A Formal Analysis of Apple's iMessage PQ3 Protocol [pdf]
161 points by luu 2 months ago | 134 comments
- contact9879 2 months ago
This is a revision of a paper that first appeared as an eprint back in September when PQ3 was announced.
- dang 2 months ago
Related. Others?
iMessage with PQ3 Cryptographic Protocol - https://news.ycombinator.com/item?id=39453660 - Feb 2024 (267 comments)
- modeless 2 months ago
All that security, and then by default Apple literally just sends themselves a copy of your encryption keys to store in iCloud backup, the only cloud backup solution Apple allows you to use. "to help you recover your data" [1] (oh and also to send law enforcement your message history in plaintext on request, but we don't talk about that).
[1] https://support.apple.com/en-us/102651#:~:text=in%20iCloud%2...
- miki123211 2 months ago
Most users demand:
1. That their messages won't be lost when they migrate between devices.
2. That their messages won't be lost when their device is stolen and they set up the new one from nothing but a password.
3. That Apple's password recovery flows work like any other password recovery flows, AKA that forgetting your password is a minor inconvenience, to be overcome at the Apple Store at worst, not a data loss disaster.
4. That they don't have to spend $$$ on some strange device called a "Yoobby Key", which they don't understand and will lose anyway.
There's no way to satisfy those demands and have your desired level of security, hence why iCloud backup encryption is a strictly opt-in feature.
There are tradeoffs to be made here, and Signal made different tradeoffs, which makes it significantly more secure but also significantly more annoying to use for somebody whose main life interest isn't figuring out why tech works the way it does. Apple does the best it can under the constraints they are given.
- modeless 2 months ago
> There's no way to satisfy those demands and have your desired level of security
False. Google has done it with their backups. And Apple already does it too! Keychain passwords, health data, and a lot of other stuff is end-to-end encrypted in backups even when ADP is disabled, with recovery options if you lose your devices, no yubikey required. They simply choose not to apply the same solution to message data.
- tgma 2 months ago
With Google password-based encryption or Keychain, you lose your data if you lost your devices and forget your Google Account password. I suspect that is a use case that is too risky (frequency x impact of data loss) for the Apple customer base that they don't want to risk it.
- fsflover 2 months ago
> There's no way to satisfy those demands and have your desired level of security
Google provides it: https://news.ycombinator.com/item?id=43933626
- jeroenhd 1 month ago
Funnily enough, most users I speak to use WhatsApp and they're mostly concerned about their contacts and pictures. I've rarely heard someone say "this is a disaster!" because part of their WhatsApp messages weren't backed up to the cloud the moment they switched phones.
Truth be told, I don't think most users even care that the company their messenger comes from can read their messages. All of the people I chat to on Telegram seem absolutely fine with it. I begrudgingly accept their chats (I don't want to be that guy that people need to install a special app for to communicate with, as much as I'd like Matrix or XMPP to succeed).
And to be honest, who cares if Apple's backups are encrypted. They can push a software update to undo that encryption any time they want to. The only people you need to protect your backups from are criminals (but that's what your password and 2FA is for) and law enforcement ("but I'm not a criminal! I have nothing to hide!"). You can't use Apple's phone/Facebook's messenger without accepting the risk that Apple/Facebook will undo all the security they claim to have added to their software.
- franga2000 1 month ago
> They can push a software update to undo that encryption any time they want to
Of course this is true, but it's such a reductive view of the broader security picture.
If messages are plaintext, they can be leaked by a hacker, accessed by an insider, not wiped from some drives they throw out for recycling... None of these attack vectors require the provider being evil, so removing them already reduces your exposure by a lot.
Secondly, if you're being targeted by hackers that have already gotten into the messaging provider, looking at some rows in a database is waaay easier and safer than somehow sneaking exfiltration code into the next release build of the app.
