Cryptographic storage
for people in a hurry
               Graham Lee
 Smartphone security boffin, Fuzzy Aliens Ltd.




                                 fuzzyaliens.com
From App to Crap
Nut[the problem]shell
• Want to store data
• But it must be secret
 • if the phone is stolen
 • if the iTunes backup is stolen
• It must be tamper-proof
• …to some extent
Solution: aescrypt
• Unencumbered (public domain) format and
  freeware implementation at http://aescrypt.org
• Not just you using it
• Mac, iOS, more
• Let’s start at byte 0 :-)
‘AES0020’


• Magic number
• Tells you the version of the crypto format
Meet a Data
Metadata
• Arbitrary ‘extensions’ section
• Creator ID, creation date…
• …as long as that stuff isn’t a secret
What’s our vector, Victor?
   // We will use an initialization vector comprised of the current time
   // process ID, and random data, all hashed together with SHA-256.

                                           source: wikipedia
You can’t come in here unless you say “Swordfish”
   // Hash the IV and password 8192 times
   // digest starts as the 16-byte IV zero-padded to 32 bytes, so the
   // file's IV doubles as the salt for the password-derived key
   memset(digest, 0, 32);
   memcpy(digest, IV, 16);
   for(i=0; i<8192; i++)
   {
      // digest = SHA-256(digest || password)
      sha256_starts( &sha_ctx);
      sha256_update( &sha_ctx, digest, 32);
      sha256_update( &sha_ctx,
                (unsigned char*)passwd,
                (unsigned long)passlen);
      sha256_finish( &sha_ctx,
                digest);
   }
   // 8192 rounds of plain SHA-256 is cheap for an offline guesser compared
   // with a purpose-built KDF (PBKDF2, scrypt): the password's strength is
   // doing most of the work here
Cutty say 'e can't HANG!
 • The key we just derived is not used to
   encrypt the plaintext file
 • Instead, it’s used to encrypt a key, which is
   itself used to encrypt the file.
 • …why?
Irony: Eminem tribute act
singing “the real slim shady”
…
16 Octets - Initialization Vector (IV) used for encrypting the
        IV and symmetric key that is actually used to encrypt
        the bulk of the plaintext file.
48 Octets - Encrypted IV and 256-bit AES key used to encrypt the
        bulk of the file
        16 octets - initialization vector
        32 octets - encryption key
32 Octets - HMAC
nn Octets - Encrypted message (2^64 octets max)
 1 Octet - File size modulo 16 in least significant bit positions
32 Octets - HMAC
…
Filler material
…
 1 Octet - File size modulo 16 in least significant bit positions
…
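The layout above (magic, version, extensions, IV, wrapped session key, HMAC, body, size byte, HMAC) is easy to get wrong by one field, so here is a parser for the header part of it, together with the slide's 8192-round key derivation, as an added example that is not code from the talk or from the aescrypt project. It uses only the standard library, so it performs no AES: the 48-byte "encrypted" key block in the constructed sample file is placeholder bytes, and what the example actually demonstrates is the password check, i.e. verifying the first HMAC over the wrapped key with the password-derived key. Three details are not on the slides and are assumptions taken from my reading of the reference implementation, so check them against the code you target: the password is UTF-16LE encoded before hashing, each extension is a 2-byte big-endian length followed by identifier, NUL, value, with a zero-length extension ending the list, and the first HMAC is keyed with the password-derived key. The sample extension value and password are constructed.

```python
"""Header parser and password check for the aescrypt v2 container.

Added example (not aescrypt project code). hashlib/hmac only: no AES,
so the sample's 48-byte key block is constructed placeholder bytes.
"""
import hashlib
import hmac
import struct

KDF_ITERATIONS = 8192  # as on the slide


def derive_key(iv: bytes, password: str) -> bytes:
    """Port of the slide's loop: digest = SHA-256(digest || password),
    8192 times, starting from the 16-byte IV zero-padded to 32 bytes.
    Assumption: password is UTF-16LE, as the reference tool encodes it."""
    passwd = password.encode("utf-16-le")
    digest = iv + bytes(16)
    for _ in range(KDF_ITERATIONS):
        digest = hashlib.sha256(digest + passwd).digest()
    return digest


def build_container(password, iv, encrypted_key_block, extensions=()):
    """Constructed sample writer, fields in the order the format lists them.
    Assumption: extension wire format is 2-byte BE length, ident, NUL,
    value, terminated by a zero-length extension."""
    assert len(iv) == 16 and len(encrypted_key_block) == 48
    out = bytearray(b"AES\x02\x00")          # magic, version 2, reserved
    for ident, value in extensions:
        body = ident.encode() + b"\x00" + value.encode()
        out += struct.pack(">H", len(body)) + body
    out += b"\x00\x00"                        # end of extensions
    out += iv                                 # IV for the key block
    out += encrypted_key_block                # wrapped session IV + key
    key = derive_key(iv, password)
    # Assumption: first HMAC is keyed with the password-derived key
    out += hmac.new(key, encrypted_key_block, hashlib.sha256).digest()
    return bytes(out)


def parse_container(data: bytes) -> dict:
    """Parse the header up to and including the first HMAC.
    Note that the extensions are readable before any key is derived."""
    if data[:3] != b"AES":
        raise ValueError("not an aescrypt file")
    version, reserved = data[3], data[4]
    if version != 2:
        raise ValueError(f"unsupported version {version}")
    pos = 5
    extensions = []
    while True:
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if length == 0:
            break
        ident, _, value = data[pos:pos + length].partition(b"\x00")
        extensions.append((ident.decode(), value.decode(errors="replace")))
        pos += length
    iv = data[pos:pos + 16]
    pos += 16
    enc_key_block = data[pos:pos + 48]
    pos += 48
    key_hmac = data[pos:pos + 32]
    pos += 32
    if len(key_hmac) != 32:
        raise ValueError("truncated header")
    return {"version": version, "extensions": extensions, "iv": iv,
            "encrypted_key_block": enc_key_block, "key_hmac": key_hmac,
            "body_offset": pos}


def password_is_correct(header: dict, password: str) -> bool:
    """The first HMAC is the cheap 'was the password right?' check."""
    key = derive_key(header["iv"], password)
    expected = hmac.new(key, header["encrypted_key_block"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, header["key_hmac"])


def plaintext_length(ciphertext_len: int, size_byte: int) -> int:
    """Undo the filler: only a partial final block is padded, and the
    low 4 bits of the size byte say how much of it is real data."""
    if ciphertext_len % 16:
        raise ValueError("ciphertext is not block-aligned")
    mod = size_byte & 0x0F
    return ciphertext_len if mod == 0 else ciphertext_len - 16 + mod


# Constructed sample: fixed IV and placeholder key block, not AES output.
SAMPLE_IV = bytes(range(16))
SAMPLE_KEY_BLOCK = bytes(range(48))
SAMPLE_FILE = build_container("Swordfish", SAMPLE_IV, SAMPLE_KEY_BLOCK,
                              [("CREATED_BY", "fuzzyaliens example")])

if __name__ == "__main__":
    h = parse_container(SAMPLE_FILE)
    print("extensions readable without a password:", h["extensions"])
    print("password check:", password_is_correct(h, "Swordfish"))
```

Running it shows the point of the metadata slide concretely: parse_container returns the CREATED_BY extension before derive_key is ever called, so anything placed in an extension is visible to whoever holds the file. The derive_key loop is also a useful benchmark; time it, and compare with what an offline guesser gets from a GPU, before trusting a short passphrase to this format.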
To the Question Pit!
     @iamleeg


              fuzzyaliens.com
Editor's Notes

  • #8–#13 Yes, so there is the NSFileProtection encryption. However, the ability to use that to actually protect data depends on the user having a passcode lock enabled, and you can’t test for that in your app. If you can’t enforce that all of your users comply with a particular passcode policy, you must implement your own protection mechanism.
  • #14–#17 The main problem with creating any new crypto format is the chance that you’ll introduce new vulnerabilities by misusing the crypto primitives, even if those primitives themselves are bug-free. Sidestep that risk and reduce development time by choosing an existing solution: but notice that implementations like GPG are under licences (the GPL) that are incompatible with the app stores, even though the OpenPGP format itself is an open standard.
  • #18 This basically just exists to let you know you’re looking at the correct kind of file.
  • #19–#21 Don’t spend too much time on this slide, you cretin :-P
  • #22–#25 Remember not to leak any information in the metadata that should be a secret. For example: keeping photographs of a protest confidential may not be enough for a user if the photo timestamp and geolocation make their attendance public. The extensions section is readable by anyone holding the file, without the password.
  • #29 Wrapping a random session key under the password-derived key is the usual key-encryption-key arrangement: the password can be changed by re-wrapping 48 bytes instead of re-encrypting the whole file, and the password-derived key only ever encrypts one short block. The HMAC over the wrapped key is the quickest way to verify that the key was recovered correctly, i.e. that the password was right, before any of the body is touched. Don’t read the second HMAC, the one over the encrypted message, as a formality. The bulk encryption is AES in CBC mode, and CBC ciphertext is malleable: flipping a bit in ciphertext block n garbles plaintext block n but flips the same bit in plaintext block n+1, so an attacker who knows some of the plaintext can make controlled changes, not just replace real data with garbage. The HMAC is what makes the container tamper-evident.
  • #30 Notice that this is one of two choices: PKCS#7 padding is the other option. Here only a partial final block is padded, and the size byte tells the reader how many bytes of that block are real data; a zero means the last block is full.