Encryption on the phone

Hi all, I don’t think this is the first time this has come up, but…is there any
type of data encryption done on the phones? Other than the password used to
login, what security is there in the commcare client?

Jon

Jon,

I’ve written the encryption libraries for the mobile client, but haven’t
worked out the last 10% of getting it configurable for use in the interface.
There are some tricky aspects of doing so. (I’ve attached some details at
the bottom if you’re curious). We can make a push for this if there’s a
specific use case. I’d love to get encryption properly rolled in and
functional ASAP.

-Clayton

Tech details:
The system uses a master encryption key which is wrapped by each of the user
keys in order to maintain the ability to access the data in the event that,
say, a user forgets their password. (The key can be re-fetched from the
server by a different user in that case). Generating this key requires
somewhat more synchronicity than CommCare is generally used to supporting.
Since the j2me environment is super sandboxed, it’s basically impossible
to guarantee enough randomness on the mobile devices to be able to
comfortably generate the key. An attacker could fairly easily replicate the
initial conditions the phone used until they hit upon a key which worked.
Additionally, we want the key to always be available globally, so there are no
use cases in which a user will be locked out of their data. We have a
protocol for handling this, but writing up the UI in a clean way to be able
to either generate a temporary key and submit it to the server or require
synchronicity at first login is a bit of work.

On Thu, Jun 23, 2011 at 7:31 AM, Jonathan Payne wrote:

Hi all, I don’t think this is the first time this has come up, but…is there any
type of data encryption done on the phones? Other than the password used to
login, what security is there in the commcare client?

Jon
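
The wrapping scheme and the entropy problem described in Clayton's message above, as an added example that is not part of this thread or of the CommCare code base: a master key generated where real entropy is available, wrapped once per user under a password-derived key, recovered for a user who forgot their password by another user re-wrapping it, and a brute-force search showing why a key seeded only from the device clock can be recovered by replaying the start-up conditions. Everything here is an assumption for illustration: the functions, the vault layout, the PBKDF2 parameters, the sample record and the clock value are all constructed, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for a real AES key-wrap primitive because the Python standard library has no AES.

```python
"""Added example, not CommCare code. Stdlib only; HMAC-SHA256 counter mode
with an encrypt-then-MAC tag stands in for AES key wrap."""
import hashlib
import hmac
import os
import struct

KEY_LEN = 32
PBKDF2_ITERS = 50_000  # assumption: tune to the target device's CPU budget


def derive_user_key(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key; every user gets their own random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERS, KEY_LEN)


def _subkey(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption under kek: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted blob")
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Master key wrapped once per user. `vault` is what the server would store:
# only wrapped copies, never the master key itself.
def enroll(vault: dict, user: str, password: str, master: bytes) -> None:
    salt = os.urandom(16)
    vault[user] = (salt, wrap(derive_user_key(password, salt), master))


def open_master(vault: dict, user: str, password: str) -> bytes:
    salt, blob = vault[user]
    return unwrap(derive_user_key(password, salt), blob)


def rewrap_for(vault: dict, helper: str, helper_pw: str, user: str, new_pw: str) -> None:
    """Recovery: any user who can open the master key re-wraps it for another."""
    enroll(vault, user, new_pw, open_master(vault, helper, helper_pw))


# Why a predictable seed is fatal: a key derived only from the device clock.
def weak_master_key(startup_ms: int) -> bytes:
    """Constructed stand-in for a key whose only entropy is a clock reading."""
    return hashlib.sha256(b"clock-seeded" + struct.pack(">Q", startup_ms)).digest()


def brute_force_weak_key(blob: bytes, approx_ms: int, window_ms: int):
    """Attacker replays candidate start-up conditions until one unwraps blob."""
    for guess in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        try:
            return guess, unwrap(weak_master_key(guess), blob)
        except ValueError:
            continue
    return None


def demo() -> dict:
    master = os.urandom(KEY_LEN)  # generated where entropy is available (e.g. server)
    vault = {}
    enroll(vault, "alice", "correct horse", master)
    enroll(vault, "bob", "battery staple", master)
    record = wrap(master, b"case=42;note=constructed sample")  # constructed data
    try:
        open_master(vault, "bob", "wrong password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    # Bob forgets his password; Alice re-wraps the master key for his new one.
    rewrap_for(vault, "alice", "correct horse", "bob", "new password")
    after_recovery = unwrap(open_master(vault, "bob", "new password"), record)
    # Phone seeded its key from a clock value the attacker can bracket (constructed).
    phone_startup_ms = 1_308_800_000_123
    weak_blob = wrap(weak_master_key(phone_startup_ms), b"secret")
    hit = brute_force_weak_key(weak_blob, approx_ms=1_308_800_000_000, window_ms=2_000)
    return {"wrong_rejected": wrong_rejected, "after_recovery": after_recovery,
            "weak_seed_found": hit[0] if hit else None,
            "weak_plaintext": hit[1] if hit else None}


if __name__ == "__main__":
    print(demo())
```

The recovery path works only because some party who can open the master key is still around; the wrapped copies stored server-side give the server nothing usable without a user's password. The brute force succeeds in a few thousand guesses because the only secret input was a clock value that an attacker can bracket to within seconds, which is the situation a sandboxed J2ME runtime with no OS entropy source leaves you in.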

Hi Clayton,

I expected you already had a design in mind. This definitely sounds like an
important feature. D-tree has a proposal in the works that will fall under
some combination of Harvard, HIPAA, and IRB restrictions, so this might be
required depending on the design. Will keep in touch regarding this…

thanks,
Jon

On Thu, Jun 23, 2011 at 6:53 PM, Clayton Sims wrote:

Jon,

I’ve written the encryption libraries for the mobile client, but haven’t
worked out the last 10% of getting it configurable for use in the interface.
There are some tricky aspects of doing so. (I’ve attached some details at
the bottom if you’re curious). We can make a push for this if there’s a
specific use case. I’d love to get encryption properly rolled in and
functional ASAP.

-Clayton

Tech details:
The system uses a master encryption key which is wrapped by each of the
user keys in order to maintain the ability to access the data in the event
that, say, a user forgets their password. (The key can be re-fetched from
the server by a different user in that case). Generating this key requires
somewhat more synchronicity than CommCare is generally used to supporting.
Since the j2me environment is super sandboxed, it’s basically impossible
to guarantee enough randomness on the mobile devices to be able to
comfortably generate the key. An attacker could fairly easily replicate the
initial conditions the phone used until they hit upon a key which worked.
Additionally, we want the key to always be available globally, so there are no
use cases in which a user will be locked out of their data. We have a
protocol for handling this, but writing up the UI in a clean way to be able
to either generate a temporary key and submit it to the server or require
synchronicity at first login is a bit of work.

Jon,

Sounds good. The design work should take a bit of time, but the actual
encryption libraries are already written and in the code base, so hopefully
the actual negotiation layer won’t take too much time on top.

-Clayton

On Fri, Jun 24, 2011 at 1:41 AM, Jonathan Payne wrote:

Hi Clayton,

I expected you already had a design in mind. This definitely sounds like an
important feature. D-tree has a proposal in the works that will fall under
some combination of Harvard, HIPAA, and IRB restrictions, so this might be
required depending on the design. Will keep in touch regarding this…

thanks,
Jon