8

With the presentation of iOS 11, Apple introduced a new feature: "iMessages in the cloud". Now they've released iOS 11.3 beta with this feature included. I've read a lot of people are waiting for it, which means that almost everybody will use it and almost every conversation will be stored on Apple servers. Pretty scary.

According to an iOS white paper, iMessage messages are e2e encrypted, but there is absolutely no info about iMessages in iCloud. They say that messages will sync across devices, and that you can recover all messages without an iPhone backup. But how could that be, if every message was encrypted with a unique key and can be decrypted only with that key? Does that mean Apple syncs secret keys across devices?! Or does that mean that Apple are going to store unencrypted messages in iCloud?

How secure is this feature?

AndrolGenhald
Adam Smith

3 Answers

1

You seem to have one of the more common misconceptions about end-to-end encrypted messengers. The end-to-end encryption is used for messages in transit from Alice to Bob; once they've reached Bob's device, they're generally stored unencrypted (albeit usually with encryption at the system level). Encryption of stored messages and backups is a separate feature.

The only reference to iMessages stored in iCloud I could find in this document is the following:

iCloud also backs up information—including device settings, app data, photos, and videos in the Camera Roll, and conversations in the Messages app—daily over Wi-Fi. iCloud secures the content by encrypting it when sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication......

Here’s what iCloud backs up:

  • ...
  • iMessage, text (SMS), and MMS messages (requires the SIM card that was in use during backup)
  • ...

So it appears that all data backed up to iCloud is encrypted, but the key is almost certainly held by Apple. Since the SIM card is required to restore iMessages, that hopefully means that iOS encrypts iMessages with a key derived from information on the SIM card before sending the data to iCloud, but I haven't seen any confirmation of this, and I'm not familiar enough with SIM cards to know how secure this would be.

As for syncing messages without a backup, all I see is:

The user’s outgoing message is individually encrypted for each of the receiver’s devices.

Which isn't so much "syncing" messages as automatically sending the same message to all of the recipient's devices. If the recipient activated a new device after the message was sent, it wouldn't appear on that device. This doesn't seem to line up with your claim of being able to sync and recover messages without an iCloud backup.

AndrolGenhald
1

Apple addresses this question in their iCloud Security Overview support page. Pulling the relevant quotes from this article, they claim that end-to-end encrypted services can only be accessed by the user.

For certain sensitive information, Apple uses end-to-end encryption. This means that only you can access your information, and only on devices where you’re signed in to iCloud. No one else, not even Apple, can access end-to-end encrypted information.

With a caveat!

To use end-to-end encryption, you must have two-factor authentication turned on for your Apple ID.

They then specifically address iMessages stored in iCloud.

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, a copy of the key protecting your Messages is included in your backup. This ensures you can recover your Messages if you've lost access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and it is not stored by Apple.

The best I can tell is if you turn on iCloud backup along with iMessage backup the key is stored in the cloud. However, turning off iCloud backup for your phone will mean they don't have access to the private key.

-1

I noticed your question went unanswered so I will try to fill you in on my understanding of the situation. I personally am not an Apple enthusiast but do believe they follow decent security procedures. After skimming their white paper I believe I have a decent idea how their iMessage encryption works.

The entire process is based on a combination of asymmetric and symmetric encryption. Apple utilizes two pairs of asymmetric keys for devices to authenticate themselves with one another and to encrypt data that can only be decrypted by the device it is destined for. The actual payload is encrypted with AES (symmetric) with the key being generated based on the public key of the receiver and a randomly generated value from the sender. The AES key is re-generated for every message (good thing) and if the message is sent to a user who has two devices, this encryption protocol is undergone twice since the encrypted message will be different for each device.

Apple's version of what I just said is:

The user’s outgoing message is individually encrypted for each of the receiver’s devices. The public RSA encryption keys of the receiving devices are retrieved from IDS. For each receiving device, the sending device generates a random 88-bit value and uses it as an HMAC-SHA256 key to construct a 40-bit value derived from the sender and receiver public key and the plaintext. The concatenation of the 88-bit and 40-bit values makes a 128-bit key, which encrypts the message with it using AES in CTR mode.

It appears pretty similar to the open source Signal protocol created by Open Whisper Systems back in 2013. Wikipedia Page. Of course in good Apple fashion they will never admit they are pretty much using standardized open source protocols leveraged by many major corporations such as Facebook in their new secure chat mode on FB Messenger cause they are Apple and must justify their absurd prices.

Anyways, if you want to know more I would recommend reading more about the Signal protocol. It is considered arguably the safest end-to-end encryption protocol in existence and is open source and well documented. Apple will always be cagey about what they do but to firmly answer your question, I am quite confident Apple is telling the truth and they truly cannot read the messages since to do so, they would have to break RSA which would be ground-breaking should that ability even leak.

Hope it helps!

dFrancisco
  • Could you add a source for that quote? I see nothing about a ratchet which is one of the core features of the Signal protocol that sets it apart. From that quote it sounds more like PGP than Signal. – AndrolGenhald Mar 01 '18 at 19:09
  • This also doesn't answer the OP, which asks about stored messages, not messages in transit. – AndrolGenhald Mar 01 '18 at 19:20
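
The per-message key construction in the Apple quote from the last answer (88 random bits used as an HMAC-SHA256 key, a 40-bit value derived from both public keys and the plaintext, concatenated into a 128-bit AES key), as an added example that is not part of the original thread or Apple's code. Assumptions: the HMAC input order, taking the first 40 bits of the HMAC output, the receiver-side check, and all function and variable names are illustrative; the RSA wrapping and AES-CTR steps are left out.

```python
import hashlib
import hmac
import os

SEED_LEN = 11  # 88-bit random value
TAG_LEN = 5    # 40-bit value taken from the HMAC output


def _tag(seed, sender_pub, receiver_pub, plaintext):
    # Assumption: input order and "first 40 bits" truncation are illustrative;
    # the quoted text does not specify either.
    mac = hmac.new(seed, sender_pub + receiver_pub + plaintext, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def derive_message_key(sender_pub, receiver_pub, plaintext, seed=None):
    """Return the 128-bit AES key: 88 random bits followed by the 40-bit tag."""
    seed = os.urandom(SEED_LEN) if seed is None else seed
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be 88 bits (11 bytes)")
    return seed + _tag(seed, sender_pub, receiver_pub, plaintext)


def key_matches_plaintext(key, sender_pub, receiver_pub, plaintext):
    """Receiver-side check (assumed use of the tag): recompute and compare."""
    if len(key) != SEED_LEN + TAG_LEN:
        return False
    seed, tag = key[:SEED_LEN], key[SEED_LEN:]
    return hmac.compare_digest(tag, _tag(seed, sender_pub, receiver_pub, plaintext))


def keys_for_devices(sender_pub, device_pubs, plaintext):
    """One independent key per receiving device, as the quote describes."""
    return {name: derive_message_key(sender_pub, pub, plaintext)
            for name, pub in device_pubs.items()}


# Constructed sample data: placeholder byte strings stand in for real RSA public keys.
SENDER_PUB = b"constructed-sender-public-key"
DEVICE_PUBS = {"phone": b"constructed-phone-public-key",
               "laptop": b"constructed-laptop-public-key"}
MESSAGE = b"lunch at noon?"

if __name__ == "__main__":
    for name, key in keys_for_devices(SENDER_PUB, DEVICE_PUBS, MESSAGE).items():
        ok = key_matches_plaintext(key, SENDER_PUB, DEVICE_PUBS[name], MESSAGE)
        print(name, key.hex(), "tag verifies:", ok)
```

Only the first 88 bits of each key are random; the remaining 40 are a function of the two public keys and the plaintext. Each key is derived on its own, with nothing carried over from earlier messages.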