A Few Thoughts on Cryptographic Engineering

Some random thoughts about crypto. Notes from a course I teach. Pictures of my dachshunds.

Matthew Green, in Apple, January 16, 2018 / January 18, 2018, 1,486 words

Apple in China: who holds the keys?

Last week Apple made an announcement describing changes to the iCloud service (https://support.apple.com/en-us/HT208352) for users residing in mainland China. Beginning on February 28th, all users who have specified China as their country/region will have their iCloud data transferred to the GCBD (https://english.gzdata.com.cn/) cloud services operator in Guizhou, China.

Chinese news sources (https://tech.sina.cn/apple/2018-01-10/detail-ifyqiwuw8935143.d.html?from=wap) optimistically describe the move as a way to offer improved network performance to Chinese users, while Apple admits (https://support.apple.com/en-us/HT208352) that the change was mandated by new Chinese regulations (https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996) on cloud services. Both explanations are almost certainly true. But neither answers the following question: regardless of where it’s stored, how secure is this data?

Apple offers the following (https://www.theverge.com/2018/1/10/16873698/apple-china-icloud-data-government-regulations):

“Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems”
That sounds nice. But what, precisely, does it mean? If Apple is storing user data on Chinese
services, we have to at least accept the possibility that the Chinese government might wish
to access it — and possibly without Apple’s permission. Is Apple saying that this is
technically impossible?

This is a question, as you may have guessed, that boils down to encryption.

Does Apple encrypt your iCloud backups?

Unfortunately there are many different answers to this question, depending on which part of
iCloud you’re talking about, and — ugh — which definition you use for “encrypt”. The
dumb answer is the one given in the chart on the right: all iCloud data probably is
encrypted. But that’s the wrong question. The right question is: who holds the key(s)?

There’s a pretty simple thought experiment you can use to figure out whether you (or a provider) control your encryption keys. I call it the “mud puddle test” (https://blog.cryptographyengineering.com/2012/04/05/icloud-who-holds-key/). It goes like this:

Imagine you slip in a mud puddle, in the process (1) destroying your phone, and (2) developing temporary amnesia that causes you to forget your password. Can you still get your iCloud data back? If you can (with the help of Apple Support), then you don’t control the key.

With one major exception — iCloud Keychain (https://support.apple.com/en-us/HT204085), which I’ll discuss below — iCloud fails the mud puddle test. That’s because most Apple files are not end-to-end encrypted. In fact, Apple’s iOS security guide (https://www.apple.com/business/docs/iOS_Security_Guide.pdf) is clear that it sends the keys for encrypted files out to iCloud.

Image caption: This (https://support.apple.com/en-us/HT202303) kind of thing is Not Helpful.

However, there is a wrinkle. You see, iCloud isn’t entirely an Apple service, not even here in the good-old U.S.A. In fact, the vast majority of iCloud data isn’t actually stored by Apple at all. Every time you back up your phone, your (encrypted) data is transmitted directly to a variety of third-party cloud service providers including Amazon, Google and Microsoft.

And this is, from a privacy perspective, mostly** fine! Those services act merely as “blob stores”, storing unreadable encrypted data files uploaded by Apple’s customers. At least in principle, Apple controls the encryption keys for that data, ideally on a server located in a dedicated Apple datacenter.*

Image caption: A list of HTTPS requests made during an iCloud backup from an iPhone. The bottom two addresses are Amazon and Google Cloud Services “blob” stores.

So what exactly is Apple storing in China?

Good question!

You see, it’s entirely possible that the new Chinese cloud stores will perform the same task
that Amazon AWS, Google, or Microsoft do in the U.S. That is, they’re storing encrypted
blobs of data that can’t be decrypted without first contacting the iCloud mothership back in
the U.S. That would at least be one straightforward reading of Apple’s announcement, and
it would also be the most straightforward mapping from iCloud’s current architecture and
whatever it is Apple is doing in China.

Of course, this interpretation seems hard to swallow. In part this is due to the fact that some
of the new Chinese regulations appear to include guidelines
(http://www.pillarlegalpc.com/en/news/wp-content/uploads/2017/06/Pillar-Legal-China-
Regulation-Watch-China-to-Strengthen-Regulatory-Oversight-of-Cloud-Services-2017-06-
16.pdf) for user monitoring. I’m no lawyer, and certainly not an expert in Chinese law — so
I can’t tell you if those would apply to backups. But it’s at least reasonable to ask whether
Chinese law enforcement agencies would accept the total inability to access this data
without phoning home to Cupertino, not to mention that this would give Apple the ability
to instantly wipe all Chinese accounts. Solving these problems (for China) would require
Apple to store keys as well as data in Chinese datacenters.

The critical point is that these two interpretations are not compatible. One implies that Apple is
simply doing business as usual. The other implies that they may have substantially
weakened the security protections of their system — at least for Chinese users.

And here’s my problem. If Apple needs to fundamentally rearchitect iCloud to comply with
Chinese regulations, that’s certainly an option. But they should say explicitly and
unambiguously what they’ve done. If they don’t make things explicit, then it raises the
possibility that they could make the same changes for any other portion of the iCloud
infrastructure without announcing it.

It seems like it would be a good idea for Apple just to clear this up a bit.

You said there was an exception. What about iCloud Keychain?

I said above that there’s one place where iCloud passes the mud puddle test. This is Apple’s
Cloud Key Vault (https://www.schneier.com/blog/archives/2016/09/apples_cloud_ke.html),
which is currently used to implement iCloud Keychain (https://support.apple.com/en-
us/HT204085). This is a special service that stores passwords and keys for applications,
using a much stronger protection level than is used in the rest of iCloud. It’s a good model
for how the rest of iCloud could one day be implemented.

For a description, see here (https://blog.cryptographyengineering.com/2016/08/13/is-apples-cloud-key-vault-crypto/). Briefly, the Cloud Key Vault uses a specialized piece of hardware called a Hardware Security Module (HSM) to store encryption keys. This HSM is a physical box located on Apple property. Users can access their own keys if and only if they know their iCloud Keychain password — which is typically the same as the PIN/password on your iOS device. However, if anyone attempts to guess this PIN too many times, the HSM will wipe that user’s stored keys.

The critical thing is that the “anyone” mentioned above includes even Apple themselves. In
short: Apple has designed a key vault that even they can’t be forced to open. Only
customers can get their own keys.
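To make the property concrete, here is a toy model of a PIN-gated escrow vault of the kind described above. It is an added illustration written for this page, not Apple's Cloud Key Vault protocol or code, and it uses only the Python standard library: the wrapping cipher (a SHAKE-256 keystream plus an HMAC tag), the guess budget `MAX_ATTEMPTS`, the PBKDF2 iteration count and the vault-internal secret `_hsm_secret` are all assumptions made for the demo. The point it shows is the one the text makes: the vault, not the client and not the operator, counts failed PIN guesses and destroys the record when the budget runs out, and because the vault's own non-exportable secret is mixed into the PIN derivation, an exported copy of the record is useless without going through the vault. It also passes the mud puddle test by construction: no PIN, no key.

```python
"""Toy model of a PIN-gated key vault. Added illustration, not Apple's design or code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 10           # assumed guess budget before the record is destroyed
PBKDF2_ITERATIONS = 50_000  # assumed work factor for stretching the PIN


@dataclass
class EscrowRecord:
    salt: bytes
    wrapped_key: bytes
    tag: bytes
    attempts_left: int = MAX_ATTEMPTS
    wiped: bool = False


class KeyVault:
    """The HSM side. Holds a non-exportable secret mixed into every PIN derivation, so the
    only way to test a PIN is through `recover`, where the vault counts failures and wipes."""

    def __init__(self) -> None:
        self._hsm_secret = secrets.token_bytes(32)   # never leaves the vault in this model
        self._records: Dict[str, EscrowRecord] = {}

    def _kek(self, pin: str, salt: bytes) -> bytes:
        # Slow PIN hash, then bind it to the vault's own secret (64-byte key-encryption key).
        stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.new(self._hsm_secret, stretched, hashlib.sha512).digest()

    @staticmethod
    def _keystream(enc_key: bytes, n: int) -> bytes:
        # Demo stream cipher standing in for a real key-wrap algorithm.
        return hashlib.shake_256(b"vault-demo|" + enc_key).digest(n)

    def enroll(self, user: str, pin: str, keychain_key: bytes) -> None:
        """Escrow `keychain_key` so that only the correct PIN can release it."""
        salt = secrets.token_bytes(16)
        kek = self._kek(pin, salt)
        enc_key, mac_key = kek[:32], kek[32:]
        ks = self._keystream(enc_key, len(keychain_key))
        wrapped = bytes(a ^ b for a, b in zip(keychain_key, ks))
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        self._records[user] = EscrowRecord(salt, wrapped, tag)

    def recover(self, user: str, pin: str) -> Optional[bytes]:
        """Return the escrowed key for a correct PIN; count wrong guesses and wipe on exhaustion."""
        rec = self._records[user]
        if rec.wiped:
            return None
        kek = self._kek(pin, rec.salt)
        enc_key, mac_key = kek[:32], kek[32:]
        expected = hmac.new(mac_key, rec.salt + rec.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.tag):
            rec.attempts_left -= 1
            if rec.attempts_left == 0:
                # Budget exhausted: destroy the record. Nobody, operator included, can undo this.
                rec.wrapped_key = b""
                rec.tag = b""
                rec.wiped = True
            return None
        rec.attempts_left = MAX_ATTEMPTS   # a correct PIN resets the budget
        ks = self._keystream(enc_key, len(rec.wrapped_key))
        return bytes(a ^ b for a, b in zip(rec.wrapped_key, ks))

    def status(self, user: str) -> str:
        rec = self._records[user]
        return "wiped" if rec.wiped else f"{rec.attempts_left} attempts left"

    def operator_export(self, user: str) -> EscrowRecord:
        """Everything an operator can read out of storage: salt, wrapped key, tag. Without the
        PIN and the vault-internal secret this is opaque, which is why the operator cannot open it."""
        return self._records[user]


def demo() -> dict:
    vault = KeyVault()
    keychain_key = secrets.token_bytes(32)   # constructed: stands in for a user's keychain key
    vault.enroll("alice", "482916", keychain_key)
    results = {
        "wrong_pin": vault.recover("alice", "000000"),                      # None
        "right_pin_matches": vault.recover("alice", "482916") == keychain_key,  # True
    }
    for _ in range(MAX_ATTEMPTS):   # a client that keeps guessing uses up the whole budget
        vault.recover("alice", "111111")
    results["after_wipe"] = vault.recover("alice", "482916")   # None: the right PIN no longer helps
    results["status"] = vault.status("alice")                   # "wiped"
    return results


if __name__ == "__main__":
    print(demo())
```

Run it and the last two results are the interesting ones: once the budget is spent, even the correct PIN returns nothing, and `operator_export` never returned more than the wrapped record. The real design relies on the HSM's secret being physically non-exportable; the model only asserts that by keeping it in a private attribute.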

What’s strange about the recent Apple announcement is that users in China will apparently still have access to (https://support.apple.com/en-us/HT208352) iCloud Keychain. This means that either (1) at least some data will be totally inaccessible to the Chinese government, or (2) Apple has somehow weakened the version of Cloud Key Vault deployed to Chinese users. The latter would be extremely unfortunate, and it would raise even deeper questions about the integrity of Apple’s systems.

Probably there’s nothing funny going on, but this is an example of how Apple’s vague (and
imprecise) explanations make it harder to trust their infrastructure around the world.

So what should Apple do?

Unfortunately, the problem with Apple’s disclosure of its China news is, well, really just a version of the same problem that’s existed with Apple’s entire approach to iCloud.

Where Apple provides overwhelming detail about their best security systems (file encryption, iOS, iMessage (https://www.apple.com/business/docs/iOS_Security_Guide.pdf)), they provide distressingly little technical detail about the weaker links like iCloud encryption. We know that Apple can access and even hand over iCloud backups (https://www.theverge.com/2016/2/22/11093798/apple-fbi-encryption-fight-icloud-san-bernardino) to law enforcement. But what about Apple’s partners? What about keychain data? How is this information protected? Who knows.

This vague approach to security might make it easier for Apple to brush off the security impact of changes like the recent China news (“look, no backdoors!”). But it also confuses the picture, and calls into doubt any technical security improvements that Apple might be planning to make in the future. For example, this article from 2016 claims that Apple is planning stronger overall encryption for iCloud (https://9to5mac.com/2016/02/25/apple-working-on-stronger-icloud-backup-encryption-and-iphone-security-to-counter-fbi-unlock-requests/). Are those plans scrapped? And if not, will those plans fly in the new Chinese version of iCloud? Will there be two technically different versions of iCloud? Who even knows?

And at the end of the day, if Apple can’t trust us enough to explain how their systems work,
then maybe we shouldn’t trust them either.

Notes:

* This is actually just a guess. Apple could also outsource their key storage to a third-party
provider, even though this would be dumb.

** A big caveat here is that some iCloud backup systems use convergent encryption (https://en.wikipedia.org/wiki/Convergent_encryption), also known as “message locked encryption”. The idea in these systems is that file encryption keys are derived by hashing the file itself. Even if a cloud storage provider does not possess encryption keys, it might be able to test if a user has a copy of a specific file. This could be problematic. However, it’s not really clear from Apple’s documentation if this attack is feasible. (Thanks to RPW (https://twitter.com/esizkur) for pointing this out.)
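The footnote's concern is easy to see in code. What follows is an added example written for this page, not Apple's code and not a description of how iCloud derives keys: it implements textbook convergent encryption (key = hash of the file) with a stand-in stream cipher built from SHAKE-256, shows why a blob store that holds only ciphertexts can still tell which users uploaded a file it already knows, and puts next to it one mitigation (deriving the key as an HMAC under a per-user secret the store never sees) that closes the check at the cost of cross-user deduplication. The mitigation, the `BlobStore` class and the sample files are all constructed for the demo.

```python
"""Convergent encryption: the file-confirmation problem and a keyed variant that avoids it.
Added illustration; the cipher, store and mitigation are assumptions made for the demo."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Deterministic demo stream cipher: same key and same data always give the same bytes.
    ks = hashlib.shake_256(b"ce-demo|" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def convergent_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Message-locked: key = H(file). Anyone holding the file can recompute key and ciphertext."""
    key = hashlib.sha256(plaintext).digest()
    return key, _xor_keystream(key, plaintext)


def keyed_encrypt(user_secret: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Mitigation (assumed): key = HMAC(user_secret, file). Still deterministic for one user,
    so a user's own duplicates dedupe, but different users produce unrelated blobs."""
    key = hmac.new(user_secret, plaintext, hashlib.sha256).digest()
    return key, _xor_keystream(key, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_keystream(key, ciphertext)


class BlobStore:
    """What a third-party blob store sees: opaque ciphertexts per user, and no keys."""

    def __init__(self) -> None:
        self.blobs: Dict[str, List[bytes]] = {}

    def put(self, user: str, ciphertext: bytes) -> None:
        self.blobs.setdefault(user, []).append(ciphertext)

    def users_holding(self, ciphertext: bytes) -> List[str]:
        return sorted(u for u, cts in self.blobs.items() if ciphertext in cts)

    def unique_blob_count(self) -> int:
        # How much deduplication the store gets: equal ciphertexts need storing only once.
        return len({ct for cts in self.blobs.values() for ct in cts})


def confirmation_check(store: BlobStore, known_file: bytes) -> List[str]:
    """The risk in the footnote: with keys derived from the file alone, a store that has no keys
    can still recompute the blob for a file it already knows and see which users hold it."""
    _, ct = convergent_encrypt(known_file)
    return store.users_holding(ct)


def demo() -> dict:
    # Constructed sample files; "known_doc" stands for any file the store already has a copy of.
    known_doc = b"constructed sample: a widely shared document"
    private_doc = b"constructed sample: a file only one user has"
    uploads = [("alice", known_doc), ("bob", private_doc), ("carol", known_doc)]

    convergent_store = BlobStore()
    for user, doc in uploads:
        convergent_store.put(user, convergent_encrypt(doc)[1])

    keyed_store = BlobStore()
    user_secrets = {user: secrets.token_bytes(32) for user, _ in uploads}  # held by users, never uploaded
    for user, doc in uploads:
        keyed_store.put(user, keyed_encrypt(user_secrets[user], doc)[1])

    return {
        "convergent_hits": confirmation_check(convergent_store, known_doc),  # ['alice', 'carol']
        "keyed_hits": confirmation_check(keyed_store, known_doc),            # []
        "convergent_unique_blobs": convergent_store.unique_blob_count(),     # 2: dedup across users
        "keyed_unique_blobs": keyed_store.unique_blob_count(),               # 3: that dedup is gone
    }


if __name__ == "__main__":
    print(demo())
```

The two `unique_blobs` counts are the trade-off in one number: convergent encryption is attractive to a provider precisely because identical files collapse to one stored blob, and that same determinism is what lets the provider test for a known file. Whether the check is feasible against a given deployment depends on details the documentation does not give, which is the footnote's point.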
