Do I understand correctly that the public key is used to encrypt the message? As otherwise, if not, then why not just have private keys only?
Because without a public key, the messages are not able to be decrypted, so the person on the receiving end would receive a bunch of meaningless characters. That's the way private & public key systems work.
I've expanded on my answer after realising I misread your question slightly, I hope it's more insightful now!

I see, thank you
I've expanded on my answer after realising I misread your question slightly, I hope it's more insightful now!
I said this on Reddit but I'll say it again here:
Finding flaws in a protocol which was obviously designed to be secure and then pointing the finger and saying "See? It's all on purpose" is just crazy.
A much bigger problem is that iCloud backups are not stored encrypted. If you back up your messages to iCloud, Apple has no need to go to the trouble of intercepting your messages in transit.
If Apple has blatantly lied about security, that's bad news. Makes you wonder what else they deliberately and consistently deceive us with.
No - the public key can not be used to encrypt data, only decrypt.
Essentially the first time you use a public & private key based system the two keys are generated.
- The private is only "known" by you/stored on your device and used to encrypt the outgoing data.
- The public key is then shared with anyone that needs to decrypt that data.
The process for iMessages likely goes something like this (taking an educated guess):
Message typed on phone -> message encrypted using private key -> message & public key sent to Apple's servers -> public key & message transferred to recipient's device -> message decrypted using public key and displayed on device.
Without a public key the messages are not able to be decrypted so the person on the receiving end would receive a bunch of meaningless characters. Likewise, if the wrong public key was provided the end result would also be receiving a bunch of meaningless characters.
Hope this helps!
The company's claim that iMessage is protected by unbreakable encryption is "just basically lies," said Cyril Cattiaux, who has developed iOS jailbreak software and works for Quarkslab, a penetration testing and reverse engineering company in Paris.
Why should we believe a jailbreaker?
Ugh, I really shouldn't get into security conversations before I've had my morning coffee. You are indeed correct, I've updated my post - Thank you.

This is categorically FALSE! If this were true, there would be no security.
The public key is, well, public. As in everybody has access to it. Which would mean everybody would be able to decrypt. Not what you want.
What happens is:
Essentially the first time you use a public & private key based system the two keys are generated.
- The private is only "known" by you/stored on your device and used to decrypt the incoming data.
- The public key is then shared with anyone that needs to encrypt the data they want to send to you.
So...
In case of iMessage, if I want to communicate with you, I give you my public key, and you give me your public key. When I send something to you, I use your public key to encrypt, which you can decrypt using your private key. A response you send to me will be encrypted using my public key, that can only be decrypted using my private key.
It's not always the text itself that is of interest but what it says about you. When taken together with others en masse it can be used to generate a pretty realistic profile of you as a person.
If iMessages is hackable and Apple claimed that the data is safe, then how are we expected to trust Apple's claim that TouchID is also safe?
Because he knows a lot more about this than you do.
If Apple has access to them, then the NSA has nothing. They don't have magical superpowers to break in everywhere.
This logic makes Apple technology unworthy of enterprise class. They can't just be lazy expecting their competitors not poking into their communication channel however unimportant the communication may be and guessing their luck.
Why? Because privacy is only for criminals? That's your point, isn't it?

I guess we are all drug dealers or spies here.
Following the revelation of government data gathering program PRISM in June, Apple released a statement on customer privacy that suggested the company was unable to access or decrypt iMessage and FaceTime conversations.
According to researchers who presented at the Hack the Box conference in Kuala Lumpur (via Macworld), it is actually possible for someone inside Apple to intercept messages because the company has access to public iMessage keys.
To encrypt iMessages, Apple utilizes public key cryptography, which means that every Apple device is assigned both a private key and a public key. When an iMessage is sent, it requests the public key of the recipient's device to encrypt the message, which is then decrypted by a private key upon receipt.
Because Apple manages public keys and does not divulge them to users, it is not possible to verify that a sent iMessage is going to the intended recipient. Apple could, for example, substitute or add a public key to intercept an outgoing message without the sender being aware of the change, as end users do not have access to public keys.

According to the researchers, there would be no way for an end user to detect an intercepted or rerouted message from their iOS device, as it is impossible to see whether or not a key has been switched or where a message has been routed.

The solution to the issue, to introduce true end-to-end encryption, would require Apple to store public keys on each iOS device to allow users to compare keys to verify that messages are going to the intended recipient.
Earlier this year, a Drug Enforcement Agency document noted that it was impossible for law enforcement agencies to eavesdrop directly on iMessage conversations due to Apple's encryption, but it appears that Apple itself could potentially intercept those messages using public keys.
Update: Apple spokeswoman Trudy Muller said in a statement to AllThingsD that "iMessage is not architected to allow Apple to read messages," adding that "The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."
Article Link: Researchers Claim Apple Can Potentially Access Encrypted iMessages [Updated]
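Added example, not part of the original article or thread and not Apple's code: a sketch of the key-directory issue the article describes, where a sender encrypts to every public key the directory lists, and of the key comparison the researchers propose. The toy textbook RSA, the fingerprint format, the key names and the sample message are all constructed assumptions for illustration.

```python
import hashlib

E = 65537

def make_keypair(p, q):
    """Toy textbook RSA from two known primes (no padding, NOT secure)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public key, private key)

def encrypt(public, m):
    n, e = public
    return pow(m, e, n)  # anyone holding the public key can do this

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)  # only the private-key holder can undo it

def fingerprint(public):
    """Short digest a user could compare out of band (constructed format)."""
    return hashlib.sha256(repr(public).encode()).hexdigest()[:16]

def unverified_keys(directory_keys, pinned):
    """Keys the directory returned that the sender never verified."""
    return [k for k in directory_keys if fingerprint(k) not in pinned]

def send(directory_keys, m, pinned=None):
    """Encrypt m to every listed key; with pins, refuse if any key is a stranger."""
    if pinned is not None and unverified_keys(directory_keys, pinned):
        raise ValueError("directory returned a key that was never verified")
    return [encrypt(k, m) for k in directory_keys]

# Constructed sample keys (Mersenne primes keep the arithmetic checkable).
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
EXTRA_PUB, EXTRA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)  # key the directory added
MSG = int.from_bytes(b"hi bob", "big")

if __name__ == "__main__":
    blind = send([BOB_PUB, EXTRA_PUB], MSG)       # no pins: nothing looks wrong
    print(decrypt(EXTRA_PRIV, blind[1]) == MSG)   # True: the extra key's holder reads it
    try:
        send([BOB_PUB, EXTRA_PUB], MSG, pinned={fingerprint(BOB_PUB)})
    except ValueError as err:
        print("blocked:", err)
```

The pinned set stands in for fingerprints the two users compared in person or over another channel; without it the sender has only the directory's word for which keys belong to the recipient.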