End to end encryption under threat

And yet it's secured well enough that even the FBI has to go to court to get Apple to open it for them?

The security measures Apple put in place prevent you from brute forcing it, which is why 4 digits is fine.

Four digits is not fine: you are now essentially totally relying on a relatively untested brute force protection mechanism to safeguard your data instead of actual encryption. The fact that it is possible for Apple to remove the brute force protection makes it inherently insecure; by introducing trust into the chain of security you eliminate one of the key benefits of encryption, which is that you don't need to trust device vendors. Even if they had a mechanism that was 100% provably secure, it completely relies on trusting Apple: they could comply with the court order, a rogue employee could compromise a device, etc. There are so many examples in cryptanalysis of why using a weak key generation mechanism is always a bad idea regardless of the cipher strength or any other safeguards in place. Creating a false sense of security by allowing 4 digit PINs to be used to secure a device is crazy; it is provably easy to brute force, whereas Apple's mechanism is not provably secure.
 
And yet here we are with the FBI asking Apple to unlock the phone for them and everybody speculating whether or not it can be done, because nobody has actually done it yet...

You mean that no one has published an attack on it, not that no one has broken it yet. Very important difference!

But you are missing the point.
 
Four digits is not fine: you are now essentially totally relying on a relatively untested brute force protection mechanism to safeguard your data instead of actual encryption. The fact that it is possible for Apple to remove the brute force protection makes it inherently insecure; by introducing trust into the chain of security you eliminate one of the key benefits of encryption, which is that you don't need to trust device vendors. Even if they had a mechanism that was 100% provably secure, it completely relies on trusting Apple: they could comply with the court order, a rogue employee could compromise a device, etc. There are so many examples in cryptanalysis of why using a weak key generation mechanism is always a bad idea regardless of the cipher strength or any other safeguards in place. Creating a false sense of security by allowing 4 digit PINs to be used to secure a device is crazy; it is provably easy to brute force, whereas Apple's mechanism is not provably secure.

4 digits though is about the maximum to avoid irritation and not be used.

Like all your credit cards and bank cards use 4 digits, because a 6 digit PIN would **** people off.
 
I tend to agree, but if someone is encrypting something, that to me implies that they are looking for a very high level of security, a context where security has a higher priority over convenience than it would for someone, say, just wanting authentication.

I would wager that users would not expect that their manufacturer could on a whim decrypt their phone. It would be fine if there was a warning that it is cryptographically insecure when the user selects the 4 digit PIN option; any standard encryption program for a computer will typically warn you if you use fewer than 20 characters. But to my knowledge there is no such warning, and as such it creates a false sense of security and, interestingly, is the cause of this whole legal debacle.

Credit/debit cards are quite a different scenario as the potential consequences of having a card stolen are considerably less than having secret information exposed. Added to that is the fact that banks are financially liable for stolen cards. It's more an inconvenience than anything else.
 
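The two arguments in the posts above (that a 4-digit PIN is provably easy to brute force, and that the only thing standing between an attacker and the data is a brute-force gate the vendor controls, with no warning of the kind desktop encryption tools give for short passphrases) can be shown in a few lines. The following is an added example written for this page, not code from the thread or from Apple: the PBKDF2 iteration count, the salt, the wipe threshold of the attempt gate and the 64-bit "weak passcode" warning threshold are all hypothetical values chosen for illustration, and the `AttemptGate` class models a generic throttle, not Apple's implementation.

```python
"""Passcode key space vs. a brute-force gate (added example, not from the thread).

Hypothetical parameters: ITERATIONS is far below what a real device uses so the
example finishes in seconds; SALT and the wipe threshold are made up; nothing
here describes Apple's actual design.
"""
import hashlib
import hmac
import itertools
import math

ITERATIONS = 100                   # hypothetical; real KDFs use far more
SALT = b"constructed-salt"         # constructed for the example, not a device salt
WEAK_THRESHOLD_BITS = 64.0         # hypothetical warning threshold


def passcode_entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random passcode: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def passcode_is_weak(alphabet_size: int, length: int) -> bool:
    """The kind of warning a desktop encryption tool gives for short passphrases."""
    return passcode_entropy_bits(alphabet_size, length) < WEAK_THRESHOLD_BITS


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passcode at a given offline guess rate."""
    return (alphabet_size ** length) / guesses_per_second


def derive_key(passcode: str) -> bytes:
    """Stretch the passcode into a 256-bit key.  Stretching slows each guess but
    cannot add entropy: a 4-digit space is still 10,000 keys."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, ITERATIONS, dklen=32)


def brute_force_numeric(target_key: bytes, length: int):
    """Offline attack: try every numeric passcode of `length` digits against a
    key that was extracted with no gate in front of it.  Returns (pin, attempts)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=length):
        guess = "".join(digits)
        attempts += 1
        if hmac.compare_digest(derive_key(guess), target_key):
            return guess, attempts
    return None, attempts


class AttemptGate:
    """A generic brute-force throttle that sits in front of the cryptography and
    erases the key after `wipe_after` failures.  Whoever controls the gate's
    firmware controls `wipe_after`; the cipher plays no part in that decision."""

    def __init__(self, target_key: bytes, wipe_after: int = 10):
        self._key = target_key
        self.wipe_after = wipe_after
        self.failures = 0
        self.wiped = False

    def try_passcode(self, guess: str) -> bool:
        if self.wiped:
            return False
        if hmac.compare_digest(derive_key(guess), self._key):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wiped = True
            self._key = None        # key material erased; data unrecoverable
        return False


def attack_through_gate(gate: AttemptGate, length: int):
    """Online attack that must go through the gate.  Returns (pin, attempts)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=length):
        guess = "".join(digits)
        attempts += 1
        if gate.try_passcode(guess):
            return guess, attempts
        if gate.wiped:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    for alphabet, length in ((10, 4), (10, 6), (62, 20)):
        bits = passcode_entropy_bits(alphabet, length)
        print(f"{length} chars from {alphabet}: {bits:.1f} bits, weak={passcode_is_weak(alphabet, length)}")
    key = derive_key("7391")                       # constructed victim PIN
    print("offline brute force:", brute_force_numeric(key, 4))
    print("through a 10-strike gate:", attack_through_gate(AttemptGate(key), 4))
    print("gate disabled by its owner:", attack_through_gate(AttemptGate(key, wipe_after=10**9), 4))
```

The offline attack recovers the PIN after 7,392 guesses regardless of the cipher, because the key space is the PIN space. The gated attack is stopped after ten guesses, and raising `wipe_after` (which only the party controlling the gate can do) turns it straight back into the offline attack; that is the trust assumption the first post objects to.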
I tend to agree, but if someone is encrypting something, that to me implies that they are looking for a very high level of security, a context where security has a higher priority over convenience than it would for someone, say, just wanting authentication.

For most people, the PIN code isn't even about encryption; it's just about making the phone secure. Anybody who steals your phone can't then just open it up and start going through your apps / contacts / details etc. I very much doubt your average phone snatcher is going to be bothered to try and crack the encryption, assuming he even knows how.

So it's enough to stop people casually snooping. It's not designed to keep the FBI out of their iPhone. Heck, I suspect 99% of iPhone users don't even realize that this PIN code is used to encrypt the files on the device. I didn't until this story broke.
 
Aside from governments, no one can be arsed cracking a phone.

They just want it wiped for resale.

Let's face it, if you really wanted to get into someone's phone, 10 minutes with them and a wrench will likely get the job done.
 
It is, however, a prime example of how western nations should not set precedents. There would be nothing stopping countries like China insisting on Apple using the tool they developed for the FBI to "crack" phones the Chinese authorities want access to.

Apple routinely provide data to many governments, and release the numbers in yearly transparency reports, like most larger tech companies.
 
So now the FBI have got an outside company to unlock the phone in question without Apple's help and withdrawn the request. Apple aren't happy and want info on how it was done, but due to the case being withdrawn have been told to do one.
You couldn't make this stuff up!!
 
Wow, Apple look pretty stupid now...

San Bernardino iPhone: US ends Apple case after accessing data without assistance

They've gone from using this as a marketing tool to show how secure their iPhones were and saying "we won't work with the FBI on this", to now saying "...is that the FBI? You know how we didn't want to work with you? Well, we meant we did want to work with you, so you can tell us how you cracked our phones."

The FBI I expect will return the middle finger
 
I doubt it's weak; the FBI likely had this company in their sights regardless as a plan B. In fact the phone was probably cracked a while ago.

They clearly have agendas to fill to get their funding approved.
 
So now this "hack" has been created, when will it be released into the wild and criminals get their hands on it?
 