views:

128

answers:

3

Hi I have some questions (read Doubts part) regarding implementing encrypted storage (kind of encrypted filesystem) on Android, Blackberry and J2ME. I need your advice, you cryptography masters.

I know this question is a bit long a maybe too verbose, but please try to read it till the end (I have so many related questions that I couldn't split them up in several posts). I would really appreciate if you can give me some feedback on at least one of my questions (Doubts part).

Thanks,

 

 

Objective


I am currently designing the API for a multiplatform storage system that would offer same interface and capabilities accross following supported mobile Java Platforms:

  • J2ME. Minimum configuration/profile CLDC 1.1/MIDP 2.0 with support for some necessary JSRs (JSR-75 for file storage).
  • Android. No minimum platform version decided yet, but rather likely could be API level 7.
  • Blackberry. It would use the same base source of J2ME but taking advantage of some advaced capabilities of the platform. No minimum configuration decided yet (maybe 4.6 because of 64 KB limitation for RMS on 4.5).

Basically the API would sport three kind of stores:

  • Files. These would allow standard directory/file manipulation (read/write through streams, create, mkdir, etc.).
  • Preferences. It is a special store that handles properties accessed through keys (Similar to plain old java properties file but supporting some improvements such as different value data types such as SharedPreferences on Android platform)
  • Local Message Queues. This store would offer basic message queue functionality.

Considerations


Inspired on JSR-75, all types of stores would be accessed in an uniform way by means of an URL following RFC 1738 conventions, but with custom defined prefixes (i.e. "file://" for files, "prefs://" for preferences or "queue://" for message queues). The address would refer to a virtual location that would be mapped to a physical storage object by each mobile platform implementation. Only files would allow hierarchical storage (folders) and access to external extorage memory cards (by means of a unit name, the same way as in JSR-75, but that would not change regardless of underlying platform). The other types would only support flat storage.

The system should also support a secure version of all basic types. The user would indicate it by prefixing "s" to the URL (i.e. "sfile://" instead of "file://"). The API would only require one PIN (introduced only once) to access any kind of secure object types.

Implementation issues


For the implementation of both plaintext and encrypted stores, I would use the functionality available on the underlying platforms:

  • Files. These are available on all platforms (J2ME only with JSR-75, but it is mandatory for our needs). The abstract File to actual File mapping is straight except for addressing issues.
  • RMS. This type of store available on J2ME (and Blackberry) platforms is convenient for Preferences and maybe Message Queues (though depending on performance or size requirements these could be implemented by means of normal files).
  • SharedPreferences. This type of storage, only available on Android, would match Preferences needs.
  • SQLite databases. This could be used for message queues on Android (and maybe Blackberry).

When it comes to encryption some requirements should be met:

  • To ease the implementation it will be carried out on read/write operations basis on streams (for files), RMS Records, SharedPreferences key-value pairs, SQLite database columns. Every underlying storage object should use the same encryption key.
  • Handling of encrypted stores should be the same as the unencrypted counterpart. The only difference (from the user point of view) accessing an encrypted store would be the addressing.
  • The user PIN provides access to any secure storage object, but the change of it would not require to decrypt/re-encrypt all the encrypted data.
  • Cryptographic capabilities of underlying platform should be used whenever it is possible, so we would use:
    • J2ME: SATSA-CRYPTO if it is available (not mandatory) or lightweight BoncyCastle cryptographic framework for J2ME.
    • Blackberry: RIM Cryptographic API or BouncyCastle
    • Android: JCE with integraced cryptographic provider (BouncyCastle?)

