Skip to content

Data Encryption At Rest

Oscar Mira edited this page Sep 19, 2021 · 6 revisions

How Local Encryption Works

Database

Signal uses an SQLCipher database to store contacts, chat history, and attachments, in the app-specific directory on the device. The database is encrypted with AES 256-bit keys randomly generated the first time the app is run.

The encryption key is wrapped with Android KeyStore and stored in the Shared Preferences. If the KeyStore is unavailable as in Android 5.1 (Lollipop) and previous, the key is written as-is to the Shared Preferences.

In Signal, Shared Preferences are plaintext XML files stored along with the database.

However, Molly protects the Shared Preferences with the user's passphrase, providing full encryption of data at rest regardless of the way Android may or may not be encrypting its own storage.

Shared Preferences

Molly encrypts preferences value using AES-256 CBC mode. The preference name and the encrypted value are hashed together with HMAC-SHA256, and stored together with the encrypted value, providing authenticated encryption for the preferences.

The Shared Preferences encryption key is protected with the passphrase set in Molly, run through Argon2id (KDF) with a random salt. The CPU and memory cost parameters of the KDF algorithm are calibrated so that one attempt takes approximately 3 seconds. The passphrase is wiped from memory after hashing it.

To discourage brute-force passphrase attacks, starting in Android 6.0, the output of Argon2 is entangled with 256-bit MAC keys tied to the Android KeyStore. On a device with hardware-backed crypto services, Molly's MAC key is generated randomly inside the Secure Element, when Molly setups the encryption. This key never leaves the chip. This means brute-force attempts must be performed on the device under attack.

The stronger the user passphrase is, the stronger the encryption key becomes. Molly prevents users from creating weak passphrases that may be easily guessed by an attacker. It detects common patterns used to create memorable passwords, such as using words found in a dictionary, common character substitutions (such as using “p4ssw0rd” instead of “password”), patterns found on a keyboard (such as “q12we34r” from a QWERTY keyboard), or repeated sequences.

As soon as Molly is locked, the encryption key is wiped from memory.

Clone this wiki locally