DTI / Presentation main title

IPHONE ENCRYPTION

Litiano Piccin

11 October 2014


MOBILE FORENSICS

In computer forensics, the evidence that is acquired consists of static mass-storage devices; this means that we can obtain the same image (bit stream) every time.

In mobile forensics, all devices must be considered dynamic devices, except under particular (physical) acquisition modes.

11 October 2014 Litiano Piccin


IPHONE ENCRYPTION

- Data Protection
- File System Encryption
- SECURE ENCLAVE (5S)
- UID (256 bit)


http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf


FILE SYSTEM ENCRYPTION

File System Encryption: since the iPhone 3GS*, Apple has offered hardware-based 256-bit AES encryption to protect all data on the device. Disk encryption was designed to accomplish one thing: instantaneous remote wipe. Disk wiping works by simply erasing the 256-bit AES keys used to encrypt the data (EMF, Dkey and BAG1 key).


http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf


DATA PROTECTION

Data Protection: Apple developed a new encryption scheme whose primary advantage is that it uses the user's passcode or password to derive a key that is used to encrypt data on the device. When the phone is locked or turned off, the key is immediately erased, making the data secured on the device inaccessible. Data Protection is a feature available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later).


http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf


DATA ENCRYPTION

File System Encryption (EMF) / Data Protection

FILE: the file content is encrypted with a unique key. That key is encrypted with a "CLASS KEY" and stored in the file's metadata. The metadata is encrypted with a "File System Key".

The "CLASS KEY" is protected by the hardware UID and by the user's passcode (e.g. Dkey for the majority of files).



DATA ENCRYPTION

File System Encryption (EMF) / Data Protection

- Every file is encrypted with a different key.
- The key that encrypts the file is encrypted with the DATA PROTECTION key.
- The result of encrypting the file key is saved in the file's metadata.
- The metadata describing the file is encrypted with the File System encryption key.



DATA ENCRYPTION: FILE SYSTEM ENCRYPTION

File System encryption protects the raw File System. If you were to remove and dump the contents of the NAND chip inside an iOS device, you would find that the entire File System portion of the NAND is encrypted. The encryption key used to encrypt the "DATA USER" File System is named "EMF" and is stored in block 1 of the NAND.

NAND layout: BLOCK 1 = WIPE AREA (Effaceable Storage); BLOCKS 16 TO (END-15) = File System.


https://code.google.com/p/iphone-dataprotection/wiki/EncryptionKeys


DATA ENCRYPTION: FILE SYSTEM ENCRYPTION

Starting from the iPhone 3GS, iDevices contain a cryptographic chip that performs hardware encryption of the filesystem. The NAND chip is a flash memory organized as follows:

- Block 1 contains the following encryption keys:
  - EMF: used to encrypt the DATA PARTITION.
  - Dkey: used to encrypt the master key of the protection class "NSFileProtectionNone" (the majority of files).
  - BAG1: used with the passcode to produce the encryption keys for the other master keys (for files like Mails...).
- Blocks 16 to (END-15): contain the HFS+ filesystem.


https://code.google.com/p/iphone-dataprotection/wiki/EncryptionKeys


DATA ENCRYPTION: FILE SYSTEM ENCRYPTION

The EMF and Dkey keys are automatically extracted from block 1 of the NAND in order to decrypt the HFS+ filesystem "Data Partition" (NAND blocks 16 to (END-15)).

UID key: hardware key (256 bit) embedded in the application processor AES engine, unique for each device. This key is not accessible by the CPU. The UID is also not available via JTAG or from any kind of debug interface.


https://code.google.com/p/iphone-dataprotection/wiki/EncryptionKeys


DATA ENCRYPTION: PROTECTION CLASS

"This technology is designed with mobile devices in mind, taking into account the fact that they may always be turned on and connected to the Internet, and may receive phone calls, text, or emails at any time. Data Protection allows a device to respond to events such as incoming phone calls without decrypting sensitive data and downloading new information while locked. These individual behaviours are controlled on a per-file basis by assigning each file to a class, as described in the "Classes" section later in the document."

iOS Security, October 2012


DATA ENCRYPTION: PROTECTION CLASS

Data Protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Enable Data Protection by configuring a passcode for your device.

http://support.apple.com/kb/ht4175 (24/09/2014)


DATA ENCRYPTION: PROTECTION CLASS

HIGH: FILE METADATA protected by EMF + F(BAG1 key + Passcode)

LOW: FILE METADATA protected by EMF + Dkey

iOS Security, October 2012


DATA ENCRYPTION: PROTECTION CLASS

- NSFileProtectionComplete: the class key is protected with a key derived from the user passcode and the device UID. The decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again or unlocks the device using Touch ID.
- NSFileProtectionCompleteUnlessOpen: some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background.
- NSFileProtectionCompleteUntilFirstUserAuthentication: this class behaves in the same way as Complete Protection, except that the decrypted class key is not removed from memory when the device is locked.
- NSFileProtectionNone: this class key is protected only with the UID, and is kept in Effaceable Storage. This is the default class for all files not otherwise assigned to a Data Protection class.

iOS Security, February 2014


ENCRYPTION: PROTECTION CLASS


DATA ENCRYPTION: PROTECTION CLASS

When a Protection Class is used, each individual file is encrypted with a unique key. When any file on the File System is deleted, the unique key for that file is discarded, which makes the file unrecoverable.

- File system wiping consists of rewriting the EMF, Dkey and BAG1 keys.
- File deletion consists of deleting the associated key (cprotect).
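The key chain the slides describe (unique per-file key, wrapped by a class key, stored in EMF-encrypted metadata, with EMF and Dkey living in Effaceable Storage) modelled in Go as an added example; this is not code from the talk, from Apple or from iphone-dataprotection. It assumes AES-256-GCM for every wrapping step and an HMAC over the UID as a stand-in for iOS's passcode-tangled key derivation; all keys are constructed at run time and none are real device values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Effaceable models NAND block 1: EMF encrypts all file metadata, Dkey is the class key of
// NSFileProtectionNone (the "low" class). Values are constructed here, not real device keys.
type Effaceable struct{ EMF, Dkey []byte }
// Protected is one file on the data partition: content under its own key; metadata = that key wrapped by a class key, then encrypted under EMF.
type Protected struct{ Content, Metadata []byte }
func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
var uid = randomKey() // stand-in for the per-device 256-bit hardware UID
// gcm: AES-256-GCM with a zero nonce, acceptable here only because each key encrypts one message.
func gcm(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key) // every key in this model is 32 bytes by construction
	aead, _ := cipher.NewGCM(block)
	return aead, make([]byte, aead.NonceSize())
}
func encrypt(key, pt []byte) []byte          { g, n := gcm(key); return g.Seal(nil, n, pt, nil) }
func decrypt(key, ct []byte) ([]byte, error) { g, n := gcm(key); return g.Open(nil, n, ct, nil) }
// PasscodeClassKey models the "high" classes: the key needs the passcode AND the UID
// (HMAC stands in for the UID-tangled PBKDF2 that iOS really uses; an assumption of this example).
func PasscodeClassKey(passcode string) []byte {
	m := hmac.New(sha256.New, uid)
	m.Write([]byte(passcode))
	return m.Sum(nil)
}
// Wipe is the whole remote wipe: rewrite block 1 with fresh keys and touch no file at all.
func (es *Effaceable) Wipe() { es.EMF, es.Dkey = randomKey(), randomKey() }
// Protect encrypts one file with a unique key and stores that key, wrapped, in EMF-encrypted metadata.
func Protect(es Effaceable, classKey, content []byte) Protected {
	fileKey := randomKey()
	return Protected{Content: encrypt(fileKey, content), Metadata: encrypt(es.EMF, encrypt(classKey, fileKey))}
}
// Recover unwinds the chain; a rewritten EMF, a wrong class key or deleted metadata all fail.
func Recover(es Effaceable, classKey []byte, f Protected) (content []byte, err error) {
	var wrapped, fileKey []byte
	if wrapped, err = decrypt(es.EMF, f.Metadata); err != nil {
		return nil, err
	}
	if fileKey, err = decrypt(classKey, wrapped); err != nil {
		return nil, err
	}
	return decrypt(fileKey, f.Content)
}
```

Deleting a file's metadata (the cprotect key) or calling Wipe leaves the encrypted content in place but makes Recover fail, which is exactly why an examiner needs the keys from block 1 and not just a NAND dump.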


DATA ENCRYPTION: KEYBAGS

The keys for services and keychain Data Protection classes are collected and managed in keybags. iOS uses the following keybags:

- System: where the wrapped class keys used in normal operation of the device are stored.
- Backup: created when an encrypted backup is made by iTunes and stored on the computer to which the device is backed up.
- Escrow: used for iTunes syncing and Mobile Device Management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user's passcode. It is stored on the computer that is used to sync with iTunes, or on the MDM server that manages the device.
- iCloud: similar to the Backup keybag.

iOS Security, February 2014


QUESTIONS?

Litiano Piccin CIFI-CHFI-ACE-AME [email protected]
