We already know that iOS 17.4 will be a game-changing update for the iPhone, with support for app stores and alternative payments in the EU, a handful of new emoji, and virtual numbers for Apple Cards Cash, but Apple has an additional feature in store when it launches in the coming weeks. In a post on its Security Research blog, Apple introduced a new industry-leading security upgrade for iMessage that “has the strongest security properties of any large-scale messaging protocol in the world.”
This is all very technical, but Apple will be rolling out Post-Quantum Level 3 (PQ3) cryptography, which “is used to secure both the initial key establishment and the ongoing message exchange, with the ability to quickly and automatically restore the cryptographic security of a conversation even if a given key is compromised.” In practical terms, an attacker would have to break two symmetric keys, which goes beyond all available methods used in even the most sophisticated attacks.
Apple notes that Signal was the first large-scale messaging service to use post-quantum cryptography with the recent addition of PQXDH support, which raised the app’s security from Level 1 to Level 2. However, Apple says that the new PQ3 protocol of iMessage takes a further step. Here’s how Apple describes the protocol in action:
When Alice’s device instantiates a new session with Bob’s device, her device queries the IDS server for the keyset associated with Bob’s device. The subset of the key group that contains the authentication key and device version information is validated using Contact Key Verification. The device then validates the signature covering the encryption keys and timestamps, which certifies that the keys are valid and have not expired.
Alice’s device can then use the two public encryption keys to share two symmetric keys with Bob. The first symmetric key is calculated via an ECDH key exchange that combines Alice’s ephemeral encryption key with Bob’s recorded P-256 public key. The second symmetric key is obtained from a Kyber key wrapper with Bob’s post-quantum public key.
This combination ensures that the initial session state cannot be derived without knowing both shared secrets, meaning that an attacker would have to break both algorithms to recover the resulting secret, thus satisfying our hybrid security requirement.
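As an added illustration (not Apple's code, and not the actual PQ3 key schedule, which the quoted post does not spell out), the following Python sketch shows the hybrid-combiner idea from the passage above: an HKDF-based derivation that takes both shared secrets as input, so the session key cannot be computed from either one alone. The two secrets and the transcript are constructed sample bytes standing in for the ECDH and Kyber outputs.

```python
import hashlib
import hmac

# HKDF-SHA256 (RFC 5869), built from the standard library only.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(ecdh_secret: bytes, pq_secret: bytes, transcript: bytes) -> bytes:
    """Combine the classical (ECDH) and post-quantum (KEM) shared secrets.

    Both secrets go into the HKDF input keying material, and the transcript
    (identities and the public keys actually used) goes into the info string,
    so the result is bound to this session and depends on *both* secrets.
    """
    if len(ecdh_secret) != 32 or len(pq_secret) != 32:
        raise ValueError("expected 32-byte shared secrets")
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=ecdh_secret + pq_secret)
    return hkdf_expand(prk, b"hybrid-session-key|" + transcript, 32)

# Constructed stand-ins for the two shared secrets. In the real protocol the
# first comes from ECDH (Alice's ephemeral key with Bob's P-256 key) and the
# second from a Kyber encapsulation against Bob's post-quantum key; here they
# are fixed sample bytes so the example runs offline and deterministically.
ECDH_SS = hashlib.sha256(b"sample ecdh shared secret").digest()
PQ_SS = hashlib.sha256(b"sample kyber shared secret").digest()
TRANSCRIPT = b"alice-device|bob-device|ecdh-pub|pq-pub"

def hybrid_property_holds() -> bool:
    """Return True if an adversary holding only one of the two secrets
    (and a wrong guess for the other) does not arrive at the real key."""
    real = hybrid_session_key(ECDH_SS, PQ_SS, TRANSCRIPT)
    wrong = hashlib.sha256(b"attacker guess").digest()
    only_ecdh = hybrid_session_key(ECDH_SS, wrong, TRANSCRIPT)  # broke ECDH only
    only_pq = hybrid_session_key(wrong, PQ_SS, TRANSCRIPT)      # broke Kyber only
    return real != only_ecdh and real != only_pq and len(real) == 32

if __name__ == "__main__":
    print("hybrid session key:", hybrid_session_key(ECDH_SS, PQ_SS, TRANSCRIPT).hex())
    print("needs both secrets:", hybrid_property_holds())
```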
iMessage has been the entry point for high-profile zero-click attacks by state-linked actors, including the Pegasus spyware from Israel's NSO Group. Apple says the new protocol is essential for protecting against both known attacks and as-yet-unknown future ones, and will also protect against adversaries who have already collected encrypted traffic with the aim of decrypting it later.
Apple says the new protocol will begin rolling out with public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already in public and developer betas.
News Source : www.macworld.com