Finally, if your main adversary are government agents with a warrant, there is a huge legal difference between forcing the company to ship malicious code (possibly to all users) and simply printing out a few rows in a database. IIRC Apple has already won at least once in US court on this exact point.
- matthewdgreen 2 months ago
Apple has the opportunity to add “extra security” features like disappearing messages, or to treat certain chats the same way they treat your web history (back this chat up, but require my passcode.) For the latter feature one can argue that it’s too advanced for the ordinary Apple user. But disappearing messages are a common security feature in virtually every messaging app, and Apple still won’t deploy those.
I used to think this was because they were intimidated by law enforcement, but they claimed otherwise. The recent UK attempt to backdoor Advanced Data Protection has made me believe them a bit less.
- trollbridge 2 months ago
You can set messages to auto-delete. (I do this so I won’t get into the bad habit of relying on finding ancient messages.)
But it’s all or nothing and has to be applied to the entire account.
- tgma 2 months ago
> Signal made different tradeoffs
To some degree sure, but the real issue with Signal is the app UX royally sucks, not having to do much with security trade-offs per se.
- mmooss 2 months ago
What do you see?
I've seen many non-technical end users use Signal, immediately upon trying it, with no problems. I've never seen someone have a problem.
- ls612 2 months ago
The more charitable interpretation is that for most people losing their photos and messages is a bigger threat than the government spying on them. For those who might have a different tradeoff there is Advanced Data Protection.
- modeless 2 months ago
I'm glad ADP exists now, but you have to make sure everyone you message has it enabled too, or your messages are still Apple's to read whenever they choose. Meanwhile Google's equivalent backup feature (whatever other faults it may have) has been end-to-end encrypted by default for everyone since long before ADP was even available at all. The risk of losing access is practically nonexistent because the password is your screen lock code, the same one you enter on your lock screen literally every day.
Also, is government spying the only reason Apple decrypts messages? We don't know. They don't disclose that they do it for the government, but we know they do from other sources. What other purposes might they not be disclosing?
- ls612 2 months ago
The concern is if you lose your devices with E2EE enabled then you are locked out permanently. Grandma won't know how to use a Yubikey (which is the alternative Apple provides for this eventuality with ADP enabled) and will be out of luck.
- londons_explore 2 months ago
> the password is your screen lock code
You mean the one that by default is a 4 digit number and therefore trivially brute-forceable?
And neither Android hardware nor the Google servers have any kind of secure element enforcing brute force protections like '3 tries then we wipe the keys'.
- xvector 2 months ago
ADP is a total joke if it doesn't also disable plaintext backups for the people you're talking to
- Jtsummers 2 months ago
> ADP is a total joke if it doesn't also disable plaintext backups for the people you're talking to
Do you consider all security to be a joke then? If you send me a message, how will you actually guarantee that I do not make a copy of it once it's on my own computer?
- j16sdiz 2 months ago
https://support.apple.com/en-us/102651
> With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 25 and includes your iCloud Backup,...
> iCloud Backup (including device and Messages backup) (3)
> (3) .... Advanced Data Protection: iCloud Backup and everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key.
- eddyg 2 months ago
More people need to watch Ivan Krstic's Black Hat presentation to understand the efforts Apple goes through to ensure sensitive data (like the User Escrow Keys which get stored in Apple's Cloud Key Vault) is protected from adversarial attacks... even from inside Apple.
https://www.youtube.com/watch?v=BLGFriOKz6U&t=26m50s
(Be sure to watch through the section from 34m to 36m...)
- rasz 2 months ago
> even from inside Apple
sure, reminder 'Apple pays millions to woman after explicit photos posted online'
'Technicians posted the private photos and video from her iPhone after she sent it to Apple for repair, according to legal documents'
https://www.telegraph.co.uk/business/2021/06/06/apple-pays-m...
- dogleash 2 months ago
The problem isn't that the technical challenges aren't addressed. The problem is that no amount of tech can un-do a design that forces in a "just trust me bro" control relationship.
