oaktrees

iPod 5 - Data Protection Enabled: An Encrypted Carrying Case? Even Word Files?

I need to update some Microsoft Word files on a Windows PC in the morning at my office and then carry the same files home at night, where I may make some small changes, also on a Windows PC. I want to use an encrypted, non-cloud physical drive to carry the files between the two computers, so that if I lose the drive it can't be read.

Is my iPod 5 with Data Protection enabled an encrypted device? It seems like it is, but am I right? Would Word files saved to the password-protected iPod 5 with Data Protection enabled also be encrypted?

If yes, how robust is the encryption?

Thanks!

OT
bbao

I don't think an iPod can be considered a secure device, and the information will not be encrypted by default.

In your scenario, I think the best and easiest way is to compress your data files with encryption and a password, for example using 7-Zip, on the PCs where you edit the files.
oaktrees

ASKER

Hi Bing!

Thanks for replying! When you say "information will not be encrypted by default" I'm confused. I've activated Data Protection and, according to the iPod's OS - https://support.apple.com/en-us/HT202064 - it seems like that activates encryption. How do you see it?

Thanks!

OT
It sounds as good as any other encryption, but I have no experience with it. I did not read critical voices either.
Yep.  Got it.  Let's see if any Apple people weigh in here.  Read your article about USB security at the office.  Good stuff!

Thanks!

OT
An iPod is just like any other storage, and the secure crypto h/w chip is just there to store the encryption key and provide the safeguards for the master key used. Only from iOS 8 did Apple add a data security mechanism called Data Protection, which uses a 256-bit AES encryption key to encrypt everything on the device. It actually just refers to the "Secure Enclave":
Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.

The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using the UID or GID as a key. Additionally, the Secure Enclave’s UID and GID can only be used by the AES engine dedicated to the Secure Enclave.

The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the memory chips are physically moved from one device to another, the files are inaccessible. The UID is not related to any other identifier on the device.

Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

It is secure at least with the enclave available; otherwise the security posture is no different from a s/w-based implementation. I do not think the iPod has the latest iOS version supporting the Secure Enclave. Regardless, with the passcode and the security h/w, you can expect an adequate guard against brute force using a strong passcode - I wrote an article on using passphrases, though.
By setting up a device passcode, the user automatically enables Data Protection.

iOS supports six-digit, four-digit, and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides entropy for certain encryption keys. This means an attacker in possession of a device can’t get access to data in specific protection classes without the passcode.

The passcode is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.

The stronger the user passcode is, the stronger the encryption key becomes.
Passcode considerations - If a long password that contains only numbers is entered, a numeric keypad is displayed at the Lock screen instead of the full keyboard. A longer numeric passcode may be easier to enter than a shorter alphanumeric passcode, while providing similar security.
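The brute-force figures quoted above (about 80 ms per attempt, more than 5½ years for a six-character lowercase alphanumeric passcode) and the idea of entangling the passcode with a per-device UID can be checked with a short script. This is an added example written for this page, not code from Apple, from the iOS Security Guide or from the answer: the PBKDF2-HMAC-SHA256 stretching, the placeholder `DEVICE_UID`, and the function names are assumptions made for illustration, and Apple's real key-derivation construction is not published in this detail. It also goes slightly beyond the quoted text by comparing the numeric-keypad option mentioned in the passcode considerations (a longer all-digit passcode) against the six-character alphanumeric one.

```python
import hashlib
import time

# Constructed placeholder standing in for a device's fused UID. On a real
# device the UID never leaves the AES engine; here it is just the salt.
DEVICE_UID = bytes.fromhex("0123456789abcdef" * 4)

SECONDS_PER_ATTEMPT = 0.08            # the ~80 ms per attempt quoted above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passcode: str, uid: bytes, iterations: int) -> bytes:
    """Stretch a passcode into a 256-bit key, salted with the device UID.

    Illustrative construction only (PBKDF2-HMAC-SHA256). The point shown is
    that the same passcode yields a different key on a different device, so
    the derivation has to run where the UID is, i.e. on the device itself.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), uid,
                               iterations, dklen=32)


def calibrate_iterations(uid: bytes,
                         target_seconds: float = SECONDS_PER_ATTEMPT,
                         probe: int = 20_000) -> int:
    """Pick an iteration count so one derivation takes ~target_seconds here.

    Mirrors the 'iteration count is calibrated so that one attempt takes
    approximately 80 milliseconds' statement: time a probe run, then scale.
    """
    start = time.perf_counter()
    derive_key("probe", uid, probe)
    elapsed = time.perf_counter() - start
    return max(1, int(probe * target_seconds / elapsed))


def brute_force_seconds(alphabet_size: int, length: int,
                        seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Worst-case time to exhaust every passcode of the given alphabet/length."""
    return (alphabet_size ** length) * seconds_per_attempt


def brute_force_years(alphabet_size: int, length: int,
                      seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    return brute_force_seconds(alphabet_size, length, seconds_per_attempt) / SECONDS_PER_YEAR


def passcode_space_report() -> dict:
    """Exhaustion time (years) for the passcode shapes discussed on the page."""
    spaces = {
        "4-digit PIN": (10, 4),
        "6-digit PIN": (10, 6),
        "6-char lowercase letters + digits": (36, 6),   # the 5½-year case
        "10-digit PIN (numeric keypad)": (10, 10),
    }
    return {name: brute_force_years(a, n) for name, (a, n) in spaces.items()}


if __name__ == "__main__":
    k1 = derive_key("123456", DEVICE_UID, 10_000)
    k2 = derive_key("123456", bytes(32), 10_000)   # same passcode, other UID
    print("same passcode, different device -> different key:", k1 != k2)
    print("iterations for ~80 ms on this machine:", calibrate_iterations(DEVICE_UID))
    for name, years in passcode_space_report().items():
        print(f"{name:36s} {years:10.4f} years")
```

The report reproduces the guide's arithmetic: 36^6 attempts at 80 ms each is about 5.52 years, while a ten-digit numeric passcode (10^10 attempts) takes roughly 25 years to exhaust, which is why the passcode considerations say a longer numeric passcode can offer similar or better security than a shorter alphanumeric one. Real-world calibration belongs in the device's own key hierarchy, not in application code; the calibration function is here only to make the "one attempt takes approximately 80 ms" design choice concrete.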
Hi btan!

Sounds like any data saved to the iPod, iOS 8 or higher, would also be encrypted. Word files, too. Am I right?

"Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter."


Sincerely,

OT
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
Super EXPERT skill!  Feel impressed!!  Thank you!!!