My Doubts. Help Wanted Here


Having reached this point I was struck by some doubts about what solution would be more convenient, taking into account the limitation of the plataforms. These are some of my doubts:

  • Encryption Algorithm for data. Would AES-128 be strong and fast enough? What alternatives for such scenario would you suggest?
  • Encryption Mode. I have read about the weakness of ECB encryption versus CBC, but in this case the first would have the advantage of random access to blocks, which is interesting for seek functionality on files. What type of encryption mode would you choose instead? Is stream encryption suitable for this case?
  • Key generation. There could be one key generated for each storage object (file, RMS RecordStore, etc.) or just use one for all the objects of the same type. The first seems "safer", though it would require some extra space on device. In your opinion what would the trade-offs of each?
  • Key storage. For this case using a standard JKS (or PKCS#12) KeyStore file could be suited to store encryption keys, but I could also define a smaller structure (encryption-transformation / key data / checksum) that could be attached to each storage store (i.e. using addition files with the same name and special extension for plain files or embedded inside other types of objects such as RMS Record Stores). What approach would you prefer? And when it comes to using a standard KeyStore with multiple-key generation (given this is your preference), would it be better to use a record-store per storage object or just a global KeyStore keeping all keys (i.e. using the URL identifier of abstract storage object as alias)?
  • Master key. The use of a master key seems obvious. This key should be protected by user PIN (introduced only once) and would allow access to the rest of encryption keys (they would be encrypted by means of this master key). Changing the PIN would only require to reencrypt this key and not all the encrypted data. Where would you keep it taking into account that if this got lost all data would be no further accesible? What further considerations should I take into account?
  • Platform cryptography support. Do SATSA-CRYPTO-enabled J2ME phones really take advantage of some dedicated hardware acceleration (or other advantage I have not foreseen) and would this approach be prefered (whenever possible) over just BouncyCastle implementation? For the same reason is RIM Cryptographic API worth the license cost over BouncyCastle?

Any comments, critics, further considerations or different approaches are welcome.

+1  A: 

My first thoughts:

Encryption Algorithm for data: AES is a pretty fast algorithm, but you can take AES-256 if you want to make sure that it is strong enough. Although I think there are easier ways to hack this system if you really want to (e.g. keys in memory? reading of PIN code?)

Master key: If the user loses the master key, you can do nothing. That is the whole point! If there is a backdoor, it will be found and used by hackers.

As with all security issues, how much effort do you want to do to keep hackers away. This has mainly to do with how popular and widely used the program becomes.

Marc
So AES-256 seems a good trade-off between speed/strength. My concern now is what type of mode to use. Would it be posible to use something secure as CBC but allowing random block access?
Fernando Miguélez
That completely depends on how secure you need it to be. As I said before, you have to weigh the options of security, usability and performance. Simply try the best security option that you can find and test the performance seems a good strategy. You can easily select a simpler mode...
Marc
A: 

What about the other issues? No one but Marc answered :-(

ECB vs CBC

It seems to me that ECB should be left out, but CBC will offer better security with bigger block sizes. I have read about XTS mode used in TrueCrypt, because CBC with IV derived from block index didn't convinced them.

Keystorage

A disadvantage to store encryption keys inside a keystore per file is how encrytion on keys are carried out --> Only password (at least JKS and BouncyCastle KeyStores). I would like to encrypt them with my master key (say it is AES-256).

Key generation

I missed a key point. What about key generation enthropy? Where should I take a seed inside a mobile phone to get a rather "good" key. The keys to encrypt files should be generated on-the-fly without user intervention.

Fernando Miguélez
A: 

JFYI: we will be releasing Android and iPhone versions (maybe Blackberry too) of our SolFS virtual file system, that does all that you plan, within 2 weeks. It lets you perform both per-file and whole-storage encryption. I.e. you will be reinventing the wheel here.

Eugene Mayevski 'EldoS Corp
Does your system support J2ME phones (CLDC-1.1/MIDP-2.0)? This is a requirement in our system, so it is not as reinventing-wheel-task as it may sound. Supporting iPhone for the time being is not an issue (here in Europe is not as popular as there in the States). Thanks for the pointer to your product anyway (I'll take a look at it).
Fernando Miguélez
MIDP is available only via JNI -- the core is written in ANSI C. We considered rewriting it in Java too, but there's too little demand for it to make it pay. I apologize for "reinventing the wheel" comment.
Eugene Mayevski 'EldoS Corp