Category Archives: Encryption

Smartphone encryption ‘means a child will die’, says DoJ

Posted on by

SMARTPHONE ENCRYPTION in iPhones and Android devices apparently has the US Department of Justice (DoJ) panicked.

The Wall Street Journal reported on Wednesday that a senior DoJ official recently told Apple executives that strong encryption could mean that a child might die in a kidnapping case if police couldn't access the information in a smartphone seized from a suspect.

Apple and Google both announced in September that they will provide secure end-to-end encryption technology in mobile devices running iOS and Android.

The firms said that they will not have access to their users' private encryption keys, and thus will be unable to comply with law enforcement demands to hand over data.

DoJ officials, including US deputy attorney general James Cole, met with Apple general counsel Bruce Sewell and two other Apple employees on 1 October.

Cole reportedly told the Apple executives during the meeting that the firm was marketing to criminals, and that providing strong encryption would allow people to place themselves above the law.

Cole quoted the Cupertino firm's announcement that strong encryption would mean that Apple wouldnt be able to comply with a court order to retrieve data from a phone even if it wanted to.

He then predicted that someday some child will die, and police will say that they would have been able to rescue that child if they had been able to access the data in a smartphone.

It could, of course, be seen as the traditional 'think of the children' ploy that high-handed government officials invariably fall back on whenever anyone resists intrusive police state surveillance.

Apple's Sewell reportedly called Cole's hypothetical scenario "inflammatory and inaccurate", and pointed out that police have other methods to obtain data from smartphones.

Read the original post:
Smartphone encryption 'means a child will die', says DoJ

Slow Nexus 6? Android’s new default encryption feature could be to blame

Posted on by

In amongst all the new features included in Android 5.0 Lollipop, you might have noticed this one: New devices come with encryption enabled by default. Android has offered the feature for several years but now any phones or tablets that come shipped with Lollipop have it switched on out of the box.

That makes it much harder for anyone law enforcement agencies, thieves, and so on to get data off your phone, and iOS includes a similar level of protection. This extra security comes at a cost though, and thanks to some in-depth reporting by AnandTech we know that built-in encryption is having a significantly negative impact on the Nexus 6s read and write speeds.

Related:Now that the Nexus 6 isnt cheap, is it worth buying at all?

How bad is it? AnandTech found a 62.9 percent drop in random read performance, a 50.5 percent drop in random write performance, and a staggering 80.7 percent drop in sequential read performance. Encryption doesnt directly affect the speed of the very capableSnapdragon 805 CPU inside the Nexus 6, but it does mean that the CPU might be idly kicking its heels while it waits for data to be transferred to and from the rest of the system.

None of this is particularly surprising the extra processing required to encrypt and decrypt data as its written is always going to lead to a performance hit but now we have some real-world figures thatshowjust how much the speed of the Nexus 6 is affected by Lollipops newest layer of security. If your brand new Lollipop phone or tablet feels a little sluggish, now you know why. Older devices getting Lollipop via an OTA update, like the Nexus 5, will not have encryption enabled by default.

Whats more, the extra security feature doesnt have much benefit unless you lock your device with a passcode, something that many users fail to do. The move to enable [full disk encryption] by default in Lollipop seems like a reactionary move to combat the perception that Android is insecure or more prone to attack than iOS, even if that perception may not actually be accurate, write Brandon Chester and Joshua Ho in the AnandTech report. While its always good to improve the security of your platform, the current solution results in an unacceptable hit to performance. [We] hope Google will either reconsider their decision to enable FDE by default, or implement it in a way that doesnt have as significant of an impact on performance.

Go here to read the rest:
Slow Nexus 6? Android’s new default encryption feature could be to blame

Decrypting User-Side Encryption – a Tech/Policy Rising Discussion (p1) – Video

Posted on by


Decrypting User-Side Encryption - a Tech/Policy Rising Discussion (p1)
Major companies are responding to growing public pressure by building greater privacy and security features into their products, like default client-side device encryption. Federal agencies...

By: Access

Visit link:
Decrypting User-Side Encryption - a Tech/Policy Rising Discussion (p1) - Video

Encryption and Storage Performance in Android 5.0 Lollipop

Posted on by

As alluded to in our Nexus 6 review, our normal storage performance benchmark was no longer giving valid results as of Android 5.0. While Androbench was not a perfect benchmark by any stretch of the imagination, it was a reasonably accurate test of basic storage performance. However, with the Nexus 5 on Androids developer preview, we saw anywhere between 2-10x improvement to Androbenchs storage performance results with no real basis in reality. It seems that this is because the way that the benchmark was written relied upon another function for timing, which has changed with Android 5.0.

While we havent talked too much about AndEBench, it has a fully functional storage test that we can compare to our Androbench results. While were unsure of the 256K sequential and random read results, it seems that the results are equivalent to Androbench on Android 4.4 when a 1.7x scaling factor is applied. However, AndEBench results should be trustworthy as we saw no difference in results when updating devices from 4.4 to 5.0. In addition, the benchmark itself uses low level operations that shouldnt be affected by updates to Android.

As you can see, the results show a degree of improvement that is well beyond what could realistically be accomplished with any sort of software optimizations. The results for the random write test are the most notable, with a result that suggests the performance is over 17x faster on Android Lollipop, which could not be the case. This required further investigation, andit's one of the reasons why we were hesitant to post any storage benchmarks in the Nexus 6 review.

The other factor affecting the results of the benchmarks on the Nexus 6 specifically is Android Lollipop's Full Disk Encryption (FDE). Android has actually had this ability since Android 3.0Honeycomb, but Lollipop is the first time it's being enabled by default on new devices. When FDE is enabled, all writes to disk have the informationencrypted before it's committed, and all reads have the information decrypted before they're returned to the process. The key to decrypt is protected by the lockscreen password, which means that the data should be safe from anyone who takes possession of your device. However, unlike SSDs, which often have native encryption, eMMC has no such standard. In addition, most SoCs don't have the type of fixed-function blocks necessary to enable FDE with little to no performance penalty.

