How robust is your Mac’s encryption?

For well over a decade, those of us who’ve been using Messages have enjoyed end-to-end encryption, ensuring that our communications remain confidential, and can’t be read by anyone else. This allows us to exchange bank details and discuss private matters without the fear of someone else learning those secrets. For those who live or work in states that spy on citizens, for journalists who report on controversial matters, and for many others, robust encryption can literally be a life-saver. For others who live in what used to be liberal and open democracies where the use of robust encryption is now under threat, I wonder how long it will be before those dangers extend to countries like the UK.

Apple has recently announced changes to encryption used by Messages, or to give it the name of its underlying service, iMessage. This article explains why this is necessary, and how it affects us now and in the future.

No practical method of encryption is unbreakable. Given sufficient computing resources and determination, any key can in principle be recovered; the goal is to make that so expensive that it would take far too long to be feasible for any likely attacker. A regular hacker or criminal doesn’t have access to vast computing resources, and is likely to abandon attempts quickly. The biggest danger comes from state security services and their proxies, who may well be prepared to store today’s intercepted traffic and wait years until better methods become available, such as those expected from quantum computing.

Quantum computing

Conventional computers work with absolute values, in binary 0s and 1s. Everything in your Mac reduces to those bits, either 0 or 1 and never anything in between. Quantum computing instead works with qubits, which can exist in a superposition of both states until measured, when the outcome is probabilistic. That changes what can be computed efficiently: some problems that are intractable for binary computers can, given a suitable quantum computer, be solved in far shorter times. The two results that matter for encryption are Shor’s algorithm, which would break the public-key methods in wide use today (RSA and elliptic curve cryptography, whose security rests on factoring and discrete logarithms), and Grover’s algorithm, which only halves the effective key length of symmetric ciphers such as AES, so AES-256 would retain roughly 128-bit strength.

Progress in making real quantum computers has been painfully slow. These are normally measured in terms of the number of qubits they can handle. The first two-qubit quantum computer was demonstrated in 1998; Google and NASA claimed in 2019 that their Sycamore processor had 53 working qubits, and this year Finland is hoping to reach 50 qubits too. Raw qubit counts are misleading, though: those are noisy physical qubits, and estimates for running Shor’s algorithm against RSA-2048 require thousands of error-corrected logical qubits, which translates into millions of physical ones. It’s still speculation as to whether such quantum computers will ever be built. If and when they are, they’ll transform approaches to robust encryption.

Post-quantum solutions

Defences against quantum attack have been developing for almost as long as the threat. One approach, quantum key distribution, proposed as long ago as 1984, uses quantum physics itself to exchange keys, but needs dedicated optical links and is impractical for a service like iMessage. The other, post-quantum cryptography, uses mathematical problems such as those based on lattices that are believed to be hard for quantum computers as well as conventional ones, and runs on today’s hardware. It’s the latter that has been flourishing long before quantum computers become available to break current methods of encryption, and it’s the basis of Apple’s changes.

Almost a month ago, Apple’s Security Engineering and Architecture (SEAR) team announced that iMessage is going to adopt a new cryptographic protocol, PQ3, to ensure robust protection when quantum computing becomes feasible. PQ3 is designed to make the encryption used in iMessage robust against attack by quantum computers of the future, specifically in what Apple terms Harvest Now, Decrypt Later attacks, where today’s encrypted data are stored until methods become available to decrypt them. Contact Key Verification, which arrived a little earlier, isn’t post-quantum in itself, but protects a different part of the system: it ensures that the public keys you encrypt to really belong to your contacts, as post-quantum encryption to an impostor’s key would protect nothing.

Contact Key Verification

Apple added this new feature to iMessage late last year, as an option for those whose Macs and devices are all running iOS 17.2, macOS 14.2 or later. This addresses potential weaknesses in the way that iMessage distributes the public keys used to perform its end-to-end encryption.

When encrypting data locally, protecting the keys used is vital, and in modern Macs is accomplished by generating and holding them in the Secure Enclave, from which they can’t be extracted. For iMessage to work, your Macs and devices also have to give others a means of encrypting data that can only be decrypted at your end, and that’s performed using asymmetric keys: the other end uses your public key to encrypt data, which can then only be decrypted using your private key, which never leaves your device.

That in turn requires iMessage to maintain a key directory service, from which public keys can be fetched. A compromised directory could hand a contact an attacker’s public key in place of yours, letting the attacker read messages intended for you, and neither of you would notice. Contact Key Verification counters that with key transparency: the keys served by the directory are recorded in a verifiable, append-only log, your own devices check that the log’s entry for you matches the keys they hold, and contacts can confirm they’re seeing the same log, or compare a verification code in person, so the directory can’t serve different keys to different people without detection. Apple provides technical details in this article.
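As an added illustration of the key-transparency idea behind Contact Key Verification (this is example code, not Apple’s implementation, and the user names, keys and directory contents are constructed for the demo), the following models a key directory as a Merkle tree. Each lookup returns a key together with an inclusion proof against the tree’s root. A proof is easy to verify, a substituted key fails verification against the honest root, and a directory that keeps two versions of the log (a “split view”, one for the victim and one for her contact) is caught as soon as the two parties compare the roots they were served, which is what comparing verification codes achieves.

```python
import hashlib
from typing import Dict, List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user_id: str, public_key: bytes) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01).
    return _h(b"\x00" + user_id.encode() + b"\x00" + public_key)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd levels duplicate the last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    # Returns (sibling_hash, sibling_is_on_right) pairs from leaf up to the root.
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        proof.append((level[i ^ 1], i % 2 == 0))
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, on_right in proof:
        h = node_hash(h, sibling) if on_right else node_hash(sibling, h)
    return h == root


def lookup(directory: Dict[str, bytes], user: str):
    """Directory answer: the key, an inclusion proof, and the log root it was served with."""
    ids = sorted(directory)
    leaves = [leaf_hash(u, directory[u]) for u in ids]
    return directory[user], inclusion_proof(leaves, ids.index(user)), merkle_root(leaves)


# Constructed data for the demo; real keys would be the devices' public keys.
ALICE_KEY = b"alice-public-key (constructed)"
EVE_KEY = b"eve-public-key (constructed)"
HONEST = {"alice": ALICE_KEY, "bob": b"bob-key (constructed)", "carol": b"carol-key (constructed)"}


def substituted_key_passes() -> bool:
    # Can the directory hand out Eve's key for Alice while keeping the honest root?
    _, proof, root = lookup(HONEST, "alice")
    return verify_inclusion(leaf_hash("alice", EVE_KEY), proof, root)


def split_view_detected() -> bool:
    # Malicious directory: Alice sees her real key, Bob is served Eve's key for "alice".
    split = dict(HONEST, alice=EVE_KEY)
    key_a, proof_a, root_for_alice = lookup(HONEST, "alice")   # Alice audits her own entry
    key_b, proof_b, root_for_bob = lookup(split, "alice")      # what Bob is shown
    # Each view is internally consistent, so proofs alone don't reveal the attack...
    assert verify_inclusion(leaf_hash("alice", key_a), proof_a, root_for_alice)
    assert verify_inclusion(leaf_hash("alice", key_b), proof_b, root_for_bob)
    # ...but the roots differ, which comparing them out of band exposes.
    return root_for_alice != root_for_bob
```

The odd number of users exercises the padding path; a production log would additionally sign each root and publish consistency proofs between successive roots so that the directory can’t quietly rewrite history.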

Post-quantum encryption

Although the encryption method used in iMessage remains secure at present, there’s a real danger that at some time in the foreseeable future it will be broken if quantum computing becomes available to those most determined to intercept and decrypt your messages. The next step is therefore to change the encryption used by iMessage to make it resistant to future attack by quantum computing. That requires not only new methods for establishing keys, but protection for the keys as well. Those must be achievable on today’s Macs and devices, and not themselves rely on being run on a quantum computer.

Apple has most recently explained how it’s introducing a new protocol, PQ3, designed to be robust to quantum computer attack. This is a hybrid: it keeps the current Elliptic Curve key agreement (ECDH on P-256) and combines it with the post-quantum key encapsulation method Kyber, so an attacker would have to break both, and it enhances protection for keys. Changing to PQ3 isn’t instant, and Apple is rolling it out progressively across its iMessage service, starting with macOS 14.4, iOS 17.4, iPadOS 17.4 and watchOS 10.4; conversations switch to PQ3 automatically once all the devices involved support it. It doesn’t depend on Contact Key Verification, but the two complement one another, so a first step is to bring all your Macs and devices up to date with the latest release of their operating system, and to enable Contact Key Verification as well.

Post-quantum encryption is likely to be computationally more demanding than using only the current method, although Apple hasn’t yet warned of any additional hardware requirements.

Rekeying

When you open a session in Messages with another person, encryption keys are established for that session. If every message were protected by the same key, an attacker who obtained it could read the whole session. Apple changed that in 2019, when iMessage switched from RSA to Elliptic Curve encryption and started protecting keys in the Secure Enclave of Macs that have one. At the same time, iMessage started to change keys periodically in what’s known as rekeying, so that each key only protects part of a session, limiting the damage in the event that any key is compromised.

With these changes now being made to address the threat posed by quantum computing, iMessage will rekey more frequently, in what Apple terms post-quantum rekeying. This is accomplished inside a session by exchanging fresh post-quantum secrets from which new keys are derived. Because that exchange is itself protected against quantum attack, an adversary who has recorded the traffic in a Harvest Now, Decrypt Later strategy cannot later recover the new keys from it; and because keys are derived one way, a key compromised at one point in the session neither exposes earlier messages nor those sent after the next rekey.
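To make the two properties described above concrete, here is an added example (my own illustration, not Apple’s PQ3 code; all the “shared secrets” are constructed byte strings standing in for the outputs of ECDH and a post-quantum KEM). A session root secret is derived by combining a classical and a post-quantum secret, as the hybrid approach in PQ3 does, and message keys are then produced by a one-way chain. An attacker who steals the chain state can ratchet forward and read messages until the next rekey, but the rekey mixes in fresh secrets they don’t hold, after which their derived keys diverge from the real ones. The earlier keys can’t be recomputed from the stolen state because the chain only runs forwards.

```python
import hashlib
import hmac
from typing import Dict, List


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869) with SHA-256.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes) -> bytes:
    # Single-block HKDF-Expand: one 32-byte output is all this chain needs.
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def hybrid_secret(classical: bytes, post_quantum: bytes) -> bytes:
    # Combine both key-agreement outputs; the result stays unpredictable
    # as long as either input does, which is the point of a hybrid scheme.
    return hkdf_extract(b"hybrid-combiner", classical + post_quantum)


class SendChain:
    """One direction of a session: a one-way chain of message keys."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    @classmethod
    def from_root(cls, root_secret: bytes) -> "SendChain":
        return cls(hkdf_expand(root_secret, b"chain"))

    def next_message_key(self) -> bytes:
        mk = hkdf_expand(self.chain_key, b"msg")
        # Advance one way and discard the old state: past keys are unrecoverable.
        self.chain_key = hkdf_expand(self.chain_key, b"next")
        return mk

    def rekey(self, classical: bytes, post_quantum: bytes) -> None:
        # Mix a fresh hybrid secret into the chain: an attacker holding the
        # old state but not these secrets is cut off from here on.
        self.chain_key = hkdf_extract(self.chain_key, hybrid_secret(classical, post_quantum))


def simulate_compromise() -> Dict[str, bool]:
    # Constructed session: the root comes from an initial hybrid key agreement.
    root = hybrid_secret(b"ecdh-secret (constructed)", b"kem-secret (constructed)")
    alice = SendChain.from_root(root)
    real: List[bytes] = [alice.next_message_key() for _ in range(3)]  # messages 1-3

    stolen_state = alice.chain_key                      # attacker copies device state now
    real += [alice.next_message_key() for _ in range(2)]  # messages 4-5 sent after the theft

    alice.rekey(b"fresh-ecdh (constructed)", b"fresh-kem (constructed)")  # unknown to attacker
    real += [alice.next_message_key() for _ in range(2)]  # messages 6-7

    attacker = SendChain(stolen_state)
    guessed = [attacker.next_message_key() for _ in range(4)]  # attacker's keys for 4-7

    return {
        "reads_messages_before_rekey": guessed[:2] == real[3:5],
        "reads_messages_after_rekey": guessed[2:] == real[5:7],
    }
```

Real protocols also ratchet the receiving side and authenticate each rekey message; what this shows is why frequent rekeying bounds the window of a key compromise and why the fresh secrets must themselves be post-quantum, since a harvested rekey exchange is exactly what a future quantum computer would be pointed at.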

Other encryption

Encryption is used extensively in macOS and Apple’s other OSes to provide security and protect privacy. While these enhancements to iMessage are important, it’s by no means the only place that an adversary could use quantum computing to attack encryption. Encrypted email traffic is also open to attack, and can be retained for later attempts at decryption, but that conforms to different standards and protocols that Apple doesn’t control. Otherwise, almost all sensitive data that is currently protected by encryption remains on the Mac or device, where it is protected by symmetric encryption such as the AES used by FileVault, which quantum computing weakens far less than it does public-key methods, and where most keys are now protected by the Secure Enclave, when that’s available.

Summary

Quantum computing poses a real threat to current public-key encryption methods in the future.
Current iMessage sessions could well be decrypted if they are stored under a Harvest Now, Decrypt Later strategy and a sufficiently capable quantum computer is built.
Apple is now introducing PQ3 in iMessage to protect Messages sessions from future attempts at decryption, rolling out with macOS 14.4 and iOS 17.4.
To benefit from those improvements, bring all your Macs and devices up to the current release of their operating systems; Contact Key Verification, which you should also enable, ensures that you’re encrypting to the right keys.