Apple Announces 'Groundbreaking' New Security Protocol for iMessage

[MacRumors]

Apple today announced a new post-quantum cryptographic protocol for iMessage called PQ3. Apple says this "groundbreaking" and "state-of-the-art" protocol provides "extensive defenses against even highly sophisticated quantum attacks."

Apple believes the PQ3 protocol's protections "surpass those in all other widely deployed messaging apps," according to its blog post:

Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world.

PQ3 will be gradually rolling out for supported iMessage conversations starting with iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 in March, and it is already in the latest beta versions of these updates, according to Apple. visionOS will not support the PQ3 protocol during the initial rollout, the company confirmed.

Apple says PQ3 will fully replace iMessage's existing cryptography protocol within all supported conversations later this year. All devices in an iMessage conversation must be updated to the above software versions or later to be eligible.

Post-Quantum Cryptography

iMessage already supports end-to-end encryption, but existing cryptographic protocols that are commonly used by messaging apps rely on mathematical problems that could potentially be solved by future quantum computers.

PQ3 is designed to protect users against "Harvest Now, Decrypt Later" attacks, in which malicious actors collect large amounts of encrypted data now and store it in hopes they will be able to decrypt it with a quantum computer in the future:

Although such quantum computers don't yet exist, extremely well-resourced attackers can already prepare for their possible arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: such attackers can collect large amounts of today's encrypted data and file it all away for future reference. Even though they can't decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.

Apple says PQ3 achieves what it calls "Level 3" security, meaning it secures "both the initial key establishment and the ongoing message exchange."

For deeply technical details about the protocol, read the Apple Security Research blog post.

Article Link: Apple Announces 'Groundbreaking' New Security Protocol for iMessage

 

[MayaUser]

PQ3 is the next big thing for the next decade..hoping for others to join it

 

[toobravetosave]

ok cool now release a cross platform client so your users can be secure no matter who they talk to

 

[Pezimak]

Everyone will still use bloody WhatsApp 🤣

 

[TechnoMonk]

Quantum computing is much closer than ever. Good move by Apple.

 

[HackMacDaddy]

I hope they will also update iMessage with ui features. Whatsapp is just so much easier and intuitive to use, that‘s why nobody is using iMessage in Europe.

 

[jayryco]

Good move but too bad the majority of the world don't use iMessage 😅

 

[0339327]

Governments around the world already rely on iPhones and iMessage for security. This will only enhance the adoption.

I think this is also a large push towards giving customers a reason to stick with iPhone after RCS introduction.

Of course, WhatsApp is far more popular and is controlled by the untrusted Meta.

 

[TechnoMonk]

I hope they will also update iMessage with ui features. Whatsapp is just so much easier and intuitive to use, that‘s why nobody is using iMessage in Europe.

I tried WhatsApp, it’s pretty much spam magnet. Luckily for me , almost every one I know uses iMessage. For those who don’t, I just text.

 

[adrianlondon]

I hope they will also update iMessage with ui features. Whatsapp is just so much easier and intuitive to use, that‘s why nobody is using iMessage in Europe.

We (me and my friends) tend to use WhatsApp here in Europe as we don't need to worry about what phone others are using. Plus, it works well on laptops.

I use iMessage with my family as we all have iPhones and/or iPads, but it's WhatsApp (or Line if I really have to, with friends in Asia) for everyone else.

 

[Squozen]

I hope they will also update iMessage with ui features. Whatsapp is just so much easier and intuitive to use, that‘s why nobody is using iMessage in Europe.

No, people use WhatsApp in Europe because it’s cross-platform and a lot of people use Android. Adding features to iMessage won’t increase EU usage in the slightest.

 

[obezcinnet]

ok cool now release a cross platform client so your users can be secure no matter who they talk to

they are already doing that, mostly due to EU regulations. https://www.nytimes.com/2023/11/18/technology/iphone-android-apple-rcs-messaging.html

I think they are releasing PQ3 ahead of the RCS implementation to position iMessage as a better solution.

 

[spazzcat]

I hope they will also update iMessage with ui features. Whatsapp is just so much easier and intuitive to use, that‘s why nobody is using iMessage in Europe.

