Thanks to Swordmaker for the ping!!
Posted on 11/03/2015 11:58:52 AM PST by Swordmaker
Your claim that no encryption is unbreakable is in practice false.
The fact is if it takes more time to break the encryption than the utility of the encrypted data's value, it is, for all practical purposes, unbreakable. . . or if there is just not enough time left before the universe dies a heat death to break the encryption, which with our current technology is the case.
The current state of the art is that 256 bit AES encryption can only be broken by brute force, trying every possible key until you find the right one that will decrypt the data. Most of our financial industry uses 128 bit AES encryption which they think is sufficient for their purposes in handling Trillions of dollars of transactions securely. . . as does many of our governmental agencies. So far, the Financial industry has been correct. I won't judge the security of our government. They are rapidly moving to 256 bit AES.
Apple, for example uses a key that takes the user's passcode of whatever length (it can be anything from four numbers to a complex passcode of up to 256 characters made up of the 223 alphanumeric and symbols accessible through the keyboard) and entangles it with the 128 characters of a Universal Unique ID imbedded in the device to create the key used to make the encryption.
For example, if the user elects to use a 16 character complex passcode using upper and lower case letters mixed with numbers and symbols, that passcode would be then entangled with the 128 character UUID of the device to construct a 144 character key. The number of possible keys is 144223.
Calculating from that, it turns out that if we were to use the fastest supercomputer in the world technologically available to us, which could try and compare 100,000 keys per second to see if each key resulted in anything sensible in the data, and if it did not, then going on to the next potential key (this is at a rate of 3 TRILLION possible keys per year), it would take 5.62 undecillion (5.62 X 10195 years before all possible keys could be tested.
The half-life of a proton is estimated to be only 1030 years and by 1078 or 1080 years, all matter in the Universe would have devolved to a soup of sub-atomic particles. . . long before that supercomputer, if it still existed, was even half-way done trying keys.
If you made that supercomputer even a TRILLION times faster, it would merely knock off only 12 zeros off the number of years it would take to try all the number of keys, making it take only 5.62 X 10183 years. . . before all keys had been tried.
It is pretty obvious that any information held by such an encryption would be moot long before it could be broken.
This is what has these governments' panties in such a wad. . . they cannot possibly break the encryption.
The only way they can get in is to get the owner of the device to give them the passcode. . . and if that owner refuses, to torture it out of him.
Quantum computers are going to be merely a lot faster. . . that does not give them magical abilities to suddenly break the laws of large numbers. . . or to magically break encryptions that would take large numbers of years to try every possible key looking for sensibility in the data. Even were a Quantum Computer a trillion times faster than the fastest supercomputer available today, it would shorten the time by only 12 zeros off a very large number. . . and for us, it would make no difference in the already astronomical time frames. Unless you put a trillion parallel such computers working on sections of the possible keys, which would probably not be worth the investment, you'd not be able to shorten the time to find the right key. . . and even then, it'd probably still be years before the right key would be found, at a tremendous cost.
By passcode, does this include the basic entry to unlock the phone? Or is this hypothetical 16 digit passcode somewhere deeper in the system, or inside some encryption app that then applies to email, etc?
sounds like Apple isn’t going to be able to sell iPhones in the previously free and Great Britain.
Even if the Brits passed this law, couldn’t someone simply write an app that installs similar encryption? Apple couldn’t be responsible for that.
The passcode is either the four digit number, which will be entangled with the UUID, or now, with iOS 9 which defaults to a six digit passcode, or the user can opt to use a complex alphanumeric/symbolic passcode which can access 223 characters from the keyboard, all of which will be entangled with the UUID. None of which is kept on the device.
If the user opts for just the four digit numeric passcode, the key would be constructed from that number plus the 128 character UUID, making a 132 character key. That is STILL a very difficult key to break. The number of possible keys is 132223. . . a number far larger than a Googol.
Of course, it is much easier for someone to watch the user unlock his device and observe his passcode and note which four digits he uses than to observe and note which sixteen characters he may be using, if he opts for a more complex passcode. Once a crook or cop knows the passcode, there is nothing to stop them from getting in.
The passcode, the key, etc. are converted to a one-way HASH which is stored in the Secure Enclave portion of the Processor. Each time the user enters the passcode, the one-way HASH is recalculated and then compared with what is stored in the Secure Enclave. If it matches, the device is unlocked. The user is allowed five attempts to input the passcode. . . if those five attempts fail, the device is locked and will require use of the owner's AppleID and an unlock signal to be sent from Apple to re-activate the device. The user can also opt to have the device erased completely after a set number of attempts. The user can also remotely erase the device if it is stolen or out of his control.
It the device is openable by the TouchID sensor, the pattern is also kept as a one-way HASH in the Secure Enclave. Incidentally, the TouchID sensor doesn't use the fingerprint, it uses the ridges and the valleys of the fat pads under the epidermis of the finger. No photo or pattern of fingerprints is kept on the device. If the device is not opened for 48 hours, or the device has been turned off, the passcode must be used. Again, if a number of failed attempts is tried, then an AppleID is required to access. . . or the device can be erased.
That's exactly what it means. . .
Not the same thing at all. . . Apple provides encryption for the device and to and from iCloud, assuring privacy at all levels. An App cannot do that. . . and since Apple curates the App Store, they'd be held responsible for allowing it on the App Store. Damned if the do, damned if they don't.
Thanks to Swordmaker for the ping!!
Possibly. How do you trust the authors though? Also, you'd need really good passwords to keep them from being able to brute-force it. If it was an Android, I'd say you could keep your PGP/GPG keys on an SD card, but you can't do that with Apple phones. (one of the few beefs I have with them.)
Ok, I haven’t been an apple fan,,,, but that’s freakin’ impressive.
People who want them will still get them. Buy online from Apple or some other merchant, or go phone shopping on the Continent.
My passcode includes the sound of a .45 unloading in the face of anyone asking me for my passcode.
Pricks. If they force the manufacturers to do this, everyone should just start encrypting the comms along the way.
Which is why Apple should stand firm. If Britons are no longer permitted by law to purchase the latest iPhone, perhaps they will elect politicians who will change the law.
It is still a free country.
In practice there is. How do you know when you’ve successfully broken the encryption? When the cleartext makes sense? But...for a full size key that isn’t reused, there should be a key that produces a given ciphertext from any arbitrary cleartext of the same length. Thus, how do you know that your “readable” cleartext is the right readable cleartext?
And indulge me one more question. How does this affect or not effect data stored in the cloud? If you are backing up to the cloud, if they cannot open your phone, cant they essentially get that data from the provider?
Or does the encryption reach that deep?
Either I'm on crack, or they came up with some new permutation math, or that's supposed to be 223^144. ;)
True, given enough time and computing resources, you could eventually crack any encryption. But most data justifying encryption is time sensitive, and if it is going to take a couple of hundred years, the data is probably not going to be very helpful once it is finally accessed...
But knowing the UUID, for a person known to have a four-character passcode, couldn't they just brute force the 223^4 possible combinations of that with the UUID, hash, and find the one that matches? 223^4 is 2.47x10^6, so that's still a lot, but not past the death of the universe or anything.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.