() errno : 5
07-09 17:03:17.947 I/sysui_multi_action(3078): [757,803,799,window_time_0,802,2]
07-09 17:03:17.939 E/NxpTml  (6177): PN54X - Error in I2C Write.....
07-09 17:03:17.939 E/NxpHal  (6177): write error status = 0x1ff
07-09 17:03:17.939 E/NxpHal  (6177): write_unlocked failed - PN54X Maybe in Standby Mode - Retry
07-09 17:03:17.987 I/am_on_resume_called(8591): [0,org.sufficientlysecure.keychain.ui.CreateKeyActivity,RESUME_ACTIVITY]
07-09 17:03:17.995 W/Adreno-EGL(8591): <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
07-09 17:03:17.998 D/vndksupport(8591): Loading /vendor/lib/hw/gralloc.msm8974.so from current namespace instead of sphal namespace.
07-09 17:03:18.013 I/sysui_multi_action(3078): [319,35,321,33,322,128,325,1272,757,761,758,9,759,4,806,org.sufficientlysecure.keychain,871,org.sufficientlysecure.keychain.ui.CreateKeyActivity,904,org.sufficientlysecure.keychain,905,0]
07-09 17:03:18.035 W/StaticLayout(4730): maxLineHeight should not be -1.  maxLines:1 lineCount:1

@Valodim
Copy link
Member

Valodim commented Jul 17, 2018

Sorry I didn't have time to look at this yet. I have no idea why this could be happening, and the logs unfortunately don't provide any clues. I tested the current version on a gnuk and things worked fine for me, so I don't really have a good way to debug this. :(

@DamienCassou
Copy link
Author

I have changed my keys and PIN and can still reproduce the problem. I'm on vacation and am willing to spend some time debugging this. What can I do please?

@Valodim
Copy link
Member

Valodim commented Jul 17, 2018

If you build a debug version of openkeychain from current master, there should be a lot more debug output, including a full transcript of communication with the token. Might be able to tell what's going on from there. Note that this output contains potentially sensitive data, please post those logs only for encrypted data and pin codes you don't care about :)

@DamienCassou
Copy link
Author

I got this with the debug version. I don't know what to look for so please tell me if this is not ok:

