iCloud Keychain uses compromised encryption (NIST/NSA)

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
In the "Security Now #446" podcast of 2014-03-11, Steve Gibson talks about iOS 7 security in general, and that of iCloud Keychain specifically.

Audio (mp3): http://media.GRC.com/sn/SN-446.mp3
Transcript (txt): https://www.grc.com/sn/sn-446.txt
Video: http://twit.tv/show/security-now/446

According to Apple's own "iOS Security" pdf at http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf (page 24), iCloud Keychain uses Asymmetric Elliptical Key (using P256) encryption.

That form of encryption is believed to be compromised by NSA/NIST:
http://safecurves.cr.yp.to/index.html
http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

My advice is: Don't use iCloud Keychain.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
By your logic, we also should not use SSL. Good luck with that.

http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html

Just because the tools we use are not perfect does not mean that we should not use them. Better tools will come with time.

By the way, it is a particular implementation of elliptical curve encryption that is known to be untrusted (Dual_EC_DRBG, see: http://www.math.columbia.edu/~woit/wordpress/?p=6243 ), not all implementations. I have seen no documents that demonstrate that the implementation Apple is using (ECDH over Curve25519) has been compromised. There are concerns that the NSA *may* have weakened other security protocols, but that applies to pretty much everything today.

A.
 
Last edited:

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
In SSL the server and client negotiate the encryption at the start of the connection. The server and client both have a list of encryptions they support, and the first one in the server's list that the client understands is used. This could be a weak one or a strong one, depending mostly on the server config.

That is very different from the iCould keychain encryption where one specific encryption is used, namely Asymmetric Elliptical Key (using P256) which multiple sources say is compromised.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
Asymmetric Elliptical Key (using P256) which multiple sources say is compromised.
Yes, Mr. Gibson says so (on a notoriously anti-Apple talk show), but he hardly counts as "multiple sources". Could you provide one link from those many sources that says specifically that the implementation of AEK/P256 that Apple is using is known to be compromised? The other links you provided do not say this.

A.
 
Last edited:

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
Hey if Daniel J. Bernstein et al. don't convince you i am not even going to try.

I recommend anyone with any math/crypto skills to make up their own mind.

Also, read/listed to the podcast to find out if Steve Gibson has any love for iOS.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
I said:

"Could you provide one link from those many sources that says specifically that the implementation of AEK/P256 that Apple is using is known to be compromised?"

Hey if Daniel J. Bernstein et al. don't convince you i am not even going to try.
So that would be a "no" then? Bernstein does have many complaints about the ECDL implementation, but has little to say about the ECDH implementation that Apple is using.

A.
 

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
No i cannot. I am not a cryptography expert.
Try google.
 

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
Steve Gibson just had a third netcast about iOS security in which iCloud Keychain was discussed futher:
Steve Gibson said:
But the [iCloud] Keychain is a concern in a pure RSA sort of worry mode. Everywhere [in other iOS security stuff] that we have encountered, they have been using the right crypto. In every instance. And in fact, I re-read the paper, the entire thing, after I stumbled my toes over the use of the wrong elliptic curve for protecting the Keychain because it is the only place in Apple's entire architecture they use the wrong elliptic curve. And by "wrong," I mean one that came from the NSA, which no security expert now trusts.
Steve Gibson said:
... But what's odd is, first of all, they used the proper curve, Curve25519, Dan Bernstein's bulletproof, solid elliptic curve, and said so proudly throughout this document in every single other instance. Or they used large RSA bit keys, 2048 or 4096 generally.

Here, in iCloud, for no explicable reason, they have not used the good curve. They have used the P-256 curve which nobody now trusts. We know that it came from a guy named Jerry Solinas at the NSA. I mean, we've gone back, the crypto community has really looked at this carefully. And it was generated by the NSA using an SHA-1 hash where we've been given the seed of a series of hashes, and downstream of the series is the result on which this elliptic curve is based. And I don't remember now whether it was Bernstein or Schneier or Matt. But all three of them have said no.
Source text: https://www.grc.com/sn/sn-448.txt
 

satcomer

macrumors 603
Feb 19, 2008
6,340
943
The Finger Lakes Region
If you all want to know about all this No Such Agency's hacking by NIST standards watch this video:


So ALL encryption has been compromised, not just Apple or SSL.
 
