On 07/02/13 07:18, Jon Callas wrote:
> Deleting the things, however, is trivial. This is a place that iOS
> shines. Every file is encrypted with a unique key and if you
> delete the file, it is cryptographically erased. You're correct in
> that flash *is* notoriously difficult to wipe unencrypted secrets.
> Fortunately for us, all the flash on iOS is encrypted and the
> crypto management is easy to use.

Hi Jon,

I've been trying to understand the properties of iOS's file encryption with regard to recovering deleted files. As far as I can tell, it works as follows - please correct me if I'm wrong.

The file's unique key (let's call it k1) is encrypted with a class key (k2) before being stored on disk. If the file uses the strongest class of protection (NSFileProtectionComplete), k2 is encrypted with a key derived from the user's passcode and the device's UID (k3) before being stored on disk, and k2 and k3 are erased from memory whenever the device is locked. After being encrypted with k3, k2 is stored in effaceable storage, and is erased from disk if the user changes the passcode. The UID never leaves the device, so a brute force attack on k3 must be run on the device itself, making the attack slow.

Consider a situation where the user receives a message, stores it with NSFileProtectionComplete, and then deletes it. The device is then seized. The file (encrypted with k1) and k1 (encrypted with k2) are stored in ordinary non-effaceable storage, so they may be recoverable after deletion. If the device is seized while it's unlocked, k2 is in memory, so it may be possible to decrypt k1 and thus decrypt the file. If the device is seized while it's locked, a slow brute force attack may recover k3, so it may be possible to decrypt k2, and thus decrypt k1, and thus decrypt the file.

Is that correct? If so, it seems to me that deleting the file doesn't provide much extra protection - the attacks that can decrypt the file are the same attacks that could decrypt it if it hadn't been deleted. Don't get me wrong, iOS does a really impressive job of making those attacks hard - my point is only that they're no harder for deleted files than for files that haven't been deleted.

Cheers,
Michael
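
A toy model of the key hierarchy as the message above describes it, showing which stored blobs decide whether a deleted file stays readable. This is an added example, not part of the original post and not Apple's implementation; the SHA-256 keystream with HMAC, the PBKDF2 derivation and every function name are assumptions standing in for the real primitives.

```python
import hashlib, hmac, os

def _stream(key, n):
    # Toy keystream (SHA-256 over key || counter); stands in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wrap(kek, data):
    # Encrypt, then append a MAC so unwrapping with a wrong key is detected.
    ct = bytes(a ^ b for a, b in zip(data, _stream(kek, len(data))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, len(ct))))

def derive_k3(passcode, uid):
    # Assumed KDF: k3 depends on the passcode and the device-bound UID.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, 1000)

def build_device(passcode, message):
    uid, k1, k2 = os.urandom(16), os.urandom(32), os.urandom(32)
    # Ordinary flash: blocks may survive after the file is deleted.
    flash = {"file_ct": wrap(k1, message), "wrapped_k1": wrap(k2, k1)}
    # Effaceable storage: holds k2 wrapped under k3.
    effaceable = {"wrapped_k2": wrap(derive_k3(passcode, uid), k2)}
    return uid, k2, flash, effaceable

def recover_unlocked(k2_in_memory, flash):
    # Unlocked device: k2 is in memory, so leftover blocks decrypt directly.
    k1 = unwrap(k2_in_memory, flash["wrapped_k1"])
    return unwrap(k1, flash["file_ct"]) if k1 else None

def recover_locked(uid, flash, effaceable, candidates):
    # Locked device: every guess needs the UID, so it must run on-device.
    for guess in candidates:
        k2 = unwrap(derive_k3(guess, uid), effaceable["wrapped_k2"])
        if k2:
            return recover_unlocked(k2, flash)
    return None

if __name__ == "__main__":
    uid, k2, flash, eff = build_device("0042", b"constructed sample message")
    guesses = [f"{i:04d}" for i in range(100)]
    print(recover_unlocked(k2, flash), recover_locked(uid, flash, eff, guesses))
```

In this model, overwriting `wrapped_k1` (or `wrapped_k2`) is what makes both recovery paths return `None`; leaving them in place after deletion changes nothing.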