07-17 17:42:08.943 I/am_resume_activity(3504): [0,132839344,1701,org.sufficientlysecure.keychain.debug/org.sufficientlysecure.keychain.ui.SecurityTokenOperationActivity]
07-17 17:42:08.943 D/UsbTransport(29261): CCID Description: CcidDescription{maxSlotIndex=0, voltageSupport=1, protocols=2, features=132218}
07-17 17:42:08.965 W/StaticLayout(5777): maxLineHeight should not be -1.  maxLines:1 lineCount:1
07-17 17:42:08.985 D/OpenGLRenderer(5777): endAllActiveAnimators on 0x8fa76d80 (RippleDrawable) with handle 0x88cdb460
07-17 17:42:09.013 I/sysui_count(3504): [window_time_0,0]
07-17 17:42:09.013 I/sysui_multi_action(3504): [757,803,799,window_time_0,802,0]
07-17 17:42:09.044 V/CcidTransceiver(29261): CCID: attempting to power on with voltage AUTO
07-17 17:42:09.045 I/dvm_lock_sample(3504): [system_server,1,Binder:3504_8,58,WindowManagerService.java,1930,int com.android.server.wm.WindowManagerService.relayoutWindow(com.android.server.wm.Session, android.view.IWindow, int, android.view.WindowManager$LayoutParams, int, int, int, int, android.graphics.Rect, android.graphics.Rect, android.graphics.Rect, android.graphics.Rect, android.graphics.Rect, android.graphics.Rect, android.graphics.Rect, android.util.MergedConfiguration, android.view.Surface),-,2951,void com.android.server.wm.WindowManagerService.continueSurfaceLayout(),11]
07-17 17:42:09.050 W/Adreno-EGL(29261): <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
07-17 17:42:09.052 D/vndksupport(29261): Loading /vendor/lib/hw/gralloc.msm8974.so from current namespace instead of sphal namespace.
07-17 17:42:09.054 D/CcidTransceiver(29261): Usb transport connected, took 104ms, ATR=3bda11ff81b1fe551f0300318473800180059000e1
07-17 17:42:09.063 D/UsbTransport(29261): USB >> 00a4040006d27600012401
07-17 17:42:09.065 D/CcidTransceiver(29261): USB XferBlock call took 2ms
07-17 17:42:09.065 D/UsbTransport(29261): USB << 9000
07-17 17:42:09.066 D/UsbTransport(29261): USB >> 00ca006e00
07-17 17:42:09.069 D/CcidTransceiver(29261): USB XferBlock call took 2ms
07-17 17:42:09.070 D/UsbTransport(29261): USB << ...SOME DATA...
07-17 17:42:09.082 D/BaseSecurityTokenActivi(29261): BaseNfcActivity.onResume
07-17 17:42:09.085 E/NxpTml  (6680): _i2c_write() errno : 5
07-17 17:42:09.085 E/NxpTml  (6680): PN54X - Error in I2C Write.....
07-17 17:42:09.085 E/NxpHal  (6680): write error status = 0x1ff
07-17 17:42:09.085 E/NxpHal  (6680): write_unlocked failed - PN54X Maybe in Standby Mode - Retry
07-17 17:42:09.105 D/UsbTransport(29261): USB >> 0020008206363839343832
07-17 17:42:09.110 D/CcidTransceiver(29261): USB XferBlock call took 1ms
07-17 17:42:09.112 D/UsbTransport(29261): USB << 6985
07-17 17:42:09.137 I/am_on_resume_called(29261): [0,org.sufficientlysecure.keychain.ui.SecurityTokenOperationActivity,RESUME_ACTIVITY]
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): Exception in handleSecurityTokenError
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): org.sufficientlysecure.keychain.securitytoken.CardException: Bad PIN!
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.securitytoken.SecurityTokenConnection.verifyPinForOther(SecurityTokenConnection.java:339)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.securitytoken.operations.PsoDecryptTokenOp.verifyAndDecryptSessionKey(PsoDecryptTokenOp.java:72)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.ui.SecurityTokenOperationActivity.doSecurityTokenInBackground(SecurityTokenOperationActivity.java:214)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.ui.base.BaseSecurityTokenActivity.handleSecurityToken(BaseSecurityTokenActivity.java:439)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.ui.base.BaseSecurityTokenActivity$1.doInBackground(BaseSecurityTokenActivity.java:149)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at org.sufficientlysecure.keychain.ui.base.BaseSecurityTokenActivity$1.doInBackground(BaseSecurityTokenActivity.java:137)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at android.os.AsyncTask$2.call(AsyncTask.java:333)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
07-17 17:42:09.182 D/BaseSecurityTokenActivi(29261): 	at java.lang.Thread.run(Thread.java:764)
07-17 17:42:09.244 W/Adreno-EGL(29261): <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE

@DamienCassou
Copy link
Author

I replaced some hexadecimal numbers with "... SOME DATA..." above as I was not sure if that was leaking any important information.

@Valodim
Copy link
Member

Valodim commented Jul 17, 2018

So the error that is thrown is 6985, which is "Conditions of use not satisfied". That error is usually thrown when incorrect input is given, e.g. a too long or too short pin. But it doesn't even come up in the verify method that we call (see here), so something deeper must be going on here. I'll point gniibe to this thread, maybe he has an idea :)

Ah, one more thing, what version of gnuk are you using?

@DamienCassou
Copy link
Author

DamienCassou commented Jul 17, 2018 via email

@DamienCassou
Copy link
Author

To be more precise, I'm on commit b905b4802fe6ae551b3443f531e58854fbcf68e9 of git.gniibe.org/gnuk/gnuk.git.

@DamienCassou
Copy link
Author

I'm still very interested in getting that fixed. Please tell me if I can do anything to help.

@Valodim
Copy link
Member

Valodim commented Jul 27, 2018

I sent a message to gniibe linking him to this thread, but didn't get a reply. It's possible this is just a bug in the gnuk master, but I don't have enough time to test with that commit right now, sorry :(

@DamienCassou
Copy link
Author

DamienCassou commented Jul 28, 2018 via email

@DamienCassou
Copy link
Author

I can still reproduce. @Valodim: could you please tell me which version of gnuk you have on your device?

@DamienCassou
Copy link
Author

I'm still interested in solving this issue.

