[Cryptography] Apple?s iMessage Defense Against Spying Has One Flaw

John-Mark Gurney jmg at funkthat.com
Thu Sep 10 14:53:39 EDT 2015 

Jerry Leichter wrote this message on Thu, Sep 10, 2015 at 09:56 -0400:
> Apple is producing something for mass consumption.  Checking against some out of band information, transmitted in some unspecified way?  Not the kind of thing that's compatible with mass usage.
> 
> Besides, the obvious approaches *don't work*.  The Apple model has one public/private key pair *per device*, not *per user*.  The private keys never leave the device that created them; there's no way to transfer your old private key to your new iPhone.  The Apple server sends you a set of public keys for all the devices the user you want to talk to has registered with Apple.  The attack would be for the Apple server to send an *additional* key that the FBI (say) owned.  A check that the key your correspondent is using is in the set of keys you received will succeed!  What you would need to check is that *all* the keys you received are for devices your correspondent knows about and approves.  This is way beyond what almost anyone would be in a position to check.

Not really...  Say Alice is sending her key to Bob, Alice uses her
current device key to sign a list of public keys aka devices, and
sends that sgned list to Bob, this can easily work...  Then Bob has a
list of approved devices which are trusted to be Alice's, and future
changes to the list of approved devices/keys can be automated by any
of those verified devices...

If a Apple were to add a key that Alice didn't know about, hopefully
she would recognize that she doesn't have a second iPad, and not sign
the new set of keys including the bogus one...

This would require Alice to "approve" the new device from one of her
existing devices instead of simply authenticating to Apple before Bob
would trust it, but IMO that is a minor issue..  (or does Apple already
require you to access a previously auth'd device before adding a new
one?)

> If you've previously talked to Bob, your system *could* tell you that the set of keys the server returned for Bob includes a new one.  But this would be a very frequent occurrence - replacing a phone, getting and registering an additional device, even some Mac OS version upgrades add new keys.  Virtually all the time, this alert would be a false alarm.  Not only would it annoy users - but in practice, with no easy, safe way to verify the new keys - you can't do it over the iMessage channel you're trying to establish! - who would it actually help?

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

More information about the cryptography mailing list