iMessage Security: is it strong?
This week Apple published a technical document on the security of its mobile platform, iOS, with a detailed description of the methods used to protect the operating system, encrypt files, secure the network, encrypt iMessage messages and much more.
iMessage Security Details
The section on iMessage security is of particular interest, since a question remains: can law-enforcement institutions read user messages by gaining access to Apple's servers?
According to the iMessage specification, the service uses Apple Push Notifications (APN). Messages are not stored on any server. Messages are encrypted end to end, so nobody except the sender and the recipient can read them. The specification says that even Apple would not be able to decrypt messages.
When iMessage is initialized on a device, it generates two key pairs: 1280-bit RSA for encryption and 256-bit ECDSA for signing messages. For each key pair, the private key is saved in the local keychain and the public key is sent to a central repository (IDS). There it is linked with the user's phone number or email address and the APN address of the device.
If a user connects other devices on which they want to receive copies of messages, the corresponding information is added to IDS. Apple always informs the user when another device, phone number or email address is connected to their account.
When a chat session starts, the iDevice asks IDS for the recipient's public key and APN address. Each outgoing message is encrypted with AES-128 in CTR mode for each recipient device and passed to APN in encrypted form. Metadata, such as the timestamp and routing path, is not encrypted. The connection to APN is protected with TLS. User messages and files are encrypted using a random key and transferred using iCloud.
In group chats, the steps above are repeated for each recipient. A message is deleted from the server as soon as it is delivered. If the recipient is not available, the message is stored on the server for 7 days.
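The flow described above (key generation at setup, per-device encryption, signing, and the per-recipient repetition), as an added Node.js sketch that is not taken from Apple's document or from this article. Only the key sizes and AES-128 in CTR mode come from the text; the OAEP padding, the SHA-256 hashes, the envelope layout and every function name are assumptions of the example.

```javascript
const crypto = require('node:crypto');

// Assumption of this example: RSA-OAEP with SHA-256 wraps the AES key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Key pairs a device generates at setup; sizes are the ones the article gives.
function newDevice() {
  return {
    enc: crypto.generateKeyPairSync('rsa', { modulusLength: 1280 }),
    sign: crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }),
  };
}

// Bytes covered by the signature: wrapped key (fixed length), IV, ciphertext.
const signedPart = (env) => Buffer.concat([env.wrappedKey, env.iv, env.body]);

// Encrypt one message for one recipient device, then sign it as the sender.
function seal(text, recipientEncPub, senderSignPriv) {
  const key = crypto.randomBytes(16); // fresh AES-128 key per message and device
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-128-ctr', key, iv);
  const env = {
    wrappedKey: crypto.publicEncrypt({ key: recipientEncPub, ...OAEP }, key),
    iv,
    body: Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]),
  };
  env.sig = crypto.sign('sha256', signedPart(env), senderSignPriv);
  return env;
}

// Verify the sender's signature first, then unwrap the AES key and decrypt.
function open(env, recipientEncPriv, senderSignPub) {
  if (!crypto.verify('sha256', signedPart(env), senderSignPub, env.sig)) {
    throw new Error('signature check failed');
  }
  const key = crypto.privateDecrypt({ key: recipientEncPriv, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-128-ctr', key, env.iv);
  return Buffer.concat([decipher.update(env.body), decipher.final()]).toString('utf8');
}

// One envelope per recipient device: the repetition the article describes.
function sendToDevices(text, sender, devices) {
  return devices.map((d) => seal(text, d.enc.publicKey, sender.sign.privateKey));
}
```

CTR mode provides no integrity on its own, so in this sketch the signature check is what rejects a modified ciphertext, and an envelope sealed for one device cannot be opened with another device's RSA key.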
iMessage security is extremely important to Apple, given the service's huge popularity. According to the company's CEO, Tim Cook, users of iPhone, iPad and Mac send over 40 billion messages daily.