[Cryptography] Apple's iMessage Defense Against Spying Has One Flaw

John-Mark Gurney jmg at funkthat.com
Thu Sep 10 17:36:57 EDT 2015

Jerry Leichter wrote this message on Thu, Sep 10, 2015 at 15:49 -0400:
> On Sep 10, 2015, at 2:53 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
> > Jerry Leichter wrote this message on Thu, Sep 10, 2015 at 09:56 -0400:
> >> Apple is producing something for mass consumption.  Checking against some out of band information, transmitted in some unspecified way?  Not the kind of thing that's compatible with mass usage....

I'll reinsert the missing paragraph that I was replying to:
> >> Besides, the obvious approaches *don't work*.  The Apple model has one public/private key pair *per device*, not *per user*.  The private keys never leave the device that created them; there's no way to transfer your old private key to your new iPhone.  The Apple server sends you a set of public keys for all the devices the user you want to talk to has registered with Apple.  The attack would be for the Apple server to send an *additional* key that the FBI (say) owned.  A check that the key your correspondent is using is in the set of keys you received will succeed!  What you would need to check is that *all* the keys you received are for devices your correspondent knows about and approves.  This is way beyond what almost anyone would be in a position to check.

> > Not really...  Say Alice is sending her key to Bob, Alice uses her
> > current device key to sign a list of public keys aka devices, and
> > sends that signed list to Bob, this can easily work...  Then Bob has a
> > list of approved devices which are trusted to be Alice's, and future
> > changes to the list of approved devices/keys can be automated by any
> > of those verified devices...
> I'm not sure in what universe this is "easy".
> And you're skipping lightly over the important steps.  In the iMessage world, Alice doesn't send her key to Bob.  She isn't even aware that a key exchange took place.  And, of course, she doesn't need some external, secure, verifiable channel to complete this transfer.  When Alice's phone dies and she gets a new one (hence a new key), are you expecting her to somehow send an update of her list of trusted devices - signed by another trusted device that her receivers already know about, if she has one; or through the magic external channel if she doesn't - to everyone she communicates with?

You deleted the part about how it's supposedly hard to check/verify
all the keys, and I disagree w/ that assertion...  The statement assumes
there is a way to check/verify a key and it would be difficult to
verify all the other keys in the set, and I disagree w/ that statement
and provided a method that would work...

We're talking about steps initiated by Alice to verify her devices to
Bob...  so, she can sign and send the set via iMessage to Bob for OOB
verification, via QR code or some other mechanism...  Even in iMessage
this is safe, since you're verifying the signature, and it's assumed any
tampering would invalidate the signature...

The issue w/ an absolutely new device w/ zero access to the old one is
not solvable by my solution, and is impossible to solve w/ any solution...

> Encrypted mail and other kinds of encryption have been around for decades.  Hardly anyone uses them.  Exchanging and setting up keys, checking fingerprints ... too complicated, too easy to get wrong.  There are plenty of studies of this stuff, and they've all come to the same conclusion:  Cryptography is easy; usable (and hence used) cryptography is difficult.  Cryptography at large scale (tens of millions of people - and up) is *very* difficult.

There are many different issues why this is the case...  One is that
there is limited software deployed to interoperate...  A second is
that (until recently) it wasn't easy to bring two private keys together
like it is today w/ smartphones, and because of that, no one has spent
the time/research to make it easier...

Most people wouldn't trust putting their GPG private key on their
smartphone, but luckily, we weren't talking about GPG, but about
messaging apps on the phone....

I recently talked w/ Trevor Perrin about this, and I do believe that
now that we have smartphones, that key verification (for smartphone
based keys) will become easier...  We have things like speakers/mics and
camera/qr codes that can make things much easier than we had in the
GPG days..

> I'm willing to bet that the total number of bytes encrypted and transmitted securely by iMessages in the last year - which, given forward security, are now forever secure - exceeds by a large multiple the total number of bytes of email, chat, etc., (not counting government messaging) that were encrypted and transmitted with a comparable level of security in the previous 20 years.  (OK, maybe Skype conversations back in the early days - who knows what the security is now.  Not that anyone on the outside really knew anything for sure about the security even then.)

Yeah, considering Skype supported video calls, just a few minutes of a
Skype video call would cover many people for a few years...

> You can focus on super high security against ever-unlikelier threats for a tiny fraction of the population; or you can build something that provides quite high levels of security for large fractions of the population.  Apple has gone for the latter.

I'm not saying Apple shouldn't do encryption, but they should make
verification possible for the people that care... TextSecure/Signal has
done this, and usability hasn't changed because of it...  They are
looking at better ways for verification...

  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
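The signed-device-list scheme argued for above (Alice's current device signs the roster of her device keys, Bob verifies the roster once out of band via a QR-code fingerprint, later roster changes are accepted only when signed by an already-approved device) is sketched here as an added example in Go using the standard library's Ed25519. It is not code from the thread, from Apple or from TextSecure/Signal; the roster format, the "device-list-v1" label, the eight-byte fingerprint, the function names and the injected "FBI" key are all constructed for illustration. The last check is the one the quoted paragraph calls infeasible: Bob compares every key the directory serves against the approved roster, not just the key his correspondent happens to be using.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// SignedList is Alice's self-signed device roster (hypothetical format):
// every public key she wants Bob to accept, signed by one of her devices.
type SignedList struct {
	Owner  string
	Keys   []ed25519.PublicKey
	Signer ed25519.PublicKey
	Sig    []byte
}

// canonical gives a deterministic encoding of owner+keys so that signing,
// verifying and fingerprinting all operate on exactly the same bytes.
func canonical(owner string, keys []ed25519.PublicKey) []byte {
	hexKeys := make([]string, len(keys))
	for i, k := range keys {
		hexKeys[i] = hex.EncodeToString(k)
	}
	sort.Strings(hexKeys)
	var b bytes.Buffer
	b.WriteString("device-list-v1\n" + owner + "\n")
	for _, h := range hexKeys {
		b.WriteString(h + "\n")
	}
	return b.Bytes()
}

// SignList is run on one of Alice's devices.
func SignList(owner string, keys []ed25519.PublicKey, signer ed25519.PrivateKey) SignedList {
	msg := canonical(owner, keys)
	return SignedList{Owner: owner, Keys: keys,
		Signer: signer.Public().(ed25519.PublicKey), Sig: ed25519.Sign(signer, msg)}
}

// Fingerprint is the short value Alice shows Bob out of band (QR code,
// read aloud); it commits to the whole roster, not to a single key.
func Fingerprint(sl SignedList) string {
	sum := sha256.Sum256(canonical(sl.Owner, sl.Keys))
	return hex.EncodeToString(sum[:8])
}

func contains(set []ed25519.PublicKey, k ed25519.PublicKey) bool {
	for _, s := range set {
		if bytes.Equal(s, k) {
			return true
		}
	}
	return false
}

func verifySig(sl SignedList) bool {
	return ed25519.Verify(sl.Signer, canonical(sl.Owner, sl.Keys), sl.Sig)
}

// VerifyInitial: first contact. Bob trusts none of Alice's devices yet, so
// the signature alone proves nothing; the OOB fingerprint is what binds it.
func VerifyInitial(sl SignedList, oobFingerprint string) ([]ed25519.PublicKey, error) {
	if !verifySig(sl) || !contains(sl.Keys, sl.Signer) {
		return nil, errors.New("bad signature or signer not in roster")
	}
	if Fingerprint(sl) != oobFingerprint {
		return nil, errors.New("fingerprint mismatch: roster altered in transit")
	}
	return sl.Keys, nil
}

// VerifyUpdate: later roster changes need no OOB step; they are accepted
// only when signed by a device Bob already approved.
func VerifyUpdate(approved []ed25519.PublicKey, sl SignedList) ([]ed25519.PublicKey, error) {
	if !contains(approved, sl.Signer) {
		return approved, errors.New("update signed by an unapproved device")
	}
	if !verifySig(sl) {
		return approved, errors.New("bad signature on update")
	}
	return sl.Keys, nil
}

// CheckDirectory: every key the key server hands out for Alice must be in
// the approved roster; an extra key is an injected one.
func CheckDirectory(approved, served []ed25519.PublicKey) error {
	for _, k := range served {
		if !contains(approved, k) {
			return fmt.Errorf("directory served unapproved key %s", hex.EncodeToString(k[:4]))
		}
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario returns: initial roster accepted, signed update accepted,
// injected directory key detected, rogue-signed update rejected.
func Scenario() (bool, bool, bool, bool) {
	a1Pub, a1Priv := genKey() // Alice's phone
	a2Pub, a2Priv := genKey() // Alice's laptop
	a3Pub, _ := genKey()      // Alice's replacement phone
	fPub, fPriv := genKey()   // constructed attacker key the directory injects

	first := SignList("alice", []ed25519.PublicKey{a1Pub, a2Pub}, a1Priv)
	approved, err := VerifyInitial(first, Fingerprint(first)) // fingerprint via QR
	initialOK := err == nil

	upd := SignList("alice", []ed25519.PublicKey{a1Pub, a2Pub, a3Pub}, a2Priv)
	approved, err = VerifyUpdate(approved, upd) // laptop vouches for new phone
	updateOK := err == nil

	served := []ed25519.PublicKey{a1Pub, a2Pub, a3Pub, fPub}
	injectedDetected := CheckDirectory(approved, served) != nil

	rogue := SignList("alice", []ed25519.PublicKey{a1Pub, fPub}, fPriv)
	_, err = VerifyUpdate(approved, rogue)
	rogueRejected := err != nil

	return initialOK, updateOK, injectedDetected, rogueRejected
}

func main() {
	fmt.Println(Scenario())
}
```

The one case the code does not cover is the one conceded in the message: a brand-new device with no access to any previously approved one has nothing to sign with, so it can only be introduced by a fresh out-of-band fingerprint check.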
