When you think of an encrypted device that would cause the NSA to throw its hands up and give up trying to crack it, you imagine some industrial grade server, possibly made by IBM. What you don’t expect is a smartphone that can be purchased for a hundred bucks. But the rise of AES hardware encryption in devices such as the iPhone and BlackBerry has made it all but impossible for the government forensic experts to extract desired info.
According to Technology Review, it’s not just the use of AES encryption that makes the iPhone such a formidable device to crack, but also because Apple’s phones erase the most readily-accessible key every time it’s powered off, and has a PIN-system that will wipe the phone after 10 incorrect attempts.
At the heart of Apple’s security architecture is the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a U.S. government standard in 2001. After more than a decade of exhaustive analysis, AES is widely regarded as unbreakable. The algorithm is so strong that no computer imaginable for the foreseeable future-even a quantum computer-would be able to crack a truly random 256-bit AES key. The National Security Agency has approved AES-256 for storing top-secret data.
Apple did not respond to requests for comment on this story. But the AES key in each iPad or iPhone “is unique to each device and is not recorded by Apple or any of its suppliers,” the company said in a security-related whitepaper. “Burning these keys into the silicon prevents them from being tampered with or bypassed, and guarantees that they can be access only by the AES engine.”
Thus, as Technology Review goes on to explain, investigators are left with few other options besides trying every possible AES key permutation, which given its 256-bits of security, is not something us mere mortals can conquer. Yes there is a copy of the key deep in the memory, but it requires the PIN. If the auto-wipe is turned on, retrieving the encrypted phone data really becomes mission impossible, Even if there’s just a eight-digit pin in effect, retrieving the data would take 15 years.
And as someone who fully expects an Orwellian state to arrive sooner rather than later, I’m glad our most intimate devices are locked down so thoroughly. [TechReview]