For some people it isn't a concern and that's fine, just so long as we acknowledge that it is a real and legitimate concern for other people, and that's also fine.
- modeless 2 months ago
Rogue insider threats are far from the only thing e2ee protects against.
- isodev 2 months ago
I think the story around privacy and security in general has become diluted in marketing talk. Every single default on both iOS and macOS effectively makes one’s data, well, accessible and not private.
The gap between perception and reality when it comes to Apple as a “privacy champion” has never been so big as it is today.
- 9dev 2 months ago
Most customers do want it this way, but Apple still allows to exchange comfort for privacy, if you want to. I actually think it's a pretty sensible approach to capture both the big segment of people who don't care, and those who do and know which knobs to tweak.
You can still turn everything compromising off and end up with a device secured to paranoid levels. That's definitely more than an empty promise, or what other vendors provide.
- znpy 2 months ago
> Apple still allows to exchange comfort for privacy, if you want to.
Does it really? There is no option to use my own hardware/software for backup storage. I mean what would usually go to iCloud.
That I would really trust.
So to me the answer is no.
- StopDisinfo910 2 months ago
> Most customers do want it this way, but Apple still allows to exchange comfort for privacy […] more than an empty promise, or what other vendors provide.
That’s pretty much exactly what all the other vendors in the market provide: insecure and spying by default.
I don’t really understand why Apple should somehow get good points for their stance on privacy when they are actually doing pretty much the same thing as everyone else.
- iamkonstantin 2 months ago
> Most customers do want it this way, but Apple still allows
I don't believe this is the case. Apple generally prefers to diminish the importance and risks of specific actions unless they have some monetary advantage. e.g. Apple is happy to warn you (multiple times) that an alternative marketplace is "dangerous" and yet iMessage iCloud Backups are just a click away with a friendly "so your messages are available everywhere".
Another example is Photos - Apple has no problem activating features that collect "anonymized" information from my pictures. Yes, there is an opt-out, but having all that on by default is not in the spirit of a privacy-minded operation.
And about the choice - someone already pointed out in other comments, there really is no way to replace iCloud with anything else for backups and app data sync. So the choice is not really a choice.
- conradev 2 months ago
Not if you have "Advanced Data Protection" turned on: https://support.apple.com/en-us/108756
- modeless 2 months ago
Unlike Google's comparable backup encryption feature, ADP is off by default. And ADP protects your messages from Apple only to the extent that everyone you message also turns on this non-default option; otherwise your messages are still Apple's to read as they please with no notification to you.
- commandersaki 2 months ago
To be clear, ADP default on would mean a massive influx in support requests for people that lose their data because they don't have the recovery key.
Same reason FileVault isn't on by default on macs.
- ThePowerOfFuet 2 months ago
Not if you live in the UK.
- joshstrange 2 months ago
I’m not sure how that, specifically, is Apple’s fault. Maybe I’m missing something obvious but I think disabling that in the UK was Apple’s least abhorrent option. They also put down their foot rather firmly on not providing a backdoor.
Maybe people think that was all for show but I’m struggling to think of other examples of massive companies saying that so publicly/firmly. See also, all the times the police/FBI/etc have complained or even tried to force Apple to provide a backdoor.
All that said, I guess a, very legitimate, argument could be made that if Apple provided ways to swap out iCloud for whatever service you wanted then there might be an escape hatch of sorts even if iCloud was compromised/limited.
- charliebwrites 2 months ago
Do we have any guarantee that enabling ADP utilizes a new key that isn’t already in a previous non-ADP back up?
Would be a shame if they claimed they can’t decrypt but an old back up had the keys to the kingdom
- conradev 2 months ago
You're putting a whole lot of trust in them in the first place. But I imagine that they did not do that.
I can't sign into Apple Music on Android because it doesn't support security keys – small price to pay.