Last edited:

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
If you all want to know about all this No Such Agency's hacking by NIST standards watch this video...
So ALL encryption has been compromised, not just Apple or SSL.
Did you even watch it? Did you read the previous discussion in this thread? The guy in the video is describing a particular problem with elliptical curve cryptography, and specifically uses the previously mentioned Dual_EC_DRBG algorithm in his example.

For you to say that "ALL encryption has been compromised" is unfounded, is uninformed FUD, and is a disservice to people who read your posting.

A.
 

satcomer

macrumors 603
Feb 19, 2008
6,340
943
The Finger Lakes Region
Did you even watch it? Did you read the previous discussion in this thread? The guy in the video is describing a particular problem with elliptical curve cryptography, and specifically uses the previously mentioned Dual_EC_DRBG algorithm in his example.

For you to say that "ALL encryption has been compromised" is unfounded, is uninformed FUD, and is a disservice to people who read your posting.

A.
Yes I did watch kit. What you didn't see when the professor said all crypto is based on the NIST standards. So it it is all crypto used the net that could be compromised if the setup their generators using the NIST standards.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
What you didn't see when the professor said all crypto is based on the NIST standards.
You are right, I did not see when he said that, because he did not say that. It would be absurd for him to say it. Think about it for a second - all cryptography on the planet is based on a NIST standard? Seriously?

His entire discussion is talking about elliptic curve cryptography, which is *one* subset of *one* type of all the different kinds of cryptography in the world. See:

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography

For other kinds of public-key cryptography, see:

https://en.wikipedia.org/wiki/Public-key_cryptography#Examples

Furthermore, the NIST standard he describes is for *one* particular random number generator which is suspected to be intentionally weak, *if* you use the supplied constants. See:

https://en.wikipedia.org/wiki/Dual_EC_DRBG

So, IF you use elliptic curve cryptography, and IF you use the Dual EC DRBG random number generator, and IF you use the supplied values for P & Q in the equation, then it is *possible* that the NSA could decrypt your traffic (1).

The statement "ALL encryption has been compromised" is simply ridiculous.

A.

(1) Make no mistake, despite the algorithm being under suspicion since 2007, some companies did exactly this.
 
Last edited:

satcomer

macrumors 603
Feb 19, 2008
6,340
943
The Finger Lakes Region
You are right, I did not see when he said that, because he did not say that. It would be absurd for him to say it. Think about it for a second - all cryptography on the planet is base on a NIST standard? Seriously?

His entire discussion is talking about elliptic curve cryptography, which is *one* subset of *one* type of all the different kinds of cryptography in the world. See:

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography

For other kinds of public-key cryptography, see:

https://en.wikipedia.org/wiki/Public-key_cryptography#Examples

Furthermore, the NIST standard he describes is for *one* particular random number generator which is suspected to be intentionally weak, *if* you use the supplied constants. See:

https://en.wikipedia.org/wiki/Dual_EC_DRBG

So, IF you use elliptic curve cryptography, and IF you use the Dual EC DRBG random number generator, and IF you use the supplied values for P & Q in the equation, then it is *possible* that the NSA could decrypt your traffic (1).

The statement "ALL encryption has been compromised" is simply ridiculous.

A.

(1) Make no mistake, despite the algorithm being under suspicion since 2007, some companies did exactly this.
Around the 7:30 mark the cameraman and the professor talk back & fourth about the "money shot" about all companies using NIST standards for encryption all NIST encryption is compromised.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
Around the 7:30 mark the cameraman and the professor talk back & fourth about the "money shot" about all companies using NIST standards for encryption all NIST encryption is compromised.
They say no such thing.

At the 7:30 mark, the 'money shot' is an image of the two constants supplied by this *one* NIST document, which applies to this *one* random number generator, when used in this *one* type of cryptography. In addition, the back and forth goes as follows, emphasis mine:

"IF ALL of these companies used the SAME the same equation and the SAME numbers provided by the government...".

That is a pretty big IF, and it is not a statement it is a question. Not only that, they are still talking about users of this ONE algorithm.

The sentence finishes:

"...weren't they all generating the same random numbers?"

Which is of course a bad thing, but there was no statement about anything else.


I would like to make something clear here: This professor's talk is great, and in a very short time he explains very simply what is wrong with the Dual EC DRBG random number generator.

What is completely bogus is *other* people's conclusions that the problems with this one algorithm apply to everything everywhere. It says nothing about other NIST standards, it says nothing about similar encryption using other random number generators, and nothing at all about the many other kinds of encryption in use today.

Last but not least, back to the title of this thread which is just as bogus as the rest of this discussion, Apple does not even use this random number generator.

