iCloud Keychain uses compromised encryption (NIST/NSA)

Discussion in 'Apple Music, Apple Pay, iCloud, Apple Services' started by Jaap, Mar 14, 2014.

  1. Jaap macrumors member

    Joined:
    Jul 3, 2008
    #1
    In the "Security Now #446" podcast of 2014-03-11, Steve Gibson talks about iOS 7 security in general, and that of iCloud Keychain specifically.

    Audio (mp3): http://media.GRC.com/sn/SN-446.mp3
    Transcript (txt): https://www.grc.com/sn/sn-446.txt
    Video: http://twit.tv/show/security-now/446

    According to Apple's own "iOS Security" pdf at http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf (page 24), iCloud Keychain uses Asymmetric Elliptical Key (using P256) encryption.

    That form of encryption is believed to be compromised by NSA/NIST:
    http://safecurves.cr.yp.to/index.html
    http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

    My advice is: Don't use iCloud Keychain.
     
  2. Alrescha, Mar 14, 2014
    Last edited: Mar 14, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #2
    By your logic, we also should not use SSL. Good luck with that.

    http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html

    Just because the tools we use are not perfect does not mean that we should not use them. Better tools will come with time.

    By the way, it is a particular implementation of elliptical curve encryption that is known to be untrusted (Dual_EC_DRBG, see: http://www.math.columbia.edu/~woit/wordpress/?p=6243 ), not all implementations. I have seen no documents that demonstrate that the implementation Apple is using (ECDH over Curve25519) has been compromised. There are concerns that the NSA *may* have weakened other security protocols, but that applies to pretty much everything today.

    A.
     
  3. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #3
    In SSL the server and client negotiate the encryption at the start of the connection. The server and client both have a list of encryptions they support, and the first one in the server's list that the client understands is used. This could be a weak one or a strong one, depending mostly on the server config.

    That is very different from the iCloud Keychain encryption where one specific encryption is used, namely Asymmetric Elliptical Key (using P256) which multiple sources say is compromised.
     
  4. Alrescha, Mar 14, 2014
    Last edited: Mar 14, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #4
    Yes, Mr. Gibson says so (on a notoriously anti-Apple talk show), but he hardly counts as "multiple sources". Could you provide one link from those many sources that says specifically that the implementation of AEK/P256 that Apple is using is known to be compromised? The other links you provided do not say this.

    A.
     
  5. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #5
    Hey, if Daniel J. Bernstein et al. don't convince you, I am not even going to try.

    I recommend anyone with any math/crypto skills to make up their own mind.

    Also, read/listen to the podcast to find out if Steve Gibson has any love for iOS.
     
  6. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #6
    I said:

    "Could you provide one link from those many sources that says specifically that the implementation of AEK/P256 that Apple is using is known to be compromised?"

    So that would be a "no" then? Bernstein does have many complaints about the ECDL implementation, but has little to say about the ECDH implementation that Apple is using.

    A.
     
  7. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #7
    No, I cannot. I am not a cryptography expert.
    Try Google.
     
  8. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #8
    Steve Gibson just had a third netcast about iOS security in which iCloud Keychain was discussed further:
    Source text: https://www.grc.com/sn/sn-448.txt
     
  9. satcomer, Mar 28, 2014
    Last edited: Mar 28, 2014

    satcomer macrumors 603

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #9
    If you all want to know about all this No Such Agency's hacking by NIST standards watch this video:



    So ALL encryption has been compromised, not just Apple or SSL.
     
  10. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #10
    Did you even watch it? Did you read the previous discussion in this thread? The guy in the video is describing a particular problem with elliptical curve cryptography, and specifically uses the previously mentioned Dual_EC_DRBG algorithm in his example.

    For you to say that "ALL encryption has been compromised" is unfounded, is uninformed FUD, and is a disservice to people who read your posting.

    A.
     
  11. satcomer macrumors 603

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #11
    Yes, I did watch it. What you didn't see is when the professor said all crypto is based on the NIST standards. So it is all crypto used on the net that could be compromised if they set up their generators using the NIST standards.
     
  12. Alrescha, Mar 29, 2014
    Last edited: Mar 30, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #12
    You are right, I did not see when he said that, because he did not say that. It would be absurd for him to say it. Think about it for a second - all cryptography on the planet is based on a NIST standard? Seriously?

    His entire discussion is talking about elliptic curve cryptography, which is *one* subset of *one* type of all the different kinds of cryptography in the world. See:

    https://en.wikipedia.org/wiki/Elliptic_curve_cryptography

    For other kinds of public-key cryptography, see:

    https://en.wikipedia.org/wiki/Public-key_cryptography#Examples

    Furthermore, the NIST standard he describes is for *one* particular random number generator which is suspected to be intentionally weak, *if* you use the supplied constants. See:

    https://en.wikipedia.org/wiki/Dual_EC_DRBG

    So, IF you use elliptic curve cryptography, and IF you use the Dual EC DRBG random number generator, and IF you use the supplied values for P & Q in the equation, then it is *possible* that the NSA could decrypt your traffic (1).

    The statement "ALL encryption has been compromised" is simply ridiculous.

    A.

    (1) Make no mistake, despite the algorithm being under suspicion since 2007, some companies did exactly this.
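
Added example (not part of the thread, and not code from Apple, NIST or anyone quoted here): a simplified Dual_EC_DRBG over P-256, showing that the weakness described in post #12 comes from a known relationship between the generator's two constants rather than from the curve. The scalar `d`, the seed and all function names are constructed for illustration; the real generator's output truncation and reseeding are omitted.

```python
# NIST P-256 domain parameters (public values from the standard).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a, b = p - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time)."""
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def lift_x(x):
    """A curve point with this x; the square root works because p % 4 == 3."""
    return (x, pow((x**3 + a * x + b) % p, (p + 1) // 4, p))

def outputs(seed, P, Q, count):
    """Simplified Dual_EC_DRBG: s = x(s*P), r = x(s*Q); no truncation."""
    out, s = [], seed
    for _ in range(count):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def predict_next(r, d, Q):
    """With d such that P = d*Q, one observed output r yields the next one."""
    s_next = mul(d, lift_x(r))[0]      # x(d * s*Q) = x(s*P) = next state
    return mul(s_next, Q)[0]

def demo(d=0xC0FFEE, seed=0x5EED):
    """d and seed are constructed. Returns (hit when P = d*Q, hit on unrelated P)."""
    r1, r2 = outputs(seed, mul(d, G), G, 2)          # constants whose d is known
    u1, u2 = outputs(seed, mul(d + 12345, G), G, 2)  # P that d does not relate to
    return predict_next(r1, d, G) == r2, predict_next(u1, d, G) == u2
```

`demo()` returns `(True, False)`: whoever chose `P = d*Q` predicts the next output from a single observed one, while the same `d` is useless against constants it does not relate to, even on the same curve.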
     
  13. satcomer macrumors 603

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #13
    Around the 7:30 mark the cameraman and the professor talk back & forth about the "money shot", about all companies using NIST standards for encryption: all NIST encryption is compromised.
     
  14. Alrescha, Mar 29, 2014
    Last edited: Mar 30, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #14
    They say no such thing.

    At the 7:30 mark, the 'money shot' is an image of the two constants supplied by this *one* NIST document, which applies to this *one* random number generator, when used in this *one* type of cryptography. In addition, the back and forth goes as follows, emphasis mine:

    "IF ALL of these companies used the SAME equation and the SAME numbers provided by the government...".

    That is a pretty big IF, and it is not a statement, it is a question. Not only that, they are still talking about users of this ONE algorithm.

    The sentence finishes:

    "...weren't they all generating the same random numbers?"

    Which is of course a bad thing, but there was no statement about anything else.


    I would like to make something clear here: This professor's talk is great, and in a very short time he explains very simply what is wrong with the Dual EC DRBG random number generator.

    What is completely bogus is *other* people's conclusions that the problems with this one algorithm apply to everything everywhere. It says nothing about other NIST standards, it says nothing about similar encryption using other random number generators, and nothing at all about the many other kinds of encryption in use today.

    Last but not least, back to the title of this thread which is just as bogus as the rest of this discussion, Apple does not even use this random number generator.

    A.
     
  15. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #15
    I'm gonna have to agree with Alrescha here, it is unlikely that all NIST standards are compromised, despite what the people in your video say.

    Most cryptographers say: trust the math. The math is sound.
    The NSA paid RSA to make one bad PRNG default for a reason: that's the one the NSA can crack.
     
  16. jeffkoe macrumors newbie

    Joined:
    Mar 30, 2014
    #16
    You must not have listened to this show, as it is not even close to "anti-Apple." Mr. Gibson said iOS used excellent security protocols with the exception of the Keychain encryption standard of P256.
     
  17. Alrescha, Mar 30, 2014
    Last edited: Apr 4, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #17
    I appreciate very much that you took the time to sign up just to comment. I used the word 'notoriously', referring to reputation. I was not thinking about that episode, or even that show - but rather everything that comes out of that particular studio nowadays. I freely admit that is just my opinion, but one that I apparently share with others.

    I read the transcript. Here is a fine example:
    I believe that we are supposed to read between the lines that this is no accident, i.e. that Apple did it on purpose. I find that pretty 'anti-Apple', no matter what other nice things might have been said previously.

    Which brings us around to where we started: I have found nothing to corroborate Mr. Gibson's claim that P256 is compromised. Its only fault appears to be that it is a NIST standard. I think the distinction is important, especially when the result is that the OP makes threads titled "iCloud Keychain uses compromised encryption".

    People are right to be concerned about other standards created by an organization when one of them has been found questionable. I could believe that someone in Apple, knowing now what we all have learned from Mr. Snowden, wishes they chose a different algorithm. But Mr. Gibson did not just raise a question, he publicly said that Apple used a compromised encryption standard. And my reaction was, and still is, "Citation needed."

    A.

    (unsubscribed from this thread)
     
  18. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #18
    - Whether Steve Gibson is anti-Apple or not is completely irrelevant (it was an ad hominem attack by Alrescha which just deflects from the actual discussion).

    - This thread is not absurd even if some of the things said are proven to be untrue. It is the purpose of discussion to find these errors.

    - Signing is a very important part of a security system because if you don't know who you are talking to you cannot trust the content.

    - It's very easy to say "Citation needed" when all we have to go on is a document released by Apple which is very detailed about a lot of the security features in iOS 7 but very vague on the iCloud Keychain part. Feel free to trust/use iCloud Keychain as much as you want, but I choose not to trust everything by default anymore.
     
  19. dumastudetto macrumors 68020

    Joined:
    Aug 28, 2013
    #19
    I find the transcript you posted extremely troubling and I'm glad you are raising concerns about how impartial Mr. Gibson might be towards Apple. I also think it's pretty insulting to leave open the idea that Apple may have deliberately chosen P256 as a backdoor to security agencies to gain access to our passwords. I don't believe Apple would do this for a second. It would be completely against the corporate culture of the company.

    I am proud to be an Apple consumer because I know Apple is on my side when it comes to protecting my data, my privacy, and my interests against government overreach. Apple is the only company I will trust in this regard, and until they do something to change my opinion I will defend them robustly against such disgusting accusations.

    I no longer listen to twit podcasts because they are all so anti-Apple. Even the main MacBreak Weekly co-host is an Android user now. :eek:
     
  20. Jaap thread starter macrumors member

    Joined:
    Jul 3, 2008
    #20
    I hope you are trolling.

    It is widely known that the NSA can ask their secret court to order a company (say Apple) to do something and then that company is forbidden to disclose any information about it.

    So it certainly is not Apple's fault.
     
