Data encryption in android
Let's talk about the resistance of built -in Cryptographic systems!
Full -disking (FDE) data in android
For the first time, full -disking (Full Disk Encryption - FDE) tried to introduce in the tablet version of Android 3.0 HoneyComb. Then, together with the Linux 2.6.36 nucleus, the DM-Crypt module appeared in it, which provides encryption possible on any block data storage (including Nand Flash). In the universal fourth version of Android, encryption was also available, but for most it remained an unclaimed option. Due to the lack of software optimizations and low speed of built-in processors of that time, the inclusion of encryption led to a drop in input-output performance by 6-8 times on top models and up to 20 times on budget.
It was possible to fix the situation only with the advent of 64-bit processors with a separate set of instructions to accelerate crypto-gums. Therefore, the mandatory encryption in Android has become only with version 5.0, pre -installed on devices with modern single -critical systems.
It was in the fifth version of the Android that the Forceencrypt FSTAB flag appeared, indicating the need to activate encryption when the device first turned on. Pay attention: there is a fundamental difference between whether the device was updated to Android 5.x or newer or immediately produced with such a surplus. In the second case, data encryption will always be performed. In the first version (when updated), it will remain optional and can be disconnected by the reset to factory settings (Factory Reset).
In the general case, three bite sequences are used in Android for full-disking encryption: master key, salt and user PIN code. The master key and salt are generated automatically, and the PIN code is introduced by the owner of the device. The role of the PIN code can also perform a password, a graphic key or any other “secret”-for the processor it is still a bit sequence, and quite a bit.
Persistent data encryption password into android
Most users set a short password on a smartphone or tablet, since they often have to enter it. The problem is that Android uses one password for all operations, including the screen unlock and data decryption. The ENCPASSCHANGER application allows you to install separate passwords and increase the crypto resistance of the storage scheme of the master key, which encrypted user data. The application works on Android 4.0.3 and above (Root required).
User data are encrypted with a master key, and salt and pin code are only in order to store the master key in the encrypted form. Therefore, a change of password does not lead to overcoming all data. The key always remains the same (originally generated), and the new password only changes its cryptographic shell.
At the first turned on, the device with a pre-installed OS Android 5.0 and above heerates the pseudo-random 128-bit key. It is called a master key, or DEK (Device Encryption Key). In addition to DEK, another pseudo 128-bit number (salt) will also be generated, and the user is asked for a password.
It is with the help of DEK that all data on the beneficial section/DATA ultimately encrypted. How exactly this key looks like, the owner of the device does not know. He never introduces it and can not even consider it standard means.
In the early versions of Android (up to 5.0), the master key and encryption settings were stored in a separate unencrypted structure of Crypto Footer (simplified analogue of LUKS) at the beginning of the encrypted DATA section. DEX itself was encrypted by another key calculated on the basis of the user password and salt.
This method did not deplete protection against Bubors of the master key on external computing systems, therefore, Android 5.0 and above appeared a new requirement for manufacturers of devices: to provide at the hardware level a secure keys storage. Additionally, DEK began to be subscribed using another key (HBK-Hardware-Bound Private Key), specific for this device. It is barred at the production stage and is not available to any user process.
How FDE data encryption in android works
The scheme of creating keys for encrypting user data in Android 5.0 and higher looks like this: it looks like this:
The master key is used to encrypt the entire contents of the user section in the vested memory of the device. Each sector generates its own vector of initialization with salt and indicating the sector number (Essiv). When entering the user password, the master key deciphens, and then the user data automatically decrypted in the background.
The inaccessibility of all the keys for direct reading (for example, launched on the device by a script) is ensured by processing only inside an isolated trusted environment (Trusted Execution Environment - TEE). In the processors of ARM architecture, TRUSTZONE is played by the role of TEE, which ensures the control of integrity of data, their protected storage and isolated code execution. It also stores intermediate values calculated by the function of the formation of the key.
Both the key storage and all key cryptographic procedures in modern versions of Android should be performed in an isolated environment, inaccessible to the user and applications. In practice, this condition is not always respected, since Android works on completely different platforms. There are three conceptually there: ARM, Intel X86 and MIPS. Each of them has its own architectural branches that add confusion. Moreover, on the basis of the same nuclei (for example, ARM Cortex-A53), each manufacturer with an architecture license (Architectural License) can make its version of a single-chip system with any non-urgent properties.
It is precisely because of this variety of Google platforms that it still does not think to provide a single foundation for encryption, as Apple did back in 2013 (see Secure Enclave). Segoma in devices running Android or protected keys of keys at all, or it has no reliable implementation.
For example, Qualcomm Snapdragon chips uses its own implementation of a hardware -isolated environment - Qsee (Qualcomm Secure Execution Environment). Trustlets (Trustlets) are launched in it, including Keymaster processing module. As Gal Beniamini showed, in QSEE there is no complete hardware insulation in fact. The attacker can launch his code in the QSEE space. At the same time, it will become entrusted and automatically increase privileges, after which he will be able to count through Keymaster both an encrypted master key and a hooked hbk key.
