mercredi 26 mai 2010

iPhone fail

According to Apple, all data on the iPhone 3GS is hardware-encrypted using 256-bit AES, which cannot be disabled by the user. Access to data on the iPhone is normally restricted to computers with which the iPhone has previously been connected and to which the requisite credentials have previously been transferred. This exchange of credentials is blocked when the iPhone is locked, so that connecting a locked iPhone to an unfamiliar computer will not allow the latter access to data on the iPhone.
Sauf que c'est vraiment "according to apple", dans la réalité c'est un poil différent:
Bernd Marienfeldt, security officer at UK internet node LINX, found that he was able to gain unfettered access to his iPhone 3GS from Ubuntu 10.04. If he connected the device whilst it was turned off and then turned it on, Ubuntu auto-mounted the file system and was able to access several folders despite never having previously been connected to the iPhone.
Lien vers l'article d'origine ici.
Je n'ai pas d'iphone sous la main pour tester, mais si quelqu'un veut bien me confirmer la chose... :-)

lundi 10 mai 2010

La crypto dans la vie de tous les jours

C'est parfois effrayant:

[...] it was very interesting to examine the Outlook 2003 PST files. This file format has three levels of encryption. “None“, “Compressible Encryption” and “Best Encryption” with “Compressible Encryption” being the default.

None” is not encrypting the data at all - just like the Netscape Mail example.

Compressible Encryption” is simply a substitution cipher. It is exactly what the “secret decoder ring” does; it is also called a Caesar cipher. For data, a particular byte always gets substituted by a fixed other one. That is why the PST file still compresses well. It just obscures the data and would have stopped my naïve Notepad attack. But this would not stop any forensic software from undoing this substitution on the fly.

Best Encryption” is similar but the substitution table changes depending on the data’s position. This also can be automatically undone without the password.