Apple v. FBI: How to Sound Smart about Encryption

Apple v. FBI: How to Sound Smart about Encryption

Apple v. FBI has started a serious debate about the line between security and privacy. The FBI says this is a case about the contents of one specific iPhone 5c. Apple says this is a case about securing data for everyone. I framed both arguments in a previous essay entitled “Apple v. FBI: How to Do Your Part.”

No one seems to want to have a civil, Socratic discussion about what it means to evolve the governance of a digital democracy. Instead, most people want to voice their opinions about terrorism, the law, and Apple. People also want to know if this particular iPhone 5c (or any iPhone) can be hacked, and if offers to hack it from white hat hackers, such as John McAfee, are real.

The Apple v. FBI subject device, an iPhone 5c, can be hacked. This is true because of iOS 8 (the operating system running on the subject device) and the way all iPhone 5c’s were manufactured. Current vintage iPhones (5s, 6, 6s) could not be hacked the same way, so we should not be talking about this particular phone; we should be talking about encryption writ large, and how it is used in our daily lives.

What Is Encryption?

Encryption is the process of using algorithms to encode information with the specific goal of preventing unauthorized parties from accessing it. For digital communication, there are two popular methods of encryption: symmetric key and public key.

  • Symmetric key encryption requires both the sending and receiving parties to have the same key – hence the term “symmetric.”
  • Public key encryption is far more popular because the encryption key is publicly available, but only the receiving party has access to the decryption key.

How Can There Be Such a Thing as a “Public” Encryption Key?

One of the most popular ways to create public encryption keys is to use a mathematical problem known as prime factorization (aka integer factorization). You start with two relatively large prime numbers. (Quick 6th Grade Math Refresher: A prime number is only divisible by 1 and itself.) Let’s call them P1 and P2. When you multiply them, the product is a composite number we’ll call “C.”

(P1 x P2 = C)

C is a very special number with very special properties. It’s called a semiprime number. Semiprime numbers are only divisible by 1, themselves and the two prime factors that made them. This special property enables the number to be used for public key encryption.

You use C for the public key and you keep P1 and P2 as the private key pair. While it is very easy to generate C, if the number is large enough and thoughtfully generated, it can take thousands, millions or even billions or trillions of tries to factor. (There are mathematical strategies to speed up the process, but in practice, prime factoring must be done by trial and error.)

Pretty Good Privacy, the Encryption We Mostly Use

The OpenPGP standard is one of the most popular versions of public key encryption, aka Pretty Good Privacy or PGP. There is a very good chance that your corporate IT department uses some version of PGP to encrypt your files – after all, it’s pretty good.

How good? Using current computer technology, a 2048-bit OpenPGP encrypted file cannot be decrypted. Someday it might be possible with a fully functional quantum computer, but these are still, for all practical purposes, theoretical devices.

Now, you’re going to push back with an argument that goes something like this: “Hey Shelly, you may think that a file encoded with 2048-bit OpenPGP encryption is unbreakable, but you don’t know that for sure. You have no idea what the NSA can or cannot do! How do you know that quantum computers don’t exist? Nothing is impossible!”

Yeah … no. 2048-bit OpenPGP encryption can’t be decrypted without a key because of the way computers work today. In the future, with new hardware and processor and bus speeds that are currently undreamt of, the computation may be able to be done in reasonable time – but not today. Without your private key, the computational time required to break a 2048-bit key in a secure SSL certificate would take over 6.4 quadrillion years.

How Can the “Now Famous” iPhone 5c Be Hacked?

For the iPhone 5c in question, you don’t need to hack the encryption key; you need to “make” the encryption key. It is generated from a combination of the user-created PIN or password and a unique key that Apple embeds in each iPhone 5c when it is manufactured. The FBI is asking Apple to create a new operating system with the ability to disable certain security protocols – specifically to defeat the limit on failed passcode attempts and to remove the delay caused by failed attempts. With this new weaker security protocol and forensic software written to try every possible PIN or password combination, the FBI hopes to regenerate the unique key required to open the phone.

It is important to note that this whole idea is only possible on iPhones older than the 5c running iOS 8 or earlier. iPhones with fingerprint scanners such as the 5s, 6 and 6s use a second processor called “secure enclave.” Even Apple can’t hack an iPhone that includes a secure enclave processor – not without creating a “backdoor.”

This is what Apple is worried about. You should be too. If the government served Apple with a lawful writ or subpoena to deliver the key to an iPhone 6s, it would not be able to comply. This case asks the question, should the government be allowed to compel any company that creates a digital security product to create a “backdoor” and make it available for any reason (lawful or other)?

The important thing about an iOS 9 “backdoor” in Apple’s case is that it could not be guessed or randomly generated; it would have to be an actual file – a metaphorical “skeleton key.” There’s a problem with skeleton keys, even digital ones: they can be copied. Importantly, they can be copied or stolen without the owner’s knowledge. The idea of creating a “skeleton key” defeats the purpose of encrypting it in the first place. If a key exists, it will be copied by both good and bad actors – that’s just a fact of digital life.