- dostick 2 months ago
What about the “Advanced Data Protection” end to end encryption? Or by “sending copy of keys to iCloud” you mean those? It even says that “Apple will not be able to help you recover if you switch to End to end advanced data protection”.
- modeless 2 months ago
ADP is overkill. Apple already end-to-end encrypts keychain passwords, health data, and other stuff even if you don't enable ADP. They need to do the same with iMessage, or otherwise they need to stop falsely advertising iMessage as a strong e2ee system when it literally uploads its encryption keys to Apple by default.
Also, even if you enable ADP Apple can likely still read the vast majority of your messages in other people's default-non-e2ee backups. The bad default is the problem here.
- CharlesW 2 months ago
> ADP is overkill.
"No, not like that." :O) But seriously, you can also just turn off iCloud Backups for Messages. (iCloud > Storage > Messages > Turn Off and Delete from iCloud)
> …otherwise they need to stop falsely advertising iMessage as a strong e2ee system when it literally uploads its encryption keys to Apple by default.
iMessage is E2EE, but iCloud Backup is not, which I understand is a distinction probably not well understood by most HN readers, much less your average consumer.
- int_19h 2 months ago
> the only cloud backup solution Apple allows you to use
Not quite. You can still have automatic local backups set up for iOS and macOS devices to your own NAS. And that NAS can then do cloud backups of whatever is on it in any way you want. It's certainly more effort than the stock iCloud solution, but it's still an option.
- modeless 2 months ago
OK, if you have or buy a $599+ Mac from Apple in addition to your iOS device, and first connect your iOS device with a USB cable, and then enable the optional Wi-Fi sync, and regularly connect the Mac and the iOS device to the same Wi-Fi network while the Mac is not sleeping, and configure an e2ee cloud backup on the Mac to include the iOS backup, then that is actually a way to achieve a third-party e2ee cloud backup. Though it's stretching the definition a bit due to the requirement to have the Mac connected to the same Wi-Fi for the backup to occur, I'd consider a true cloud backup solution to work on any network connection or even cellular.
I'm willing to bet that the number of people who have ever set all of that up as described is in the triple digits worldwide. A rounding error.
- int_19h 1 month ago
I'm pretty sure your estimate is wrong by at least several orders of magnitude. Lots of iPhone users also own MacBooks, for starters, and iPhone will nudge you to set backup when you connect it to any Mac. And of course they are going to be on the same Wi-Fi network most of the time, too, when that person is at home. I'm not sure how sleep plays into it exactly, but MacBooks do wake up on their own to do their backups and things like app updates, so I wouldn't be surprised if an iPhone can actually wake up a sleeping MacBook to back up to it.
So the only case that is relatively unusual is having the Mac back up to a local NAS, but that's only because NAS themselves are a power user thing. Still, turnkey ones like Synology etc are much more common than "triple digits worldwide", and if you have a Mac and a NAS, why wouldn't you set up Time Machine to backup to said NAS?
- ysleepy 2 months ago
How? Genuine question, this is something I really want.
macOS yes, but iOS?
- miki123211 2 months ago
Via USB (or possibly local Wi-Fi) and your computer.
iTunes (or Mac OS's built-in iPhone sync) is the recommended way to do this, although the protocol has been reverse-engineered to hell and back and third-party software exists for it. iMazing is the most notable one, although there are probably others, and you could hack something on top of libimobiledevice if you really wanted to.
Getting those backups from your computer to the NAS is an exercise for the reader.
- snowwrestler 2 months ago
Only if you have “Messages in iCloud” turned on, which is optional.
- tgma 2 months ago
Actually it is the opposite. If you have Messages in iCloud, they do not store messages in "iCloud Backup" but keep it separate with some client-side device-to-device encryption key (UPDATE: which they also store a copy of inside iCloud backup unless ADP is on; thanks to 'modeless). If you enable iCloud Backup and Messages in iCloud is turned off, it will backup all your messages in a way visible to Apple servers. Of course, that is unless you enable Advanced Data Protection (the thing that UK hates).
