How robust is your Mac’s encryption?

For well over a decade, those of us who’ve been using Messages have enjoyed end-to-end encryption, ensuring that our communications remain confidential, and can’t be read by anyone else. This allows us to exchange bank details and discuss private matters without the fear of someone else learning those secrets. For those who live or work in states that spy on citizens, for journalists who report on controversial matters, and for many others, robust encryption can literally be a life-saver. For others who live in what used to be liberal and open democracies where the use of robust encryption is now under threat, I wonder how long it will be before those dangers extend to countries like the UK.

Apple has recently announced changes to encryption used by Messages, or to give it the name of its underlying service, iMessage. This article explains why this is necessary, and how it affects us now and in the future.

No method of encryption can be perfect. Given sufficient computing resources and determination, it’s ultimately possible to break any practical means of encryption. The goal is to make that so difficult that it would take far too long to be feasible for any likely attacker. If that’s just a regular hacker or criminal, then they’re not going to have access to vast computing resources, and are likely to abandon attempts quickly. The biggest danger comes from state security services and their proxies, who may well be prepared to wait years until better methods become available, such as those likely to come in quantum computing.

Quantum computing

Conventional computers work with absolute values, in binary 0s and 1s. Everything in your Mac reduces to those bits, either 0 or 1 and never anything in between. Quantum computing adds quantum physics, and instead of crisp binary, deals with qubits that are measured in terms of probability, making them non-deterministic. This changes the way that they work, and some tough problems in the binary world can be speeded up so much that, given a suitable quantum computer, they could compute in much shorter times. This has already been applied to greatly reduce search times in big data, and has the potential to break most forms of encryption.

Progress in making real quantum computers has been painfully slow. These are normally measured in terms of the number of qubits they can handle. The first two-qubit quantum computer was demonstrated in 1998; Google and NASA claimed in 2019 that they had reached 54 qubits, and this year Finland is hoping to reach 50 qubits too. Attaining the modest target of 300 qubits is likely to take another few years, and it’s still speculation as to whether such quantum computers will ever come into wide use. If and when they do, they’ll transform approaches to robust encryption.

Post-quantum solutions

Just as quantum computing is being used to attack existing methods of encryption, so it’s being used to develop techniques that will make encryption more robust. One of these, quantum key distribution, was proposed as a defence against attacks on encrypted data using quantum computing as long ago as 1984. Post-quantum cryptography has therefore been flourishing long before quantum computers become available to break current methods of encryption.

Almost a month ago, Apple’s Security Engineering and Architecture (SEAR) team announced that iMessage is going to adopt new cryptographic protocols to ensure robust protection when quantum computing becomes feasible. PQ3 and Contact Key Verification have been designed and developed to make the encryption used in iMessage robust against attack by quantum computers of the future, specifically in what Apple terms Harvest Now, Decrypt Later attacks, where today’s encrypted data are stored until methods become available to decrypt them.

Contact Key Verification

Apple added this new feature to iMessage late last year, as an option for those whose Macs and devices are all running the current version of their operating systems. This addresses potential weaknesses in the way that iMessage provides keys used to perform its end-to-end encryption.

When encrypting data locally, protecting the keys used is vital, and in modern Macs is accomplished by protecting them in the Secure Enclave and wrapping them in an additional layer. For iMessage to work, your Macs and devices have to give others a means of encrypting data that can be decrypted at your end, and that’s performed using asymmetric keys, where the other end can use a public key to encrypt data that can then only be decrypted using your private key.

That in turn requires iMessage to maintain a key directory service, from where public keys can be accessed. Contact Key Verification provides a key directory service that can’t be compromised to provide false keys, or to monitor the provision of keys, so an adversary could subvert key provision. Apple provides technical details in this article.

Post-quantum encryption

Although the encryption method used in iMessage remains secure at present, there’s the real danger that at some time in the foreseeable future it will be more readily broken if quantum computing becomes available to those most determined to intercept and decrypt your messages. The next step is therefore to improve the encryption method used by iMessage to make it resistant to future attack by quantum computing. That not only requires improving encryption methods used, but protection provided to the keys as well. Those must be achievable on today’s Macs and devices, and not themselves rely on being run on a quantum computer.

Apple has most recently explained how it’s introducing a new method, PQ3, designed to be robust to quantum computer attack. This combines the current Elliptic Curve method with additions to protect from a post-quantum attack, and enhances protection for keys. Changing to PQ3 isn’t instant, and Apple is rolling this out progressively across its iMessage service. It’s likely to depend on the use of Contact Key Verification; for your Macs and devices to take advantage of that, a first step is to bring them all up to date with the latest release of their operating system, and enable it.

Post-quantum encryption is likely to be computationally more demanding than using only the current method, although Apple hasn’t yet warned of any additional hardware requirements.

Rekeying

When you open a session in Messages with another person, encryption keys are set for that session. If an attacker were to gain access to a key to enable decryption, the whole of that session would become available to them. Apple changed that in 2019, when iMessage switched from RSA to Elliptic Curve encryption and started protecting keys in the Secure Enclave of Macs that have one. At that same time, iMessage started to change keys periodically in what’s known as rekeying, so that each decryption key only works for part of a session, limiting the damage in the event that any encryption key is compromised.

With these changes now being made to address the threat posed by quantum computing, iMessage will rekey more frequently, in what Apple terms post-quantum rekeying. This is accomplished inside a session by exchanging the new keys to be used. As those too are protected by post-quantum encryption, they could only be compromised at the time of the exchange, and not retrospectively using stored, encrypted data retained in a Harvest Now, Decrypt Later strategy.

