Skip to main content
banner image
venafi logo

Fans Geek Over Leaked iOS 14 Secrets. And That’s Without Backdoors. [Encryption Digest 33]

Fans Geek Over Leaked iOS 14 Secrets. And That’s Without Backdoors. [Encryption Digest 33]

leaked iOS secrets
March 20, 2020 | Katrina Dobieski


We interrupt this broadcast to bring you something that might distract you from the ongoing developments of the coronavirus crisis. At least for a minute. While COVID-19 threatens to break down respiratory health at a cellular level, it is almost the biological play-out of what happens when code (be it cryptographic, DNA or otherwise) gets hacked, manipulated, breached. Fundamentally, a virus works the same way across “platforms” and attacks good health, or strong code. In our case, cryptographic code. Try not to draw any parallels as we explore what’s good, bad and tricky about keeping our encrypted assets secure. And how, exactly, we do it. Whether it’s crypto or corona, please take care of yourselves and stay safe.

 

 

 

The Story Behind the Diffie-Hellman Key Exchange. Meet Whit.



Whit Diffie, co-inventor of the Diffie-Hellman Key Exchange
 

Meet Whit Diffie, the bookish, brainy "average-achiever" who landed a spot at MIT and solved the encryption enigma.
 

“Shouldn’t we be encrypting this stuff?”
 

This was essentially the question Bailey Whitfield Diffie asked mentor Marvin Minsky at MIT’s Artificial Intelligence lab in 1966. He was there for work with the Mitre Corporation after attending MIT as an undergrad. Prior to MIT, his performance in school had been lackluster, only obtaining admission by some astronomical test scores.
 

Not receiving the answer he wanted (“the NSA is working on that, but it’s for government only”) he eventually moved west and landed at John McCarthy’s Stanford AI School, where he met Martin Hellman, an assistant professor of electrical engineering, former MIT associate, and fellow crypto-head. “It was a meeting of the minds,” Hellman later said.
 

Together, the two puzzled over the practical workings of a commoditized encryption reality, until they got a lead from IBM. A posting from the National Bureau of Standards (NBS) highlighted work between the tech company and the US government which proposed a new encryption algorithm (previously the main purview of government agencies). It was the Data Encryption Standard, or DES. While feeling there was something “left out” of the document, the two researchers nevertheless pored over its contents and used it as a litmus test against their own evolving theories.
 

Then, at an informal crypto seminar hosted by Hellman and Diffie, Berkley computer scientist Peter Blatman mentioned a problem being worked on by a colleague; the issue of two strangers—who could not have exchanged secret keys prior—communicating securely on an encrypted network. This got to the heart of the unsolvable question Diffie had been trying to answer.


Until then, all Diffie had found were one-way solutions, passwords or trapdoors with no way of authenticating the return. At best, there were symmetric key pairs, in which the same key that encrypted also decrypted the message, making distribution a shaky business as it exponentiated the risk of discovery.
 

What if, Diffie thought, we did the unthinkable and made one of the keys public (unheard of) and then made the other key different. Asymmetrical. One could provide the lock, the message would contain a trap door, and only the person holding the other non-matching mate could unlock it.
 

With that, cryptography as we know it was born and Alice and Bob explain the rest. We’ll do a little demo rehashing here just for nostalgia:
 

Alice wants to talk to Bob. She finds his public key—could be in an address book for all we care, it’s public—and scrambles the message. It’s a one-way mathematic formula. You can’t unscramble it unless you have several lifetimes to compute, or Bob’s private key. Which you don’t. Bob is the sole possessor of his private key, which allows him to read his mail, and open (unscramble) the encrypted message from Alice. If anyone intercepts the message in transit, tough luck. This isn’t symmetric encryption where the initial key is all you need to encrypt or decrypt. Alice’s public key is no use. Alice encrypts the message with a public key, Bob checks his mail with the private key, and Walt Diffie and Martin Hellman namesake perhaps the most widely used encryption protocol of the 20th century.
 