You are used to it; the UI isn't better than messages or more intuitive.

 

[jhwalker]

I tried WhatsApp, it’s pretty much spam magnet. Luckily for me , almost every one I know uses iMessage. For those who don’t, I just text.

Same - our company prohibits use of WhatsApp, and ALL my friends and family have iPhones, so iMessage it is.

 

[Joe Mac User]

"Backdoor this, bitches."

 

[toobravetosave]

they are already doing that, mostly due to EU regulations. https://www.nytimes.com/2023/11/18/technology/iphone-android-apple-rcs-messaging.html

I think they are releasing PQ3 ahead of the RCS implementation to position iMessage as a better solution.

that’s not what a cross platform client is. whatsapp is an example

 

[ShiftHappens]

Quantum computing is much closer than ever. Good move by Apple.

Never a bad thing to be proactive, but I highly doubt quantum computers poses an imminent threat. Or, to quote Bruce Schneyer:
I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard. And that we don’t know if it’s “land a person on the surface of the moon” hard, or “land a person on the surface of the sun” hard. They’re both hard, but very different.

An interesting article for the interested: https://spectrum.ieee.org/quantum-computing-skeptics

 

[madmin]

In France they call toilet paper PQ

"Can't innovate, my ass"

 

[HobeSoundDarryl]

1. Is this a standard others can adopt too... or is this a proprietary, Apple-only protocol?
2. An Apple-centric answer to RCS or in addition to RCS?

Update: Answer to the #1 appears to be in the lengthy release...

More than simply replacing an existing algorithm with a new one, we rebuilt the iMessage cryptographic protocol from the ground up

"we" appears to be Apple Inc.

What I don't see in the release is if it is to be offered as a standard for others to adopt too or if it will remain an Apple sandbox exclusive... and thus- like Facetime- not used by MOST of the texting devices in the world. Hopefully this is not about "protecting" blue bubbles vs. green bubbles.

I thoroughly applaud the innovation but the big reward in this great security leap seems to be dependent on parties at BOTH ends of the chat using it.

 

[HackMacDaddy]

You are used to it; the UI isn't better than messages or more intuitive.

Oh yes it is much easier.
Just one example: sending a photo from your camera roll using the share button, you have to enter the recipients name manually or go through all of your hundreds of contacts and pick one. In Whatsapp you simply land in your recent chats overview and just click on an Avatar/Chat to send it. I can‘t wrap my head around the fact that I can not do this simplest and most logical thing within iMessage. There are dozens of more examples.
Of course cross platform is a big one but all my relatives have iPhones and still use Whatsapp. When asked why, they answer „because it‘s easier to use“.

 

[Infodataset]

So can i safely store porn files by messaging myself like in whatsapp?

 

[DominikHoffmann]

Is this one of Apple’s inventions? If so, I wonder, whether they will open-source the algorithm for world-wide auditing by security researchers. How would we know, otherwise, whether the claims Apple makes are held up by reality? If they do that, of course, others will implement the same algorithm in their messaging apps, as well.

 

[bigboy29]

I need to digest this to really understand it but yey for words like "groundbreaking post-quantum cryptographic protocol"!!

 

[chrono1081]

Quantum computing is much closer than ever. Good move by Apple.

This. People think it's some theoretical future thing but quantum computers literally exist today and are getting more powerful each year.

 

[TechnoMonk]

Never a bad thing to be proactive, but I highly doubt quantum computers poses an imminent threat. Or, to quote Bruce Schneyer:
I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard. And that we don’t know if it’s “land a person on the surface of the moon” hard, or “land a person on the surface of the sun” hard. They’re both hard, but very different.

An interesting article for the interested: https://spectrum.ieee.org/quantum-computing-skeptics

The problem just like generative AI/Crypto is people treating them like holy grail of humanity. Quantum computing had made lot of progress in past 2-3 years. I can see it being huge when it comes to security. It won’t solve all the problems, but it just needs to do enough to break the security algorithms. It’s no different than the hype of ChatGPT and other overhyped AI, doesn’t mean it’s totally useless.