Schneier on Security

Clive Robinson • March 1, 2016 7:30 AM

And so the dance continues, at each round the FBI appears to lose ground not just with public opinions but in their honesty, thus trustworthyness.

As I’ve observed Hoovers ghost is still walking the FBI HQ corridors…

Just think what might have remained unknown if the FBI / DOJ had not told the press even before the magistrate had inked their paper…

Which has the obvious rider of “What is yet to be known?”.

Clive Robinson • March 2, 2016 11:43 PM

@ Gurka,

I really don’t get this. At all. No matter how many articles I read, none talks about the technical specifics. How can a backdoor possibly be inserted after the fact?

Actually there have been several overviews of the technical specifics, and we have talked about them.

But here we go again,

The phone has data stored on it encrypted under keys derived from a secret 256bit AES master key. The FBI want that data and the only feasible way is to get the master key.

The same reasoning applies to all attackers, their target is also to get the secret 256bit AES master key.

Knowing this Apple does not permanently store the 256bit AES key on the phone or anywhere else. So there is no “key store” to target.

What Apple does is to get the OS to build the key when the phone is unlocked from two secrets. This is done in a way that makes knowing either secret alone not helpfull. Thus the FBI and all other attackers have to take a step back and attack the way the master key is built.

To do this you need both secrets. The first is a random number unique to the phone. The second is the user passphrase. Thus you need the physical phone to get the first secret and the users mind to get the second secret.

The first secret is stored in the phone in a way that makes accessing it a,very difficult and risky physical process (the “acid and laser” technique some like ARS have mentioned). The secret is also sufficiently large and random that guessing or “brute forcing” it like the 256bit AES key is so improbable in human lifetime scales it’s effectivly impossible. Thus you not only need the phone you need it with the first secret intact.

However Apple know, like most security researchers do, that humans have very bad memories and can not even remember 4digit random numbers reliably. Thus humans generaly use very very weak passphrases which is why you see these password guessing contests.

All of which means the second secret in the users memory is likely to be brute forcible in reasonable human time scales.

Apple like most other security researchers know this, so they took steps to render brute force guessing highly improbable. Firstly they made entering the passphrase “manual only”, secondly they made trying each guess take successively longer and thirdly they gave an option to the user so that if selected after ten bad guesses the phone would overwrite the first secret, thus making access to the data as hard as brute forcing the 256bit AES master key.

But Apple had another option for the user which was to “backup the data to iCloud”. If this was selected by the user then the backup of the data was not encrypted via the two secrets, which gave a way to bypass them. But for some reason on FBI orders the owner of the phone SB County made changes to stop automated backups working, thus effectivly slamming that door (if it was actually open). Which is why along with other FBI behaviour quite a few people believe this was deliberatly orchestrated by the FBI with considerable malice to force the use of the AWA on Apple as a very public “pissing contest” to show whose are brass and whose are steel.

What the AWA application suggests is Apple write a new OS to update the iPhone with that will bybass the protections against brut forcing the passphrase. The FBI also add a load of disprovable nonsence about it being unique to that single iPhone.

The reality is that unless Apple have taken other protective steps they are not talking about for “Trade Secret” reasons, the part of such a new OS that bypasses the security features will be generic and wrapping it up in extra code to try to make it unique to that phone will not make the part of the code that bypasses the passphrass protection any less generic.

But as the FBI and DOJ know they can not legaly give a promise to Apple that this new bypass OS will not be made compleatly public at some point in the future.

The problem is that if it is possible to write the bypass code, once the code is known to exist and work, there is nothing to stop other LEOs in the US and other brutal regimes going down the same route and thus Apple would be subject to a very undue burden. And as the FBI very deliberately chose to make it all public, it adds further fuel to the notion it’s a pissing contest the aim of which is to destroy Apple’s credability in the world markets and thus set an example to the worlds manufacturers that you “Don’t mess with the Feds”.

The thing is it’s not just the LEO’s and brutal regimes this generic bypass code will help, it’s many other udesirables as well. The FBI want the code to run from RAM, and without going into details this could easily be to sidestep other unstated protection mechanisms. If the generic part of this update that bypasses the passphrase security does run from within RAM you then have to think are there other ways to get the code into RAM and get it to run without using the update process?

History tells us that yes there almost definitely is, and that it will not take even “low hanging fruit malware” criminals long to find it, let alone more sophisticated undesirables…

Clive Robinson • March 4, 2016 8:52 AM

@ Gurka,

… the only logical conclusion is that Apples security is bogus.