Benjamini published a script to extract keys from devices based on Qualcomm Snapdragon and further instructions for selecting a user password by crossing. Bubors is not difficult, since the bulk of users have short passwords. Since the attack is overpowered not on a smartphone, but on any computer using a script, built -in means of protection against brutoffs are powerless. With external brutforts, there are no problems with forced delays, nor the risk of washing data after N unsuccessful attempts.
Using a long complex password in practice is too inconvenient. You can come up with arbitrarily complex, but imagine that with each unlocking the screen you will have to enter this abracadabra. Authentication for printing or recognition of the face does not change the situation, since these are only additional methods of authorization created for convenience. In a love, the DEK key will be encrypted with some kind of short bit set.
The above does not mean that the California developer of single -diaries is so bad. Just Qualcomm is more often subjected to a third -party audit. In devices with other SOC, things are no better. In particular, the vulnerability of the trusted environment (TEE) in Hisilicon classmates was analyzed in detail at the Black Hat conference.
Disadvantages of full -disc encoding have been known for a long time. In relation to Android and DM-Crypt, we will highlight the following fundamental points:
Fortunately, full -disking encryption is not the only option for data protection in Android.
Poprol encryption (FBE) of data in android
In Android 7.0, a subinocypically new function appeared - Popyl encryption (File Based Encryption (FBE), which is performed using the capabilities of the EXT4 file sisteam. The new encryption implementation requires the presence of a hardware environment (Trusted Execution Environment) with the API Keymaster 1.0 API (old versions 0.xx are not suitable). The execution of the AES algorithm with a processor should ensure the decoding of data at a speed of at least 50 MB/s. These are rather strict requirements, so support for Android 7.x so far have single devices.
Hardware support for encryption
Only new single-cries with TRUSTZONE and 64-bit ARMV8-A architecture processors are guaranteed to do the problem of background encryption in Android. It is extremely desirable that their technology process is less than 28 nm, otherwise significant heating and reducing the time of autonomous work will become very noticeable.
If you do not dwell on specific classmates like NVIDIA TEGRA PARKER (four cortex-A57 nuclei) and 2014-2015 processors from Intel (ATOM Z3560, Z3570, Z3580, Z3590, Architecture X86-64), then we have the following chips: we have the following chips:
All of them are built on the basis of 4-8 nuclei of the ARM Cortex-A53 with an optional addition in the form of 2-4 more powerful Cortex-A57/A73/A73 nuclei or their branded modifications (Qualcomm Kyro, Samsung Mongoose).
Recent versions of Android can also work on some other proocessors, but in this case it will be necessary to sacrifice very much either speed or duration of work from one charging. Most of other old single -diaries, in principle, do not satisfy the minimum systemic requirements of the Android 5.1 OS and higher. Therefore, smartphones and tablets with them will no longer receive updates - this is not only a marketing solution.
When using FBE, each file can be encrypted with its key and deciphered regardless of the rest. This function works with another novelty of the seventh Android - direct loading (Direct Boot).
Direct Boot API provides a more delicate department of private data from other files. It provides the functionality that was not available when using full -disc encoding.
Before the advent of Android 7.0, when activating FDE, all data were stored with encrypted common password, so it was impossible to use the smartphone before entering the password. Now, individual applications (for example, an alarm clock) can be done available directly on the lock screen. They will work without authorization with their predetermined restrictions, and all user data in the meantime will remain encrypted.
Two applications storage areas appear on the device with active pepilly encryption: an encrypted by a separate password (Crediential Encrypted - CE) and encrypted with a common device (Device Encrypted - De). When turning off FBE, both areas (CE and De) remain open to any application. With active encryption, the CE are decrypted only after entering the user password. De files can be decrypted immediately after boot. At the same time, separate passwords for a special account allow you to create several isolated user accounts on one device - for example, for children and behavior like children of employees.
CECHIP CONTRAGE OF CE is the AES algorithm, but in a different mode - XTS. It was developed specifically for encryption on block devices and does not have typical vulnerabilities for the CBC mode. In particular, the XTS does not allow you to determine the point of change in data, is not subject to data leakage, resistant to substitution and movement attacks.
On the other hand, FBE is vulnerable to the Side Channel attacks, since, despite encryption of files and their names, it leaves open metadata, which can be used to clarify the type of stored information and identifying the user of the device.
findings
The encryption systems built into Android have existence disadvantages. They are vulnerable to classic types of attacks and lead to a noticeable decrease in performance on many devices. However, it is better to use it than to store private data in open form or trust third -party attachments that have not passed the audit.
Brief information about encryption in Android
Trustzone implementation in a single -diary
#Safety and World #Security #Internet