The fact that this is so unintuitive that I had to explain it and I am only 95% sure I got it right is precisely the problem.
- modeless 2 months ago
Yes but when Messages in iCloud is enabled that "client-side" encryption key is itself included in your iCloud backup (that Apple can read), as disclosed. So Apple can read your messages regardless of whether you enable or disable Messages in iCloud. The only things that prevent it are disabling cloud backups entirely, or enabling ADP. But even those don't really prevent it because unless everyone you message also does the same, Apple can still read your messages.
- snowwrestler 2 months ago
It is extremely simple, actually. Don’t use “Messages in iCloud” and don’t backup your Messages app to iCloud, and Apple cannot see your message content at all. Luckily these are the defaults.
- modeless 2 months ago
This is false. If you turn off the "Messages in iCloud" feature then your messages are included in your regular iCloud backup which Apple has the keys to decrypt, as disclosed.
Of course iCloud backup is itself optional. But Apple gives you and the people you're messaging no other option for cloud backups. ADP actually encrypts your backups, but since it defaults to off your messages are almost certainly still readable by Apple thanks to the keys stored in other peoples' backups.
- fmajid 2 months ago
And of course ADP is off in the U.K., where I live. And iMessage sometimes randomly falls back to unencrypted SMS/MMS even when you ticked the checkbox disallowing this in System Settings.
- snowwrestler 2 months ago
> If you turn off the "Messages in iCloud" feature then your messages are included in your regular iCloud backup which Apple has the keys to decrypt, as disclosed.
No, if you do not use “Messages in iCloud” then your iMessage private key does not leave your device.
- bayindirh 2 months ago
You can remove said keys from your backups and devices, if you want, at least when you're outside UK.
- jwr 2 months ago
You can turn it off.
- Hilift 2 months ago
iOS is a second class operating system platform, with Android not far behind. iMessage has been the subject of multiple device takeover zero days, no user intervention required. "20 zero-days patched by Apple in 2023".
https://www.infosecurity-magazine.com/news/apple-update-extr...
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...
- fsflover 2 months ago
Speak for yourself. Sent from my Librem 5 GNU/Linux smartphone.
- frontfor 2 months ago
Both of us know this is a non-starter for most people, even technically inclined ones.
- methuselah_in 1 month ago
Well, if not, there are hundreds of public servers you can choose from. And encryption is there as well, so the server administrator can't even read your texts, if you are not so tech savvy.
- 9dev 2 months ago
Nice! That way you can chat with yourself at all times! I mean, everyone else will continue using a different messenger, but they don't have anything interesting to say anyway!
- ezst 2 months ago
Not OP, so I don't have to bear the snark, but also, let's not pretend that iMessage is some virtuous and ethical standard worth recommending in general. It's nothing but a tool by the monopolist Apple to execute vendor lock-in and subjugate its users into a closed ecosystem. Of course, that says nothing about the quality of said ecosystem (or that of XMPP, for that matter), only about a well-placed sense of priorities that I find laudable.
- methuselah_in 1 month ago
If you are not dumb enough to let other people or companies suck your data and fix you in their own silos. It's about personal choice.
- methuselah_in 1 month ago
Also, to be precise, I have made 30+ people switch!
- azinman2 2 months ago
What are the issues?
- some_furry 2 months ago
Ah yes, so you can host your own plaintext on your XMPP server and not get end-to-end encryption.
- ezst 2 months ago
For the record, XMPP has OMEMO as its standard E2E/PFS-preserving encryption protocol (based on your usual double-ratchet aka Signal encryption), which is regularly audited for security (and as recently as last month in the case of the Conversations Android client).
XMPP being used by several law enforcement agencies and institutions like NATO, I wouldn't default to making fun of its security.
- some_furry 2 months ago
https://soatok.blog/2024/08/04/against-xmppomemo/
OMEMO is not always-on like Signal, so it doesn't even compare.