matthew_d_green

matthew_d_green, 3 months ago

The original iMessage protocol was launched in 2011 and was really amazing for the time, since it instantly provided e2e messaging to huge numbers of people. But cryptographically, it wasn’t very good. My students broke it in 2015: https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html

matthew_d_green, 3 months ago

In 2019 Apple quietly upgraded the protocol to get rid of some obsolete cryptography, but it still wasn’t as advanced as the Signal Protocol used by WhatsApp and Signal.

A big part of the reason: iMessage lacked post-compromise security.

matthew_d_green, 3 months ago

In the Signal protocol, your communication keys are constantly updated and “ratcheted” forwards. This means that a compromised phone/backup won’t be useful for long. You’ll replace the stolen keys within a few minutes. In iMessage this wasn’t true: public keys were long-lived.

matthew_d_green, 3 months ago

The new update adds periodic rekeying using elliptic curve cryptography, to ensure that compromised keys quickly become useless, both in the future and for decrypting past messages. This closes an important threat vector.

Along with key transparency, this makes iMessage a state-of-the-art cryptographic protocol

matthew_d_green, 3 months ago

Key transparency, as an aside, is now also being rolled out by Apple: https://security.apple.com/blog/imessage-contact-key-verification/

matthew_d_green, 3 months ago

Even with those improvements, the remaining problem is that elliptic curve crypto is not secure against future quantum computing advances. This doesn’t matter today, but if such computers are built in the future, they could be used to decrypt past conversations.

matthew_d_green, 3 months ago

So Apple has made two changes in this update. In addition to frequent elliptic curve rekeying, they also use a second “post quantum secure” algorithm: Kyber. This algorithm rekeys as well, but a little less frequently. (This is because Kyber cophertexts are much bigger and “eat” more space on the wire.)

matthew_d_green, 3 months ago

An important note here is that the two main encryption algorithms are arranged into a “combiner”: this means that as long as one algorithm remains secure, nobody should be able to break the encryption. This means Apple gets the safety of elliptic curves today, plus PQC in the future (maybe.)

matthew_d_green, 3 months ago

Ok, so what? You might point out that this is overkill. Quantum computers are years away, and key compromise is rare. So why should I care about this?

(I confess this was also my initial reaction.)

matthew_d_green, 3 months ago

The answer is you probably don’t need to care. It is overkill. But sometimes overkill sends a useful message, one that should be heard by people who aren’t technical at all. Specifically:

For several years (until very recently), Apple’s crypto dev was stagnant. iCloud wasn’t end-to-end encrypted. iMessage was encrypted, but wasn’t being improved.

I think a lot of this was due to Apple being nervous about political backlash from governments around the world.

matthew_d_green, 3 months ago

And oh boy, was there a lot of backlash. In the US, UK and EU, laws were proposed mandating that companies either decrypt end-to-end encrypted messages on demand (somehow), or else scan them for “illegal material”. For varying definitions of that term! https://www.reuters.com/world/europe/uk-bill-seeks-remove-videos-migrant-crossings-2023-01-17/

matthew_d_green, 3 months ago

In 2021 Apple appeared to knuckle to this pressure. They announced a plan to scan photos sent to iCloud on the user’s device, which was exactly the content scanning governments were seeking. They backed off this plan after a huge consumer backlash. https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/

matthew_d_green, 3 months ago

What’s changed since that event is that Apple seems to have taken the leash off of their security team. Since 2022 Apple has:

• Released end-to-end encrypted backup for iCloud
• Added key transparency for iMessage
• Now seriously upgraded iMessage

matthew_d_green, 3 months ago

In the latter two cases (key transparency, iMessage), the upgrades are more important to security experts than to average users. But they still represent a huge investment and forward motion that will drive the industry forward even faster to using strong encryption everywhere.

matthew_d_green, 3 months ago

In the latter two cases (key transparency, iMessage), the upgrades are more important to security experts than to average users. But they still represent a huge investment and forward motion that will drive the industry forward even faster to using strong encryption everywhere.

matthew_d_green, 3 months ago

And this is important because, for better or for worse, Apple often “sets the standard” for the rest of the industry.

(I should point out that on encryption issues, they’ve faced strong competition from WhatsApp and Meta, who are also doing amazing things.)

matthew_d_green, 3 months ago

Anyway: that’s why I think the import of today’s news is bigger than just “Apple adopted some post quantum algorithms.” As exciting as that is for us cryptographers. //fin

matthew_d_green, 3 months ago

@feld No I’m doing it by hand. And aesthetically I dislike long posts so I just do it this way.