@cype-dev
Copy link

cype-dev commented Aug 25, 2019
edited

Does OpenKeychain support KDF-DO described in the OpenPGP Card 3.3 specification? I just experienced the same problem after running kdf-setup on my gnuk token. With the setting disabled it works just fine.

@gouttegd
Copy link

gouttegd commented Oct 6, 2019

For what is worth, I have the same issue as reported here with OpenKeychain 5.3 running on Android 8, with a FST-01G token running Gnuk 1.2.13. That token does use the KDF-DO mechanism.

@emilazy
Copy link

emilazy commented Mar 16, 2020

I have the same issue with a YubiKey 5 NFC that also has KDF enabled for the PIN.

The KDF algorithm is quite simple to implement; in case it would help anyone, here's a Python implementation I've contributed to yubikey-manager: Yubico/yubikey-manager#325. I'd be happy to see this adapted into a patch for OpenKeychain (and hereby release the code under the GPLv3 for the convenience of anyone doing so).

@Thomas-git
Copy link

Same problem here. @emilazy maybe you can contribute to openkeychain also ? @Valodim where should we start to add kdf support?

@zanona
Copy link

zanona commented Sep 19, 2020

Same issue here on Yubikey 5 NFC, I have changed my pin to number only and 8 characters and still get the 'bad pin' message ... :(

@stikonas
Copy link

Same issue here on Yubikey 5 NFC, I have changed my pin to number only and 8 characters and still get the 'bad pin' message ... :(

Well, this has nothing to do with number of characters... It's just that KDF is not implemented in open-keychain.

@Valodim
Copy link
Member

Valodim commented Sep 22, 2020

Looks straightforward to implement, and we should have the primitives all there to copy most of the things from @emilazy's example above. If anyone is up for it, would welcome a PR on this.

@zanona
Copy link

zanona commented Sep 25, 2020

Well, this has nothing to do with number of characters... It's just that KDF is not implemented in open-keychain.

YubiKey has KDF disabled by default, correct? I'm experiencing this issue on a fresh one? 🤔
I got the below from Yubico support:

KDF is not enabled by default, but if it has been enabled, you'll need to reset your YubiKey's OpenPGP application in order to disable it.
Please note that in our testing, an older version of GPG incorrectly reported KDF as still being enabled after a reset, but updating to the latest seemed to resolve this, so if you are seeing that KDF still appears enabled after resetting, make sure your GPG installation is up-to-date.

@Frederick888
Copy link

@zanona You can check if KDF is enabled via gpg --card-status if your GnuGP is recent enough. I'm using 2.2.23 and I can see it.

@zanona
Copy link

zanona commented Sep 25, 2020

@zanona You can check if KDF is enabled via gpg --card-status if your GnuGP is recent enough. I'm using 2.2.23 and I can see it.

Thanks for this. 😉
Yes, it seems to be off indeed.

$ gpg --version | head -1
gpg (GnuPG) 2.2.23
$ gpg --card-status | grep KDF
KDF setting ......: off

@hagau hagau mentioned this issue Sep 27, 2020
Merged
@fititnt
Copy link

fititnt commented Dec 28, 2020

@DamienCassou I think an better title, instead of

"Bad PIN! when using my gnuk token"

could be something like

'Bad PIN! When using smartcards with KDF (Key Derived Function) "hashed PINs"'.

I can confirm that this does happens also with Yubikey. So @DamienCassou may actually be earlier tester <3!

But as soon as this issue drduh/YubiKey-Guide#226 is fixed on drduh/YubiKey-Guide, this point here is likely to be get more people on this issue. But I can confirm that, using the defaults from Yubikey, an user is unlikely to have this issue. Also, I do not fully tested, but configuring the kdf-setup after one already working Yubikey may 100% fully work (e.g. may require a factory reset and restore the GPGs from backup).

About KDF

For who is interested here the https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.pdf, see page 18, "4.3.2 Key derived format".

In short, it means that if some backdoor is listening to the USB communication (and not keyboard input), instead of the plain password, it will only get the hashed password. So with this, while I think even on this very bad backdoor scenario, while would be possible to log on the smartcard, at least the way the PIN/PUK was stored (if 6/8 numbers or up to 127 complex characters) would not be obvious just by listening to the USB communication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Implement password KDF hagau/open-keychain
10 participants
@stikonas @Valodim @zanona @DamienCassou @fititnt @Thomas-git @Frederick888 @cype-dev @emilazy @gouttegd