Proceedings 2018 Network and Distributed System Security Symposium 2018
DOI: 10.14722/ndss.2018.23365

Removing Secrets from Android's TLS

Abstract: Cryptographic libraries that implement Transport Layer Security (TLS) have a responsibility to delete cryptographic keys once they're no longer in use. Any key that's left in memory can potentially be recovered through the actions of an attacker, up to and including the physical capture and forensic analysis of a device's memory. This paper describes an analysis of the TLS library stack used in recent Android distributions, combining a C language core (BoringSSL) with multiple layers of Java code (Con…

Cited by 4 publications (6 citation statements)
References 27 publications
“…Obviously, these credentials and keys must also be deleted in a timely manner. We previously looked at SSL/TLS session key retention [34], discovering a number of issues similar to what we have found with password retention in this study.…”
Section: Discussion (supporting)
confidence: 54%
“…Although Android apps are commonly written in Java, they may make native calls to underlying C libraries included by the app or installed natively on the system. For example, the Android TLS implementation wraps a Java layer (Conscrypt) atop the BoringSSL cryptographic library written in C. If passwords are copied from the Java layer to the C layer, there is also a possibility for the data to be retained in the C layer [34].…”
Section: B Risks Of Password Retention (mentioning)
confidence: 99%