It’s not just Apple’s security it’s everybody’s security when it comes to consumer products.

The reason is the customers are by and large fairly flawed humans, and human failings are the root cause of nearly all security issues.

In this case to human failings are at the bottom of it,

1, The human minds cognitive inacuracy.
2, The problem of “it’s not my fault” syndrome.

Because humans make mistakes, things go wrong, peoples feelings get hurt and fingers get pointed, names get called and biased stories get told. Ask anybody in a customer facing part of a service industry and they will have war stories about “(ab)users” and “Custards” to fill a quiet afternoon or four. To make matters worse there are the triumptive of blaim givers “Sales, Marketing and Advertising” who only agree on one thing “Customers pay, they must be right, even when they are wrong” which gives the dreaded “Customer is King” and other such meaningless managment speak.

So when a Custard comes in and complains that they can nolonger get at their data because “of the stupid design”, the triumptive demand the engineers don’t let this happen… And as engineers opinions are worth less than “roach dung” that is what engineering have to do. So because some customers do stupid things the Engineers have to “backdoor” their own products to keep the triumptive with their “every customer is precious” idioms happy.

Which brings me to what is and is not a “backdoor” the simple and base definition is “Any deliberate method or process that bypasses a security method or process” which is only different to that of a vulnerability where the word “deliberate” is left out. That is at a base level a “backdoor” is a vulnerability that has been made and inserted by conscious design. In practice a backdoor means many different things to many different people, and can have a technology or method bias.

What Apple is saying is that the encrypted data on the iPhone is “secure” which is true enough based on our current understanding of AES. That is the data is protected by keys derived from a 256bit AES master key. Further Apple are claiming that the master key is not stored on the iPhone when it’s locked, nore any other place which it’s not, so is factually correct. They also claim that the 256bit AES master key is built from two secrets one built into the phone the other known only to the user. They further claim that the secret built into the phone can be deleted in various ways to make it not possible to build the 256bit master key… All true.

What Apple have not mentioned is that the second secret –that the user knows– is a real lame duck due to human failings (customers don’t like being called usless / stupid / idiots / fools / etc ).

Security proffessionals and Apple know that even a four digit pin code is a challenge to a significant fraction of their customers. Worse they know that of the 10,000 pins only a couple of hundred will actually be used by the majority (ie birthdays, famous days, mathmatical constants and easy numbers like 1000 or the equivalent in a different base for the geeks). Further Apple and security proffessionals know humans are oh so lazy, if there is a way to make life easy then that’s the way most humans will go, so you would expect 1111, 3333, 5555, 7777, 9999 and 0000 to be high on the frequently used PIN list. It’s this knowledge frequently shown to be true by PassWord Cracking Contests, that show just how easily tech beats brains when it comes to security. But to make it worse the PIN due to frequent use wears away the numbers it uses more than the other numbers, so often the four digits are known it’s just the order that remains unknown…

Knowing this real human failing Apple took steps to limit the damage it causes. That is the second secret –that the user knows– is not realy a secret because it’s just a guess or two away in many cases, that is potentialy the PIN entropy is five bits or less. Further Apple know that even if the user was given full alpha numeric upto fifty chars in length the average user will use a four digit PIN at best, and won’t set the option to deleate the first secret if too many guesses are made. Thus they added an increasing time between retrys and only passphrase entry from the screen.

That is what we know, from that point on we are guessing based on what appears to be likely assumptions. Which is what the FBI / DOJ have done for their submission to the magistrate, and at this point Apple are saying little or nothing for good reason.

When it comes to this sort of security it realy has a high degree of obsfication or obscurity at it’s base and Apple quite rightly regard it as a Trade Secret. Thus Apple give the equivalent of the nutural “no comment” that the FBI / DOJ / CIA / NSA / MIL and all LEO’s do when questioned.

