Apple phones are AES-tough, says forensics expert

Aug 14, 2012 by Nancy Owano weblog

(Phys.org) -- Monday's Technology Review carries a glowing tribute to Apple iPhone security according to its author, Simson Garfinkel, a contributing editor who works in computer forensics and is highly regarded as a leader in digital forensics. He says Apple has passed a threshold “Today the Apple iPhone 4S and iPad 3 are trustworthy mobile computing systems that can be used for mobile payments, e-commerce, and the delivery of high-quality paid programming,” thanks to Apple’s heavy investment in iPhone security. That is where “threshold” comes in. Apple has crossed it. Even law enforcement cannot perform forensic examinations of Apple devices seized from criminals, he said.

has a architecture that is so sturdy and so tightly woven into its hardware and software that it is easy for consumers to use encryption on their phones and difficult for someone else to steal the encrypted information, he stated.

The key to 's security architecture strengths is the Advanced Encryption Standard algorithm (AES), a data-scrambling system adopted as a U.S.government standard in 2001. After over ten years of exhaustive analysis, he said, AES is still widely regarded as unbreakable.

(In August last year, AES was cracked, by a team of researchers from Microsoft, Research, KU Leuven and ENS Paris. It was a theoretical, or “academic” crack, with no practical implications. Despite being four times easier than other methods, the number of steps required to crack AES-128 was an 8 followed by 37 zeroes, said one of the team members."To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key," the Leuven University researcher added. Still, their attack unsettled some assumptions about AES.)

Nonetheless, the algorithm is so strong that no computer imaginable for the foreseeable future, even a quantum computer, said Garfinekel, would be able to crack a truly random 256-bit AES key. The National Security Agency has approved AES-256 for storing top-secret data.

A white paper from Apple dated earlier this year about its security features explained that the device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused into the application processor during manufacturing. “Burning these keys into the silicon prevents them from being tampered with or bypassed, and guarantees that they can be accessed only by the AES engine.”

Apple is no doubt fortunate that this security threshold information is circulating, as Garfinkel is a solid authority on the subject of security.

The timing is excellent for Apple branding, considering the exposure another report had recently, where a Wired journalist’s digital life was changed in one day which involved Apple and Amazon. The hackers didn't use any sophisticated algorithms or brute-force attacks to gain access to Mat Honan's online information. They simply called Apple, pretending to be the victim and convinced the Apple specialist to reset the AppleID password. Apple subsequently said it would review its-over-the-phone verification system to prevent such incidents from happening again.

Explore further: Researcher aims to develop system to detect app clones on Android markets

More information: images.apple.com/ipad/business… S_Security_May12.pdf
www.technologyreview.com/news/… -security-threshold/

Related Stories

World's toughest encryption scheme found 'vulnerable'

Aug 23, 2011

It was announced last week that cryptography researchers have found a “vulnerability” in the encryption scheme used in the vast majority of secure online transactions – a scheme known as AES-256. ...

Hacking nightmare victim chastises Apple and Amazon

Aug 07, 2012

(Phys.org) -- Wheezes, whispers, coughs and sidebar remarks might one day crash into a deafening roar: There is a disconnect problem in data management policies involving the technology industry as deployed and utilized. ...

JailBreakMe creator lands internship at Apple

Aug 27, 2011

A 19-year-old New York man who created a program that allows iPhone users to "jailbreak" the device to run unauthorized applications claims to have landed an internship at Apple.

Recommended for you

Gamers' funding fuels meteoric rise of 'Star Citizen'

23 hours ago

Chris Roberts' brain spun out a grand vision: a rich, immersive galaxy; exquisite spaceships traversing between infinite star systems with thousands of computer gamers manning the cockpits, racing, dogfighting and defending ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

Shifty0x88
5 / 5 (1) Aug 15, 2012
So are they saying the new NSA supercomputer can't break little old AES?

I find this kinda hard to believe since I would expect government communications and other stuff the NSA would like to know about would be protected with better encryption.
alfie_null
5 / 5 (2) Aug 15, 2012
Burning these keys into the silicon ... guarantees that they can be accessed only by the AES engine.

Famous last words? Tell me how this prevents other access to this information. People are resourceful when figuring out how to get to this sort of supposedly protected information. In any case, AES isn't a panacea. It's just a symmetric key algorithm.
Telekinetic
not rated yet Aug 15, 2012
"... a glowing tribute to Apple iPhone security according to its author, Simson Garfinkel,"
Except he can't possibly like the sound quality while listening to Simon and Garfunkel.
tkjtkj
not rated yet Aug 17, 2012
"A white paper from Apple dated earlier this year about its security features explained that the device's unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused into the application processor during manufacturing. "Burning these keys into the silicon prevents them from being tampered with or bypassed, and guarantees that they can be accessed only by the AES engine.""


This is OUTRAGEOUS!! Burning in any key at manufacture EQUATES to the 'burner people' having records of what they burned!!!!! And it is trivial to associate any such key, therefore, with any purchaser of the device!!!
Are we seen as fools, gullible to this totally unacceptable scheme????

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.