Archive for February 21, 2024

Wednesday, February 21, 2024

iMessage With PQ3

Apple (via Ivan Krstić, because there is no RSS feed, Hacker News, MacRumors):

Today we are announcing the most significant cryptographic security upgrade in iMessage history with the introduction of PQ3, a groundbreaking post-quantum cryptographic protocol that advances the state of the art of end-to-end secure messaging. With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps. To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world.

[…]

To mitigate risks from future quantum computers, the cryptographic community has been working on post-quantum cryptography (PQC): new public key algorithms that provide the building blocks for quantum-secure protocols but don’t require a quantum computer to run — that is, protocols that can run on the classical, non-quantum computers we’re all using today, but that will remain secure from known threats posed by future quantum computers.

[…]

To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise — both now and with future quantum computers. Therefore, we believe messaging protocols should go even further and attain Level 3 security, where post-quantum cryptography is used to secure both the initial key establishment and the ongoing message exchange, with the ability to rapidly and automatically restore the cryptographic security of a conversation even if a given key becomes compromised.

[…]

Support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already in the corresponding developer preview and beta releases. iMessage conversations between devices that support PQ3 are automatically ramping up to the post-quantum encryption protocol.

The obvious question is: what about iCloud backups? Advanced Data Protection is off by default, and most users leave it off, so most messages are not truly end-to-end encrypted, and this won’t change that. Jason Snell implies that iCloud backup with Advanced Data Protection does support PQ3, but Apple’s blog post doesn’t mention backups or ADP at all.

Steve Troughton-Smith:

Apple’s encryption may be quantum-computer-proof, but it’s not lawmaker-proof. And that’s a weak link that absolutely will be exploited, someday. E2EE is a luxury that can be snatched away in an instant, a false sense of security in an increasingly dangerous world.


Update (2024-02-23): Nick Heer:

Apple says this protocol will begin rolling out with the public releases of iOS 17.4, iPadOS 17.4, MacOS 14.4, and WatchOS 10.4 — missing from that list is VisionOS, though I am not sure I should read anything into that — but it is not clear to me if these operating systems are required for PQ3 encryption. In other words, if a device has not been updated or cannot be updated to these software versions, does that preclude messages from being encrypted using this protocol? If so, that might be true of all iMessage contacts, and it does not appear there is any way of knowing which encryption protocol is being used.

[…]

These are among the many questions I have for Apple, and I expect to hear more as this update approaches its release. However, I do not think I will get an answer to the thing I am most curious about: is a protocol similar to PQ3 going to be used by Apple to secure other end-to-end encrypted data against future threats? It would make sense.

Update (2024-02-27): Bill Toulas:

A significant innovation within PQ3 is its periodic post-quantum rekeying mechanism, a first of its kind for large-scale cryptographic messaging protocols.

This mechanism frequently regenerates new quantum-resistant keys, ensuring maximum security balanced with low impact on user experience.

[…]

Signal’s president Meredith Whittaker stated that they too considered a similar feature, but decided against implementing it until a more mature solution is devised.
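Apple’s description of bounding what a single key compromise exposes, and Toulas’s summary of periodic post-quantum rekeying, both come down to one property: a stolen chain key lets an attacker follow the conversation only until the next time a fresh secret they do not hold is mixed in. The simulation below is an added illustration, not Apple’s PQ3 code; the HMAC-based chain, the labels, and the random bytes standing in for the freshly established post-quantum shared secret are all my constructions.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); the chain cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()

class Ratchet:
    """Minimal symmetric ratchet: one chain key, one message key per message."""
    def __init__(self, chain_key: bytes):
        self.ck = chain_key

    def rekey(self, fresh_secret: bytes) -> None:
        # Mix in a secret the attacker does not hold. This is a stand-in for the
        # post-quantum shared secret the real protocol periodically re-establishes.
        self.ck = kdf(self.ck, b"rekey" + fresh_secret)

    def step(self) -> bytes:
        mk = kdf(self.ck, b"message")    # key for this one message
        self.ck = kdf(self.ck, b"chain")  # advance; the old chain key is discarded
        return mk

def simulate(total: int, rekey_every, compromise_at: int) -> list:
    """Return indices of messages an attacker can read after stealing the chain
    key just before message `compromise_at`. rekey_every=None disables rekeying."""
    honest = Ratchet(secrets.token_bytes(32))
    real_keys, stolen = [], None
    for i in range(total):
        if rekey_every and i > 0 and i % rekey_every == 0:
            honest.rekey(secrets.token_bytes(32))  # constructed fresh secret
        if i == compromise_at:
            stolen = Ratchet(honest.ck)  # attacker snapshots the current state
        real_keys.append(honest.step())
    # The attacker replays the chain forward from the stolen state. Without the
    # fresh secrets, the derived keys stop matching at the first later rekey.
    exposed = []
    for i in range(compromise_at, total):
        if hmac.compare_digest(stolen.step(), real_keys[i]):
            exposed.append(i)
    return exposed

if __name__ == "__main__":
    print("no rekeying:  ", simulate(12, None, 5))  # every message from 5 onward
    print("rekey every 4:", simulate(12, 4, 5))     # only messages 5, 6, 7
```

Messages before the compromise stay protected because each step is one-way, and the rekey interval sets the upper bound on how many later messages a single stolen state can expose.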

John Gruber:

One hole in iMessage’s security story is old devices — those that can’t be upgraded to the latest OS. It’s great that Apple devices tend to be useful for years after they’re no longer capable of running the current OS, but that means that iMessage communication is only as secure as the oldest device in the chat.

[…]

Another hole remains iCloud backups, which, by default, continue to include iMessage message history using keys that Apple controls — which in turn means keys that Apple can, and does, use to turn over data to law enforcement when issued a warrant.

[…]

And even if you have Advanced Data Protection enabled, there’s no way for you to know whether the people you communicate with using iMessage have it enabled.

Bruce Schneier:

I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.

See also: Douglas Stebila.

Signal Usernames

Randall Sarafa (Mastodon, Hacker News):

If you use Signal, your phone number will no longer be visible to everyone you chat with by default.

[…]

If you don’t want to hand out your phone number to chat with someone on Signal, you can now create a unique username that you can use instead (you will still need a phone number to sign up for Signal). Note that a username is not the profile name that’s displayed in chats, it’s not a permanent handle, and not visible to the people you are chatting with in Signal. A username is simply a way to initiate contact on Signal without sharing your phone number.

[…]

If you don’t want people to be able to find you by searching for your phone number on Signal, you can now enable a new, optional privacy setting. This means that unless people have your exact unique username, they won’t be able to start a conversation, or even know that you have a Signal account – even if they have your phone number.

Tjaden Hess:

How does this work under the hood? Let’s take a look!


Update (2024-03-11): Devin Coldewey (via Hacker News):

“Let me start by kind of explaining that with an example. In India recently, it has become a requirement, in order to obtain a SIM card, to submit to a biometric facial recognition scan. That is not just happening in India, we’re seeing a number of jurisdictions where to obtain a phone number, you are required to provide more and more personal information. Some, in some places like Taiwan, that is linked to government ID databases that often get breached and cause a lot of problems,” she said.

[…]

It’s a problem that far larger organizations have trouble addressing, as millions or billions of users register and change names that could in themselves be rules violations — a name is just a short string, and can as easily be “RainbowBubbles” as it can be “Kill_all_[insert slur here].” Impersonation, scams, all kinds of issues are equally possible in username fields as they are in posts or profile fields.

Signal’s solution to this is, basically, to eliminate the ways these methods cause harm at scale, rather than trying to prevent them altogether.

Kaleidoscope 4.3.1

Florian Albrecht:

Now I have several pieces of text in Kaleidoscope, each represented by an entry in the File Shelf. In this case, we can see that “files” in File Shelf can also be temporary clipboard content. Further on in this post, we will also see that they can be the results of Unix pipes or Git revisions of a file.

Most of the time, it’s much quicker to take parts from two different versions that I like. But even then, I tend to change a few bits.

To solve that puzzle, we need a slightly different approach. First, I make sure that the two best versions are selected as A and B. Then I select Merge > New Merge from Comparison from the menu. This opens a new merge document with the two previously selected results as A and B and a merged version in the middle. Now I can copy from A and B to the result as I like, and I can also freely edit the merged result.

Florian Albrecht:

It’s not uncommon that files will be moved or renamed over time in a Git repository. Kaleidoscope can now track those changes. It shows the entire history of a file, across name and path changes. The commit details popover informs about any change in the file’s name or location for that commit. The filter at the bottom of the File History allows searching for all past names of a file.

[…]

Kaleidoscope 4.3 looks at the remote of a Git repository. When it detects a common one, such as a GitHub, GitLab or Bitbucket URL, it tries to be smart and automatically offers links to tickets, commits, and branches.

[…]

The beauty with Kaleidoscope 4.3 is that this Markdown content is now being rendered properly, making digging into past work on a file much easier and more fun.


VirnetX v. Apple Over Because VPN Patents Invalidated

Juli Clover (2023):

Apple has been embroiled in a patent dispute with VirnetX for well over a decade, and the company today won an appeals verdict that could ultimately save it from having to pay VirnetX $502.8 million in patent infringement fees.

[…]

Apple in 2020 was ordered to pay VirnetX $503 million for infringing on VPN patents owned by VirnetX with the iPhone’s VPN on demand feature. The two patents that have been invalidated were involved in that lawsuit, and now Apple might get the entire judgment vacated.

[…]

Regardless of how this case plays out, Apple was forced to pay VirnetX $440 million for violating VirnetX’s communications security patents with the FaceTime and iMessage features.

Juli Clover:

The United States Supreme Court today said that it will not hear the VirnetX vs. Apple patent case, putting an end to a 14-year-long legal battle and ultimately saving Apple $502.8 million.

[…]

After Apple appealed the initial 2020 ruling, it was able to point to the invalidation of the patents and get the initial award vacated by the federal appeals court. VirnetX attempted to escalate the patent invalidation case to the Supreme Court, but has been denied.
