James

Android Full Disk Encryption

James

The Register reports on a weakness with the Device Encryption Key (DEK) used on Android. The DEK is encrypted using the owner’s PIN or password and an encrypted block of data called the KeyMaster Key Blob. The blob is located in the protected TrustZone. However Gal Beniamini has discovered bugs in the management app running the TrustZone that create a privilege-escalation vulnerability. Once the blob has been acquired it only requires brute force on the PIN or password to obtain decrypted access.

Unfortunately the patching process depends on the hardware vendor, so it may be some time before the known bugs are patched. Even though Google has already patched the Nexus it will only remain secure until further privilege-escalation bugs are identified, and more are only to be expected. Ultimately it is the methodology that allows this weakness to prevail.

James

Android Nougat, released today, has updated full disk encryption:

  • The encryption algorithm is 128 Advanced Encryption Standard (AES) with cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the OpenSSL library. You must use 128 bits or more for the key (with 256 being optional).
  • Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The default password is "default_password". However, the resultant hash is also signed through a TEE (such as TrustZone), which uses a hash of the signature to encrypt the master key.
  • Fast encryption only encrypts used blocks on the data partition to avoid first boot taking a long time. Only ext4 and f2fs filesystems currently support fast encryption.
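The aes-cbc-essiv:sha256 mode named in the first bullet, as an added worked example in Go (not code from the post or from Android): the IV for each disk sector is the sector number encrypted under SHA-256(master key), so identical sectors encrypt to different ciphertext and the IV cannot be predicted without the key. The master key and sector contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// essiv derives the per-sector IV of aes-cbc-essiv:sha256: SHA-256 of the master
// key becomes an IV key that encrypts the little-endian sector number, zero-padded
// to one AES block. Unlike a plain sector-number IV, it is unpredictable without the key.
func essiv(masterKey []byte, sector uint64) []byte {
	ivKey := sha256.Sum256(masterKey)      // 32 bytes, so the IV cipher is AES-256
	ivCipher, _ := aes.NewCipher(ivKey[:]) // a 32-byte key is always accepted
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	ivCipher.Encrypt(iv, iv)
	return iv
}

// cryptSector runs AES-CBC over one sector (a whole number of 16-byte blocks)
// under the 128-bit master key, using that sector's ESSIV; encrypt picks the direction.
func cryptSector(masterKey, in []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(masterKey) != 16 || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need a 16-byte key and a non-empty sector of whole blocks")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, essiv(masterKey, sector)).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, essiv(masterKey, sector)).CryptBlocks(out, in)
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit master key for the demo
	zeros := make([]byte, 512)        // two all-zero sectors share identical plaintext
	c0, _ := cryptSector(key, zeros, 0, true)
	c1, _ := cryptSector(key, zeros, 1, true)
	fmt.Println("sector 0:", hex.EncodeToString(c0[:16]))
	fmt.Println("sector 1:", hex.EncodeToString(c1[:16])) // differs: IV depends on the sector
}
```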

James

It appears that hardware support for the encryption capability of Android Nougat is determining upgrade paths for many mobiles.

In the article Why Android 7.0 won’t officially come to Snapdragon 800/801 devices it says “Sony has confirmed that the Xperia Z3+, the Xperia Z5 range, and the Xperia X & XA ranges will all get Nougat, while HTC has announced that Android Nougat will be coming to its HTC 10, One M9, and One A9 smartphones” ... “Sony’s announcement didn’t include the Xperia Z3, HTC’s announcement didn’t include the One M8, and Google isn’t planning to release Nougat for the Nexus 5. These three devices have two things in common. First, their age: they were all released in 2013/2014, making them at least two years old. Secondly, they all use the Snapdragon 800 or Snapdragon 801 processor”.

and “the Snapdragon 800/801 couldn’t match the AES encryption speeds of the ARMv8 chips because it doesn’t have hardware encryption” ... “Google’s requirement for high speed encryption the Snapdragon 800/801 can’t pass the CTS and don’t comply with the CDD. At least, that is the theory anyway.”

James

A recent article by The Register highlights the unfinished nature of Android’s encryption. There is a TODO comment in the source code regarding the removal of encryption keys from memory.

//https://android.googlesource.com/platform/system/vold/+/master/Ext4Crypt.cpp

bool e4crypt_lock_user_key(userid_t user_id) {
    if (e4crypt_is_native()) {
        // TODO: remove from kernel keyring
    } else if (e4crypt_is_emulated()) {