Will your encrypted data be safe in future?

Much of the data handled by our Macs is encrypted to keep it safe. On models with T2 or Apple silicon chips, the whole of the Data volume, including Home folders and more, is encrypted even if you haven’t enabled FileVault. All data held in iCloud is encrypted, even if you haven’t enabled Advanced Data Protection. Every message exchanged using iMessage is encrypted for the whole of its journey between Macs and devices. Yet, as you’ve probably heard, some of the methods in use today, in particular the public-key methods used to exchange keys and verify identities, are likely to be broken in the future with the advent of quantum computing. This article considers the impact that’s likely to have on all our encrypted data. Will government agencies and even hackers gain access to all our secrets?

Pre-quantum encryption

Preferred methods of encryption have changed over the years, to keep pace with the growing computing power available to discover secret keys by brute force. Given sufficient computing resources and determination, it’s ultimately possible to break any practical means of encryption, so the goal is to make that so difficult that it would take far too long to be feasible for any likely attacker. If that’s just a regular hacker or criminal, they’re not going to have access to vast computing resources, and are likely to abandon attempts quickly. The biggest danger comes from state security services and their proxies, who are likely to be more determined, and could already be recording encrypted traffic today to store until better techniques become available, an approach known as Harvest Now, Decrypt Later. Encryption that can’t be broken now therefore also has to resist the attacks of a decade or more hence, for as long as the data it protects remains sensitive.

Quantum computing

Conventional computers work with absolute values, binary 0s and 1s. Everything in your Mac reduces to those bits, either 0 or 1 and never anything in between. Quantum computers instead work with qubits, which can exist in a superposition of 0 and 1 and yield a result only in terms of probability when measured. That changes the kind of algorithm they can run, and some problems that are intractable in the binary world could be solved in far shorter times, given a suitable quantum computer. Two such algorithms matter for encryption: Grover’s algorithm, which speeds up searching an unstructured space such as every possible key, but only by a square root; and Shor’s algorithm, which can factor large numbers and compute discrete logarithms in polynomial time, and so would break RSA and elliptic-curve cryptography, the basis of almost all of today’s public-key encryption and digital signatures.

Progress in making real quantum computers has been painfully slow. They’re normally measured in terms of the number of qubits they can handle. The first two-qubit quantum computer was demonstrated in 1998; Google and NASA claimed in 2019 that they had reached 54 qubits, and this year Finland is hoping to reach 50 qubits too. Raw counts have risen faster than that, with IBM announcing processors of over 1,000 physical qubits in 2023, but those are noisy, short-lived physical qubits. Running Shor’s algorithm against a key of today’s sizes needs thousands of error-corrected logical qubits, each built from many physical ones, and published estimates for breaking a 2048-bit RSA key run to millions of physical qubits. No machine comes close to that yet, and it’s still speculation as to whether such quantum computers will ever come into wide use. If and when they do, they should transform approaches to robust encryption.

Post-quantum solutions

Just as quantum algorithms threaten existing methods of encryption, so work has long been under way on techniques that will resist them. Two different approaches are easily confused. Quantum key distribution, first proposed in 1984 as the BB84 protocol, uses quantum physics itself to exchange keys, but requires dedicated optical links and isn’t something Macs can use. Post-quantum cryptography is conventional mathematics run on conventional computers: algorithms based on lattices, hash functions or error-correcting codes, chosen because no efficient quantum attack against them is known. NIST has been running a standardisation process for those since 2016, and in 2022 selected the lattice-based Kyber key encapsulation mechanism among its first picks. Post-quantum cryptography has therefore been maturing long before quantum computers become available to break current methods of encryption.

Initial implementations of post-quantum cryptography have been mainly directed at systems such as encrypted messaging like iMessage, as they rely on public-key methods and their encrypted data is carried over connections that are relatively easy to intercept. Before your Mac can send an encrypted message via iMessage, it requires a public key provided by the recipient to use for that encryption; that has a paired private key held on the recipient’s Mac that’s used to decrypt the message. An attacker who records both the public keys and the encrypted messages could, at some time in the future, use Shor’s algorithm on a quantum computer to recover the private keys from the public keys, and so decrypt all those stored messages. Nothing about the messages themselves needs to be weak for this to work; the public key alone is enough.

Apple has announced that iMessage is going to start using a new cryptographic protocol, PQ3, this year to ensure robust protection when quantum computing becomes feasible. PQ3 isn’t a single new encryption algorithm: it combines the Kyber post-quantum key encapsulation mechanism with the existing elliptic-curve keys, so an attacker would have to break both to recover a conversation key, and it changes the keys used during a conversation, known as rekeying, so that compromise of one key exposes only a limited span of messages. Contact Key Verification, already available as an option when all Macs and devices at both ends of the connection support it, addresses a different threat: an attacker substituting their own public key for the recipient’s, which quantum computing neither helps nor hinders.
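The following is an added illustration, written for this article and not Apple’s PQ3 code, of why rekeying with a hybrid secret matters. It runs a one-way symmetric ratchet for two parties, lets an attacker capture the current chain key, and then shows what that attacker can and cannot derive once both parties mix in a fresh secret made of a classical half and a post-quantum half. The 32-byte secrets are constructed stand-ins for the output of an elliptic-curve Diffie-Hellman exchange and of a post-quantum KEM such as Kyber; no real key agreement is performed, and the class and function names are hypothetical.

```python
# Added illustration (not Apple's PQ3 code): a one-way symmetric ratchet with
# periodic hybrid rekeying. The 32-byte "shared secrets" passed in are
# constructed stand-ins for an ECDH output and a post-quantum KEM output.
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256 keyed with the current chain key."""
    return hmac.new(key, label, hashlib.sha256).digest()


class Chain:
    """One party's view of a conversation: only the current chain key is kept."""

    def __init__(self, root_secret: bytes):
        self.chain_key = kdf(root_secret, b"chain-init")

    @classmethod
    def from_chain_key(cls, chain_key: bytes) -> "Chain":
        """Build a chain from a captured chain key (what an attacker would hold)."""
        obj = cls.__new__(cls)
        obj.chain_key = chain_key
        return obj

    def next_message_key(self) -> bytes:
        """Step the ratchet: emit a per-message key and overwrite the chain key.
        kdf() is one-way, so the new chain key reveals neither the old one nor
        any earlier message key."""
        message_key = kdf(self.chain_key, b"message-key")
        self.chain_key = kdf(self.chain_key, b"chain-step")
        return message_key

    def rekey(self, ecdh_secret: bytes, pq_secret: bytes) -> None:
        """Mix a freshly agreed hybrid secret into the chain. Both halves are
        needed: an attacker who later recovers ecdh_secret with Shor's
        algorithm still lacks pq_secret."""
        self.chain_key = kdf(self.chain_key, b"rekey" + ecdh_secret + pq_secret)


def simulate(root_secret: bytes, fresh_ecdh: bytes, fresh_pq: bytes) -> dict:
    """Run Alice and Bob in lock-step, then model an attacker who captured
    Alice's chain key mid-conversation and who can break ECDH but not the
    post-quantum KEM."""
    alice, bob = Chain(root_secret), Chain(root_secret)
    before = [alice.next_message_key() for _ in range(3)]
    in_sync = before == [bob.next_message_key() for _ in range(3)]

    # Compromise: the attacker copies Alice's current chain key.
    attacker = Chain.from_chain_key(alice.chain_key)

    # Without rekeying, a one-way ratchet protects the past but not the future.
    matches_before_rekey = alice.next_message_key() == attacker.next_message_key()
    bob.next_message_key()  # keep Bob in step with Alice

    # Periodic rekey: both parties mix in the same fresh hybrid secret.
    alice.rekey(fresh_ecdh, fresh_pq)
    bob.rekey(fresh_ecdh, fresh_pq)
    # The attacker has only the ECDH half and must guess the PQ half.
    attacker.rekey(fresh_ecdh, bytes(32))

    alice_key = alice.next_message_key()
    matches_after_rekey = alice_key == attacker.next_message_key()
    still_in_sync = alice_key == bob.next_message_key()

    return {
        "in_sync": in_sync and still_in_sync,
        "attacker_matches_before_rekey": matches_before_rekey,
        "attacker_matches_after_rekey": matches_after_rekey,
    }


if __name__ == "__main__":
    print(simulate(bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32))
```

The first result shows the limitation of a one-way ratchet alone: once the attacker holds the chain key, every later message key follows from it. The second shows what rekeying buys: as soon as a fresh secret is mixed in, the attacker falls out of step, and because that secret is a hybrid, breaking the elliptic-curve half (the part a future quantum computer could do) is not enough.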

Data storage

Data that needs to be protected in storage, most notably that on the Data volume of your Macs and devices, doesn’t use those asymmetric techniques with their pairs of public and private keys. It uses a symmetric cipher, in which the same key both encrypts and decrypts, and that key never has to be sent to anyone, nor is the data transmitted across external communication systems where it can be intercepted by an attacker.

In Intel Macs with T2 chips and Apple silicon Macs, encryption keys are protected by the Secure Enclave, never leave it, and are never exposed to the main CPU. Attempts to guess the password that unlocks them are throttled by the Secure Enclave: for example, the Secure Enclave Processor allows only 5 attempts to enter a Mac’s password before it increases the time interval enforced between entry attempts, and after 30 unsuccessful attempts no more are allowed at all, and the Mac has to be fully wiped and reset.

Trying to remove internal storage is also designed to frustrate the attacker. Although internal storage is referred to as an SSD, it isn’t a complete drive that could be removed and installed in another computer: most of its controller functionality is performed by the host chip, including its Secure Enclave, and the NAND chips hold only ciphertext. Even models like the Mac Studio that have socketed storage don’t make this easy: remove its special SSD module and it won’t work in another Studio unless it has been completely wiped and reset, destroying its keys and contents.

Apple’s strategy for the protection of encrypted internal storage is thus to block access to the keys at every level, so that an attacker is left with a brute-force search of the key space. Quantum computing changes little there: Grover’s algorithm gives at best a square-root speed-up on such a search, which leaves the AES-256 in XTS mode currently used with about 128-bit security, still far beyond any feasible attack. Should that assessment change, the cipher or key length could be revised, but that is far less pressing than replacing public-key methods.
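As an added worked comparison (not part of the original article), using the standard iteration count for Grover’s algorithm and the key sizes named above:

For a symmetric key of $k$ bits the search space has $N = 2^k$ candidates. Grover’s algorithm needs about
$$ r \approx \frac{\pi}{4}\sqrt{N} = \frac{\pi}{4}\,2^{k/2} $$
sequential quantum evaluations of the cipher. For AES-256, $k = 256$:
$$ r \approx \frac{\pi}{4}\,2^{128} \approx 2^{127.7}. $$
Those iterations must run one after another; spreading the search over $p$ machines reduces the time only to about $\sqrt{N/p}$ while raising the total work to about $\sqrt{Np}$, so the attacker still faces roughly 128-bit work, the same strength AES-128 offers against conventional computers today.

By contrast, recovering a private key from a 256-bit elliptic-curve public key with Shor’s algorithm costs a number of quantum operations polynomial in the key length $n$, on the order of
$$ n^3 = 256^3 = 2^{24} $$
(the exact constants depend on the circuit, and the qubit counts are the real obstacle). The gap between $2^{24}$ and $2^{128}$ is why public-key methods need replacing and symmetric storage encryption does not.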

Summary

Macs use encryption widely to protect data. Although methods remain robust at present, in the future quantum computing is likely to make it feasible to break the public-key methods used to exchange keys, and so decrypt data protected by them without its password.
This is already important for encrypted data sent outside a Mac or device, in particular via iMessage, where state security services could already be gathering data on the basis of Harvest Now, Decrypt Later.
Apple is introducing a new protocol, PQ3, which combines the Kyber post-quantum key encapsulation mechanism with existing elliptic-curve keys and rekeys during conversations, to prevent later decryption of stored iMessage data.
Stored encrypted data, such as the contents of the Data volume, relies instead on symmetric encryption, protection of its keys in the Secure Enclave, limited attempts to guess the password, and inaccessibility of internal storage. Those aren’t threatened by the future availability of quantum computing, which offers only a square-root speed-up against a symmetric key search.