iPod 5 - Data Protection Enabled: An Encrypted Carrying Case?  Even Word Files?

oaktrees
I need to update some Microsoft Word files on a Windows PC in the morning at my office and then carry the same files home at night where I may make some small changes, also on a Windows PC system.  Want to use an encrypted, non-cloud physical drive to carry the files between the two computers.  So that, if I lose the drive it can't be read.

Is my iPod 5 with Data Protection Enabled an encrypted device?  Seems like it is?  But, am I right?  Would Word files saved to the Password Protected iPod 5 with Data Protection enabled also be encrypted?

If yes, how robust is the encryption?

Thanks!

OT
bbao, IT Consultant

Commented:
I don't think an iPod can be considered a secure device, and the information will not be encrypted by default.

In your scenario, I think the best and easiest way is to compress your data files with encryption and a password, such as using 7Zip, on the PCs where you edit the files.

Author

Commented:
Hi Bing!

Thanks for replying!  When you say "information will not be encrypted by default" I'm confused.  I've activated Data Protection and according to the iPod's OS - https://support.apple.com/en-us/HT202064 - it seems like that activates encryption.  How do you see it?

Thanks!

OT
Distinguished Expert 2018

Commented:
It sounds as good as any other encryption, but I have no experience with it. I did not read critical voices either.

Author

Commented:
Yep.  Got it.  Let's see if any Apple people weigh in here.  Read your article about USB security at the office.  Good stuff!

Thanks!

OT
btan, Exec Consultant
Distinguished Expert 2018

Commented:
The iPod is just another storage device, and the secure crypto hardware chip is just there to store the encryption key and provide the safeguards for the master key used. Only from iOS 8 did Apple add a data security mechanism called Data Protection, which uses a 256-bit AES encryption key to encrypt everything on the device. This actually refers to the "Secure Enclave":
Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.
The device's unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave's UID and GID can only be used by the AES engine dedicated to the Secure Enclave.

The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible. The UID is not related to any other identifier on the device.
https://www.apple.com/business/docs/iOS_Security_Guide.pdf

It is secure at least when the enclave is available; otherwise the security posture is no different from a software-based implementation. I do not think the iPod has the latest iOS version supporting the Secure Enclave. Regardless, with the passcode and the security hardware, you can expect an adequate guard against brute force using a strong passcode. I wrote an article on using a passphrase, though.
By setting up a device passcode, the user automatically enables Data Protection.

iOS supports six-digit, four-digit, and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides entropy for certain encryption keys. This means an attacker in possession of a device can't get access to data in specific protection classes without the passcode.

The passcode is entangled with the device's UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.

The stronger the user passcode is, the stronger the encryption key becomes.
Passcode considerations - If a long password that contains only numbers is entered, a numeric keypad is displayed at the Lock screen instead of the full keyboard. A longer numeric passcode may be easier to enter than a shorter alphanumeric passcode, while providing similar security.

Author

Commented:
Hi btan!

Sounds like any data saved to the iPod, iOS 8 or higher, would also be encrypted.  Word files, too.  Am I right?

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.

Sincerely,

OT
Exec Consultant
Distinguished Expert 2018
Commented:
Yes, by default with Data Protection:
Every time a file on the data partition is created, Data Protection creates a new 256-bit key (the "per-file" key) and gives it to the hardware AES engine, which uses the key to encrypt the file as it is written to flash memory using AES CBC mode. (On devices with an A8 processor, AES-XTS is used.) The initialization vector (IV) is calculated with the block offset into the file, encrypted with the SHA-1 hash of the per-file key.

When a file is opened, its metadata is decrypted with the file system key, revealing the wrapped per-file key and a notation on which class protects it. The per-file key is unwrapped with the class key, then supplied to the hardware AES engine, which decrypts the file as it is read from flash memory.

All wrapped file key handling occurs in the Secure Enclave; the file key is never directly exposed to the application processor.

The metadata of all files in the file system is encrypted with a random key, which is created when iOS is first installed or when the device is wiped by a user.
Data Protection is also based on the class that the file belongs to (more info from page 12 onwards for the various basic classes and policies):
When a new file is created on an iOS device, it’s assigned a class by the app that creates it. Each class uses different policies to determine when the data is accessible.

Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID.

Protected Unless Open (NSFileProtectionCompleteUnlessOpen): Some files may need to be written while the device is locked.

Protected Until First User Authentication (NSFileProtectionCompleteUntilFirstUserAuthentication): This class behaves in the same way as Complete Protection, except that the decrypted class key is not removed from memory when the device is locked.

No Protection (NSFileProtectionNone): This class key is protected only with the UID, and is kept in Effaceable Storage.

Author

Commented:
Super EXPERT skill!  Feel impressed!!  Thank you!!!
