Storage card wipe and encryption - What's the deal?

re: Storage card wipe and encryption - What's the deal?

DanITman — Fri, 16 Mar 2007 21:47:37 GMT

I'm glad they added this in the new version of WM and Exchange 2007. I remember when MS released the video of that guy in that Taxi and he left phone in the Taxi. They called the system admin to have him remotely wipe the device so everything was safe. I was always thinking that it didn't make much sense because the chances are a large power point would have been stored on the memory card defeating the purpose of the remote wipe :)

re: Storage card wipe and encryption - What's the deal?

Eagle117 — Fri, 16 Mar 2007 22:46:41 GMT

How will recovery work? Is there something like a EFS recovery agent to access an SD card if it is removed from the device and the key on the device is lost? Or a way to prevent the SD card from being wiped and staying encrypted until setup by the user again?

In the last week I've had two users wipe their phones after they forgot their PIN 8 times. Associating it with ActiveSync and getting their data back isn't a big deal but if they lost 2 GB worth of an SD card that they wanted secure, I would have more trouble since there isn't a good way to backup an SD card.

re: Storage card wipe and encryption - What's the deal?

jasonlan — Sat, 17 Mar 2007 11:36:15 GMT

Eagle117 - Unfortunately there isn't a recovery mechanism that I'm aware of.

re: Storage card wipe and encryption - What's the deal?

Fergus — Sat, 17 Mar 2007 13:53:20 GMT

I suppose the main question is "What encryption technology/How easy to crack"?

I have a customer who wants to use very sensitive data on WM devices and if there was any chance it could end up in the public domain they'd get their balls chewed.

re: Storage card wipe and encryption - What's the deal?

JasperM — Sat, 17 Mar 2007 17:24:22 GMT

So, lets see a quick consumer type scenario, since that is mainly who I work with...Customer gets device (WM6), they decide to be cute and encrypt all the photos of their cats, or sensitive business data. If the device decides to die (an OEM would say this never happens, it must be customer abuse, haha) the customer can access the data on another WM 6 device so long as they have the unique ID?

Re-reading the article, it seems that the user does not have access to the unique ID on the WM device, correct?

"You cannot move the encrypted card to another device without first decrypting the card."

Would lead me to believe there is no way of exporting the key to another device, or a way of storing it on the exchange server? I can see scenarios like this causing a nightmare for support.

-JasperM

re: Storage card wipe and encryption - What's the deal?

jasonlan — Sat, 17 Mar 2007 21:28:12 GMT

Fergus - we use AES 128 bit encryption so the time to crack is a long long time.. if at all...

Jasper - Understand your concerns however being able to export the key and hold it in other places does present a security risk as well.

Storage card wipe and encryption - What's the deal?

Pocket.Net - Mobile 2.0 — Sat, 17 Mar 2007 21:44:37 GMT

In Windows Mobile 6 Microsoft added the ability to encrypt the storage card of a Windows Mobile device

re: Storage card wipe and encryption - What's the deal?

JasperM — Sun, 18 Mar 2007 19:55:39 GMT

"The encryption is tied to a unique ID created upon Hard Reset of the device."

Does this mean a new unique ID is created for every hard reset? Would this mean, if you had a card encrypted before a hard reset, that since a new unique ID was created, the same card could not be read due to the hard reset and creation of a new unique ID?

Do you know of any white papers that deal with the storage encryption?

-JasperM

The Mobile Minute 156

Nino.Mobile — Mon, 19 Mar 2007 07:34:25 GMT

Software / Hardware Loke has a very handy WM5/WM6 feature guide CoolSmartPhone.com is reporting that

re: Storage card wipe and encryption - What's the deal?

andy — Mon, 19 Mar 2007 21:04:51 GMT

QUOTE:"This is important as many existing solutions (particularly on other platforms) store the key and data in the same place... so if you have the device you have everything you need to decrypt the data (all you need is time :) )"

... applying that same principal to the way WM stores Exchange credentials on the device for direct push ... doesn't that also suggest that it is only a matter of time before someone can decrypt a user's exchange password on the device?