Other encryption

Encryption is used extensively in macOS and Apple’s other OSes to provide security and protect privacy. While these enhancements to iMessage are important, it’s by no means the only way that an adversary could use quantum computing to attack encryption. Encrypted email traffic is also open to attack, and can be retained for later attempts at decryption, but that conforms to different standards and protocols that Apple doesn’t control. Otherwise, almost all sensitive data that is currently protected by encryption remains on the Mac or device, where most keys are now protected by the Secure Enclave, where that’s available.

Summary

Quantum computing poses a real threat to current encryption methods in the future.
Current iMessage sessions could well be decrypted if they are stored under a Harvest Now, Decrypt Later strategy.
Apple is now introducing changes to iMessage to protect Messages sessions from future attempts at decryption.
To benefit from those improvements, you will need to enable Contact Key Verification on Macs with a Secure Enclave, and be running the current macOS.

10Comments

Add yours

1

John Woods on April 16, 2024 at 9:56 am

Thanks Howard, I don’t see why PQ3 (Kyber) would require contact verification, this is an added security, validating authenticity of pub keys, by validating in person the long lived signature keys.

LikeLiked by 1 person
- 2
  
  hoakley on April 16, 2024 at 11:12 am
  
  I don’t see that PQ3 itself is reliant on CKV, but if you read Apple’s description of how the new system works it assumes that CKV is enabled. For instance:
  “When Alice’s device instantiates a new session with Bob’s device, her device queries the IDS server for the key bundle associated with Bob’s device. The subset of the key bundle that contains the device’s authentication key and versioning information is validated using Contact Key Verification. The device then validates the signature covering the encryption keys and timestamps, which attests that the keys are valid and have not expired.”
  As the requirements for CKV and PQ3 are the same – running the current version of macOS 14, iOS/iPadOS 17, etc. – I think it would be strange for them to operate independently of one another. And even if they did, why would you want PQ3 without CKV?
  Howard.
  
  LikeLike
  - 3
    
    John Woods on April 16, 2024 at 11:14 am
    
    And even if they did, why would you want PQ3 without CKV?
    
    For the same reason ECC based crypto is useful in non-PQ3 iMessage. Signature on ephemeral keys is nice to have to verify your partner, but is required for authentication not secrecy.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on April 16, 2024 at 11:16 am
      
      But without secure authentication, how can you rely on the secrecy? The keys could have been compromised.
      Howard.
      
      LikeLike
    - 5
      
      John Woods on April 16, 2024 at 11:21 am
      
      For the same reason end to end encryption in iMessage was useful prior to CKV, you had to trust the initial setup with your partner (when their phone number/email address turns blue in iMessage), and afterwards you enjoy private communications unless the initial pub keys used for long lived signature are man-in-the-middled (which we assume they aren’t).
      
      CKV is a nice to have, but I’ve used it for a handful of contacts I know well, it’s not practical otherwise. PQ3 will be the same, you are less certain it’s definitely the person you think it is without CKV, but it’s still better to trust the signature on ephemeral keys and still have encryption than choose between CKV+trusted long lived signature keys + PQ3/E2E encryption OR no encryption at all.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on April 16, 2024 at 11:26 am
      
      But I don’t see those options.
      In iMessage currently, what option is there not to have E2E encryption?
      As all users able to operate PQ3 are also going to be able to use CKV, why would Apple offer them separately?
      I think you’ll see two iMessage modes: traditional E2E using ECC and without CKV, and the whole set of CKV+PQ3.
      Howard.
      
      LikeLike
    - 7
      
      John Woods on April 16, 2024 at 11:31 am
      
      I think you’ll see two iMessage modes: traditional E2E using ECC and without CKV, and the whole set of CKV+PQ3.
      Howard.
      
      Maybe, but that’s not my read of their docs, and Kyber (or any PQ primitive) is ofc, a PQ resistant key-encapsulation mechanism, and their use of ECC is used to perform elliptic curve Diffie Hellman as a key agreement mechanism, thus both Kyber and ECC essentially perform the same task of establishing a symmetric key. It wouldn’t make sense to gate PQ3 behind CKV, it has much more value with CKV being optional.
      
      LikeLiked by 1 person
    - 8
      
      hoakley on April 16, 2024 at 11:53 am
      
      I’m afraid you’ve lost me completely here.
      CKV is supported on Macs running 14.x and devices on 17.x, and requires all devices using the same iMessage account to be enabled to use CKV.
      PQ3 will be supported on Macs running later versions of 14 (we expect, although it could be delayed until 15), and devices on later versions of 17 (same caveat), and will require all devices using the same iMessage account to be enabled to use it.
      So who on earth is going to want to run, or be confined to running, a Mac or device running PQ3 but unable to enable CKV?
      An option only makes sense when it’s an advantage, surely?
      Howard.
      
      LikeLike
9

Kevin Kirlin on April 18, 2024 at 1:36 pm

If I understand correctly, iMessage encryption breaks down when texting to Android devices. Will Apple’s adoption of RCS have any impact on encryption when texting between iOS & Android devices?

LikeLiked by 1 person
- 10
  
  hoakley on April 18, 2024 at 7:49 pm
  
  I don’t know. It isn’t something that Apple has detailed yet, as far as I’m aware. Even with the current pre-quantum system, key exchange would appear to be something of a hurdle, and that would be no easier with its post-quantum system.
  Howard.
  
  LikeLike