From Revelation security to Android password managers using a PHP based transformer - Westhoffswelt - Welcome to the real world

From Revelation security to Android password managers

I bought myself a Motorola Milestone some time ago. Finally being free of all the Apple restrictions on the iPhone feels great, and I am really enjoying my new smartphone. However, there was still something missing: a way to have all my passwords with me on my phone in a safely encrypted container.

I store all of my passwords in an application called Revelation on my desktop system. The encrypted passwords are automatically pushed to a subversion repository every time I change them. Before the application is started it automatically checks for a newer password file in the repository and updates it if necessary. This way I always have access to a recent version of my passwords on my notebook as well as on my desktop system.

Screenshot: Revelation Password Manager

What always bothered me was the fact that I couldn't access my passwords from my mobile phone. Now that I have an Android phone, I decided this had to change.

Evaluation of different possibilities

The first idea to solve the problem was to write an Android password manager application that could read and write the Revelation password file format. Even though this would have been the best solution, I don't have the time to take a deeper look into Android application development at the moment. I might, however, pick up this idea again in the future.

Screenshot: Secrets for Android

Nevertheless, a more efficient and time-saving solution needed to be found. I did some research into the availability of password managers for Android phones that could import passwords in some kind of format. During my search on the web and in the Android Market I stumbled across the Secrets for Android application. It had a nice UI, was able to import a CSV based file into its password database and, most importantly, a quick look into its source did not reveal any obvious security flaws to me. I decided to go with this application on the Android side.

The Revelation password file format

Unfortunately no real documentation of the Revelation password file format exists, so I jumped right into the code of Revelation to take a look at how it stores the passwords. Until that point I only knew it was using an AES-256 block cipher for the task. What I dug out didn't really satisfy my security paranoia: Revelation right-pads the given password string with zeros and uses it directly as the key for the AES-256 cipher. This weakens the encryption, because the effective key is then only as strong as the password itself, which is usually far shorter than the 256-bit key size suggests.

Because I didn't want to migrate all my passwords away from Revelation, and I really like this application, the decision was made to change the file format. I created a new DataHandler for it, which uses salted, multiply hashed keys. The new format integrates gracefully with the old one: if you open a file in the old format, it is automatically converted to the new version as soon as the file is saved again. My patched Revelation source code can be found in a Bitbucket repository.
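To make the difference between the two key schemes concrete, here is an added example (not code from Revelation or from the patched DataHandler). The legacy function reproduces the zero-padding scheme described above; what Revelation did with passwords longer than 32 bytes is not stated in the post, so truncation is an assumption of this example. The salted, iterated derivation uses PBKDF2-HMAC-SHA256 as a stand-in, since the post does not spell out the exact "salted multihashed" construction of the new format; the sample password is constructed.

```python
import hashlib
import hmac
import os

AES_256_KEY_LEN = 32  # AES-256 takes a 32-byte key


def legacy_key(password: str) -> bytes:
    """Key derivation the post describes for the old Revelation format:
    the raw password bytes, right-padded with zero bytes to 32 bytes.
    Passwords longer than 32 bytes are truncated here; the post does not
    say what Revelation did in that case (assumption of this example)."""
    raw = password.encode("utf-8")
    return raw.ljust(AES_256_KEY_LEN, b"\x00")[:AES_256_KEY_LEN]


def password_bytes_in_key(key: bytes) -> int:
    """Number of key bytes that carry password material under the legacy
    scheme, i.e. everything before the zero padding. For a typical password
    this is far below 32, so the 'AES-256' key is only as strong as the
    password, and identical passwords always yield identical keys."""
    return len(key.rstrip(b"\x00"))


def new_salt() -> bytes:
    """A fresh random salt; it is stored unencrypted in the file header so
    the key can be recomputed when the file is opened again."""
    return os.urandom(16)


def derived_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated derivation. PBKDF2-HMAC-SHA256 stands in for the
    'salted multihashed' scheme of the patched format. Every output byte
    depends on both password and salt, two files with the same password
    get different keys, and the iteration count slows down password
    guessing against a stolen file."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=AES_256_KEY_LEN
    )


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, e.g. for checking a key-check value
    stored in the header before attempting decryption."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    weak = legacy_key(pw)
    print("legacy key:   ", weak.hex(),
          f"({password_bytes_in_key(weak)} of 32 bytes come from the password)")
    s1, s2 = new_salt(), new_salt()
    print("derived key 1:", derived_key(pw, s1).hex())
    print("derived key 2:", derived_key(pw, s2).hex())  # differs, same password
```

The point the numbers make: the legacy key for a seven-character password contains seven meaningful bytes and 25 zero bytes, and is identical for every file protected with that password. The derived key is 32 bytes that all depend on the salt, so precomputation across files does not pay off and each guess costs the full iteration count.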

Even though I sent a pull request for these changes to the author of the application, it is unlikely they will ever be committed to the main repository, as the application hasn't been maintained for quite some time now. As the author told me in an email, he has discontinued support for this project for good.

The application is however doing exactly what I want it to do. After my changes to the encryption format I am satisfied with the security as well. Therefore I don't see any reason not to continue using it.

Converting Revelation password files

Having gained a good knowledge of the Revelation password file format by now, I needed a way of transforming it into something the Secrets for Android application is able to import. A converter needed to be written. Obviously I decided to use PHP for this task, as it provides all the necessary functionality. Furthermore, as stated before, my free time for this project was limited, so I chose a language I know inside out.

The revtrans application was born. It is a simple command-line tool which reads either the unencrypted XML exported by Revelation or its encrypted password files, and outputs a CSV file that Secrets for Android is able to import. It requires PHP 5.3 to run, as it uses some of its new features like namespaces. Furthermore, the mcrypt extension needs to be installed in order to read the encrypted file format. Both encryption formats are supported: the old one as well as the new one I created as described above.

The usage of revtrans couldn't be simpler. Calling revtrans.php on the command line without arguments shows its options:

    RevTrans - Revelation Password File Transformer
    Copyright 2010 Jakob Westhoff

    Usage: revtrans.php [OPTIONS] <input file>

    Options:
      --input-format=<plain,encrypted>  Input format to read (Default: encrypted)
      --password=<password>             Password to use for decryption. It is discouraged to
                                        supply a password on the commandline. You will be
                                        asked for one if necessary.
      --output=<file>                   Write output to a file instead of stdout.

For example, this call transforms the file passwords.db, which is in the encrypted Revelation format, into CSV data written to STDOUT:

$ ./revtrans.php passwords.db
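The plain (unencrypted XML) half of the conversion, as an added example in Python rather than the PHP of revtrans itself; this is not the project's code. The element names and `generic-*` field ids follow the Revelation XML export as I remember it and the column layout of the Secrets for Android CSV import is an assumption, so both are marked as such in the code. The sample export is constructed, and deliberately contains a comma, quotes and a folder so that the CSV escaping and the nesting are exercised.

```python
import csv
import io
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a Revelation XML export (no real credentials).
# Element names and field ids are assumptions about the Revelation format.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<revelationdata version="0.4.11" dataversion="1">
  <entry type="folder">
    <name>Work</name>
    <entry type="website">
      <name>Intranet wiki</name>
      <description>Notes with a comma, and "quotes"</description>
      <field id="generic-url">https://wiki.example.invalid</field>
      <field id="generic-username">jdoe</field>
      <field id="generic-password">s3cr3t,pass</field>
    </entry>
  </entry>
  <entry type="generic">
    <name>Mail server</name>
    <description></description>
    <field id="generic-hostname">mail.example.invalid</field>
    <field id="generic-username">jane</field>
    <field id="generic-password">correct horse</field>
    <field id="generic-email">jane@example.invalid</field>
  </entry>
</revelationdata>
"""

# Assumed column layout of the Secrets for Android CSV import.
SECRETS_COLUMNS = ["Description", "Username", "Password", "Email", "Notes"]


def _text(element, tag):
    """Text of a child element, or '' if the child is missing or empty."""
    child = element.find(tag)
    return (child.text or "") if child is not None else ""


def _walk(entry, folder_path, records):
    """Flatten one entry; folders recurse and become a path prefix."""
    name = _text(entry, "name")
    if entry.get("type") == "folder":
        for child in entry.findall("entry"):
            _walk(child, folder_path + [name], records)
        return
    fields = {f.get("id"): (f.text or "") for f in entry.findall("field")}
    # Secrets has no host/url column (assumption), so keep them in the notes.
    notes = [_text(entry, "description")]
    for key in ("generic-hostname", "generic-url"):
        if fields.get(key):
            notes.append(f"{key.split('-', 1)[1]}: {fields[key]}")
    records.append({
        "Description": "/".join(folder_path + [name]),
        "Username": fields.get("generic-username", ""),
        "Password": fields.get("generic-password", ""),
        "Email": fields.get("generic-email", ""),
        "Notes": "\n".join(n for n in notes if n),
    })


def parse_revelation_xml(xml_text):
    """Parse a plain Revelation export into a list of flat record dicts."""
    root = ET.fromstring(xml_text)
    if root.tag != "revelationdata":
        raise ValueError("not a Revelation XML export")
    records = []
    for entry in root.findall("entry"):
        _walk(entry, [], records)
    return records


def to_secrets_csv(records):
    """Render records as CSV; the csv module quotes commas, quotes and newlines."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=SECRETS_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python revtrans_plain.py [export.xml]; without a file the sample is used.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    sys.stdout.write(to_secrets_csv(parse_revelation_xml(xml_text)))
```

The output goes to standard output just like revtrans does, so it can be redirected into a file. Note that the XML export and the resulting CSV both hold the passwords in clear text; they are only a transport format and should be deleted once the import into the phone has succeeded.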

New versions of this tool can always be found in its git repository on GitHub:

git://github.com/jakobwesthoff/Revtrans.git

If you know of other password managers for Android, which might be better suited for my needs, I would be glad if you could drop me a line. Any comment on this conversion tool or my changes made to Revelation is appreciated as well.

Comments

  • James on Tue, 20 Apr 2010 10:01:26 +0200

    You could use Private Passwords (see my homepage link) - it's web-based and has a mobile version which works nicely on my Android device. It uses 256-bit AES also.

  • Martink on Tue, 20 Apr 2010 13:26:10 +0200

    And what's wrong with KeePass Droid? I have been using it for a year now on my PCs and HTC Hero. I use Dropbox to keep it in sync, and since Dropbox will have an Android client soon it will be even easier.

  • Jakob on Tue, 20 Apr 2010 16:08:32 +0200

    @James:
    Thanks for the hint. But I would not trust any third party with handling my passwords. Even though I don't have any actual reason to believe the service you mentioned isn't safe, it just doesn't feel right to me to store my passwords somewhere I don't have full control over them.

    I have been playing with implementing a fully JavaScript based password storage, which uses AES as well. Therefore revtrans may get an export option in the future which allows exporting to an HTML document including the encrypted passwords, as well as an application to open and read them.

    @Martink:
    KeePass seems to be a nice application. However, changing my desktop password manager was a no-go for me. I wanted to stay with Revelation, as I am very happy with it. Furthermore, I have really stored a lot of passwords in it, which I would not want to transfer manually to a new password manager. Anyway, thank you for mentioning the applications here, as readers of this article who are currently not using Revelation might get an inspiration what software to look at.

    Cheers,
    Jakob

  • Chris on Tue, 20 Apr 2010 21:24:26 +0200

    Funny, I am facing the same issue right now (Revelation -> Android) and I was testing a few Android apps... BioWallet, Password Juggler and Secrets. In my case, I am looking for a one-way transformation as Revelation is now abandoned and sync with my home and work computers is always a nightmare. A phone database (with export backup) is the best bet for me.

    Juggler has a nice UI, but so far no import/export option.
    Biowallet(beta) has a nice UI and an import/export although I still need to find the csv format that it will recognize. Secrets UI is a bit bare for my taste...

    I might have to use your script to do a Revelation -> Secrets -> BioWallet move.

  • Jakob on Wed, 21 Apr 2010 00:10:00 +0200

    The Revtrans architecture makes use of some loosely coupled components, which can be replaced at nearly any point.

    Therefore it should be really easy to create a visitor to implement a writer for the format Biowallet can read.

    I would really appreciate such a writer. If you need any help with Revtrans let me know. I am looking forward to a pull request from you *hint* *hint* ;)

    Cheers,
    Jakob

  • Chris on Mon, 26 Apr 2010 20:43:44 +0200

    Unfortunately PHP-5.3 is not in the Gentoo tree, not even as an unstable package yet, so I am on hold.

    I never wrote any PHP so don't hold your breath ;)

  • Christoph on Tue, 10 Aug 2010 12:01:46 +0200

    Hi.

    I also use Revelation, and I recently got an Android phone. Unfortunately your version of Revelation doesn't work on any of the three distributions I've tried. On CentOS 5.x and Debian Lenny i386 it doesn't compile, and on Debian Squeeze it does compile with a bit of work, but then fails to start. (I forget the error msg, but I can't include it here as the HD just died -.-)

    In effect I can't transition my passwords from Revelation to Secrets. Could you enhance your revtrans to also convert from the original Revelation file format?

    Thanks in advance

  • Simon Jagoe on Sat, 08 Jan 2011 17:41:12 +0100

    Hi there,

    Well done for spotting the AES key handling problems in Revelation. I also use Revelation heavily and would like to upgrade (using a launchpad PPA). Do you have your version of Revelation built on Launchpad? Or would you like me to do that for you?

  • Jakob Westhoff on Wed, 12 Jan 2011 13:41:59 +0100

    Hi Simon,

    I don't have a PPA for the updated Revelation version. I really appreciate your offer to create one. You are very welcome to create and publish a PPA for this project :). If you do so please let me know about it.

    Cheers,
    Jakob