It’s at this point I enter the anals of “Philosophical Cruelty to Cats” that many prior have entered in search of analogies of which Shrodinger and his cat in a box is one of the better known. It is highly likely that the assumption that Apples security on the passphrase can be bypassed is not just that of those outside of Apple but those within Apple as well. That is nobody and I do mean nobody there has actually done anything other than make assumptions about the existing code. The reason is much like that of Sportsmen like boxers “psyching the opponent” if somebody looks unbeatable, then their opponent looses an edge as they subconciously believe the “invincibility” and don’t actually go all out. You see this in research if people don’t know something can be done they try not to do it, that is they move forward in baby steps not major jumps, it’s why we have the phrase “the leading edge is the bleeding edge” the little steps are resource expensive, the big steps are reputation expensive if wrong. So Apples passphrase protecting code “is the assumed cat in the box” you realy don’t know untill you lift the lid firstly if it’s there and secondly if it’s a pussy or hell cat thus what sort of fight you will get with it. Apple want people to think it’s not just a hellcat but fully soul stealing demonic as well, so that people won’t try. But as I noted the other day we use the Onion as an analogy where each of the many layers is “assumed” to be as equally difficult. But as history shows in reality an egg would be a better analogy, because although when you crack the shell you have a mess on your hands, it’s realy easy to get the bits you want. The latest such is the Special DROWN attack which Mat Green has blogged about. The original DROWN attack required high levels of resources and as such was a High or State Level attack. However on having cracked the initial step the investigators quickly found ways to reduce the resources needed down to that you might expect of a back bedroom scriptkiddy.

Now as far as assumptions go you have to make your mind up who was in the driving seat when Apple developed their passphrase protecting code, the security people or accounts people? That is what level of resources went into it’s development?

As I’ve mentioned before there are various techniques well known to Copy Protection and Malware developers, that can be used to make bypassing the passphrase code to a level where the “Acid & Laser” physical attack would be a better use of resources. If the security people were in the driving seat that’s what I would expect Apple to have gone after development wise. If however it’s the accountants then just a quick “grasp and glance” at the source code would be sufficient. At which point on this line the iPhone actually rests is unknown, the FBI want people to think it’s a quick “feal of the source” Apple want you to think more at the “get out the nitric”. It’s likely that as Apple are going down the hardware “enclave” route that they actually put some effort into making the code secure in of it’s self in various ways prior to adding several layers of obsfication on top of that to make looking at disassembly output a real challenge, it’s certainly what I would do, and as it’s code it has a one off development cost, not as with the hardware enclave a per item manufactured cost.

Which brings us around to the two step update whereby the existing passphrase protection code can be replaced in some way. My guess is that this is a vulnerability, not a backdoor and was caused by the triumptive that causes Customer Service such pain with their “Customer is always right” mantra.

At a pure guess I would say that the security people were aware of the update process and specified that it did not cover certain asspects of the security code. But… the triumptive backed by manufacturing with “recall scare” tactics had the security people over ruled. The result a great big gaping security vulnerability that is going to prove quite costly to Apple that could easily have been avoided. It’s also why I said the otherday that I would expect the next general release of an iOS update to contain a piece of code putting things the way the security people originaly intended.

Of course Apple could go down the Amazon way, “just capitulate for a quiet life” and turn off all customer security… Which is not the way to get the confidence of your customers. It will be interesting to see what Google and their manufacturing customers do with Android and Nokia/MS and RIM.

That’s the way I currently see things as an outsider.

But on to your specific concerns,

But, as I said, I cannot see that you can put a backdoor in after the fact.

I suspect and the rest of your paragraph suggests is the case that you are limiting what you consider a backdoor to the actual encryption algorithm. In which case you would be correct. But as I explained above, the FBI is not interested in backdooring the encryption, the key generation, first secret protection or even the passphrase expansion / streaching. All the FBI say they want is to backdoor the passphrase retry protection so they can brute force it. Which they assume unrolls all the other security protections. But in reality I don’t think they actually care wether it does or not as long as they think they can make Jon Q Citizen think Apple is “aiding terrorists, thus is a traitor to the US people” they damage Apple and scare the other Silicon Valley Corps. Better still if they can “divide and conquer” and on the process inflict more damage on Apple (please note I’m very far from being a “fan boi” and the last Apple product I purchased was an Apple ][ back befor IBM PCs had been thought of).

So, Apple must already have screwed up the security beforehand for this to work.

As I noted above yes they appear to have with the update function, which as I also noted they can partialy fix with a global update to the updater code to stop the security code in the OS being overwritten in future.

So the only thing FBI really has to do is to use the algorithm without the delays, running on a ordinary computer, to brute force a weak passphrase.

