[Cryptography] DoJ/FBI's "nuclear"/Lavabit option

Henry Baker hbaker1 at pipeline.com
Thu Mar 17 13:05:54 EDT 2016


FYI --

https://www.techdirt.com/articles/20160316/15292633927/how-apple-could-lose-winning-dojs-next-move-could-be-worse.shtml

"That is, instead of asking Apple to create a hacking tool that would permit the FBI to attempt to brute-force a phone's passcode without triggering escalating delays between guesses or deletion of encrypted data, they could simply demand that Apple turn over the source code and documentation the FBI would need to develop its own custom version of the iOS boot ROM, sans security features.  Then, they require Apple to either cryptographically sign that code or provide the government with access to its developer credentials, so that the FBiOS can run on an iPhone."

https://www.techdirt.com/articles/20131002/17443624734/lavabit-tried-giving-feds-its-ssl-key-11-pages-4-point-type-feds-complained-that-it-was-illegible.shtml

"Somewhat amusingly, Lavabit tried to comply "by turning over the private SSL keys as an 11 page printout in 4-point type." The feds complained that "the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data." Poor, poor FBI. The judge has no problem putting a massive burden on Lavabit, but asking the FBI to actually do some data entry is too onerous? Yup. Apparently. The court then ordered Levison to provide a more useful electronic copy, which then resulted in the $5,000/day fine for failing to live up to that, and then the closure of the site."

----
I suspect that if Apple printed out its source code in 4-point type, it would be considerably larger than 11 pages.

When IBM was faced with anti-trust litigation from the U.S. Govt in the late 1960s, it famously delivered the subpoenaed discovery documents in a number of moving-van-type semi-trailer-truck-fulls of boxes.  I think it took years for the govt to wade through the documents.

Perhaps Apple is currently doing an internal version of the "obfuscated C contest", to slow down this brute force attack.

This might be a good time for Apple to invest in a "return-oriented programming" (ROP) compiler for their firmware loader, so the FBI team can play "find the delay counter".


