Was iPhone encryption cracked?

I've heard lots of discussions today about how clever researchers at Russian computer security company ElcomSoft managed to crack the AES-256 encryption used to protect data on iPhones.

But this wasn't really an attack on AES-256.

Instead, it's an attack on the weak 4-digit PINs that most users use to control access to their keys. If you try to buy the application that does this attack for you, you'll find that this is actually part of the ElcomSoft Phone Password Breaker application.

Controlling access to keys is part of key management, not encryption. That means that this particular attack is really an attack on weak key management, not on encryption. Cracking an AES-256 key is still so hard that it's essentially impossible.

So the lesson learned from this particular attack should be that if you protect a 256-bit key with a 4-digit PIN, you're not getting 256 bits of cryptographic strength. Instead, you're getting more like 13 bits of strength: 104 PINs = 213.3 PINs, so a 4-digit PIN gives about 13 bits of cryptographic strength. And because 13 bits of strength isn't enough to resist even an attacker with access to a low-cost desktop PC, it's not really providing a meaningful level of protection at all.   

  • MelanieAnderson

    I have been searching for this kind of iPhone case for awhile now. So, really appreciate you taking the time to write about it. Truly was difficult to find, so I wanted to post my first comment out of gratitude. Thank you =)


Leave a Reply

Your email address will not be published. Required fields are marked *