A.
 
Last edited:

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
I'm gonna have to agree with Alrescha here, it is unlikely that all NIST standards are compromised, despite what the people in your video say.

Most cryptographers say: trust the math. The math is sound.
The NSA paid RSA to make one bad PRNG default for a reason: that's the one the NSA can crack.
 

jeffkoe

macrumors newbie
Mar 30, 2014
1
0
Yes, Mr. Gibson says so (on a notoriously anti-Apple talk show), but he hardly counts as "multiple sources". Could you provide one link from those many sources that says specifically that the implementation of AEK/P256 that Apple is using is known to be compromised? The other links you provided do not say this.

A.
You must not have listened to this show, as it is not even close to "anti-Apple." Mr. Gibson said iOS used excellent security protocols with the exception of the Keychain encryption standard of P256.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,157
315
You must not have listened to this show, as it is not even close to "anti-Apple."
I appreciate very much that you took the time to sign up just to comment. I used the word 'notoriously', referring to reputation. I was not thinking about that episode, or even that show - but rather everything that comes out of that particular studio nowadays. I freely admit that is just my opinion, but one that I apparently share with others.

Mr. Gibson said iOS used excellent security protocols with the exception of the Keychain encryption standard of P256.
I read the transcript. Here is a fine example:
"STEVE: Yeah. I mean, and it just stands out. It's like the one place they use the wrong elliptic curve, and it's a NSA compromised one, and it couldn't be in a worse place.

LEO: What a surprise.

STEVE: It's in the iCloud keychain logic to protect everyone's iCloud backed-up password libraries. And so it's like, oh ho ho ho ho. And it just stands out there. And they just sort of casually said, yeah, we use P-256. It's like, what? You didn't use it anywhere else. Why are you using it here?

LEO: Interesting. Isn't that interesting."
I believe that we are supposed to read between the lines that this is no accident, i.e. that Apple did it on purpose. I find that pretty 'anti-Apple', no matter what other nice things might have been said previously.

Which brings us around to where we started: I have found nothing to corroborate Mr. Gibson's claim that P256 is compromised. It's only fault appears to be that it is a NIST standard. I think the distinction is important, especially when the result is that the OP makes threads titled "iCloud Keychain uses compromised encryption".

People are right to be concerned about other standards created by an organization when one of them has been found questionable. I could believe that someone in Apple, knowing now what we all have learned from Mr. Snowden, wishes they chose a different algorithm. But Mr. Gibson did not just raise a question, he publicly said that Apple used a compromised encryption standard. And my reaction was, and still is, "Citation needed."

A.

(unsubscribed from this thread)
 
Last edited:

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
- Whether Steve Gibson is anti-apple or not is completely irrelevant (it was an ad hominem attack by Alrescha which just deflects from the actual discussion).

- This thread is not absurd even if some of the things said are proven to be untrue. It is the purpose of discussion to find these errors.

- Signing is a very important part of a security system because if you don't know who you are talking to you cannot trust the content.

- It's very easy to say "Citation needed" when all we have to go on is a document released by Apple which is very detailed about a lot of the security features in iOS 7 but very vague on the iCloud Keychain part. Feel free to trust/use iCloud Keychain as much as you want but i choose not to trust everything by default anymore.
 

dumastudetto

macrumors 68040
Aug 28, 2013
3,178
3,675
I believe that we are supposed to read between the lines that this is no accident, i.e. that Apple did it on purpose. I find that pretty 'anti-Apple', no matter what other nice things might have been said previously.
I find the transcript you posted extremely troubling and I'm glad you are raising concerns about how impartial Mr. Gibson might be towards Apple. I also think it's pretty insulting to leave open the idea that Apple may have deliberately chosen P256 as a backdoor to security agencies to gain access to our passwords. I don't believe Apple would do this for a second. It would be completely against the corporate culture of the company.

I am proud to be an Apple consumer because I know Apple is on my side when it comes to protecting my data, my privacy, and my interests against government overreach. Apple is the only company I will trust in this regard, and until they do something to change my opinion I will defend them robustly against such disgusting accusations.

I no longer listen to twit podcasts because they are all so anti-Apple. Even the main MacBreak Weekly co-host is an Android user now. :eek:
 

Jaap

macrumors member
Original poster
Jul 3, 2008
34
2
I hope you are trolling.

It is widely known that the NSA can ask their secret court to order a company (say Apple) to do something and then that company is forbidden to disclose any information about it.

So it certainly is not Apple's fault.