On Fri, Aug 12, 2016 at 5:41 PM Zenaan Harkness <zen@freedbms.net> wrote:
> Cause for both cautious optimism - this might result in a competitive
> market for 'full system' 'wholistic' encryption ecosystem -
>
> @pp13 at BlackHat: Reopening the "Going Dark" Debate
> https://lawfareblog.com/apple-blackhat-reopening-going-dark-debate
>
> (The author says some things which sound a bit messed up e.g. "Apple
> built the very thing that they and the privacy community have been
> saying for years is reckless, dangerous or impossible: a high-value
> encryption key secured in a vault such that the key can’t be stolen or
> misused by hackers or malicious insiders" - perhaps he's attempting to
> obfuscate things, or perhaps his own mind is naturally obfuscated.)

Apple has created a MUCH higher value target than an individual iPhone, and I doubt they've made it enough more expensive to crack than an individual iPhone that they won't eventually be forced to break it. Of course, forcing them to break it is tantamount to outlawing such a system anyway, so it doesn't actually have to be impossible to break, just hard enough that the law has to change in a significant way before they can be forced to break it. In which case they'd just switch to key escrow anyway and we'd all feel sorry for them because, well, at least they tried.

Perhaps it's my lack of imagination, but this doesn't seem to move the bar much on the "reckless, dangerous, or impossible" thing. They were able to build the vault because its functionality is essentially identical to the Secure Enclave chip. Its construction, AFAICT, does not prove that one can build a similarly secure system that could allow selective access, because the immutability of the system means you would still need some kind of master key to authenticate to it to get it to decrypt individual secrets. You still need physical access, of course, but then it's just a plain ol' HSM, is it not?

The other property that lets this approach work is that even if the device fails, that just invalidates people's keychain backups. It doesn't destroy their original keychains. I'm guessing that Apple scales the service and avoids the possibility of the loss of a single device invalidating all backups by having a way to add new master keys over time. Such a mechanism couldn't be used to decrypt any existing backup, but it could be used to force Apple to add an escrowed key and get every iPhone to reencrypt its backup with the new key.

Found a nice photo from the talk, by the way: http://imgur.com/a/YO6ak

(Speaking of autonomous, inaccessible, non-updatable systems...)