On Apple's Cloud Key Vault - and why it *might* actually be secure

-
There is a nice writeup on this at Lawfare.  (TL;DR - holding on to keys in a safe way such that 3rd parties can also access them repeatedly without high potential for catastrophic loss is impossibly hard)
...Apple’s design intentionally solved the problems that come from exceptional access schemes by removing itself from the equation. Rather than providing an exceptional access solution, Apple took the radical step of destroying those keys in order to have an acceptable level of protection. 
[To] turn Apple’s Cloud Key Vault into an exceptional access mechanism....Apple would have to replace the HSM with one that accepts an additional message from Apple or the FBI—or an agency from any of the 100+ countries where Apple sells iPhones—saying “OK, decrypt,” as well as the user’s password. In order to do this securely, these messages would have to be cryptographically signed with a second set of keys, which would then have to be used as often as law enforcement access is required. Any exceptional access scheme made from this system would have to have an additional set of keys to ensure authorized use of the law enforcement access credentials.Managing access by a hundred-plus countries is impractical due to mutual mistrust, so Apple would be stuck with keeping a second signing key (or database of second signing keys) for signing these messages that must be accessed for each and every law enforcement agency. [As a result] Apple [would need] to protect another repeatedly-used, high-value public key infrastructure: an equivalent situation to what has already resulted in the theft of Bitcoin wallets, RealTek’s code signing keys, and Certificate Authority failures, among many other disasters. 
Repeated access of private keys drastically increases their probability of theft, loss, or inappropriate use. Apple’s Cloud Key Vault does not have any Apple-owned private key, and therefore does not indicate that a secure solution to this problem actually exists. 
...Among the nontechnical hurdles would be the requirement, for example, that Apple run a large legal office to confirm that requests for access from the government of Uzbekistan actually involved a device that was located in that country, and that the request was consistent with both US law and Uzbek law.[It's] not that the technical community doesn’t know how to store high-value encryption keys—that’s the whole point of an HSM. Rather, we assert that holding on to keys in a safe way such that any other party (i.e. law enforcement or Apple itself) can also access them repeatedly without high potential for catastrophic loss is impossible with today’s technology.
There is quite a bit to unpack there, and I could go into it, but I'll leave it to the comment's on Schneier's (excellent) blog. Its worth reading it all, but most of it comes down to
  • impossible doesn't mean what you think it means - what is computationally impossible today is not so much in 10 years, and that doesn't even begin to get into quantum cryptography, etc.
  • Apple can potentially update it's custom code on the HSM to do all sort sorts of "fun" things
  • There is no source code, there are no design docs, and there really really is no no sunlight on any of this. We basically have Apple's word on whats going on back there. Do you actually, really trust them?
  • And, of course, all of this presumes that the _other_ weaknesses in the system are not exploitable...


Comments

Post a Comment

Popular posts from this blog

Cannonball Tree!

-
Image
Spotted this one just outside the Ravindra Kalakshetra in Bangalore .  Its called the Cannonball Tree , but is - technically (i.e., in Latin, if thats your metier) - Couroupita Guianensis , or ನಾಗಲಿಂಗ ಪುಷ್ಪಾ  in Kannada. The fruits look like Cannonballs (well, d-uh), and the flowers are really quite amazing, and pretty ludicrously distinctive...
Read more

Erlang, Binaries, and Garbage Collection (Sigh)

-
Image
The nice thing about garbage-collection is that it is makes memory management absolutely transparent to you Of course, the above is true right up to the point when it stops being transparent, at which point it does a phase change from nice to clusterf**k of biblical proportions .  There are entire posts, books, and suicide notes that have been written about this, and I have no great desire to add to them, save with the minor comment that paranoia about garbage-collection is still justified , albeit only in the edge-cases for most people. That said, I'll give you that Erlang GC is in many ways much, much better positioned in this regard than, oh, Java, but it still rears up and bites you in the butt when you least expect it. ( More information about Erlang's GC vis-a-vis Java here , and Jesper's truly excellent description of Erlang's GC here ).  A story from the past should serve to illustrate this. Once upon a time, in a magical land far far away - well, Her
Read more

Visualizing Prime Numbers

-
Image
From Jason Davies , we have El Patron de Los Primos , probably one of the coolest prime number visualizer that I've seen.  For every Natural number, he draws a periodic curve that intersects at that number and each of its multiples.  Needless to say, prime numbers are touched by only two curves (itself and 1 ). You can scroll to the right, and move up the prime food change. (The image above is a screen grab.  Go here to see the actual thing)
Read more