So again, I find myself begging you to engage in a civil, Socratic discussion about what kind of future we want to live in. Encryption enables banking (commercial and consumer) and commerce. Without it, our digital lives would be very, very different. How do you want to evolve the governance of our digital democracy? Where is the line between security and privacy? What do we want to ask our lawmakers to do? Hopefully this short story will inspire you to learn more about encryption so you can draw your own conclusions and join this techno-political debate.

About Shelly Palmer

Named one of LinkedIn’s Top 10 Voices in Technology, Shelly Palmer is President & CEO of Palmer Advanced Media, a strategic advisory and business development practice focused at the nexus of technology, media and marketing with a special emphasis on data science and data-driven decision making. He isFox 5 New York's on-air tech and digital media expert and a regular commentator on CNBC and CNN. Follow @shellypalmer or visit shellypalmer.com or subscribe to our daily email https://ow.ly/WsHcb

Dr. Prakash Chandrasekaran, MIET

MBSE Evangelist | Mentor | Design Thinker | Architect

8 年

Kandy Z. I would guess that Apple's iOS source code is still secure. If anyone had a copy, then there should be much better quality knock offs and more exploits in the wild

回复
Robert Odle

Simple Rational Philosopher

8 年

Great article. Thanks so much for putting things in layman's terms. I still say that despite the best of intentions, if anyone, government or otherwise, is given the ability to hack into that many phones that power would be irresistible to people with bad intentions. I imagine someone, somewhere right now is ringing their hands and drooling over the prospect. There is evil in the world today. The last thing we need to do is give it yet another weapon to use against innocent people.

Kandy Z.

Cyber Strategist, Cyber OSINT

8 年

Yes, Prakash Chandrasekaran, but you must have the source code to create a hidden backdoor. This is an issue of the total lack of trust sown by spyboy ed. That was the point of his campaign, which has eroded trust on a global scale. More harm than good. There is no way I would trust China to not build a hidden backdoor, since they have been exposed a multitude of times before doing just that. And, remember, spyboy ed went to China first, then every government agency in the US was hacked.

Dr. Prakash Chandrasekaran, MIET

MBSE Evangelist | Mentor | Design Thinker | Architect

8 年

Kandy Z. letting someone view source code is different from creating signed binaries to circumvent security policies. In the former, it is easy for the other party to spot vulnerabilities. Whereas, in the latter one is creating vulnerable code intentionally!!

要查看或添加评论,请登录

Shelly Palmer的更多文章

  • The Famous “P&G Memo”

    The Famous “P&G Memo”

    Want to be a better strategic thinker? For most businesspeople, the time-tested P&G (Procter & Gamble) Memo is a great…

    7 条评论
  • Uber and Lyft Are Doomed

    Uber and Lyft Are Doomed

    Autonomous vehicles (AVs) are about to dramatically change the world of on-demand car services. Viewed through that…

    29 条评论
  • I Don’t Have Time for the Truth!

    I Don’t Have Time for the Truth!

    I was checking out my Twitter feed the other day and I came upon a tweet from Richard Dawkins. He is one of my favorite…

    2 条评论
  • You’re Worried about Facial Recognition? WTF?

    You’re Worried about Facial Recognition? WTF?

    In a rare show of bipartisan unity this past Wednesday, Republicans and Democrats on the House Oversight Committee…

    2 条评论
  • What is a Radio Brand?

    What is a Radio Brand?

    Cumulus Media confirmed that New York City’s iconic FM radio station 95.5 PLJ will sign off for the last time on…

    1 条评论
  • A “Duty of Care” for Facebook

    A “Duty of Care” for Facebook

    French regulators have recommended requiring a “duty of care” for big social networks, meaning social networks should…

    3 条评论
  • Digital Transformation Is Seriously Misnamed

    Digital Transformation Is Seriously Misnamed

    Our main business is helping big brands, big media, and big tech with their digital transformation journeys. This is an…

    8 条评论
  • An EPCOT for the 5th Industrial Revolution: Showcasing the Possible

    An EPCOT for the 5th Industrial Revolution: Showcasing the Possible

    In 1877 Thomas Edison invented the phonograph. He liked to demonstrate his device by allowing people to speak into the…

    1 条评论
  • Music by AI – A Warning Label Is Now Required

    Music by AI – A Warning Label Is Now Required

    Last week, The Verge asked the question, “AI is capable of making music, but does that make AI an artist?” Wow, is that…

    6 条评论
  • The Next Great Decoupling: AI Takes Control

    The Next Great Decoupling: AI Takes Control

    Last night I binge-watched the latest three episodes of Star Trek Discovery, which set up the season 2 finale – spoiler…

    210 条评论

社区洞察

其他会员也浏览了