Now you know.
 

Related posts

SHAKEN and STIR – FCC Demands Accountability on Robocalls


Ajit Pai, Chairman of the Federal Communications Commission
 

It's guaranteed that when Whit Diffie and Martin Hellman came up with public key cryptography they had loftier goals than this, but we have to thank them for getting this nuisance off our backs.
 

On March 31, the FCC will vote on a measure that will require all phone carriers to implement the SHAKEN/STIR protocols to ferret out robocallers operating under false pretenses. The FCC presented this as a voluntary measure a year ago, with predictably limited buy in (kudos to Spring and TDS for leading the charge).
 

Now, nobody's asking.
 

Show Yourself

Drummed up last year, the SHAKEN/STIR protocols would prevent robocallers from hiding their identity in a swiped real number. Flagged callers could get outed with a warning or blocked, depending on the carrier.
 

Thanks to Diffie and Hellman (see above), digital certificates and public-key exchange will be used to authenticate caller and number. Once verified, receivers (us, with the caller ID) will receive a notification if the number is suspect.
 



We All Have to Play

For this to work, all carriers have to participate. Since public-key cryptography requires sender and receiver to authenticate, both the network receiving and the one sending the call must have the protocols implemented. The patchwork adoption seen over the course of 2019 wasn’t cutting it, and now, Congress is stepping in.
 

The TRACED Act, inked in December of last year, outlines the government’s requirement on the FCC for ensuring this transparency.
 

Soon, we’ll have the gratification of knowing just whose number we are blocking, and better yet—of not getting a host of solicitous calls to begin with.
 

The solution doesn’t translate well to overseas callers (prime offenders?) but with the mandate up for a vote, we can at least hope to cancel out some domestic noise for now.
 

Unless you want to enter your survey responses for a chance to win a timeshare.
 

Related posts


 

Fans Geek over Leaked iOS 14 Secrets. And That’s Without Backdoors.

It looks like some prime deets for the upcoming iOS 14 June release were somehow leaked and can now be found for consumer perusal on fan-based Apple advisory boards. How nice.
 

However, this shows more than a demand from overnight Apple Store campers (all Apple stores are currently closed for COVID-19).
 

The perspicuity with which the inner workings of the OS are scrutinized only gives us a glimpse into what information would be more readily accessible to bad actors should lawful-access backdoors be implemented.
 

“Embedded in this is the unspoken idea that the world is divided neatly into goodies and baddies, that only people wearing white hats will use this backdoor,” reads an article from Apple Insider.
 

The Impossible Dream

At this point, either there is fundamental misunderstanding or avarice at play, but the issue has been rehearsed by cryptographers (and plenty of thoughtful cybersecurity experts) that a selective backdoor just isn’t possible. If Bob’s key is weak, it’ll be weak for the criminal who steals it, too. It doesn’t magically transform (and change math) on transfer. They're mathematicians, not magicians.
 

So, rather than letting the landscape be equally porous for everyone, a lot of experts, like the DoD, advise that it be equally safe.
 



Special departments of the US government already have allocated forces for cracking the cryptography of iPhones, Androids and encrypted apps, like those that came out in the autopsy of the FBI handling of Apple in the 2015 San Bernardino shooting case. Making a doable job even easier would now make an impossible one doable for the bad guys.

If fans’ rabid enthusiasm is any indication, the secrets of iOS 14 (or any OS) are a payload valued for all the right (and wrong) reasons.

Let’s not make it any easier.



 

 

Related posts

 

 

Like this blog? We think you will love this.
solarwinds-lawsuit-cios-cisos-concerned-unprotected-code-signing
Featured Blog

CIOs in Hot Seat: SolarWinds Sued by Investors for Supply Chain Attack

SolarWinds lawsuit claims company officia

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Katrina Dobieski
Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more