
Apple advances user security with powerful new data protections

17 hours ago, wanderingfool2 said:

If you advertise something as E2EE and state that it prevents Apple from reading your messages in transit... and yet they can read your messages if they so choose to

At no point were they able to read in transit.

To do this they would have had to modify iOS so that, when a new device is added to a user's iMessage account, the existing devices cross-sign the keys for that new device without prompting the user. Without that cross-signature, a new device added to a user's account would not be able to eavesdrop on (decrypt) messages sent in existing conversations. However, it can create new conversations.

What was not E2EE was backups, and Apple was clear about this. (iMessage backups should have been E2EE, or at least had an option for it.)
 


5 hours ago, hishnash said:

At no point were they able to read in transit.

To do this they would have had to modify iOS so that, when a new device is added to a user's iMessage account, the existing devices cross-sign the keys for that new device without prompting the user. Without that cross-signature, a new device added to a user's account would not be able to eavesdrop on (decrypt) messages sent in existing conversations. However, it can create new conversations.

What was not E2EE was backups, and Apple was clear about this. (iMessage backups should have been E2EE, or at least had an option for it.)

That's not correct though. Apple distributes the public keys, and also communicates how many devices a user has (each device has its own public/private key pair, but they are not related). Notice how in the white paper, and in the subsequent update to the white paper, there is no mention of signing the keys.

 

To be clear here, this is how Apple handles multiple devices: each device generates its own private key and sends the public key to Apple (there isn't any overlap in terms of the private key numbers... if there was, you would compromise the fundamental principle of RSA and would be able to derive the private keys from the public keys). When you send a message, your device gets the multiple keys and encrypts the message multiple times. Just because Apple may prompt when you add new devices to iMessage does not mean they can't add new public keys in the backend.

 

So if Apple's servers act as intended, and as they claim they do, then yes, they can't read it in transit. If the authorities step in and say you must facilitate snooping (with a warrant), then Apple could do one of two things. Generate a private/public key pair and attach it to the account (so that the message gets sent twice; in theory, if the user monitored their traffic carefully, this could be spotted). Or generate a public/private key pair and broadcast that to the targets they want to read the texts of; when a message is sent, simply decrypt it, repack it and send it along on its way. Unless the person timed the sending/responses, it would be hard to detect (as Apple, prior to this update, didn't give an option to see the public key).



20 hours ago, wanderingfool2 said:

Just because Apple may prompt when you add new devices to iMessage, does not mean they can't add in new public keys in the backend

While they could add new keys, those keys would not be able to partake in existing conversations (only new threads). For a device to be enrolled so that it can partake in existing threads, it needs one of the existing authenticated devices to share some keys for the conversation with it.

 

Apple could create a new public/private key pair and make it follow the flow of a user who has lost all of their devices. This, however, means it would not be able to partake in any existing conversations with the other devices of the user it is trying to impersonate.

 

20 hours ago, wanderingfool2 said:

Unless the person timed sending/responses it would be hard to detect (as Apple prior to this update didn't give an option to see the public key)

No, they can't do this, since when messages are sent they are not only encrypted but also signed. So a classic man-in-the-middle attack like this would be detected.


Fundamentally, all the other messaging apps have this issue, and many of them are even more susceptible, as they use the phone number as proof of ID (so that users can keep an account when they change phones). Governments can (and do) intercept phone-number-based messages, calls, etc. on an everyday basis, and can do this without even contacting the operator of such messaging services.

The alternative is making it close to impossible to message someone unless you first meet them in person (or have some other trusted communication channel for key verification). And then also accept that if you lose your phone, even though your contacts list is backed up, every one of your contacts will no longer get your messages until you meet them in person again. For a practical mass-market messaging solution you do need to let people use the platform without these limitations.


On 12/14/2022 at 12:55 PM, hishnash said:

while they could add new keys would not be able to partake in existing conversations (only new threads).

From a lawful intercept point of view, that would be sufficient for various authorities I would expect.
