Friday 11 December 2015

Disk Encryption: The Good and The Slow

Simple screen locks in the form of PINs and patterns have been around for a long time, but only recently, with the launch of Android Honeycomb, did full disk encryption make an appearance on Android. Encrypting and decrypting user data on the fly, i.e., during read and write operations, boosted device security considerably, based on a device master key.

Prior to Android Lollipop, the aforementioned master key was based on the user’s password only, opening it up to a host of vulnerabilities through external tools like ADB. However, Lollipop carries out full disk encryption at the kernel level, using a 128bit AES key generated at first boot, which works in tandem with hardware-backed authentication like TrustZone, ridding it of the ADB vulnerability.

Disk encryption can be done at two different levels, namely, at the software level or at the hardware level. Software encryption uses the CPU to encrypt and decrypt data, either using a random key unlocked by the user’s password, or by using the password itself to authenticate operations. On the other hand, hardware encryption uses a dedicated processing module to generate the encryption key, offloading the CPU load and keeping the critical keys and security parameters safer from brute force and cold boot attacks.

In spite of newer Qualcomm SoCs supporting hardware encryption, Google opted for CPU-based encryption on Android, which forces data encryption and decryption during disk I/O, occupying a number of CPU cycles, with device performance taking a serious hit as a result. With Lollipop’s mandating full disk encryption, the Nexus 6 was the first device to bear the brunt of this type of encryption.

Read More: http://www.xda-developers.com/disk-encryption-the-good-and-the-slow/

No comments:

Post a Comment