Yes, but due to the first secret it has to be run on the actual phone it’s self, not an ordinary computer. As I noted above the passphrase has little real entropy just a few bits, it’s why a brute force search of the passphrase space might work if the passphrase is short. The bulk of the entropy that makes a brute force search on the 256bit AES key impractical is in that first secret, it’s getting at the first secret to get the master key generation to work that is the target if data recovery is the aim of the FBIs actions (which as I noted it most probably is not).

So, I take it that FBI want Apple to assist them to exploit an already present vulnerability. This implies that FBI can make this totally on their own, as can everyone else and iphones are already accessible for hacker, nation states, terrorist group and so on.

Yes the best interpretation is “the FBI are cheapskates” and would rather use the DOJ budget and Apples profits rather than do it themselves.

However there are several assumptions in there,

1, A disassembly of the iOS code that protects the passphrase is reliably possible.

2, That any bypass code written will run in RAM.

3, An attacker has another way to get the code into RAM and execute.

4, Or Apple have been slipshod with the way they protect their code signing keys and process.

The important thing to note is the vulnerability in question on the updater in iOS is realy only exploitable by Apple if 4 is not true.

If someone steals/seizes a device and can access the data without the owners assistance, the security simply must had to be broken _before_ the user started to encrypt things.

No, the security rests on the two secrets, the first appears reasonably well protected, the second –the user passphrase– the protection depends largely on the user. The FBI know that what they propose will only work if the user had a short or weak passphrase. If the user passphrase is strong then the brute force may well still be going when the FBI is no more.

It’s the same with,

The old saying that physical access means that all bets are off, presupposes that the rightful user at some time in the future access his or her device and enters the password and this is snooped by a keylogger or similar.

The first secret is required to build the 256bit AES masterckey, this is made to be a “write only” / “one way” / “hidden variable” with the bulk of the entropy of the AES key. If it can not be read out of the device then it has to be bypassed some way to get the master key built in RAM. There are quite a few attacks via physical side channels that might leak the key by remote interogation, but if somebody knows this can be done they’ve certainly not said anything.

Likewise if you can “shoulder surf” the user when they unlock or use the phone then you may see their passphrase or see individual file content (that might alow some kind of plaintext crypto analysis, but is unlikely).

The problem with a key logger is actually getting it on the phone in the first place, if you can, you could as easily put on code that would read the keys out of RAM and either send them out or store them somewhere where they won’t get wiped when the phone locks.

Again there might be an RF side channel where key presses could be detected a few feet or so from a user as they unlock the phone, and this might also get cross modulated onto the GSM etc carrier when the phone rings etc. You would have to experiment and I’m reasonably sure that some US Gov agencies have done this as a matter of “normal investigations”. The NSA would have certainly done it for the “ObamaBerry”.

With regards,

My foggy understanding at this point is that the key stretch algorithm is faulty with artificial delays instead of computably dictated ones.

As far as I know the key stretch algorithm does what it was designed to do, which is add an 80mS or there abouts delay. The time interval chosen is a compromise and is based on how long can you delay without causing the valid user to complain of slow response that gave rise to lost calls etc. The longer delays when incorrect passphrases are entered, are not nor reasonably could be based on anything other than a simple timer.

As for,

Please don’t get me wrong here: but if FBI prevails in this, the only logical conclusion is that Apples security is bogus.

No it’s not bogus, it’s based on compromises that were reasonable at the design time. The vulnerability that people are talking about is predicated on access to Apple’s code signing key. If the FBI can not get to that key or force Apple to use it then this whole case is just the FBI using FUD to get it’s very undemocratic way to scare Silicon Valley Corps.

This FBI attack can only work if the signing key or direct access to it is in the US jurisdiction. One way Apple could have avoided the issue was by not having the signing key usable in any one jurisdiction. And there are a couple of ways this could be done. Firstly reorganise the company structure such that even though “head-office” is in US jurisdiction the company doing the signing was both in a seperate jurisdiction and not sub-ordinate in the legal sense to head-office (such setups are common for tax reduction purposes so are known entities). Secondly and more importantly split the signing key in several jurisdictions, such that the updater will only work with all parts signing. A very simple way is multiple signing such that there are say three public keys in the updater and the code has to be signed by all three private keys that are in different jurisdictions. However such a simple system has a number of disadvantages, which is why combining a key sharing system with a public key system such that there are three or more private keys and a single public key in the updater is a better way to go. You can build such a system using RSA, but ECC would be better, it’s something I’m looking into but my maths is not what it once was.