I wouldn't want to rely on the device never needing to be hard reset / replaced. In addition to the scenarios given above, I've had several devices lock during the boot phase and the only way out is a hard reset. In this scenario that would be 'goodbye data'.

re: Storage card wipe and encryption - What's the deal?

jasonlan — Mon, 19 Mar 2007 22:47:11 GMT

Andy - the Exchange password is stored hashed double encrypted on the device using 128-bit RC4 encryption so I think it'd take a VERY long time for someone to decrypt.... if ever....

re: Storage card wipe and encryption - What's the deal?

JasperM — Tue, 20 Mar 2007 05:27:27 GMT

Storage Card encryption uses AES 128, according the whitepapers previously posted, and WPA2 uses 128 and 256 bit keys for wifi encryption.

Here is additional information I found from a US government website:

http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html

Approximately how big are the AES key sizes?

The AES specifies three key sizes: 128, 192 and 256 bits. In decimal terms, this means that there are approximately:

3.4 x 10^38 possible 128-bit keys;

6.2 x 10^57 possible 192-bit keys; and

1.1 x 10^77 possible 256-bit keys.

In comparison, DES keys are 56 bits long, which means there are approximately 7.2 x 10^16 possible DES keys. Thus, there are on the order of 10^21 times more AES 128-bit keys than DES 56-bit keys.

# What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?

In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

-JasperM

re: Storage card wipe and encryption - What's the deal?

Scott Yost — Tue, 20 Mar 2007 07:17:56 GMT

@JasperM: A new key is generated after a cold boot, so if you hard reset the device, the files are unreadable. (it has to be like that, we don't want it to be that easy to get into the encrypted storage card of a stolen device+card)

@Eagle: One method to migitate the pin recovery risk is to use the OWA password reset feature that's in WM6. Users can log into their OWA account and get a recovery code which is used to reset the password on the device. This will preserve the encrypted files.

re: Storage card wipe and encryption - What's the deal?

jasonlan — Tue, 20 Mar 2007 11:38:51 GMT

JasperM - love it :) I had been using those numbers in some MEDC presentations last year.... I think most people's device contents will have little value in 149 trillion years ;)

re: Storage card wipe and encryption - What's the deal?

breadtan — Wed, 21 Mar 2007 08:29:07 GMT

Wiping issue on Flash Vs PC Harddisk (HDD)

- I thought the wiping is to make the erased content unrecoverable hence the DoD standards for the wiping sequences. Rather than it is due to the placement of the head but still in a way it does help and I do agree too.

- For Flash memory, does it require those wiping standards too? It is still storing non-volatile data like HDD, or am I wrong

Regards

Windows Mobile 6 Storage Card Encryption FAQ

Windows Mobile Team Blog — Tue, 27 Mar 2007 04:43:59 GMT

My colleague Jason Langridge wrote a post about the storage card encryption feature in WM6. This is one

Windows Mobile 6 Storage Card Encryption FAQ

Windows Mobile Team Blog — Tue, 27 Mar 2007 04:44:59 GMT

My colleague Jason Langridge wrote a post about the storage card encryption feature in WM6. This is one

Windows Mobile 6 Storage Card Encryption FAQ

RSS It All — Tue, 27 Mar 2007 05:01:11 GMT

My colleague Jason Langridge wrote a post about the storage card encryption feature in WM6. This is one

Windows Mobile 6 Storage Card Encryption FAQ

Pocket.Net - Mobile 2.0 — Tue, 27 Mar 2007 06:11:56 GMT

My colleague Jason Langridge wrote a post about the storage card encryption feature in WM6. This is one

Windows Mobile Encryption and Recovery

Marco Nielsen at myITforum.com — Sat, 31 Jan 2009 09:43:37 GMT

A lot of discussions within IT organizations are about security, and how the approved security policies

Windows Mobile Encryption and Recovery

Marco Nielsen at myITforum.com — Sat, 31 Jan 2009 09:46:27 GMT

A lot of discussions within IT organizations are about security, and how the approved security policies