The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/27607
BREAKING THE CODE ON MOBILE DEVICE DATA ENCRYPTION

THE BASICS ABOUT ENCRYPTION

Encryption refers to the process of protecting information by changing it from a readable form into an unreadable form using algorithms based on complex mathematical equations. The key to encryption is that without knowing the inputs into the equation (password, PIN, key file, etc.), a person or device cannot convert the unreadable text into something legible. Only you, and those you trust, know what those special inputs are. Most of the time encryption happens behind the scenes, and we are not aware it’s even happening. However, there are three important encryption concepts that everyone should know.

• Encryption can be either hardware- or software-based. Hardware-based solutions offer the best performance, while software-based solutions offer more flexibility.
• Strong encryption systems can be compromised if they lack strong key enforcement (i.e., the inputs into the math equation), and if proper key management isn’t implemented (i.e., how you share the inputs, with whom and how frequently the inputs change).
• All encryption systems can be broken given enough time and effort. The best systems rely on the fact that the amount of computing power and time required is beyond what’s possible with current technology.

Not all smartphones implement data encryption. While encryption of data sent across networks is typically the chief area of focus, an often-overlooked area is encryption of data storage or device encryption. So how does your favorite mobile device stack up?

THE ENTERPRISE BENCHMARK: BLACKBERRY

Research in Motion (RIM) built the BlackBerry for the enterprise, and security features like data encryption are fully implemented on the device. Many government organizations in the U.S., U.K., Canada, Austria, Australia and New Zealand approve their implementation of data encryption. Simply put, these governments approve of the math equation being used, and the method used to manage the inputs. Administrative policy on the BlackBerry Enterprise Server can enforce data encryption on BlackBerry devices. This makes it impossible for users to accidentally disable it. Their implementation is based on the Advanced Encryption Standard (AES), a math algorithm used to encrypt the data, which is the standard adopted by the U.S. Department of Defense. Bringing this into our math equation example, think of this as a process BlackBerry has built into their platform to help enforce the use of encryption, and to help manage the process of sharing the special inputs with others. RIM’s attention to end-to-end security, third-party approvals and certifications earned the BlackBerry a solid foothold in the global mobile device market — especially in the corporate landscape.

APPLE IPHONE 4

The iPhone, currently in its fourth generation, has added a number of features needed to improve security that paved the way for corporate adoption. These features include hardware-based data encryption, which also relies on the AES. Fortunately, the user cannot deactivate this system, so there is no need to enforce it with an administrative policy. Although the introduction of hardware-based encryption was warmly received by consumers and corporations, the security community quickly found that the methods used to protect the keys (from the example above, the inputs into the math equation) were inadequate. The encryption key on the device had little to no protection; it was easily available to anyone with physical access to the device and access to a tool on the Internet that is used to unlock additional features on the phone. When Apple released its newest operating system, dubbed iOS 4, they resolved this issue by adding an optional feature — enabled by default — called “Data Protection,” which is able to manage encryption at the file level.
Apple’s Data Protection protects the device’s encryption keys with the user’s passcode, so they cannot be easily accessed. Without knowledge of the passcode, certain areas of data are not accessible. For now, this protection only extends to e-mail messages and attachments.

ANDROID-BASED DEVICES

The first Android phone, the Nexus One, was originally touted as the “super phone.” However, it and other Android phones are missing a lot when it comes to security features. Specifically, there is no native support for data encryption.

Peer to Peer, the quarterly magazine of ILTA
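The arrangement described above for Data Protection, where a stored encryption key is unusable without the user's passcode, is shown here as an added example; it is not from the article and is not Apple's implementation. The function names, the PBKDF2 iteration count and the HMAC-based wrap (a standard-library stand-in for AES key wrap) are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; not a figure from the article

def _derive(passcode: str, salt: bytes) -> tuple:
    """Stretch the passcode into an encryption half and an authentication half."""
    okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _pad(enc_key: bytes, salt: bytes) -> bytes:
    # One-time 32-byte pad; HMAC-SHA256 stands in here for AES key wrap.
    return hmac.new(enc_key, b"wrap" + salt, hashlib.sha256).digest()

def wrap_key(file_key: bytes, passcode: str) -> dict:
    """Return what would sit in storage: salt, wrapped key and integrity tag."""
    if len(file_key) != 32:
        raise ValueError("file key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    enc_key, mac_key = _derive(passcode, salt)
    wrapped = bytes(a ^ b for a, b in zip(file_key, _pad(enc_key, salt)))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(blob: dict, passcode: str) -> bytes:
    """Recover the file key, or fail if the passcode is wrong or the blob was altered."""
    enc_key, mac_key = _derive(passcode, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passcode or modified blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], _pad(enc_key, blob["salt"])))

if __name__ == "__main__":
    file_key = os.urandom(32)        # constructed sample: the key that encrypts the data
    unprotected = {"key": file_key}  # key stored as-is: reading storage yields the key
    protected = wrap_key(file_key, "constructed-passcode")
    print("unprotected store exposes key:", unprotected["key"] == file_key)
    print("protected store exposes key:", protected["wrapped"] == file_key)
    print("passcode recovers key:", unwrap_key(protected, "constructed-passcode") == file_key)
```

The strength of the wrapped form is bounded by the passcode itself, which is the "strong key enforcement" point from the basics list.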