---------- Forwarded message ---------- From: Nikolay Elenkov <[email protected]> Date: Mon, Aug 6, 2012 at 11:49 PM Subject: Re: [android-security-discuss] Re: Full Disk Encryption Questions To: seattleandrew <[email protected]>
On Mon, Aug 6, 2012 at 11:25 PM, seattleandrew <[email protected]> wrote: > Just going through and answering my own questions > > As of Android 4.0+ is the encryption for both the file system and master key > still 128 AES or have both upgraded to 256 AES? > > In JB it looks like the key got upgraded to 256 but I haven't seen anything > on the actual filesystem. #define SALT_LEN 16 #define KEY_LEN_BYTES 16 #define IV_LEN_BYTES 16 says it's still 128, not sure where you got the 256 bit info from. For the master key encryption key it's /* Turn the password into a key and IV that can decrypt the master key */ PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); so it does generate 256 bits, but half of this used as the IV, so key size is still 128 bits. > > Does the encryption process only make a single pass or does it make > multiple passes? > > per dmcrypt it does 2000 passes of PBKDF2 with a 128-bit random salt > > If multiple, how many passes? > > 2000 #define HASH_COUNT 2000 That is the number of rounds for deriving the master key encryption key, depending on what you mean 'multiple passes', it might not be the thing you are looking for. > > For devices with internal storage will the process only encrypt “/data”, or > will it encrypt other storage locations such as “/mnt/sdcard”? > > This is a bit trickier to answer, but here's the blunt response: It will > encrypt just "/data" as the Android standard. This means all of your app's > contents will be protected but any downloaded documents won't. Now this > changes depending on OEM. An OEM can enhance the Android Encryption > functionality to encrypt the entire disk (internal storage) and even encrypt > the SD Card (external Storage). > This can be OEM dependent indeed, but /mnt/sdcard is now just a symlink to a 'virtual' SD card that lives under /data. So downloaded documents, media etc. are encrypted along with private data, etc. From the boot script: # create virtual SD card at /storage/sdcard0, based on the /data/media directory # daemon will drop to user/group system/media_rw after initializing # underlying files in /data/media will be created with user and group media_rw (1023) If one some device /mnt/sdcard (external storage) is independent from /data, it might not get encrypted. But then again they may modify the firmware to encrypt it. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
