Relevant technical info re Apple iPhone cryptosecurity
Verry interesting...

"The CIA Campaign To Steal Apple's Secrets" By Jeremy Scahill and Josh Begley, published in The Intercept: https://tinyurl.com/p9wtmdf

"These machines have two separate keys integrated into the silicon of their Apple-designed processors at the point of manufacture. The two, paired together, are used to encrypt data and software stored on iPhones and iPads. One, the User ID, is unique to an individual’s phone, and is not retained by Apple. That key is vital to protecting an individual’s data and — particularly on Apple’s latest devices — difficult to steal. A second key, the Group ID, is known to Apple and is the same across multiple Apple devices that use the same processor. The GID is used to encrypt essential system software that runs on Apple’s mobile devices."
On Thu, 25 Feb 2016 13:52:37 -0500 Steve Kinney <admin@pilobilus.net> wrote:
> "These machines have two separate keys integrated into the silicon of their Apple-designed processors at the point of manufacture.

http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-...

Hm. So, if you don't have the UID you can't run the key derivation function. And allegedly the UID is not known to apple...despite the fact that they (or their foundry) put the UID into the 'secure' crypto coprocessor...

> The two, paired together, are used to encrypt data and software stored on iPhones and iPads. One, the User ID, is unique to an individual’s phone, and is not retained by Apple. That key is vital to protecting an individual’s data and — particularly on Apple’s latest devices — difficult to steal. A second key, the Group ID, is known to Apple and is the same across multiple Apple devices that use the same processor. The GID is used to encrypt essential system software that runs on Apple’s mobile devices."
On Thu, Feb 25, 2016 at 05:34:08PM -0300, juan wrote:
> On Thu, 25 Feb 2016 13:52:37 -0500 Steve Kinney <admin@pilobilus.net> wrote:
>> "These machines have two separate keys integrated into the silicon of their Apple-designed processors at the point of manufacture.
>
> http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-...
>
> Hm. So, if you don't have the UID you can't run the key derivation function. And allegedly the UID is not known to apple...despite the fact that they (or their foundry) put the UID into the 'secure' crypto coprocessor...

That's called 'plausible deniability'.

If only the NSA/Mossad/MI5 funded janitorial staff grab the UIDs, then both the fab and apple can pretend it's not happening.

Seems like the FBI and NSA are having a bad breakup over a little too much LOVINT.

It seems much cheaper to actually and truly forget the UID once it's been encapsulated in the chip package, than to risk that you might get Snowdened, and leave the spookery up to the spooks.
On Thu, 25 Feb 2016 16:14:16 -0600 Troy Benjegerdes <hozer@hozed.org> wrote:
> On Thu, Feb 25, 2016 at 05:34:08PM -0300, juan wrote:
>> On Thu, 25 Feb 2016 13:52:37 -0500 Steve Kinney <admin@pilobilus.net> wrote:
>>> "These machines have two separate keys integrated into the silicon of their Apple-designed processors at the point of manufacture.
>>
>> http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-...
>>
>> Hm. So, if you don't have the UID you can't run the key derivation function. And allegedly the UID is not known to apple...despite the fact that they (or their foundry) put the UID into the 'secure' crypto coprocessor...
>
> That's called 'plausible deniability'.

Yeah, except, apple claiming "we don't have the key we burned into the phone" isn't too 'plausible' ^-^

Anyway, the government gets the uid key one way or another and then brute force the passcode. Depending on passcode the process can take something like 0.000001s or less. It's technically possible that the passcode itself is a 'big' ( > 90 bits?) random number or equivalent passphrase. But, likely? I doubt it.

Also, from what I read, people can use their fingerprint as passcode? So, all the gov't has to do is look up the fingerprint in their archive? (ok, some format conversion required, but I suppose they can manage that)

> If only the NSA/Mossad/MI5 funded janitorial staff grab the UIDs, then both the fab and apple can pretend it's not happening.

Yes, they can pretend... ^-^

> Seems like the FBI and NSA are having a bad breakup over a little too much LOVINT.
>
> It seems much cheaper to actually and truly forget the UID once it's been encapsulated in the chip package, than to risk that you might get Snowdened, and leave the spookery up to the spooks.

Maybe. So, they don't have the keys, they already gave them to their partners in crime at the nsa. It also should be noted that NOTHING that ANY subject of the US mafia/government says can be 'trusted'. Any one of these subjects may be under a 'secret order' 'gag order' 'liberty order' or whatever the correct newspeak term is.

https://github.com/planetbeing/xpwn/tree/master/crypto

"This package allows you to directly access the iPhone's AES engine from userland. You may encrypt and decrypt with the UID and GID keys,"
participants (3): juan, Steve Kinney, Troy Benjegerdes
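
An added sketch of the trade-off argued over in this thread (not written by any poster and not Apple's implementation): a passcode key derived together with a device-unique key, showing that the derivation cannot be run without that key, and that once the key is known only passcode entropy remains. PBKDF2 salted with the UID, the sample UIDs, the low iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
from itertools import product

# Constructed sample values, not real device keys.
DEVICE_UID = bytes.fromhex("a3" * 32)
OTHER_UID = bytes.fromhex("5c" * 32)
DIGITS = "0123456789"


def derive_key(passcode: str, uid: bytes, iterations: int = 50) -> bytes:
    """Toy passcode key: PBKDF2-HMAC-SHA256 salted with the device UID.

    Assumption: a software stand-in for a hardware-bound KDF. The low
    iteration count only keeps the demo fast.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations)


def passcode_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passcode."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, bits: float) -> int:
    """Shortest random passcode length that reaches the given entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every passcode at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second


def search_passcode(target: bytes, uid: bytes, alphabet: str, length: int):
    """Exhaustive search; returns the passcode, or None if uid is wrong."""
    for candidate in product(alphabet, repeat=length):
        guess = "".join(candidate)
        if hmac.compare_digest(derive_key(guess, uid), target):
            return guess
    return None


if __name__ == "__main__":
    key = derive_key("4821", DEVICE_UID)
    print("with UID:   ", search_passcode(key, DEVICE_UID, DIGITS, 4))
    print("without UID:", search_passcode(key, OTHER_UID, DIGITS, 4))
    for name, size, n in [("4 digits", 10, 4), ("6 digits", 10, 6)]:
        print(name, round(passcode_bits(size, n), 1), "bits")
    print("alphanumeric chars for 90 bits:", length_for_bits(62, 90))
```

The guess rate passed to `worst_case_seconds` is whatever the defender assumes the attacker can sustain; the function only converts entropy into time at that rate.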