Apple's Case Is Not About Cracking Cryptography!

The Apple iPhone has an equivalent encryption key of ... 16.6 bits!

If it was about encryption ... not even Apple would be able to access the data on the iPhone ... and they wouldn't have access to the key. Apple, in this case, has complete control over gaining access to the device, as it is a screen lock protected by a simple PIN code. This also breaches one of the basic laws of cryptography ... if I encrypt for Alice ... only Alice will have the key to read the data. Even Bob, who created the encrypted message, should not be able to read Alice's message.

The iPhone unlock is thus a backdoor, but a one-way back door ... for Apple. If you lose your encryption key for BitLocker ... not even Microsoft will be able to restore your data, as it is a proper encryption key (and stored in the TPM chip).

The weakness of most types of encryption is often in how the encryption key is protected. If the key is unlocked by a PIN number, its effective strength drops from 128 bits to just 20 bits for passwords (for example, one million possible passwords) or to just 16.6 bits for PIN numbers (100,000 possible PINs).

To give some idea of scale, the current limit for cracking keys with supercomputers is 72 bits (by brute force) ... and the difference between 16 bits and 72 bits is a complexity of ... double ... double ... double ... double ... double ... double ... double ... double ... (in fact, 56 doublings in total).

Personally ... I know exactly how law enforcement would crack this security ... and it is not too difficult ... just modify the firmware to change the operation of the code, and that should be a standard method that is well known to those who work in the field. Proper cryptography would not allow this to happen!

Introduction

There has been so much talk about cracking cryptography recently. When it comes to cracking the communication in a tunnel, such as with HTTPS/SSL, we need to look at ways of cracking keys (such as deriving a private key from a public key). On the other hand, when it's a matter of changing a line of code in the operating system, in order to stop it from erasing the data on a device ...

that is not cryptography cracking!

A fundamental point here is that Apple holds the secret to unlocking the phone, as its iOS has the privilege of communicating with the fingerprint reader (and/or PIN code entry system) and then accessing the encryption key stored on the device. Providing a piece of software which can try all the different PIN codes without a reset is not difficult, as there will be a line of code which says something like:

if (wrong_pin_count>10) erase_memory()

If this line can be modified so that there is a special unlocking sequence (such as pressing a few buttons to set a variable), a flag can be set in the phone to identify that it is for law enforcement purposes (or criminal purposes), and the code changed to:

if (wrong_pin_count>10 && law_enforcement==false) erase_memory()

then all of the PIN codes can be tried.

Even a manual entry of PIN codes from 00000 to 99999 doesn't take too long, as, on average, it will take 50,000 attempts for a 5-digit PIN code. So if a human tries each code at a rate of 2 per second, it will take around 7 hours to crack. If it's a 4-digit PIN code, it will take around 41 minutes.

So the issue here is not the security of PIN codes, but the erasing of the device after a certain number of attempts. The only way, then, that PIN codes can be made secure is for failed attempts to lead to a lock-out and, if possible, to a data erase. So investigators (or criminals) don't want to take the risk of trying a few PIN codes. The odds are not in their favour, but compared to cracking encryption keys, it is ...

A billion, billion, billion times easier.

Within the Apple case, we are not talking about cracking the encryption ... we are just cracking a PIN number which provides access to the encryption key. So the chance of getting a 5-digit PIN number right within 10 attempts is approximately:

1 in 10,000

and the chances of cracking a 128-bit encryption is:

1 in 340,000,000,000,000,000,000,000,000,000,000,000

So the security of a PIN number is trivial, as it only provides a basic level of security when it is used with an erase.

If we take one iPhone with 4-digit PIN numbers, and can try 10 guesses, the probability of cracking it will be:

1 in 500

So if we took 500 iPhones, we would be able to get into one of them, on average, purely by generating random PIN numbers ... hardly the security that encryption provides.

So to examine just call records, contact lists, and so on, law enforcement doesn't need to crack the encryption key ... just the PIN number.
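To make the arithmetic above reproducible (key strength in bits, expected brute-force time at a given guess rate, and the odds of a 10-guess attempt against a device that wipes itself after repeated failures), here is an added Python example; it is not part of the original article. The 10-failure wipe threshold and the 2-guesses-per-second rate are taken from the text, the WipingDevice model is an assumption, and the functions accept any PIN length or key space rather than only the 4- and 5-digit cases discussed.

```python
import math
import random

def entropy_bits(space: int) -> float:
    """Equivalent key strength, in bits, of a secret drawn uniformly from `space` values."""
    return math.log2(space)

def expected_attempts(space: int) -> float:
    """Mean number of sequential guesses needed to hit a uniform secret (about half the space)."""
    return (space + 1) / 2

def brute_force_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to guess a PIN if nothing stops the guesser (the article's human at 2/s)."""
    return expected_attempts(space) / guesses_per_second

def p_success(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct tries hit the secret before a wipe-on-failure policy fires."""
    return min(guesses, space) / space

class WipingDevice:
    """Assumed model of the article's policy: erase data once MAX_FAILURES wrong PINs are entered."""
    MAX_FAILURES = 10  # assumption: the erase threshold the article quotes
    def __init__(self, pin: str):
        self._pin = pin
        self.failures = 0
        self.erased = False
    def try_pin(self, guess: str) -> str:
        if self.erased:
            return "erased"  # data is gone; even the right PIN no longer helps
        if guess == self._pin:
            return "unlocked"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.erased = True
            return "erased"
        return "wrong"

def simulate(devices: int, digits: int, guesses: int = 10, seed: int = 1) -> int:
    """Constructed experiment: random-PIN devices, each hit with `guesses` distinct random PINs."""
    rng = random.Random(seed)
    space = 10 ** digits
    unlocked = 0
    for _ in range(devices):
        dev = WipingDevice(f"{rng.randrange(space):0{digits}d}")
        for pin in rng.sample(range(space), guesses):
            if dev.try_pin(f"{pin:0{digits}d}") == "unlocked":
                unlocked += 1
                break
    return unlocked
```

Note that p_success(10_000, 10) evaluates to 10/10,000, i.e. 1 in 1,000, so the 4-digit figure quoted above should be read as an order of magnitude.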

Conclusions

The case of cracking the iPhone is not about cracking the encryption of the data storage, as the operating system can get access to the key, and the key is basically just protected by a simple pass code. Get the pass code correct, and you gain access to the key. There's no cracking of encryption keys involved. The security that encryption gives is reduced to almost zero by protecting the key with a PIN number. Why even use 128-bit encryption keys for encrypting the data on the disk, when the key's entropy is only (log2(100,000)):

16.6 bits

Jonathan S. Weissman

Professor (RIT, FLCC, Syracuse University, edX), Course Developer, Author, Technical Editor, Industry Consultant, TV News/Talk Radio Guest Expert | 11 Teaching Awards | 47 Industry Certifications | @CSCPROF: X, Instagram

9 years

iOS introduces a delay after every incorrect PIN entry, so your timeframes are off.

Claus Giebert

Strive to improve the world by your doing

9 years

Good article: I'm surprised that they include a secure element but seem not to use the PIN and fingerprint to protect the keys. While in this case they might even have the "finger".

Jon Binnie

Spiritual & Psychic Mentor, Clinical Reflexologist & Mindful Meditation Teacher

9 years

Nice post Bill. When you read this, you understand why Apple are so nervous about supposedly cracking the "uncrackable".

Manjunath Mahashetti

Digital Identity & adv. Cryptography - PHE & FHE(MS SEAL), AGI - RAG, Vector Database, Knowledge Graph, Langchain, Langgraph and Agent Frameworks, Advanced Python, OpenCV, Spring-Boot Microservices Enterprise Application

9 years

Reading through this article suggests @vassilios K seems right. Issues are more commercial than technical!

Basil MANOUSSOS, BSc,MSc,MBCS, ACSFS

BCS Influence Board | Forensic Scientist | Cyber Awareness Evangelist | Expert Witness (Digital Evidence) | Doctoral Candidate |Visiting Lecturer, Sheffield Hallam Uni |

9 years

Very interesting Bill as always! The assumption when it comes to Apple though is that they do not have a back door. If they admitted to the US Government that they had one, then all hell would break loose and nobody would trust their iPhones! From the corporate perspective, if Apple has a backdoor key, they will have to keep it to themselves.

More articles by Prof Bill Buchanan OBE FRSE
