Privacy Watch Weekly – 2016-08-19

Privacy Watch – Friday 19th of August 2016

Warning — Bitcoin Users Could Be Targeted by State-Sponsored Hackers

Another day, another piece of bad news for Bitcoin users.

A leading Bitcoin information site is warning users that an upcoming version of the blockchain software and Bitcoin wallets it publishes is likely to be targeted by “state-sponsored attackers.”

Recently, one of the world’s most popular cryptocurrency exchanges, Bitfinex, suffered a major hack that resulted in a loss of around $72 Million

Omegle, the Popular ‘Chat with Strangers’ Service Leaks Your Dirty Chats and Personal Info

Ever since the creation of online chat rooms and then social networking, people have changed the way they interact with their friends and associates.

However, when it comes to anonymous chatting services, you don’t even know what kinds of individuals you are dealing with.

Sharing identifiable information about yourself with them could put you at risk of becoming a victim of stalking,

Microsoft Open Sources PowerShell; Now Available for Linux and Mac OS X

‘Microsoft loves Linux’, and this has never been truer than it is now.

Microsoft today made its PowerShell scripting language and command-line shell available to the open source developer community on GitHub under the permissive MIT license.
The company has also launched alpha versions of PowerShell for Linux (specifically Red Hat, Ubuntu, and CentOS) and Mac OS X, in addition,

Crypto & CHES 2016: 20 years of leakage, leakage, leakage

Paul Kocher gave an invited presentation at Crypto and CHES, certainly deserved on the 20th anniversary of his 1996 paper, which has more than 3500 citations on Google Scholar. His talk ranged from tales of his work, through philosophical considerations on security, to an outlook on the future.

It was interesting to see how Kocher, a biologist by training, got into cryptography and managed to break implementations via side channels with rather cheap equipment, including parts from a toy electronics kit. He claimed that they could break every smart card at the time, which was of course disputed by the vendors.

In the philosophy part of the talk, the speaker brought up various analogies that I found interesting even though they did not provide direct advice. For example, he compared security to fractals, which reveal ever more detail the closer you look. More practically, Kocher mentioned building codes and the aviation industry. Both minimize risk through best practices that include safety margins, even though these incur extra costs. However, I could not help thinking that aviation killed a fair number of people before the standards improved.

On the outlook, Kocher did not seem particularly optimistic. The world is already complex and full of devices that regularly exhibit security problems, and it will get worse with the Internet of Things: more devices with longer life spans, produced by vendors with less security knowledge, while the impact of vulnerabilities will be even higher. He predicted that security breaches will get worse for at least 3-5 years.

In terms of constructive ideas, he suggested moving security into the chips themselves, where no lower layer remains to undermine it. There has already been a significant move in that direction with Intel’s SGX, but there are of course other approaches.

Taverniti | Vashishth LLP Blog

Survey shows broad support for national precision medicine study

In a recent survey designed to measure public attitudes about the Precision Medicine Initiative Cohort Program, a majority of respondents expressed willingness to participate in the nationwide research effort.

The NSA Hack — What, When, Where, How, Who & Why?

You might have heard about the ongoing drama of the NSA hack, which has sparked a larger debate on the Internet about the abilities of US intelligence agencies as well as their own security.

Saturday morning the news broke that a mysterious group of hackers calling themselves “The Shadow Brokers” claimed it hacked an NSA-linked group and released some NSA hacking tools with a promise to

Crypto 2016: Network Oblivious Transfer

On the first day of CRYPTO 2016, Adam Sealfon presented his work with Ranjit Kumaresan and Srinivasan Raghurama on Network Oblivious Transfer. Oblivious transfer (OT) is a two party protocol in which party $A$ inputs two strings and party $B$ a bit $b$: $B$ receives exactly one of the strings according to his bit and finds out nothing about the other string, while $A$ does not find out which of the two strings $B$ chose. If two parties are able to engage in an OT protocol, we say that there is an OT channel between them. OT channels are a good thing to study because they are:
  • Useful: OT has been called MPC (multi-party computation) complete, and the Atom of MPC, since many MPC protocols can be realised using OT;
  • Achievable: e.g. trapdoor permutations can be used to realise them.

Suppose we have a network in which all parties have secure connections to all other parties, and some of the parties also have OT channels between them. What can we say about the ability of the network to allow computation of OT-based MPC? In 2007, Harnik et al. asked How Many Oblivious Transfers are Needed for Secure Multiparty Computation? and gave a lower bound on the number of OT channels a network must have. The paper presented here gives an upper bound which matches the lower bound of that paper, and hence allows a complete characterisation of the networks in which OT channels can be established to enable secure MPC.

For some intuition as to what this all means, consider the following three graphs. Nodes represent parties in the network, and edges represent OT channels. All parties are assumed to have secure connections to all other parties and we want to have an OT channel between $A$ and $B$.

In Figure 1, $A$ and $B$ have an OT channel between them, so we’re done. In Figure 2, it turns out that the connections in place already suffice to provide $A$ and $B$ with an OT channel. However, in Figure 3, we cannot form an OT channel between $A$ and $B$.

The reason some graphs admit OT channels between certain parties and some do not concerns a property known as splittability. A graph $G$ is called $k$-unsplittable (for $k<n/2$) if for any two disjoint sets of $k$ vertices, there is an edge from a vertex in one set to a vertex in the other; $G$ is called $k$-splittable if this does not hold. The main theorem of the paper states that, assuming a semi-honest adaptive adversary controlling no more than $t$ parties, two parties, $A$ and $B$, in the network can establish an OT channel if and only if

  1. $t < n/2$, or
  2. $t \ge n/2$ and the graph is $(n-t)$-unsplittable.

Adding the edge $(A,B)$ to Figures 2 and 3 at least suggests the theorem says the right thing: once that edge is present in Figure 3, every 2-split of the graph has an edge between the two partitions.

In proving this theorem, the paper provides a good description of the limits of OT-based MPC.
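A brute-force check of the theorem's condition on small OT graphs, added here as an example (it is not code from the Network Oblivious Transfer paper). Parties are the vertices $0, \dots, n-1$, the edges are the OT channels already in place, and `t` is the corruption threshold. The two four-party graphs at the bottom are constructed stand-ins for the figures: a star centred on party 0, and a perfect matching that leaves the sets $\{0,2\}$ and $\{1,3\}$ with no edge between them.

```python
"""Added example, not code from the Network Oblivious Transfer paper: brute-force
check of the paper's condition on small OT graphs. Parties are 0..n-1, edges are
the OT channels already in place, t is the corruption threshold."""
from itertools import combinations


def find_split(n, edges, k):
    """Return a pair of disjoint k-vertex sets with no OT edge between them (a
    k-split), or None if the graph is k-unsplittable. Exponential in n: fine for
    the handful-of-parties pictures, not for real networks."""
    adj = {v: set() for v in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    for left in combinations(range(n), k):
        rest = [v for v in range(n) if v not in left]
        for right in combinations(rest, k):
            if not any(w in adj[u] for u in left for w in right):
                return left, right
    return None


def is_k_unsplittable(n, edges, k):
    return find_split(n, edges, k) is None


def ot_channel_possible(n, edges, t):
    """The theorem's condition against a semi-honest adaptive adversary corrupting
    at most t of the n parties: honest majority, or (n - t)-unsplittability."""
    if 2 * t < n:
        return True                     # t < n/2: no OT channels needed at all
    return is_k_unsplittable(n, edges, n - t)


# Constructed four-party examples (stand-ins for the figures): a star centred on
# party 0, and a perfect matching that leaves {0,2} and {1,3} unconnected.
STAR = [(0, 1), (0, 2), (0, 3)]
MATCHING = [(0, 2), (1, 3)]

if __name__ == "__main__":
    print("star, t=2:", ot_channel_possible(4, STAR, 2))            # True
    print("matching, t=2:", ot_channel_possible(4, MATCHING, 2))    # False
    print("bad split:", find_split(4, MATCHING, 2))                 # ((0, 2), (1, 3))
```

The returned split is the adversary's strategy: corrupt everything outside the two sides, and the honest parties on the two sides have no OT channel across which to bootstrap one.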

Someone is Spying on Researchers Behind VeraCrypt Security Audit

After TrueCrypt was mysteriously discontinued, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, and privacy-conscious people.

Because of VeraCrypt’s huge popularity, the Open Source Technology Improvement Fund (OSTIF) announced at the beginning of this month that it had agreed to audit VeraCrypt

Sophos Home rated “Best Free Mac Antivirus” by Tom’s Guide

We know how good Sophos Home is. That’s why we keep talking about it. But it’s always nice to hear an independent review (or two or three!) to back that up.

The old adage “Macs don’t get malware” simply isn’t true, and if you run a Mac, you need to be running an antivirus.

Tom’s Guide recently undertook a review of the Best Mac Antivirus Software and Sophos Home came out top of the free products!


Its verdict:

Sophos offers best-in-class protection and parental controls for free while leaving a small performance impact.

Why not try it for yourself?

Sophos Home is available for both PCs and Macs. You can protect up to ten computers from one account, so you can make sure your whole family is taken care of. Go to to get signed up.

And, as Tom’s Guide puts it, “Best of all, you won’t pay a penny.”


Internet Traffic Hijacking Linux Flaw Affects 80% of Android Devices

An estimated 80 percent of Android smartphones and tablets running Android 4.4 KitKat and higher are vulnerable to a recently disclosed Linux kernel flaw that allows hackers to terminate connections, spy on unencrypted traffic or inject malware into the parties’ communications.

Even the latest Android Nougat Preview is considered to be vulnerable.
The security flaw was first

China Launches World’s 1st ‘Hack-Proof’ Quantum Communication Satellite

China has taken one more step forward towards achieving success in Quantum communication technology.

China launched the world’s first quantum communications satellite into orbit aboard a Long March-2D rocket earlier today, in order to test the fundamental laws of quantum mechanics in space.

‘Hack-Proof’ Communications System

The satellite, dubbed Quantum Science Satellite, is designed

Crypto 2016: A subfield lattice attack on overstretched NTRU assumptions

This year’s Crypto kicked off this morning in sunny Santa Barbara. The early afternoon session in track A covered asymmetric cryptography and cryptanalysis. Shi Bai presented A subfield lattice attack on overstretched NTRU assumptions: Cryptanalysis of some FHE and Graded Encoding Schemes, which is joint work with Martin Albrecht and Leo Ducas. The talk consisted of three main parts: an introduction, a presentation of the subfield attack and a discussion of its implications.


The set-up of the problem is the usual one. Let $\Phi_m$ be a power-of-two cyclotomic polynomial (so $m$ is a power of two) and let $R$ be the ring $R = \mathbb{Z}[x]/\Phi_m$. We let $\lambda$ be the security parameter, $n = \phi(m) = \mathrm{poly}(\lambda)$, $q = q(\lambda)$ and $\sigma = \mathrm{poly}(\lambda)$. The NTRU problem is the following.

NTRU Problem: We are given a ring $R$ of rank $n$, a modulus $q$, a distribution $D$ and a target norm $\tau$. Given an element $h = [g f^{-1}]_q$ for $f, g \leftarrow D$ (subject to $f$ being invertible modulo $q$), the NTRU$(R,q,D,\tau)$ problem is to find a vector $(x,y) \neq (0,0)$ in $R^2 \bmod q$ of Euclidean norm smaller than $\tau\sqrt{2n}$ in the lattice

$\Lambda_h^q = \{ (x,y) \in R^2 : hx - y = 0 \bmod q \}$.

We call the above the NTRU lattice.

What the authors mean by overstretched NTRU assumption is the use of super-polynomial modulus $q$ which is utilised in the context of NTRUEncrypt, signature schemes, Fully Homomorphic Encryption schemes and some candidate multilinear maps.

The starting point of the attack is that whenever

$\|f\| \approx \|g\| \approx \sqrt{n}\,\sigma \ll \sqrt{nq}$,

then the NTRU lattice has an unusually short vector. We also note that, for some target norm, recovering a short enough vector is sufficient to carry out the attack. In particular, finding a vector of length $o(q)$ would break applications such as encryption. We note however that in practice, parameters can indeed be set so as to avoid this attack.

The attack

Let $K$ be the cyclotomic field $\mathbb{Q}(x)/\Phi_m$ and $L = \mathbb{Q}(x)/\Phi_{m'}$ a subfield, where $m' \mid m$, and let $\zeta_m$ and $\zeta_{m'}$ be the $m$-th and $m'$-th roots of unity respectively. The authors work with power-of-two cyclotomics, but such a subfield can always be found; indeed one can take the maximal real subfield.

The strategy is as follows. Since $L$ is a subfield of $K$, we can use the norm map

$N_{K/L}: K \rightarrow L$

to map NTRU instances down to the subfield, assuming we are working with an overstretched (large) modulus $q$. We then apply lattice reduction (e.g. BKZ) in the subfield, solving a potentially easier problem.

For an NTRU instance $(h,f,g)$ in the full field, we norm it down to an instance $(h',f',g')$ in the subfield. The vector $(f',g')$ lies in the subfield NTRU lattice $\Lambda_{h'}^q$ and, depending on the parameters, it may be unusually short. The attack then runs a lattice reduction algorithm in the subfield, which produces a vector $(x',y')$. If that vector is short enough, it is in fact an $\mathcal{O}_K$-multiple of $(f',g')$, i.e. $(x',y') = v(f',g')$. This allows $(x',y')$ to be lifted back to the full NTRU lattice $\Lambda_h^q$ and thus potentially recovers non-trivial information about $f$ and $g$.


This produces a sub-exponential attack on bootstrappable YASHE. The work also implies an attack on the latest GGH construction without an encoding of zero. Depending on the multilinear degree, this can even go down to a polynomial-time attack. This improves on the prior state of the art.

In terms of limitations, if the normed down vector $(f’,g’)$ is not unusually short, then this attack fails. Equally, NTRU-743, NTRU-401 and BLISS are essentially immune. The conclusion of this talk was that in an NTRU assumption set-up, the presence of a subfield, a large modulus and a small $\sigma$ should be considered insecure.
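The norm-down step described above, carried out on a toy instance as an added example (this is not code from the paper or the talk). It assumes $n = 16$, $q = 12289$ and ternary $f, g$, chosen here so that $q$ is prime and $q \equiv 1 \pmod{2n}$, which lets $f$ be inverted with a negacyclic NTT; none of these are the paper's parameters. For the power-of-two case the index-2 subfield is $L = \mathbb{Q}(y)/(y^{n/2}+1)$ with $y = x^2$, and $N_{K/L}(a) = a(x)\,a(-x)$. The attacker computes $h' = N_{K/L}(h)$ from the public key alone; the code checks that $(f',g') = (N(f), N(g))$ lies in $\Lambda_{h'}^q$ and compares its length with the $\sqrt{n'q}$ scale of the inequality above. The lattice reduction step itself (BKZ) is not included.

```python
"""Added worked example, not code from the paper or the talk: the norm-down step
N_{K/L} on a toy NTRU instance. K = Q[x]/(x^n + 1) with n a power of two and
L = Q[y]/(y^{n/2} + 1), y = x^2, is the index-2 subfield; N_{K/L}(a) = a(x) a(-x).
Toy parameters n = 16, q = 12289 are assumptions made here (q is prime and
q == 1 mod 2n so f can be inverted with a negacyclic NTT); they are not the paper's."""
import math
import random


def _red(c, q):
    return c % q if q is not None else c


def poly_mul(a, b, n, q=None):
    """Schoolbook product in Z[x]/(x^n + 1), reduced mod q when q is given."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = _red(res[k] + ai * bj, q)
            else:                                  # x^n = -1
                res[k - n] = _red(res[k - n] - ai * bj, q)
    return res


def find_root(n, q):
    """A primitive 2n-th root of unity mod q, i.e. w with w^n = -1."""
    for w in range(2, q):
        if pow(w, n, q) == q - 1:
            return w
    raise ValueError("q must be 1 mod 2n")


def ntt(a, n, q, w):
    """Evaluate a at the n roots w^(2i+1) of x^n + 1 over Z_q."""
    return [sum(aj * pow(w, (2 * i + 1) * j, q) for j, aj in enumerate(a)) % q
            for i in range(n)]


def intt(v, n, q, w):
    """Inverse of ntt(): a_j = n^-1 * sum_i v_i w^(-(2i+1) j)."""
    n_inv, w_inv = pow(n, -1, q), pow(w, -1, q)
    return [(n_inv * sum(vi * pow(w_inv, (2 * i + 1) * j, q)
                         for i, vi in enumerate(v))) % q for j in range(n)]


def norm_down(a, n, q=None):
    """N_{K/L}(a) = a(x) a(-x), returned as a length-n/2 element of L (in y = x^2)."""
    conj = [_red(-c, q) if i % 2 else c for i, c in enumerate(a)]
    prod = poly_mul(a, conj, n, q)
    assert all(c == 0 for c in prod[1::2])        # odd powers of x cancel
    return prod[0::2]


def toy_instance(n=16, q=12289, seed=2016):
    """Constructed sample: ternary f, g and the public key h = g f^-1 mod q."""
    rng = random.Random(seed)
    w = find_root(n, q)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        f_hat = ntt([c % q for c in f], n, q, w)
        if 0 not in f_hat:                        # f invertible mod (q, x^n + 1)
            break
    g = [rng.choice((-1, 0, 1)) for _ in range(n)]
    f_inv = intt([pow(v, -1, q) for v in f_hat], n, q, w)
    h = poly_mul([c % q for c in g], f_inv, n, q)
    return h, f, g


def subfield_step(n=16, q=12289, seed=2016):
    """Norm the instance down and check (f', g') lies in the subfield NTRU lattice."""
    h, f, g = toy_instance(n, q, seed)
    m = n // 2
    h_sub = norm_down(h, n, q)        # the attacker computes this from public h alone
    f_sub = norm_down(f, n)           # N(f), N(g) over Z: what the attacker hopes to find
    g_sub = norm_down(g, n)
    lhs = poly_mul(h_sub, [c % q for c in f_sub], m, q)
    residual = [(lhs[i] - g_sub[i]) % q for i in range(m)]
    length = math.sqrt(sum(c * c for c in f_sub + g_sub))
    return {
        "residual": residual,                     # all zero: h' f' - g' = 0 mod q
        "norm_f_g_sub": length,
        "sqrt_n_q": math.sqrt(m * q),             # the scale in the inequality above
        "unusually_short": length < math.sqrt(m * q),
    }


if __name__ == "__main__":
    print(subfield_step())
```

The point to take from the run is not the toy numbers but the structure: the relation $h'f' - g' \equiv 0 \pmod q$ survives the norm map because the norm is multiplicative, so the attacker gets a lattice of half the dimension for free, and it is only the ratio $\|(f',g')\| / \sqrt{n'q}$, i.e. how overstretched $q$ is relative to $\sigma$, that decides whether reduction in the subfield finds anything useful.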

Crypto 2016: Provable Security for Symmetric Cryptography

On the morning that the CAESAR competition entered its third round, track A of CRYPTO 2016 began with a session on provable security for symmetric cryptography. It contained 5 talks, all of which were very well presented. In each case the results were given in context, along with a sketch of the key techniques behind their proofs, and very clear diagrams.

First up was Viet Tung Hoang, presenting joint work with Stefano Tessaro on the multi-user security of key-alternating ciphers. Key-alternating ciphers can be seen as a generalisation of the Even-Mansour construction, and are a natural idealisation of the AES design. Often work is done in the single-user setting, leaving multi-user security to be reached via a hybrid argument. However, this costs a factor in security linear in the number of users.

The speaker explained two ways in which their work improves on previous applications of the H-coefficient technique (which bounds adversarial advantage by the statistical distance between the possible sets of transcripts), allowing them to achieve tighter bounds than were possible previously. They term the first the “Expectation Method”: an upper bound is replaced with an expected-value bound, significantly tightening one of the internal bounds (specifically, when measuring the total probability of an adversary distinguishing the systems given a good transcript). The second is a tightening of the hybrid argument, pushing the hybridisation step back to the transcript stage rather than waiting until the final bound has been collected. These are both very neat observations, and it will be interesting to see how easily they can be applied to other related problems.

Next, Yannick Seurin gave the first of his two talks, on the Counter-in-Tweak (CTRT) mode for bootstrapping AE from a TBC, based on joint work with Thomas Peyrin. In this work, the authors set out to construct an AE scheme that was:

  • Beyond-Birthday-Bound Secure in the nonce-respecting case
  • Birthday-bound secure in the nonce-abusing case

They do so using a generic-composition style approach, demonstrating that a slight variant of SIV mode can be used to combine an encryption and an authentication mechanism that each meet these security requirements such that their composition inherits this security. For their result, an encryption routine is required that takes both a random IV and a nonce. To get this, Yannick explained how one can use a Tweakable Block Cipher to improve upon the classic counter mode, by instead putting the counter into the tweak. Thus their scheme uses a counter (in the tweak) that is initialised with a random IV to encrypt the nonce, security of which is proven using a neat little balls-and-bins game.

After a short break, Bart Mennink introduced the XPX construction, which generalises most single-round tweakable Even-Mansour constructions by viewing them all as instances of the TBC

\[ \begin{array}{ccccc} & t_{11}K \oplus t_{12}P(K) & & t_{21}K \oplus t_{22}P(K) & \\ & \downarrow & & \downarrow & \\ m & \to \oplus \to & P & \to \oplus \to & c \end{array} \]

under certain sets of tweaks $(t_{11},t_{12},t_{21},t_{22}) \in \mathcal{T}$ (apologies for the terrible diagram!). After describing conditions for such tweak sets to be weak (i.e. totally insecure), he explained that all other sets are in fact reasonably secure. Developing this further, the work then investigates certain forms of related-key security, and the conditions one must impose on the tweak set to achieve them. Bart then explained how these results apply to some pre-existing schemes, recovering the security of the CAESAR candidates Minalpher and Prøst-COPA (for which the work also demonstrates a certain degree of related-key security). Finally, he showed how these results can be applied to the Chaskey MAC algorithm, and suggested a possible modification that would (at the cost of slightly more expensive key rotation) provide some related-key security, a method that might also be applicable to sponge-based schemes.
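The XPX construction in the diagram above, written out as an added example (this is not code from Mennink's paper or from the talk). It is instantiated over a toy 8-bit public permutation $P$ so that it can actually be run, with the tweak constants $t_{ij}$ multiplied into $K$ and $P(K)$ in GF($2^8$) under the AES polynomial 0x11B; both the block size and the field are assumptions of this example, the real construction uses an $n$-bit permutation. It also shows one concrete instance of a totally insecure tweak, the case the talk called weak: leave the output of $P$ unmasked and a single chosen-plaintext query hands over the key.

```python
"""Added example, not code from the XPX paper or the talk: the XPX tweakable block
cipher from the diagram above, over a toy 8-bit public permutation so it can be
run. Tweak constants live in GF(2^8) with the AES polynomial 0x11B (an assumption
of this example); the real construction uses an n-bit permutation."""
import random


def gf_mul(a, b, poly=0x11B):
    """Multiplication in GF(2^8) modulo the given irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


# Public random permutation P on 8-bit blocks, seeded so the example is reproducible.
_rng = random.Random(0x5EC)
P_TABLE = list(range(256))
_rng.shuffle(P_TABLE)
P_INV = [0] * 256
for _x, _y in enumerate(P_TABLE):
    P_INV[_y] = _x


def _masks(key, tweak):
    t11, t12, t21, t22 = tweak
    pk = P_TABLE[key]
    return (gf_mul(t11, key) ^ gf_mul(t12, pk),     # XORed in before P
            gf_mul(t21, key) ^ gf_mul(t22, pk))     # XORed in after P


def xpx_encrypt(key, tweak, m):
    """c = P(m ^ t11 K ^ t12 P(K)) ^ t21 K ^ t22 P(K), as in the diagram."""
    mask_in, mask_out = _masks(key, tweak)
    return P_TABLE[m ^ mask_in] ^ mask_out


def xpx_decrypt(key, tweak, c):
    mask_in, mask_out = _masks(key, tweak)
    return P_INV[c ^ mask_out] ^ mask_in


# Familiar special cases, selected purely by the tweak:
EVEN_MANSOUR = (1, 0, 1, 0)     # m -> P(m ^ K) ^ K
INPUT_ONLY = (1, 0, 0, 0)       # m -> P(m ^ K): the output of P is left unmasked


def recover_key_from_input_only_tweak(key, m=0x42):
    """One chosen-plaintext query under INPUT_ONLY gives c = P(m ^ K), and since P
    is public the attacker reads off K = P^-1(c) ^ m. Any tweak set containing such
    a tweak is therefore totally insecure, the 'weak' case described in the talk."""
    c = xpx_encrypt(key, INPUT_ONLY, m)
    return P_INV[c] ^ m
```

Note that the same key is used for every tweak, so one weak tweak in the set $\mathcal{T}$ breaks the cipher under all the others too; that is why the conditions are stated on the whole tweak set rather than per tweak.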

The penultimate talk was on “Indifferentiability of 8-Round Feistel Networks” by Yuanxi Dai, describing his work with John Steinberger. It is the latest in a long line of papers seeking to pin down the extent to which one can substitute a Feistel network for a random permutation, even when the adversary has access to the internal functions. The presentation was well delivered and described the overall intuition behind the proof and the design of their simulator, but the details of such results are generally very complicated indeed.

Finally, Yannick Seurin returned to describe “EWCDM”, a block-cipher-based MAC construction that could be used to instantiate the CTRT mode described previously more efficiently, based on joint research with Benoît Cogliati. It looks something like:
\[ \begin{array}{ccccccc} & & & & N & \to & \downarrow \\ & & & & \downarrow & & \downarrow \\ & & & & E_{k_1} & & \downarrow \\ & & & & \downarrow & & \downarrow \\ M & \to & \text{Hash} & \to & \oplus & \leftarrow & \leftarrow \\ & & & & \downarrow & & \\ & & & & E_{k_2} & & \\ & & & & \downarrow & & \\ & & & & T & & \end{array} \]
It is secure up to about $2^{n/2}$ queries under nonce reuse, and achieves security for $2^{2n/3}$ queries in the nonce-respecting setting. Moreover, for the nonce-respecting case the actual security level might be even better, since the best known attack currently needs around $2^{n}$ queries, leaving scope for further research.

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online

It seems like the NSA has been HACKED!

Update: The NSA Hack — What, When, Where, How, Who & Why? Explained Here.

An unknown hacker or a group of hackers just claimed to have hacked into “Equation Group” — a cyber-attack group allegedly associated with the United States intelligence organization NSA — and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools)

Computer scientists reveal history of third-party web tracking

Researchers have presented the first-ever comprehensive analysis of third-party web tracking across three decades and a new tool, TrackingExcavator, which they developed to extract and analyze tracking behaviors on a given web page. They saw a four-fold increase in third-party tracking on top sites from 1996 to 2016, and mapped the growing complexity of trackers stretching back decades.

SINGAPORE: Singapore’s enforcement of data protection law on the rise

Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

  • A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
  • A document processing company was fined SGD5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
  • A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of “sensitive personal data” which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As recently noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note:

  • The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
  • The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

CHINA: Stricter PRC online advertising regulation in response to search scandal

The China State Administration of Industry and Commerce recently issued the Online Advertising Regulation (Regulation) which will come into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of “paid search results” but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement, and thus subject to the Advertising Law. As such, the Regulation means, inter alia, paid search results:

  • must not be misleading;
  • cannot be used in relation to the advertisement of prescription medication and tobacco products;
  • cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
  • must be able to be closed with “one click” and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make ahead of the implementation of the Regulation.

DDoSCoin — New Crypto-Currency Pays Users for Participating in DDoS Attacks

It’s 2016, and now you can earn some dollars by contributing to a well-organized DDoS attack scheme.

Do you know that while mining Bitcoins you are actually contributing significant computational power to keep the Bitcoin network running?

In Bitcoin, the miners build and maintain a massive public ledger containing a record of every Bitcoin transaction in history.

When one user tries

Bitcoin Exchange Offers $3.5 Million Reward for Information of Stolen Bitcoins

Hong Kong-based Bitcoin exchange ‘Bitfinex’ that lost around $72 Million worth of its customers’ Bitcoins last week is now offering a reward of $3.5 Million to anyone who can provide information that leads to the recovery of the stolen Bitcoins.

Bitfinex revealed on August 2 that the cryptocurrency exchange had suffered a major security breach, which resulted in the loss of nearly 120,000 BTC

Is Apple’s Cloud Key Vault a crypto backdoor?

TL;DR: No, it isn’t. If that’s all you wanted to know, you can stop reading.

Still, as you can see there’s been some talk on Twitter about the subject, and I’m afraid it could lead to a misunderstanding. That would be too bad, since Apple’s new technology is kind of a neat experiment.

So while I promise that this blog is not going to become all-Apple-all-the-time, I figured I’d take a minute to explain what I’m talking about. This post is loosely based on an explanation of Apple’s new escrow technology that Ivan Krstic gave at BlackHat. You should read the original for the fascinating details.

What is Cloud Key Vault (and what is iCloud Keychain)?

A few years ago Apple quietly introduced a new service called iCloud Keychain. This service is designed to allow you to back up your passwords and secret keys to the cloud. Now, if backing up your sensitive passwords gives you the willies, you aren’t crazy. Since these probably include things like bank and email passwords, you really want these to be kept extremely secure.

And — at least going by past experience — security is not where iCloud shines.

The problem here is that passwords need to be secured at a much higher assurance level than most types of data backup. But how can Apple ensure this? We can’t simply upload our secret passwords the way we upload photos of our kids. That would create a number of risks, including:

  1. The risk that someone will guess, reset or brute-force your iCloud password. Password resets are a particular problem. Unfortunately these seem necessary for normal iCloud usage, since people do forget their passwords. But that’s a huge risk when you’re talking about someone’s entire password collection.
  2. The risk that someone will break into Apple’s infrastructure. Even if Apple gets their front-end brute-forcing protections right (and removes password resets), the password vaults themselves are a huge target. You want to make sure that even someone who hacks Apple can’t get them out of the system.
  3. The risk that a government will compel Apple to produce data. Maybe you’re thinking of the U.S. government here. But that’s myopic: Apple stores iCloud data all over the world.

So clearly Apple needs a better way to protect these passwords. How to do it?

Why not just encrypt the passwords?

It is certainly possible for an Apple device to encrypt your password vault before sending it to iCloud. The problem here is that Apple doesn’t necessarily have a strong encryption key to do this with. Remember that the point of a backup is to survive the loss of your device, and thus we can’t assume the existence of a strong recovery key stored on your phone.

This leaves us with basically one option: a user password. This could be either the user’s iCloud password or their device passcode. Unfortunately for the typical user, these tend to be lousy. They may be strong enough to use as a login password — in a system that allows only a very limited number of login attempts. But the kinds of passwords typical users choose to enter on mobile devices are rarely strong enough to stand up to an offline dictionary attack, which is the real threat when using passwords as encryption keys.

(Even using a strong memory-hard password hash like scrypt — with crazy huge parameters — probably won’t save a user who chooses a crappy password. Blame phone manufacturers for making it painful to type in complicated passwords by forcing you to type them so often.)

So what’s Apple to do?

So Apple finds itself in a situation where they can’t trust the user to pick a strong password. They can’t trust their own infrastructure. And they can’t trust themselves. That’s a problem. Fundamentally, computer security requires some degree of trust — someone has to be reliable somewhere.

Apple’s solution is clever: they decided to make something more trustworthy than themselves. To create a new trust anchor, Apple purchased a bunch of fancy devices called Hardware Security Modules, or HSMs. These are sophisticated, tamper-resistant specialized computers that store and operate with cryptographic keys, while preventing even malicious users from extracting them. The high-end HSMs Apple uses also allow the owner to include custom programming.

Rather than trusting Apple, your phone encrypts its secrets under a hardcoded 2048-bit RSA public key that belongs to Apple’s HSM. It also encrypts a function of your device passcode, and sends the resulting encrypted blob to iCloud. Critically, only the HSM has a copy of the corresponding RSA decryption key, thus only the HSM can actually view any of this information. Apple’s network sees only an encrypted blob of data, which is essentially useless.

When a user wishes to recover their secrets, they authenticate themselves directly to the HSM. This is done using a user’s “iCloud Security Code” (iCSC), which is almost always your device passcode — something most people remember after typing it every day. This authentication is done using the Secure Remote Password protocol, ensuring that Apple (outside of the HSM) never sees any function of your password.

Now, I said that device passcodes are lousy secrets. That’s true when we’re talking about using them as encryption keys — since offline decryption attacks allow the attacker to make an unlimited number of attempts. However, with the assistance of an HSM, Apple can implement a common-sense countermeasure to such attacks: they limit you to a fixed number of login attempts. This is roughly the same protection that Apple implements on the devices themselves.
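The two halves of this argument, as an added Python model that is not code from the original post and not Apple's implementation: first, a passcode used directly as an encryption key falls to an offline search over its whole code space; second, the same passcode placed behind an HSM that alone can open the escrow record and that counts failed attempts. Assumptions made for the model: PBKDF2 stands in for a memory-hard KDF such as scrypt, a symmetric key held only by the HSM object stands in for the HSM's 2048-bit RSA key pair, a salted passcode hash stands in for the SRP verifier, the attempt limit of 10 is assumed (the post gives no figure), and the passcode and keychain secret are constructed sample values.

```python
"""Toy model of passcode-protected escrow: passcode-as-key (offline attackable) versus a
rate-limiting HSM that alone can open the record. Illustration only, not Apple's design."""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100  # kept tiny so the demo runs in seconds; a real deployment uses far more


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Passcode -> 32-byte key. PBKDF2 stands in for scrypt; a costlier KDF only scales the work."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((length + 31) // 32))
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-based stream + HMAC tag). Demo only, not a real AEAD."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag check fails)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


def offline_search(blob: bytes, salt: bytes, digits: int) -> Optional[str]:
    """The risk the post describes: with the passcode as the key and no attempt limit,
    whoever holds the blob can try every code until the tag verifies."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        if unseal(derive_key(guess, salt), blob) is not None:
            return guess
    return None


class EscrowHSM:
    """Model of the HSM: only it can open escrow records, and it counts failed attempts per account."""
    MAX_ATTEMPTS = 10  # assumed limit; the post gives no exact figure

    def __init__(self) -> None:
        # Stands in for the HSM's 2048-bit RSA private key: only this object holds it, so nothing
        # outside the HSM (Apple's network, in the post's terms) can read what the phone sends.
        self._hsm_key = secrets.token_bytes(32)
        self._failed = {}

    def escrow_blob(self, passcode: str, secret: bytes) -> bytes:
        """Phone side. The real design seals under the HSM's RSA *public* key; this toy seals with
        the HSM-only key directly, which has the same effect for the model."""
        salt = secrets.token_bytes(16)
        verifier = derive_key(passcode, salt)  # stands in for the SRP password verifier
        return seal(self._hsm_key, salt + verifier + secret)

    def recover(self, account: str, blob: bytes, attempt: str) -> Optional[bytes]:
        """Online recovery: the correct passcode returns the secret; the limit is enforced in the HSM."""
        if self._failed.get(account, 0) >= self.MAX_ATTEMPTS:
            raise PermissionError("account locked: attempt limit reached")
        record = unseal(self._hsm_key, blob)
        salt, verifier, secret = record[:16], record[16:48], record[48:]
        if hmac.compare_digest(verifier, derive_key(attempt, salt)):
            self._failed[account] = 0
            return secret
        self._failed[account] = self._failed.get(account, 0) + 1
        return None


def demo() -> dict:
    """Constructed sample: a 4-digit passcode protecting one keychain entry."""
    secret = b"keychain: example.com / correct-horse"  # constructed sample secret
    passcode = "2718"                                  # constructed sample passcode

    # 1. Passcode used directly as the key: an offline search over 10^4 codes recovers it.
    salt = secrets.token_bytes(16)
    weak_blob = seal(derive_key(passcode, salt), secret)
    offline = offline_search(weak_blob, salt, digits=4)

    # 2. Same passcode behind the HSM: the blob is useless offline, and online guessing is capped.
    hsm = EscrowHSM()
    blob = hsm.escrow_blob(passcode, secret)
    offline_vs_hsm = offline_search(blob, salt, digits=4)  # no passcode-derived key opens it
    wrong = sum(1 for _ in range(EscrowHSM.MAX_ATTEMPTS) if hsm.recover("alice", blob, "0000") is None)
    try:
        hsm.recover("alice", blob, passcode)  # even the right code is refused once locked
        locked = False
    except PermissionError:
        locked = True
    fresh = EscrowHSM()
    recovered = fresh.recover("bob", fresh.escrow_blob(passcode, secret), passcode)
    return {"offline": offline, "offline_vs_hsm": offline_vs_hsm, "wrong": wrong,
            "locked": locked, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The model leaves out what the post says makes this trustworthy in practice: the attempt counter and the unwrapping key live inside tamper-resistant hardware whose code cannot be changed once the signing cards are destroyed, so the `MAX_ATTEMPTS` check cannot simply be edited out the way it could in this Python class.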

The encrypted contents of the data sent to the HSM (source).

The upshot of all these ideas is that — provided that the HSM works as designed, and that it can’t be reprogrammed — even Apple can’t access your stored data except by logging in with a correct passcode. And they only get a limited number of attempts to guess correctly, after which the account locks.

This rules out both malicious insiders and government access, with one big caveat.

What stops Apple from just reprogramming its HSM?

This is probably the biggest weakness of the system, and the part that’s driving the “backdoor” concerns above. You see, the HSMs Apple uses are programmable. This means that — as long as Apple still has the code signing keys — the company can potentially update the custom code it includes on the HSM to do all sorts of things.

These things might include: programming the HSM to output decrypted escrow keys. Or disabling the maximum login attempt counting mechanism. Or even inserting a program that runs a brute-force dictionary attack on the HSM itself. This would allow Apple to brute-force your passcode and/or recover your passwords.

Fortunately Apple has thought about this problem and taken steps to deal with it. Note that on HSMs like the one Apple is using, the code signing keys live on a special set of admin smartcards. To remove these keys as a concern, once Apple is done programming the HSM, they run these cards through a process that they call a “physical one-way hash function”.

If that sounds complicated, here’s Ivan’s slightly simpler explanation.

So, with the code signing keys destroyed, updating the HSM to allow nefarious actions should not be possible. Pretty much the only action Apple can take is to wipe the HSM, which would destroy the HSM’s RSA secret keys and thus all of the encrypted records it’s responsible for. To make sure all admin cards are destroyed, the company has developed a complex ceremony for controlling the cards prior to their destruction. This mostly involves people making assertions that they haven’t made copies of the code signing key — which isn’t quite foolproof. But overall it’s pretty impressive.

The downside for Apple, of course, is that there had better not be a bug in any of their programming. Because right now there’s nothing they can do to fix it — except to wipe all of their HSMs and start over.

Couldn’t we use this idea to implement real crypto backdoors?

A key assertion I’ve heard is that if Apple can do this, then surely they can do something similar to escrow your keys for law enforcement. But looking at the system shows this isn’t true at all.

To be sure, Apple’s reliance on a Hardware Security Module indicates a great deal of faith in a single hardware/software solution for storing many keys. Only time will tell if that faith is really justified. To be honest, I think it’s an overly-strong assumption. But iCloud Keychain is opt-in, so individuals can decide for themselves whether or not to take the risk. That wouldn’t be true of a mandatory law enforcement backdoor.

But the argument that Apple has enabled a law enforcement backdoor seems to miss what Apple has actually done. Instead of building a system that allows the company to recover your secret information, Apple has devoted enormous resources to locking themselves out. Only customers can access their own information. In other words, Apple has decided that the only way they can hold this information is if they don’t even trust themselves with it.

That’s radically different from what would be required to build a mandatory key escrow system for law enforcement. In fact, one of the big objections to such a backdoor — which my co-authors and I recently outlined in a report — is the danger that any of the numerous actors in such a system could misuse it. By eliminating themselves from the equation, Apple has effectively neutralized that concern.

If Apple can secure your passwords this way, then why don’t they do the same for your backed up photos, videos, and documents?

That’s a good question. Maybe you should ask them?

Guccifer 2.0 Leaks Personal Info of Nearly 200 Congressional Democrats

The hacker, who recently claimed responsibility for the high-profile hack of Democratic National Committee (DNC), has now taken credit for hacking into the Democratic Congressional Campaign Committee (DCCC) as well.

To prove his claims, the hacker, going by the moniker Guccifer 2.0, dumped on Friday night a massive amount of personal information belonging to nearly 200 Democratic House