Apple, Encryption, and You

Published By

Recently in the news everyone from tech CEOs and politicians to my neighbors have been commenting on the recent hot news in information security. If you haven’t heard the FBI has the iPhone 5C from one of the San Bernardino shooters and is requesting assistance from Apple to bypass some of the security features on the phone that keep data safe.

Specifically the FBI wants Apple to develop a custom firmware that will remove the phone’s self wiping feature after too many tries on the passcode, remove the delay between passcode tries, and allow for passcodes to be entered via software instead of having to physically tap the screen. There are a lot of nuances and opinions on all sides as to how Apple should respond to the request but this article is going to look at the actual practicalities of information security in embedded systems.

Modern devices hold incredible amounts of information about our lives. Every device we use collects information about us from the obvious things like our smart phones which know our most intimate details to our thermostats that are now web connected and can betray our habits to people who could access the stored information. All of these devices are also becoming connected to the greater internet opening up new attack vectors making on device security even more important.

See related product


STMicroelectronics Peripherals Misc View

Apple, starting with the iPhone 5C, has implemented a security enclave. This security enclave is a complex beast but at its heart is a two key system locking down the user partition of the phone which contains all user data and the app sandbox which holds the app specific data. With this implementation private information is effectively locked away from prying eyes. To access the data the phone has a private hardware key that is merged with the user passcode creating a class key that can open the enclave but even after you get past this door each file is protected with a per-file key stored in the hardware AES engine. Without the user passcode the information is pretty tightly protected as the AES engine uses 256bit keys. 

To give you an idea of the strength of the protection one billion GPUs running at 2 gigaflops each dedicated to breaking AES256 would require almost 10 years to brute force the key. There are some more efficient methods to getting into AES protected data but with current compute power it could still take long enough to get in for the data to no longer be actionable or relevant thus why the FBI is looking for Apple’s assistance to speed up the process. If the changes the FBI wants are implemented in firmware on the phone a four digit passcode could theoretically be cracked in a few hours through brute force. A six digit code would present a tougher hurdle by boosting the total potential combinations to 1 million versus the 10,000 for a four digit code.

When we look at security in embedded systems there are a couple of angles to it; sender verification, data verification, and data protection. Sender verification is simply making sure the device you think you are communicating is actually that device to prevent imposters from interacting with a protected network or adding new devices. Data verification is making sure that information from a trusted source has not been tampered with in transmission and has remained the message that was meant to be sent. Data protection is when you move to a complete encrypted memory set to prevent prying eyes from even viewing the data held by systems. In systems holding confidential data such as anything related to banking or medical systems data protection is key. The more intense the level of protection needed the more computing power that needs to be dedicated to the process and sometimes it makes sense to offload this process to something like the Atmel ATAES132A which has secure key and data storage capabilities.

This was a very simple overview of some of the challenges in modern data protection and a couple methods to keep your data safe. In further articles we will look to dive deeper into sender verification, data verification, and complete data protection.

Related news articles

Latest News

Sorry, your filter selection returned no results.

We've updated our privacy policy. Please take a moment to review these changes. By clicking I Agree to Arrow Electronics Terms Of Use  and have read and understand the Privacy Policy and Cookie Policy.

Our website places cookies on your device to improve your experience and to improve our site. Read more about the cookies we use and how to disable them here. Cookies and tracking technologies may be used for marketing purposes.
By clicking “Accept”, you are consenting to placement of cookies on your device and to our use of tracking technologies. Click “Read More” below for more information and instructions on how to disable cookies and tracking technologies. While acceptance of cookies and tracking technologies is voluntary, disabling them may result in the website not working properly, and certain advertisements may be less relevant to you.
We respect your privacy. Read our privacy policy here