… the PIN.
Today I read in the news that a smartphone manufacturer has received a “friendly” invitation letter from US law enforcement asking them to help decrypt a terrorist's encrypted phone. The encryption key itself is protected with the PIN that the user has to type in and with software that keeps increasing the delay between two guessing attempts. I am sure the company sympathizes with the general idea of decrypting a terrorist's device but sees itself unable to comply with the request, as this would also significantly weaken security and privacy for the rest of us. If they let someone do it with that phone, it can be done with others, too. Once in the wild…
While most of the media is discussing the pros and cons of the move, there is a deeper issue here that nobody seems to think about: a simple 4- or 6-digit PIN and a bit of software should not protect the ciphering key in the first place.
The mere fact that software could perhaps be written to get around the increasing delays after several incorrect PIN entries, and even to let a program guess the PIN much faster than is possible via the touch screen, clearly shows that a PIN, even if it is 6 digits long, does not really protect encrypted data on a device. Other 3-letter agencies can make similar requests with a gag order, so the story would never even have come out in the first place.
The only real protection is to use a longer password when the device first boots up, one that is independent of the weaker PIN that the user has to type in to unlock the device during normal operation. If the user then selects a really long and strong “power-up” password, his data is much safer than it is now, where the only thing between safety and vulnerability is the current policy of a company not to compromise its users' safety and privacy.
Fortunately, I discovered quite some time ago that Android does indeed have this split between a password for power-up and a PIN / swipe gesture / etc. for device unlock. A much better approach!
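To make the argument concrete, here is an added example (not code from this post or from any phone vendor) that models a data key wrapped under a secret-derived key, with nothing but software between the secret and the key. The XOR wrap, the iteration count, the PIN "4831" and the 62-symbol passphrase alphabet are all constructed assumptions for illustration.

```python
import hashlib, hmac, itertools, os, time

ITERATIONS = 200  # constructed and deliberately low so the demo runs in seconds

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch the user's secret into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def _pad(kek: bytes) -> bytes:
    return hashlib.sha256(kek + b"wrap").digest()

def wrap_key(secret: str, salt: bytes, data_key: bytes):
    """Toy stand-in for a real key wrap: XOR pad plus an HMAC check value."""
    kek = derive_kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, _pad(kek)))
    return ct, hmac.new(kek, ct, "sha256").digest()

def unwrap_key(secret: str, salt: bytes, ct: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ct, _pad(derive_kek(secret, salt))))

def search_pin(salt: bytes, ct: bytes, tag: bytes, digits: int):
    """Try every PIN of this length; nothing here enforces a retry delay."""
    for guess in itertools.product("0123456789", repeat=digits):
        pin = "".join(guess)
        check = hmac.new(derive_kek(pin, salt), ct, "sha256").digest()
        if hmac.compare_digest(check, tag):
            return pin
    return None

def worst_case_seconds(alphabet: int, length: int, per_guess: float) -> float:
    """Time to exhaust the whole space at a measured cost per guess."""
    return alphabet ** length * per_guess

if __name__ == "__main__":
    salt, data_key = os.urandom(16), os.urandom(32)
    ct, tag = wrap_key("4831", salt, data_key)  # constructed PIN
    start = time.perf_counter()
    found = search_pin(salt, ct, tag, 4)
    per_guess = (time.perf_counter() - start) / (int(found) + 1)
    print("PIN found:", found, "key recovered:", unwrap_key(found, salt, ct) == data_key)
    for label, a, n in [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                        ("20-char passphrase (62 symbols)", 62, 20)]:
        print(f"{label}: {worst_case_seconds(a, n, per_guess):.3g} s worst case")
```

Raising the iteration count scales all three estimates by the same factor, so only the size of the secret's search space changes the picture.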
I think there is more to this than a simple PIN. There is a hardware security device that holds the actual key. I heard it will destroy said key if it thinks it is being compromised, for example by being fed a wrong PIN too many times. There should also be a two-step process, where you can set a PIN (or fingerprint) and an additional, hopefully strong, passphrase, which will then work similarly to the classic PIN/PUK model.
Yep, there are a lot of things that can be done to decouple the user’s security from the manufacturer of a device.