From Revelation security to Android password managers
I bought myself a Motorola Milestone some time ago. Finally being free of all the Apple restrictions on the iPhone feels great. I am really enjoying my new smartphone. However there is still something missing. A way to have all my passwords with me on my phone in a safely encrypted container.
I store all of my passwords in an application called Revelation on my desktop system. The encrypted passwords are automatically pushed to a subversion repository every time I change them. Before the application is started it automatically checks for a newer password file in the repository and updates it if necessary. This way I always have access to a recent version of my passwords on my notebook as well as on my desktop system.
What always bothered me is the fact that I couldn't access my passwords from my mobile phone. After now having an Android phone I decided this circumstance had to change.
Evaluation of different possibilities
The first idea to solve the problem was to write an Android password manager application, that could read and write the revelation password file format. Even though this would have been the best solution I don't have the time to take a deeper look into Android application development at the moment. I might however pick up this idea again in the future.
Nevertheless a more efficient and time saving solution needed to be found. I did some research into the availability of password managers for Android phones, which could import passwords in some kind of format. During my search in the web and the android market I stumbled across the Secrets for Android application. It had a nice UI, was able to import a CSV based file into its password db and most important a quick look into its source did not reveal any obvious security flaws to me. I decided to go with this application on the android side.
The Revelation password file format
Unfortunately no real documentation of the Revelation password file format exists. I jumped right into the code of Revelation to take a look at how it stores the passwords. Until that point I only new it was using a AES-256 block cipher for the task. What I dug out didn't really satisfy my security paranoia. What Revelation did was right padding the given password string with zeros and using it directly as key to the AES-256 cipher, therefore weakening the encryption by possibly using a unnecessary small key length.
Because I didn't want to migrate all my passwords away from Revelation and I really like this application, the decision was made to change the file format. I created a new
DataHandler for it, which uses salted multihashed keys. The new format does integrate gracefully with the old one. If you open an old versioned file it is automatically converted to the new version as soon as the file is saved again. My patched Revelation source code can be found inside a bitbucket repository
Even though I sent a pull request for these changes to the author of the application it is unlikely they will ever be committed to the main repositories, as the application isn't maintained for quite some time now. As the author told me in an email, he has discontinued supporting this project for good.
The application is however doing exactly what I want it to do. After my changes to the encryption format I am satisfied with the security as well. Therefore I don't see any reason not to continue using it.
Converting Revelation password files
Having a good knowledge of the Revelation password file format by now, I needed a way of transforming it to something the Secrets for Android application is able to import. A converter needed to be written. Obviously I decided to use PHP for this task, as it provided all the necessary functionality. Furthermore, as stated before, my freetime for this project was limited. Therefore I chose a language I know inside out.
The revtrans application was born. It is a simple commandline tool, which reads either the unencrypted XML exported by Revelation, or its encrypted password files and outputs a CSV file, which Secrets for Android is able to import. It requires PHP 5.3 to run, as it uses some of its new features like namespaces. Furthermore the
mcrypt extension needs to be installed in order to read the encrypted file format. When it comes to the encryption format the old, as well as the new one I created as stated above, is supported.
The usage of revtrans couldn't be simpler. A call to the
revtrans.php on the commandline reveals its options to you:
RevTrans - Revelation Password File Transformer Copyright 2010 Jakob Westhoff Usage: revtrans.php [OPTIONS] <input file> Options: --input-format=<plain,encrypted> Input format to read (Default: encrypted) --password=<password> Password to use for decryption. It is discouraged to supply a password on the commandline. You will be asked for one if necessary. --output=<file> Write output to a file instead of stdout.
For example this call would transform the file
paswords.db, which is in the encrypted Revelation format, to CSV data, which is outtputted to
$ ./revtrans.php passwords.db
If you know of other password managers for Android, which might be better suited for my needs, I would be glad if you could drop me a line. Any comment on this conversion tool or my changes made to Revelation is appreciated as well.