Embed Size (px)
Citation preview
Mobile Data EncryptionEnhanced Application Security with SQLCipher
Stephen Lombardo | Zetetic LLC | @sjlombardo
Unique Challenges
Pin CodesShortLow EntropyPredictable
Source: DataGenetics, http://www.datagenetics.com/blog/september32012/
26.83% could be guessed by attempting 20 combinations
Face RecognitionPhoto BypassPoor PerformanceInconvenient
Pattern LockLow EntropySmudge Attacks
See Also: Smudge Attacks on Smartphone Touch Screens ,static.usenix.org/event/woot10/tech/full_papers/Aviv.pdfA
PasswordsInconvenientDictionary BasedFrequently Reused
Source: 10,000 Top Passwords, Mark Burnetthttp://xato.net/passwords/more-top-worst-passwords/
Device EncryptionInconvenientUses Lock Key
Default Insecure
Original photo by Jean-Etienne Poirrier (jepoirrier) on Flickrhttps://secure.flickr.com/photos/30077353@N05/7107568421/
Threat Landscape
•Forensic Analysis•Rooting / Jail breaking•OS Issues• Infrequent Updates•Removable Storage•Cloud Services•Targeted Attacks•Device Sharing
ResponsibilityComplianceCorporateLiabilityGovernment ThreatsRespect
Defense in DepthMake attacks difficult with
multiple layers of security
Principle ofLeast Privilege
Access to device should not allow
access to all apps and data
Data Security
Minimize impact of unauthorized access, on and
off device
Strategies
1. Authentication2. Encryption3. Authenticity
SQLite Extension Full Database EncryptionGood PerformancePortableOpen Source Core
SQLite by D. Richard Hipp, Hwaci, SQLite.org
Features
• AES 256 CBC• Random IVs• Random salt• Key Derivation• MAC• OpenSSL• Fast startup• No size limit
How it WorksPager CodecKey DerivationEncryptionMAC
Database Salt
Encrypted Data
Encrypted Data IVMAC
Encrypted Data
Encrypted Data IVMAC
Encrypted Data
Encrypted Data IVMAC
Page1
Page2
Page3
XamarinDrop-in ReplacementiOS & AndroidComponent StoreFree for EnterpriseTrial Available
Installation
Mono.Data.Sqlcipher
using Mono.Data.Sqlcipher;using(var conn = new SqliteConnection(ConnectionString)){ conn.SetPassword(secret); conn.Open(); using (var cmd = conn.CreateCommand()) { cmd.CommandText = “CREATE TABLE Model(“ + “Id INTEGER PRIMARY KEY AUTOINCREMENT, Content TEXT)"; cmd.ExecuteNonQuery();
cmd.CommandText = "INSERT INTO Model (Content) VALUES (@content)"; var p = cmd.CreateParameter(); p.ParameterName = "@content"; p.Value = content; cmd.Parameters.Add(p);
cmd.CommandText = “SELECT * FROM Model Where Id = 0"; var reader = command.ExecuteReader (); while (reader.Read()) {} }}© The Mono Project
Robert Simpson & SQLite.org
sqlite-net
using SQLite;
public class Model{ [PrimaryKey,AutoIncrement] public int Id { get; set; } public string Content { get; set; }}…using(var conn = new SQLiteConnection (file, secret)){ conn.CreateTable<Model>();
conn.InsertOrReplace( new Model() {Id = 0, Content = content});
var models = conn.Table<Model>().Where(x => x.Id == 0);
models = conn.Query<Model> ( "SELECT * FROM Model WHERE Id = ?", 0);}
© Frank Krueger, Krueger Systemshttps://github.com/praeclarum/sqlite-net
Results
Performance
Advanced
• PRAGMA rekey• PRAGMA cipher• PRAGMA kdf_iter• PRAGMA cipher_page_size• PRAGMA cipher_use_hmac• ATTACH• sqlcipher_export()
FAQ
• Key Management• Lost Credentials• Existing Databases• Compression• Portability• Export
Resources
http://components.xamarin.com/view/sqlcipher-for-android
http://github.com/zeteticllc/sqlcipherapp-xamarin
http://github.com/zeteticllc/sqlcipherspeed-xamarin
http://bis.doc.gov/encryption
http://sqlcipher.net
http://zetetic.net
Q & A
Thank you!Stephen Lombardo | Zetetic LLC | @sjlombardo
