[Cryptography] Apple’s iMessage Defense Against Spying Has One Flaw

Jerry Leichter leichter at lrw.com
Thu Sep 10 09:56:53 EDT 2015

Apple is producing something for mass consumption.  Checking against some out of band information, transmitted in some unspecified way?  Not the kind of thing that's compatible with mass usage.

Besides, the obvious approaches *don't work*.  The Apple model has one public/private key pair *per device*, not *per user*.  The private keys never leave the device that created them; there's no way to transfer your old private key to your new iPhone.  The Apple server sends you a set of public keys for all the devices the user you want to talk to has registered with Apple.  The attack would be for the Apple server to send an *additional* key that the FBI (say) owned.  A check that the key your correspondent is using is in the set of keys you received will succeed!  What you would need to check is that *all* the keys you received are for devices your correspondent knows about and approves.  This is way beyond what almost anyone would be in a position to check.

If you've previously talked to Bob, your system *could* tell you that the set of keys the server returned for Bob includes a new one.  But this would be a very frequent occurrence - replacing a phone, getting and registering an additional device, even some Mac OS version upgrades add new keys.  Virtually all the time, this alert would be a false alarm.  Not only would it annoy users - but in practice, with no easy, safe way to verify the new keys - you can't do it over the iMessage channel you're trying to establish! - who would it actually help?

It's easy to come up with solutions if you don't actually consider all the details of the problem.  An example:  Apple's Facetime chat service provides end-to-end encryption, while Google's Hangout's don't.  People jump on Google for this, but there's a really solid technical reason behind it:  FaceTime is 1-1; Hangouts are n-n broadcasts.  This requires level-adjusting, mixing, echo-canceling, and other processing of the audio so that n-n conversations actually work well.  (Sometimes playing games with the video may also be needed).  Hangouts do this in the server - which requires the server to have access to the unencrypted streams.  To do it purely end-to-end, each endpoint would have to maintain a connection to all the other endpoints and do its own mixing and other processing locally.  This impractical for network bandwidth reasons, if nothing else, even for a fairly small number of people on a single call.

In fact, this is very roughly analogous to what happens in iMessage.  Its connections are "1-1" in terms of people, but "n-m" in terms of devices.  Text messages don't need mixing and level balancing and such, so group chats are no big deal - but just the key distribution for those n and m endpoints requires something beyond pure endpoint-to-endpoint encryption.  That "something else"  adds usage complexity, opens holes, or both.

What Apple has done, and is defending in court, is by no means trivial.  In general, *existing* business records can be obtained through relatively simple court proceedings.  If Apple had access to unencrypted streams, they could easily be required to turn them over, no muss, no fuss.  The same would occur if Apple had access to the encrypted messages and the corresponding keys - the LE agency would take the information and do its own decryption.

It's considerably more challenging to force a third party to actively create something they don't already have.  Requiring Apple to change what it actually sends to its customers - which would probably first require them to add flows to their software to even enable such a thing - while perhaps possible, is harder.  For traditional telephone conversations, CALEA required a new law - LE didn't have the authority to simply order the telco's to build such a feature into their hardware.

Law enforcement agencies don't want "harder".  They want the courts involved as little as possible; they want as little paper trail as possible.  They certainly don't want to have to ask Congress to give them the authority to make such demands, should the courts tell them they don't currently have such authority.  They'd much rather find a way to force Apple to simply hand stuff over quietly.

                                                        -- Jerry

More information about the cryptography mailing list