As a result, we've observed significant performance penalties caused by the use of FDE on the Nexus 6. Motorola was kind enough to reach out and provide a build with FDE disabled so we could compare performance, and we've put the results in the graphs below. For reference, the Nexus 5 (Lollipop) numbers are run using Andebench, while the original values are read out from Androbench on Android 4.4. The Nexus 5 is also running without FDE enabled, as it will not enable itself by default when updating to Lollipop via an OTA update.

As you can see, there's a very significant performance penalty that comes with enabling FDE, with a 62.9% drop in random read performance, a 50.5% drop in random write performance, and a staggering 80.7% drop in sequential read performance. This has serious negative implications for device performance in any situation where applications are reading or writing to disk. Google's move to enable FDE by default also may not be very helpful with real world security without a change in user behaviour, as much of the security comes from the use of a passcode.This poses a problem, because the users that don't use a passcode doesn't really benefit from FDE, but they're still subject to the penalties.

When the Nexus 6 review was published, I commented that there were performance issues that weren't present on the Nexus 5 running Android Lollipop. Many users commented that the FDE may have been to blame. Like I mentioned earlier, Motorola provided us with a build of Android with FDE disabled. Unfortunately, I haven't noticed any improvements to many of the areas where there are significant frame rate issues such as Messenger and Calendar. I speculated in the Nexus 6 review that the performance issues may simply be the result of insufficient GPU performance or memory bandwidth to drive the QHD display.

Read the original here:
Encryption and Storage Performance in Android 5.0 Lollipop

HTTPS Everywhere | Electronic Frontier Foundation

Posted on by

HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.

Information about how to access the project's Git repository and get involved in development is here.

Webmasters and prospective contributors: Check the HTTPS Everywhere Atlas to quickly see how existing HTTPS Everywhere rules affect sites you care about!

Sadly, many sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort that would be required to eavesdrop on your browsing should still be usefully increased. Update: in recent versions of Firefox, Mozilla has removed the broken padlock indicator. Now, the only difference between a secure and insecure HTTPS deployment is the blue or green tint on the left of the address bar for secure deployments

Answers to common questions may be on the frequently asked questions page.

HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere include a ruleset. If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS. There is more information and instruction on how server operators can do that in the EFF article How to Deploy HTTPS Correctly.

Webmasters and prospective contributors: Check the HTTPS Everywhere Atlas to quickly see how existing HTTPS Everywhere rules affect sites you care about!

You can help us test forthcoming site support and new features by installing the development branch of the extension. HTTPS Everywhere uses small ruleset files to define which domains are redirected to https, and how. If you'd like to write your own ruleset, you can find out how to do that here. Information about how to access the project's Git repository and get involved in development is here. Send feedback on this project to the https-everywhere AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe. Send new rewrite rules or fixes to existing rewrite rules to the https-everywhere-rules AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe.

Our code is partially based on the STS implementation from the groundbreaking NoScript project (there are other STS implementations out there, too). HTTPS Everywhere aims to have a simpler user experience than NoScript, and to support complex rewriting rules that allow services like Google Search and Wikipedia to be redirected to HTTPS without breaking anything. It also handles situations like https:// pages that redirect back to http:// in a reasonable manner. In an ideal world, every web request could be defaulted to HTTPS. Unfortunately, there's no way to know that what you get from requesting https://www.domain.com/page is the same as what you get from requesting http://www.domain.com/page. So the only way to switch every page to https is to fetch the page insecurely first. There is a Chrome extension called KB SSL Enforcer which attempts to take that approach, but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework).

Read this article:
HTTPS Everywhere | Electronic Frontier Foundation

WhatsApp adds end-to-end encryption using TextSecure

Posted on by

WhatsApps new encryption feature will soon support group chat and media messages. Photograph: LIONEL BONAVENTURE/AFP/Getty Images

More than 600 million WhatsApp users are about to benefit from default end-to-end encryption, which should prevent any snoops spying on their communications.

The security boost comes after the Facebook-owned messaging provider contracted Open Whisper Systems, the creator of the TextSecure encrypted text app, to incorporate its technology into WhatsApp.

The new feature is currently only available in the Android version of WhatsApp, but Open Whisper Systems co-founder Moxie Marlinspike confirmed to the Guardian an iOS alternative was in the works. There will soon be support for encrypted messaging for group chat and media messages, too.

Systems that use end-to-end encryption are hard to break because the key that unscrambles communicationsis only stored on users phones. In previous versions of WhatsApp, those keys were also stored by servers as well as users phones, giving Facebook or WhatsApp admins access to messages.

The TextSecure encryption protocol is particularly strong as it uses a form of whats known as forward secrecy, which means a fresh key is created for every message sent.

In a blog post, the Open Whisper Systems team said the WhatsApp project represents the largest deployment of end-to-end encrypted communication in history.

The only other comparable service deployed on such a massive scale is Apples iMessage, which has one notable weakness, in that many people back up messages to Apples iCloud service, where data isnt protected as efficiently.

Though it has just created a rival, Open Whisper Systems will continues to work on its own products, which include RedPhone for Android for encrypted voice communications and the iOS Signal apps that do protected calls and messaging.

Marlinspike and his colleagues want to make encryption the default on all devices. Were more excited about our own apps than ever. Well continue to use TextSecure as a place to advance the state of the art, and hopefully incorporate those gains into third-party products as they progress, like weve done here, he said.

More here:
WhatsApp adds end-to-end encryption using TextSecure