Hacking an Encrypted Phone

Recent news has the media atwitter with misinformation about hacking phones and encrypted data. Here are some of the basic issues:

Encryption is the process of using a coding technique to obscure information. Simple substitution techniques like using a number for each letter of the alphabet have been in use for many years. These techniques can be easy to crack. But modern encryption uses complex mathematical formulas that have been designed to be “uncrackable”, which really means it takes too long to crack them to be worth the effort.

These modern cryptographic algorithms are public knowledge and can be reproduced in computer programs. The important part is the “key” that is used to encrypt the data. The complexity and length of the key usually determine how long it takes to “crack” the key. Cracking the key can be accomplished by a “brute force” attack that tries every possible combination of characters until the correct key is found.

If the key character set is limited to “AB” and the length of the key is two characters, the possible keys are: AA, AB, BA and BB.

If the character set is “ABC” and the length is three characters, the possible keys include: AAA, AAB, AAC, ABA, ABB, ABC, ACA, ACB, ACC, BAA, BAB, BAC, BBA, BBB, BBC, BCA, BCB, BCC, CAA, CAB, CAC, CBA, CBB, CBC, CCA, CCB, and CCC.

If the character set is “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890” and the length is thirty characters, the list of possible keys becomes huge and the amount of time it takes to try all of them becomes very long even with a powerful computer.

When a modern encryption technique that has no mathematical flaws is used and a long key is selected from a long and complex character set, even the most powerful computers may take thousands of years to find the key, making the brute force technique not reliably usable.
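The arithmetic behind the three examples above, as an added Python sketch that is not part of the original article. The guess rate of one trillion keys per second and all function names are assumptions chosen for illustration.

```python
import itertools
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALNUM = string.ascii_letters + string.digits   # the 62-character set
ASSUMED_RATE = 1e12                            # guesses per second (assumption)

def keyspace(charset: str, length: int) -> int:
    """Number of distinct keys of exactly `length` characters."""
    return len(set(charset)) ** length

def all_keys(charset: str, length: int):
    """Lazily yield every key in order; only sensible for tiny keyspaces."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)

def years_to_exhaust(charset: str, length: int, rate: float = ASSUMED_RATE) -> float:
    """Worst-case years to try every key; the average case is half of this."""
    return keyspace(charset, length) / rate / SECONDS_PER_YEAR

def min_length_for(charset: str, years: float, rate: float = ASSUMED_RATE) -> int:
    """Shortest key length whose exhaustive search takes at least `years`."""
    needed = rate * SECONDS_PER_YEAR * years
    length = 1
    while keyspace(charset, length) < needed:
        length += 1
    return length

if __name__ == "__main__":
    print(list(all_keys("AB", 2)))                   # the four two-character keys
    print(keyspace("ABC", 3))                        # the 27 three-character keys
    print(f"{keyspace(ALNUM, 30):.2e} keys")         # 62 symbols, 30 characters
    print(f"{years_to_exhaust(ALNUM, 30):.2e} years at the assumed rate")
    print(min_length_for(ALNUM, years=1000), "characters for a 1000-year search")
```

Each extra character multiplies the work by the size of the character set, which is why length matters more than any other single choice.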

The idea that any encryption can be cracked without the key is false – at least within a reasonable amount of time.

It becomes clear from studying encryption that the encryption key is important. And in order for the key to be used, it must be stored somewhere and it must be stored securely. This is accomplished using a special “one-way” form of encryption called a cryptographic hash. The hash is one-way because it can never be decrypted. The hashing algorithm is mathematically designed to create a relatively short string of characters that is, for all practical purposes, unique to the input used to create it and designed to not be reversible.

Here’s how it works using the SHA256 hashing algorithm:

INPUT = “Now is the time for all good men to come to the aid of their country”
OUTPUT = “bff59e3dee9bfa690dd1bd7b031cfbb4a1270d887c861e2cd3dc61699e9e8038”

To demonstrate, we change a single character:
INPUT = “Xow is the time for all good men to come to the aid of their country”
OUTPUT = “6dac2844f0879aea4045d8e2aee5af8c63d65532522b98f0aa2dee9ed0fcc872”

Hashing is commonly used for integrity checking, because any trivial change in the data creates a totally different hash, making it easy to detect the change.

Hashes are also used to protect passwords and keys. When you create a password or key on your device, it is hashed and then stored. Since the hash cannot be reversed, it never can be decrypted. However, it can be checked against input from a password prompt by recalculating the hash. If we put in the correct password, the hash will match and the password has been verified.

Even though a hash can never be decrypted, it can be “cracked” using the brute force technique of trying combinations of characters, hashing them and checking against the original hash for a match. This takes time.

For encryption, the key allows the process of decrypting the encrypted data. For device access, once the hash is matched, the access is allowed. A device can use both a hashed password to control access to the device and an encryption key to control access to encrypted data.

In the current news case, the DOJ/FBI is trying to force Apple Computer to help them gain access to a phone used by a terrorist. There is no privacy issue involved in this case, because the phone is owned by the County Dept of Health and they have given their consent to access their phone.

The issue centers around the use of a brute force attack against the passcode used on the phone. The operating system protects the passcode by erasing the encryption key after ten consecutive failed attempts to guess the passcode. The phone operating system also inserts delays into the passcode entry process, which greatly extends the time needed to use a brute force attack.
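A toy model of the two mechanisms described above, hash-based passcode verification and the ten-attempt erase with delays, as an added Python example that is not Apple's implementation or code from the original article. The class and function names, the use of PBKDF2, the iteration count and the delay schedule are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 10  # from the text: key erased after ten consecutive failures
class PasscodeGuard:
    """Toy device: stores only a salted hash of the passcode, never the passcode."""
    def __init__(self, passcode: str, data_key: bytes):
        self._salt = os.urandom(16)
        self._stored = self._hash(passcode)
        self._data_key = data_key      # stands in for the data-encryption key
        self.failures = 0

    def _hash(self, passcode: str) -> bytes:
        # Salted, deliberately slow hash; the iteration count is an assumption.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    @property
    def wiped(self) -> bool:
        return self._data_key is None

    def delay_before_next_attempt(self) -> int:
        # Assumed schedule in seconds: four free tries, then 60 s doubling each time.
        return 0 if self.failures < 4 else 60 * 2 ** (self.failures - 4)

    def unlock(self, attempt: str):
        """Return the data key on a match, else None; erase the key on the 10th miss."""
        if self.wiped:
            return None
        if hmac.compare_digest(self._hash(attempt), self._stored):
            self.failures = 0
            return self._data_key
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._data_key = None      # after this, even the right passcode fails
        return None

def simulate_guessing(guard: PasscodeGuard, candidates):
    """Feed guesses in order; return (key_or_None, attempts_made, seconds_waited)."""
    attempts = waited = 0
    for candidate in candidates:
        if guard.wiped:
            break
        waited += guard.delay_before_next_attempt()
        attempts += 1
        if (key := guard.unlock(candidate)) is not None:
            return key, attempts, waited
    return None, attempts, waited
```

Run against the 10,000 possible four-digit codes in order, the simulation stops after ten attempts with the key erased, which is the protection the requested operating system change would disable.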

The FBI is asking Apple to create a new version of the operating system that disables that guessing protection and install it on the phone so that they can use a brute force attack to crack the passcode. The FBI needs help from Apple to accomplish this because the operating system won’t accept updates that have not been digitally signed by Apple. The court case will turn on whether or not the government has the right to force a company to help them enforce the law.

Apple cannot “crack” the encryption on the phone without the encryption key. Neither can anybody else.
