Naked Science Forum

Non Life Sciences => Geek Speak => Topic started by: cheryl j on 18/02/2016 06:43:50

Title: What is the FBI asking Apple to do?
Post by: cheryl j on 18/02/2016 06:43:50
I've read several articles about the controversy surrounding the FBI, Apple, and the locked iPhone of the San Bernardino shooters. It's not clear in these articles exactly what the FBI is asking Apple to do, or even if the tool or method currently exists that would actually allow them to open or decrypt the phone. Some articles suggest they can, but if they make an exception, countless other requests will inevitably follow. Other articles suggest that "it just doesn't work like that." Can someone clarify all this?
Title: Re: What is the FBI asking Apple to do?
Post by: RD on 18/02/2016 08:13:57
The Apple phone has a sort of self-destruct: it will scramble the data stored after 10 password attempts have failed. If someone (Apple?) could make back-up copies of the [encrypted] contents of the phone, then the FBI could try to crack* the copies (if the copy on a virtual (https://en.wikipedia.org/wiki/Emulator) phone self-destructed, that's not a problem: just use another copy).

If the phone-owner used a long gibberish pass-phrase then it will be uncrackable, even with the computing-power available to the FBI.

* https://en.wikipedia.org/wiki/Category:Password_cracking_software
 
Title: Re: What is the FBI asking Apple to do?
Post by: evan_au on 18/02/2016 11:23:08
Quote from: cheryl j
It's not clear in these articles exactly what the FBI is asking Apple to do
Every nation has some process for allowing security agencies to tap into private data. And there are legal compulsions for companies to cooperate if due process has been followed by the courts.
 
It appears that the blanket terminology of the "All Writs Act" of 1789 (http://en.wikipedia.org/wiki/All_Writs_Act) has previously been used to force smartphone manufacturers to assist security agencies to unlock phones, and read the content of the phone.

In this case, the court wants Apple to create a special version of the phone's software that will enable an unlimited number of attempts at entering the password, and to allow the passwords to be entered electronically, rather than using the touchscreen.

Normally the phone will erase the memory after 10 failed attempts. Electronic entry of passwords would allow unlimited, rapid guesses.

Quote
It's not clear .. if the tool or method currently exists that would actually allow them to open or decrypt the phone
Apple claims (http://www.apple.com/customer-letter/) that they have fully cooperated with security agencies and legal process (i.e. to tell them how the encryption works, and how to crack it).

Reading between the lines...

What the security agencies would really like is some software that they can download on any phone, and read the memory contents - even when the phone is in your pocket. Tearing the phone apart might make the owner a bit suspicious. (...and what lawyer would look at the disassembled and mangled phone, and not be suspicious that someone had been tampering with the evidence?).

Apple says that they wish to protect the privacy of their customers, so they don't want to create this "Trojan Horse (http://en.wikipedia.org/wiki/Trojan_horse_(computing))" software. Once it has been created, that horse has (figuratively) bolted. No doubt they would be forced to produce similarly "hacked" versions of all future software.

And it's not just for the FBI; every security agency in every country will want that "Trojan horse" version of the software so they can hack into Apple phones owned by citizens of other countries. It is a small step from there for governments to ban their employees from using Apple phones - and perhaps completely ban Apple products from import and sale in their country.

Apple argues that there are laws already covering this area of national security, and changes to the existing laws should be debated and enacted by the government, and not invented on the spot by a judge.
Title: Re: What is the FBI asking Apple to do?
Post by: evan_au on 19/02/2016 08:22:49
I heard another aspect today...
Apparently Apple uses public-key cryptography to validate software before the phone will run the software.

Apple's public key is hard-coded in the phone. Apple signs tested and approved software with its private key, and the phone can validate that the software is approved software using Apple's public key.

If someone modifies the software, the signature won't match (with a very high confidence), and the software won't run.

Apple needs to keep its private key absolutely secret, otherwise criminals will be able to modify software, load it on your phone, and steal your data. If Apple gives the private key to every security agency that demands it, they will all be able to run any software they please on any phone in the world they want to target.

I can see why Apple does not want to give away the keys to unlock their phones.
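An added example, not part of the original post: the signed-software check described above, sketched with a toy textbook-RSA key. The key sizes, function names and sample firmware strings are constructed for illustration and are not Apple's actual scheme.

```python
import hashlib

def make_key(p, q, e=65537):
    """Build a toy RSA key pair from two primes (no padding, illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)               # (public key, private key)

# Known Mersenne primes keep the example self-contained; far too small for real use.
VENDOR_PUB, VENDOR_PRIV = make_key(2**127 - 1, 2**89 - 1)   # vendor's signing key
OTHER_PUB, OTHER_PRIV = make_key(2**107 - 1, 2**61 - 1)     # any other party's key

def digest(image, n):
    """Hash the firmware image and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, priv):
    """Sign the image digest with a private key."""
    n, d = priv
    return pow(digest(image, n), d, n)

def phone_will_boot(image, signature, pub=VENDOR_PUB):
    """The phone's check: only the hard-coded public key is consulted."""
    n, e = pub
    return 0 <= signature < n and pow(signature, e, n) == digest(image, n)

# Constructed sample firmware images (hypothetical contents).
APPROVED = b"firmware v1: wipe_after_failed_attempts=10"
MODIFIED = b"firmware v1: wipe_after_failed_attempts=0"

if __name__ == "__main__":
    good_sig = sign(APPROVED, VENDOR_PRIV)
    print("approved image, vendor signature:", phone_will_boot(APPROVED, good_sig))
    print("modified image, old signature:   ", phone_will_boot(MODIFIED, good_sig))
    print("modified image, other signer:    ",
          phone_will_boot(MODIFIED, sign(MODIFIED, OTHER_PRIV)))
    print("modified image, vendor signature:",
          phone_will_boot(MODIFIED, sign(MODIFIED, VENDOR_PRIV)))
```

The last case is the one the post is about: the phone cannot tell an approved build from a modified one if both carry a signature made with the vendor's private key.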
Title: Re: What is the FBI asking Apple to do?
Post by: alancalverd on 19/02/2016 11:54:17
And another aspect: if Apple produce a universal key, it inevitably will leak out of the FBI and into the hands of every fraudster who wants access to your bank account. Unlikely? Well, the reward is effectively infinite, and people take bigger risks for less.

And another: if FBI, why not GCHQ, KGB, or the honourable government of Nigeria? If the FBI caught an ISIS member, should they hand the key to the Assad government? Shared intelligence is not always in the interests of the population.
Title: Re: What is the FBI asking Apple to do?
Post by: the5thforce on 19/02/2016 19:52:21
Considering without encryption someone would be able to track your exact location and kill you, or track your family members and harm them, or threaten ransom, blackmail you, there's endless potential for mayhem, and we will only become more reliant on technology going forward. What happens when we all start relying on life-extending technology to sustain us? Or even just accessing a private message you sent about a lethal allergy you have (be pretty easy to poison you). Encryption is the only security.

the government wants to solve one problem by creating a thousand new problems, as usual
Title: Re: What is the FBI asking Apple to do?
Post by: cheryl j on 22/02/2016 02:00:28
Thanks, folks. Best explanation I've read anywhere.
Title: Re: What is the FBI asking Apple to do?
Post by: cheryl j on 22/02/2016 02:17:53
I just saw that John McAfee says he can decrypt the phone using "social engineering" and it will take 3 weeks and there will be no need for Apple to create a back door. What does he mean?
Title: Re: What is the FBI asking Apple to do?
Post by: RD on 22/02/2016 05:52:21
... Apple to create a back door ...

The "back door" would have to be in existence [on the phone] before the data was encrypted. If one doesn't already exist, creating a "back door" now would only make future phones vulnerable.


... What does [John McAfee] mean?

Depending on how much "bath salts" he's used, even he may not know what he's saying [:D] ...
Title: Re: What is the FBI asking Apple to do?
Post by: chris on 22/02/2016 09:28:05
This leaves the security agencies with the tricky task of carefully grinding the lid and top-level circuitry off the encryption chip, and using an atomic force microscope or similar to read the contents of the memory cells containing the encryption key.

Wow - you can do this?
Title: Re: What is the FBI asking Apple to do?
Post by: evan_au on 22/02/2016 20:42:50
Quote from: evan_au
carefully grinding the lid and top-level circuitry off the encryption chip
This has been a standard practice for doing fault analysis of commercial chip failures in the factory and field. I have seen several reports produced in this way.

It is very delicate work, and expensive, but sometimes there is no other way to analyze faults and improve the design.

Many years ago, there were fears that companies would offer a more extensive service of grinding off progressive layers of circuitry, taking images of each layer, and turning them into "masks" that could be used to clone commercial chips. I imagine that this has become more difficult as the size of chip features dropped below the wavelength of light into the realm of the electron microscope.

But it's a very real threat - in 2001 when a US spy plane was forced to land in China, the first thing they did was to smash all their top-secret chips, and dump them overboard.

There has even been recent discussion of building pyrotechnics into commercial security chips - at the first sign of tampering, a pulse of electricity would trigger an explosion inside the chip, melting the circuitry into a puddle. 

See "Intelligence loss" at: https://www.fas.org/sgp/crs/row/RL30946.pdf
Title: Re: What is the FBI asking Apple to do?
Post by: RD on 22/02/2016 23:43:47
If the string of characters used as a password is random, with no resemblance to words in any dictionary (unlike what I've done here), then 14 characters is plenty to make cracking by brute force (https://en.wikipedia.org/wiki/Brute-force_attack) unfeasibly time-consuming if you include upper & lower case, number, and symbol ...

https://www.grc.com/haystack.htm
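An added example, not part of the original post: a passcode-strength estimate that puts the 10-attempt wipe and the 14-character claim from this thread side by side. It assumes uniformly random passcodes and an assumed 0.08 s per guess (not a figure from the thread); the sample passcodes are constructed.

```python
import string

WIPE_AFTER = 10           # failed attempts before the data is scrambled (from the thread)
SECONDS_PER_GUESS = 0.08  # assumed cost of one guess; not a figure from the thread

# Character classes: digits, lower case, upper case, symbols (including space).
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " ")

def alphabet_size(passcode):
    """Add up the size of every character class the passcode draws from."""
    if not passcode:
        raise ValueError("empty passcode")
    if any(not any(c in cls for cls in CLASSES) for c in passcode):
        raise ValueError("character outside the printable ASCII classes")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in passcode))

def search_space(passcode):
    """Number of candidates of length 1..len(passcode) over that alphabet."""
    a = alphabet_size(passcode)
    return sum(a ** k for k in range(1, len(passcode) + 1))

def years_to_exhaust(passcode, seconds_per_guess=SECONDS_PER_GUESS):
    """Worst-case time to try every candidate when guesses are unlimited."""
    return search_space(passcode) * seconds_per_guess / (365.25 * 24 * 3600)

def chance_before_wipe(passcode, attempts=WIPE_AFTER):
    """Chance that random guesses of the right length hit before the wipe."""
    return min(1.0, attempts / alphabet_size(passcode) ** len(passcode))

if __name__ == "__main__":
    # Constructed sample passcodes, not taken from the thread.
    for pc in ("1234", "493027", "kT7#qZ2!mV9@xR"):
        print(f"{len(pc):2d} chars, alphabet {alphabet_size(pc):2d}: "
              f"{chance_before_wipe(pc):.1e} chance in {WIPE_AFTER} tries, "
              f"{years_to_exhaust(pc):.1e} years unlimited")
```

A short numeric PIN is protected almost entirely by the attempt limit, while a long random passcode stays out of reach even with unlimited guesses.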
Title: Re: What is the FBI asking Apple to do?
Post by: chris on 24/02/2016 21:43:48
This image is the analysis of one of my server passwords. I should be okay...
Title: Re: What is the FBI asking Apple to do?
Post by: syhprum on 30/03/2016 00:26:03
I would be interested to know whether the FBI have actually generated a password and accessed data in the phone or simply found a way to bypass the self destruct system.
For a brute force password generation to work you need a way to input trial passwords rapidly; you cannot do it by pressing buttons!
Title: Re: What is the FBI asking Apple to do?
Post by: RD on 30/03/2016 12:11:36
Quote from: theguardian.com
“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc,” the government said.
http://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone

"accessed the data" doesn't necessarily mean being able to decrypt it.
Title: Re: What is the FBI asking Apple to do?
Post by: evan_au on 10/04/2016 11:57:14
Here are some educated guesses about how the FBI may have achieved it...
http://spectrum.ieee.org/tech-talk/telecom/security/5-ways-experts-think-the-fbi-might-have-hacked-the-san-bernardino-iphone
Title: Re: What is the FBI asking Apple to do?
Post by: evan_au on 15/07/2016 01:22:04
An interesting article, suggesting that the FBI should encourage better encryption, not try to poke holes in it:
http://spectrum.ieee.org/tech-talk/telecom/security/expert-to-fbi-please-join-the-21st-century-we-could-use-the-help