Category Archives: Encryption
Some Apple CPUs have an "unfixable" security flaw and they’re leaking secret encryption keys – TechRadar
Researchers have discovered a new side-channel vulnerability in Apple's M-series of processors that they claim could be used to extract secret keys from Mac devices while they are performing cryptographic operations.
Academic researchers from the University of Illinois Urbana-Champaign, University of Texas at Austin, Georgia Institute of Technology, University of California, University of Washington, and Carnegie Mellon University explained in a research paper that the vulnerability, dubbed GoFetch, was found in the chips' data memory-dependent prefetcher (DMP), an optimization mechanism that predicts the memory addresses of data that active code could access in the near future.
Since the data is loaded in advance, the chip makes performance gains. However, as the prefetchers make predictions based on previous access patterns, they also create changes in state that the attackers can observe, and then use to leak sensitive information.
The vulnerability is not unlike the one abused in Spectre/Meltdown attacks as those, too, observed the data the chips loaded in advance, in order to improve the performance of the silicon.
The researchers also noted that this vulnerability is basically unpatchable, since it is derived from the design of the M chips themselves. Instead of a patch, the only thing developers can do is build defenses into third-party cryptographic software. The caveat with this approach is that it could severely hinder the processor's performance for cryptographic operations.
Apple has so far declined to discuss the researchers' findings, and stressed that any performance hits would only be visible during cryptographic operations.
While the vulnerability itself might not affect the regular Joe, a future patch hurting the device's performance just might.
Those interested in reading about GoFetch in depth should check out the research paper here.
Via Ars Technica
High-security learning-based optical encryption assisted by disordered metasurface – Nature.com
Working principle
The whole process can be divided into two stages: optical encryption and learning-based decryption, as shown in Fig. 1. In the optical encryption stage (Fig. 1a), the sender (Alice) projects a light beam of one of two different polarizations (P(i) or P(j), i ≠ j) onto a plaintext, which is first encrypted by a QR code phase pattern (security key) and then travels through the DM as the second encryption layer of the plaintext, generating a speckle pattern (ciphertext). The DM scatters light differently for different input polarizations due to the spin-multiplexed random phase design. The relationship among the speckle, plaintext, security key, and DM can be expressed as:
$$U(x, y, z)=\iint U_{\mathrm{P}}(x_0, y_0)\,U_{\mathrm{S}}(x_0, y_0)\,U_{\mathrm{DM}}(x_0, y_0)\,h(x-x_0, y-y_0, z)\,\mathrm{d}x_0\,\mathrm{d}y_0,$$
(1)
where $U_{\mathrm{P}}(x_0, y_0)$, $U_{\mathrm{S}}(x_0, y_0)$, and $U_{\mathrm{DM}}(x_0, y_0)$ are the functions of the plaintext, security key, and DM, respectively, and $h(x, y, z)$ is an impulse response. From Eq. (1), it is clear that the security key and the DM encrypt the plaintext in sequence, achieving a double-security function. In addition, as $U_{\mathrm{DM}}(x_0, y_0)$ varies with the polarization of the incident beam by design, multi-channel encryption can be implemented by changing the polarization of the incident beam.
a Optical encryption. The sender (Alice) illuminates light beams with two different polarizations, P(i) and P(j), onto the phase profiles of the superposition of plaintexts (human face images) and security keys (QR codes), which propagate through the DM, generating ciphertexts (speckles). b Learning-based decryption. Two deep neural networks (DNNs) of the same structure, e.g., P(i)-DMNet and P(j)-DMNet, are trained with data obtained with incident beams of P(i) and P(j), respectively. After recording the ciphertext and being authorized by Alice to acquire the security key and the polarization of the incident beam, the receiver (Bob) can feed the ciphertext and the security key into the corresponding neural network to decrypt the plaintext. The mark above the straight line with arrows at both ends indicates that the information is not commutative. DM disordered metasurface.
In the learning-based decryption stage, several different deep neural networks (DNNs) sharing the same structure, termed P(i)-DMNet and P(j)-DMNet (Fig. 1b), are trained with data from incident beams of P(i) and P(j), in which the ciphertext and the security key serve as the inputs to decode the plaintext. The receiver (Bob) needs authorization from Alice to acquire the security key and the polarization of the incident beam. Assuming that Bob can receive the ciphertext at the output terminal in real time by himself, he can directly access the plaintext by feeding the ciphertext and QR code into the polarization-matched network. Hackers who gain access to the ciphertext still cannot decrypt the plaintext without authentication from Alice (i.e., they lack the security key and the polarization of the incident beam).
The DM consists of elliptical titanium dioxide (TiO2) meta-pillars, as shown in Fig. 2a. The meta-pillars are 600 nm tall (h) and rest on a square lattice with a period (P) of 350 nm, and the design wavelength is 488 nm. The lengths of the two axes (u and v) of the meta-pillars vary in the range of 70–320 nm, such that a controllable propagation phase $\phi_{\mathrm{propagation}}$ is introduced for both LCP and RCP light beams. The simulated phase delays ($\varphi_{xx}$ and $\varphi_{yy}$) of the meta-pillar for two orthogonal linear polarizations (x and y) versus lengths, computed with the commercial software Lumerical FDTD, are shown in Fig. 2b. The propagation phase of the structure can be calculated from $\varphi_{xx}$ and $\varphi_{yy}$, i.e., $\phi_{\mathrm{propagation}}=\arg\left((\mathrm{e}^{\mathrm{i}\varphi_{xx}}-\mathrm{e}^{\mathrm{i}\varphi_{yy}})/2\right)$ (more details are discussed in Supplementary Note 1). The birefringent meta-pillar is rotated by an angle $\delta$ so that it performs circular polarization (CP) conversion $|L\rangle \to e^{i2\delta}|R\rangle$ and $|R\rangle \to e^{-i2\delta}|L\rangle$, i.e., the LCP and RCP beams are converted to the opposite spin with a geometric phase (or Pancharatnam–Berry (PB) phase) $\phi_{\mathrm{geometric}}$ of $2\delta$ and $-2\delta$, respectively. The combination of the propagation phase and geometric phase enables the decoupling of RCP and LCP light at the designed wavelength for multiplexed wavefront modulation applications [30]. Given the desired phases of the two orthogonal CP light beams, $\phi_{\mathrm{RCP}}$ and $\phi_{\mathrm{LCP}}$, the required propagation phase and geometric phase at each meta-pillar can be calculated as [31]
$$\phi_{\mathrm{propagation}}=\frac{\phi_{\mathrm{RCP}}+\phi_{\mathrm{LCP}}}{2}$$
(2)
$$\phi_{\mathrm{geometric}}=\frac{\phi_{\mathrm{LCP}}-\phi_{\mathrm{RCP}}}{4}$$
(3)
Therefore, the phase profiles of the DM for RCP and LCP incident beams are randomly distributed, generating speckle images.
a A TiO2 unit meta-pillar of the DM with the designed parameters, arranged in a square lattice on a fused silica substrate. b The simulated phase delays of the meta-pillar for two orthogonal linear polarizations (along the x and y directions) versus the lengths of the two axes of the meta-pillars. c Seven different polarization states between LCP and RCP, defined by tuning the fast axis of the QWP in the setup (Fig. 3a), and the recorded speckles corresponding to the 7 polarization states. d Speckle PCC versus polarization of the incident beam, with the speckle associated with incident LCP as the reference. e Top (left) and perspective (right) views of SEM images of the fabricated DM. The scale bar in (e) is 1 mm. DM disordered metasurface, PCC Pearson's correlation coefficient, RCP right-handed circular polarization, LCP left-handed circular polarization.
Specific parameters of the meta-pillar structures selected in the experiment can be found in Supplementary Note 2. As any polarization can be decomposed into two orthogonal polarization states (RCP and LCP in this study) with different weights [32], the speckles generated from the DM vary with the polarization of the incident beam. A combination of a half-wave plate (HWP) and a quarter-wave plate (QWP) after the spatial light modulator (SLM), as shown in Fig. 3a, is used to alter the polarization of the incident beam. Two specific orthogonal optical channels are defined by the two circular polarization states, i.e., P(1): LCP and P(7): RCP. In addition to these two orthogonal channels, 5 intermediate polarization channels, P(2) to P(6), located between P(1) and P(7), are created by rotating the QWP in steps of 15°, as shown in the second row of Fig. 2c. The third row of Fig. 2c shows the recorded speckles corresponding to these 7 incident polarizations. The variation of the Pearson correlation coefficient (PCC) of the speckles, taking the speckle of incident LCP as the reference, is illustrated in Fig. 2d. It can be seen that the speckle is highly sensitive to the rotation angle: the PCC gradually decreases from 1 to 0.08. Such a decrease of PCC can significantly impair the recovery of the input information. Meanwhile, it indicates the independence of each polarization state. It should be noted that only part of the diffused light field needs to be collected for information decryption, owing to the complex mapping between the input and output light fields [33], which further enhances the spatial security and the information capacity. Scanning electron microscope (SEM) images of the top and perspective views of the DM are shown in Fig. 2e (please refer to Methods for more details).
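As an added illustration of Eq. (1) and of the polarization sensitivity reported in Fig. 2c, d (example code, not the paper's own), the following script models the DM as two independent random phase profiles for the two spins, propagates the phase-encoded plaintext and QR key through a free-space impulse response, and computes the speckle PCC against the LCP reference for seven incident polarizations and for a wrong QR key. The 488 nm wavelength and 350 nm lattice constant are taken from the paper; the grid size, propagation distance, phase encoding of plaintext and key, and the cos/sin spin weighting that stands in for the QWP rotation are assumptions.

```python
"""Toy numerical model of the optical encryption stage, Eq. (1), with a
spin-multiplexed disordered metasurface (DM).  Added example, not the
paper's code.  Wavelength and pitch follow the paper; N, Z and the
polarization parametrisation are assumptions."""
import numpy as np

WAVELENGTH = 488e-9   # design wavelength (paper)
PITCH = 350e-9        # meta-pillar lattice constant (paper)
N = 64                # simulated DM is N x N pillars (assumption)
Z = 200e-6            # DM-to-camera distance in metres (assumption)


def pillar_phases(phi_rcp, phi_lcp):
    """Eqs. (2)-(3): propagation and geometric phase that each meta-pillar
    must encode to realise the target profiles phi_rcp and phi_lcp."""
    phi_propagation = (phi_rcp + phi_lcp) / 2
    phi_geometric = (phi_lcp - phi_rcp) / 4
    return phi_propagation, phi_geometric


def propagate(field, z=Z):
    """Free-space impulse response h(x, y, z) of Eq. (1), applied with the
    angular-spectrum method; evanescent orders (if any) are discarded."""
    n = field.shape[0]
    f = np.fft.fftfreq(n, d=PITCH)
    fx, fy = np.meshgrid(f, f)
    kz2 = (1.0 / WAVELENGTH) ** 2 - fx ** 2 - fy ** 2
    transfer = np.where(kz2 > 0,
                        np.exp(2j * np.pi * z * np.sqrt(np.maximum(kz2, 0))),
                        0.0)
    return np.fft.ifft2(np.fft.fft2(field) * transfer)


def encrypt(plaintext, key, phi_rcp, phi_lcp, theta):
    """Ciphertext (speckle intensity) for an incident beam
    cos(theta)|LCP> + sin(theta)|RCP>: theta = 0 is channel P(1) (LCP),
    theta = pi/2 is channel P(7) (RCP).  Plaintext and QR key are both
    phase patterns on the SLM, i.e. U_P * U_S in Eq. (1) (assumption)."""
    u0 = np.exp(1j * np.pi * (plaintext + key))
    # Each spin component is converted to the opposite spin with its own
    # random phase profile; the two outputs are orthogonally polarised, so
    # a camera without an analyser records the incoherent sum of the two.
    i_l = np.abs(propagate(u0 * np.exp(1j * phi_lcp))) ** 2
    i_r = np.abs(propagate(u0 * np.exp(1j * phi_rcp))) ** 2
    return np.cos(theta) ** 2 * i_l + np.sin(theta) ** 2 * i_r


def pcc(a, b):
    """Pearson correlation coefficient between two images."""
    a = a.ravel() - a.mean()
    b = b.ravel() - b.mean()
    return float(a @ b / np.sqrt((a @ a) * (b @ b)))


def run_demo(seed=0, channels=7):
    """Speckle PCC versus incident polarization (cf. Fig. 2d) and the
    effect of a wrong QR key on the ciphertext."""
    rng = np.random.default_rng(seed)
    # Constructed stand-ins: a smooth phase blob for the face image and two
    # random binary matrices for the correct and a wrong QR key.
    yy, xx = np.mgrid[0:N, 0:N] / N - 0.5
    plaintext = np.exp(-(xx ** 2 + yy ** 2) / 0.05)
    key_ok = rng.integers(0, 2, size=(N, N)).astype(float)
    key_bad = rng.integers(0, 2, size=(N, N)).astype(float)
    # Spin-multiplexed random phase design of the DM.
    phi_rcp = rng.uniform(0, 2 * np.pi, size=(N, N))
    phi_lcp = rng.uniform(0, 2 * np.pi, size=(N, N))
    phi_prop, phi_geom = pillar_phases(phi_rcp, phi_lcp)
    # Inverting Eqs. (2)-(3) must give the two target profiles back.
    assert np.allclose(phi_prop - 2 * phi_geom, phi_rcp)
    assert np.allclose(phi_prop + 2 * phi_geom, phi_lcp)

    thetas = np.linspace(0, np.pi / 2, channels)   # P(1) ... P(7)
    ref = encrypt(plaintext, key_ok, phi_rcp, phi_lcp, thetas[0])
    pol_pcc = [pcc(ref, encrypt(plaintext, key_ok, phi_rcp, phi_lcp, t))
               for t in thetas]
    wrong_key = encrypt(plaintext, key_bad, phi_rcp, phi_lcp, thetas[0])
    return {"polarization_pcc": pol_pcc, "wrong_key_pcc": pcc(ref, wrong_key)}


if __name__ == "__main__":
    result = run_demo()
    print("speckle PCC for channels P(1)..P(7) vs P(1):",
          [round(v, 3) for v in result["polarization_pcc"]])
    print("PCC of the same plaintext with a wrong QR key:",
          round(result["wrong_key_pcc"], 3))
```

In this model the PCC falls from 1 for the LCP reference to roughly 0.7 at the midway polarization and to about 0 for RCP, and a different QR key yields an uncorrelated speckle, which is the behaviour the paper relies on for channel independence and key sensitivity.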
a The schematic diagram of the optical setup. b Examples of plaintext for encryption. c The corresponding ciphertexts, i.e., the speckles. d Example QR codes. e The decrypted information obtained by inputting (c, d) into the DMNet. The DMNet herein is trained with the RCP data. Inset numbers below each image in (d) are formatted as PCC (SSIM) between b the ground truth and e the decrypted images. SLM spatial light modulator, DM disordered metasurface, HWP half-wave plate, L1, L2 lens, PCC Pearson's correlation coefficient, RCP right-handed circular polarization, QR quick response, QWP quarter-wave plate, SSIM structural similarity.
The schematic diagram of the optical setup for data collection is illustrated in Fig. 3a. A collimated continuous-wave coherent laser beam with a wavelength of 488 nm (OBIS, Coherent, USA) is expanded to illuminate the aperture of a reflective SLM (HOLOEYE PLUTO VIS056, Germany), although a transmissive SLM is drawn in Fig. 3a for better visual clarity. Phase patterns are pre-loaded on the SLM to modulate the laser beam, which is polarized and tuned by a pair of an HWP and a QWP with a controllable polarization state, and then slightly focused on the DM using a lens (L1) to generate optical speckles captured by a CMOS camera (FL3-U3-32S2M-CS, PointGrey, Canada). Another lens (L2) placed in front of the camera is used to adjust the grain size of the recorded speckles. Since the decryption is not a trivial inverse of the scattering process as in other works [16,20,21] (a more detailed discussion is given in Discussion), a DNN named DMNet is specifically designed to match the physical process, with details provided in Supplementary Note 3.
When the training of the DMNets in this experiment is done (more details can be found in Methods), the encryption process is ready. Notably, the DMNet trained and tested with the data generated via an RCP incident beam, i.e., P(7) polarization in Fig. 2c, serves as the example in this part, i.e., the RCP-DMNet or P(7)-DMNet. As shown in Fig. 3, by feeding both the ciphertext (i.e., the speckles in Fig. 3c) and the security key (i.e., the QR code in Fig. 3d) into the well-trained DMNet, decrypted images can be retrieved with high quality, as shown in Fig. 3e. Many fine features on the retrieved human faces can be identically mapped to the ground truth images (plaintext, Fig. 3b) [34]. The evaluation metrics likewise indicate excellent performance, with averaged PCC = 0.941 and structural similarity index measure (SSIM) = 0.833. An example with PCC and SSIM as high as 0.97 and 0.93, respectively, is listed in the second column of Fig. 3. The network is therefore shown to accomplish accurate information reconstruction from the speckles. Nevertheless, such success depends on two further factors which strictly govern the decryption: the second input (i.e., the QR code used in this study) and the matched polarization between the speckles and the network. Other datasets such as fMNIST and Quickdraw (a quantitative analysis of information complexity for different datasets is given in Supplementary Note 4) have also been tried, and the results can be found in Supplementary Note 5.
As discussed in our previous work [21], a speckle-based cryptosystem benefits from the complexity of the physical secret key, demonstrating high-level security. Nevertheless, if the ciphertext (i.e., speckles) is accidentally obtained by hackers, the system is expected to still be able to protect itself. As designed in this study, an additional authorized security key (i.e., the QR code) from the sender is needed for decryption at the receiver terminal. Several ciphertexts are generated when different QR codes (100 in this study) are paired with each single plaintext. The decryption performance is therefore made sensitive to any deviation from the correct Input 2 in Fig. 3, given that Input 1, the ciphertext, is correct. Likewise, RCP data serves as the example and five samples are randomly chosen for demonstration, as shown in Fig. 4. As seen, if a uniform matrix is fed as Input 2 (Fig. 4aII), the DMNet merely outputs faces without recognizable features, whose PCC and SSIM (0.080 and 0.109, respectively) are both far below the performance with the correct QR code (0.941 and 0.833, respectively; Fig. 4aI). Further, excellent protection against a brute-force attack on Input 2 is also achieved (Fig. 4aIII). When one million randomly generated binary-amplitude matrices are used to attack Input 2, the guessed plaintext is similar to that in Fig. 4aII. Notably, the metrics used to quantify the performance of the brute-force attack are not the average in Fig. 4bIII but the maximum, since a brute-force attack succeeds if a single trial passes, regardless of the number of trials. Nevertheless, the low PCC and SSIM (0.005 and 0.121, respectively) validate the safety of the designed network against a brute-force attack on Input 2. Cases with mismatched pairs for the two inputs, for example, where Input 1 is accurate but Input 2 is a correct QR code corresponding to another plaintext, can be found in Supplementary Note 6.
The DMNet output (denoted as Mismatched output) also fails to visualize the human faces, with patterns similar to those shown in Rows II and III in Fig. 4a.
a, b Attack analysis regarding Input 2. Decryption with the correct ciphertext (i.e., Input 1: speckles) by varying Input 2 with a correct QR code (Row I), a uniform pattern (Row II), and a random binary pattern (Row III) for a qualitative demonstration and b the statistics, quantifying the PCC and SSIM between the plaintext and decrypted images for Rows I–III. PCC Pearson's correlation coefficient, SSIM structural similarity index. The metrics for both Correct and Uniform are averaged over 2000 samples, and the metrics for the Random group are the average of 1,000,000 randomly generated binary-amplitude attacks. c Cross-validation of the decryption by inputting speckles with seven different polarization states (i.e., P(i)-speckles, i=1,2,3,4,5,6,7) into DMNets trained with seven different states (i.e., P(i)-DMNet, i=1,2,3,4,5,6,7). (d) Averaged decryption PCC corresponding to the cross-validation arrangement in (c); each value is averaged over 2000 samples. QR quick response, PCC Pearson's correlation coefficient, SSIM structural similarity.
In Fig. 2c, d, we have demonstrated the sensitivity of the speckles to the incident polarization. Here, the data independence among these 7 polarization channels is further verified. Seven DMNets are individually trained using the seven polarized datasets, and each DMNet trained with P(i) data is denoted as P(i)-DMNet (i=1,2,3,4,5,6,7). With the correct QR code (not shown in Fig. 4c for simplicity), the plaintexts can only be correctly deciphered when the polarization state of the speckle matches that of the corresponding DMNet, as shown on the diagonal in Fig. 4c: P(i) speckles input into the P(i)-DMNet result in decryption PCCs of ~0.94. Once the polarization channels of the input data and the network are mismatched, e.g., P(1)-speckles (LCP) input into P(7)-DMNet (RCP) or P(7)-speckles (RCP) input into P(1)-DMNet (LCP), the decrypted plaintext exhibits unrecognizable faces, with decryption PCCs of 0.0158 and 0.0268, respectively. In the statistical analysis in Fig. 4d, it can be observed that the decryption PCCs for matched polarization states (~0.94 on the diagonal) are orders of magnitude higher than those for mismatched polarizations (<0.06 off the diagonal). That said, multi-channel decryption does not necessarily rely on the orthogonality of the polarizations. The additional polarization states between the orthogonal ones can also support independence among the polarization channels. By jointly adjusting a half-wave plate and a quarter-wave plate, more polarization states can be created. In principle, an arbitrary polarization state could serve as an encryption channel, with the polarization control as discussed in the Working principle section. Therefore, the feasibility of multi-channel encryption, which requires independence of the polarization channels and the realization of multiple polarization channels based on the DM, is assured.
Stability of the decryption performance is critical in real applications but has seldom been discussed in earlier works due to the nature of the CSM used in experiments. In this study, the system has been collecting data intermittently for 135 h (Periods 1–14 in Fig. 5a), and its status is characterized by the background PCC (blue dots). The background PCC is defined as the PCC between the instantaneous background speckle pattern and the initial one at Time = 0. All background speckle patterns are generated with the same uniform phase pattern displayed on the SLM, as described in Methods. Thereby, the initial status of the cryptosystem is defined in Period 1 in Fig. 5a, whose data is fed into RCP-DMNet for training, with an average decryption PCC (red bar) of around 0.94, as demonstrated in previous sections. In other words, the test data in Periods 2–14 are new data for the network, collected under temporally varying medium status, which have never been learned or probed by the network. Without additional training, the decryption PCC in the following periods (Periods 2–14) changes in step with the background PCC, with which it is positively correlated. More importantly, the varying status can recover back to the initial status, e.g., Periods 2–6, Periods 7 to 8, and Periods 12–14, whose corresponding averaged decryption PCC recovers from 0.82 to 0.93, from 0.73 to 0.90, and from 0.68 to 0.90, respectively. The decrypted images can be seen in Fig. 5b. It should be noted that during these 135 h, the experiment is performed on the seventh floor and the environmental perturbations are general and diverse, including switching the laser/SLM/camera, other experiments on the same optical table, traffic around the building, large machine noise from an adjacent machine room, etc. As seen, in our cryptosystem the DM provides excellent stability against those everyday perturbations, and the deviation from the initial status is reversible.
Such a phenomenon can hardly be seen in CSM-based implementations (ground glass diffuser, DG-10-220, Thorlabs) over such a long duration, as shown in Fig. 5c: with everyday perturbations, the background PCC of the CSM-based system (with the same setup as the DM-based implementation) decreases markedly (down to around 0.2) without recovering to the initial status. As seen in Fig. 5d, starting from Period 2, the decryption performance also deteriorates over time. The fine facial features gradually erode, resulting in significant deviations from the ground truth images. This highlights an additional advantage of utilizing a DM over a CSM: for media like ground glass diffusers, the deviation from the initial state is highly unpredictable and often irreversible. However, our proposed DM-based system exhibits reversibility (Fig. 5a). This remarkable feature can be attributed to the single-layered nature of the DM, which ensures a wider range of the memory effect [24]. This characteristic physically enables a more relaxed optical conjugation of the DM with the input wavefront compared to typical multi-layered diffusers. Therefore, our system can be practically recovered to the initial status, as quantified by the background PCC of the recorded speckle (i.e., 0.98), when the perturbations become similar to those at the initial status or when simply tuning the system is feasible. Furthermore, since no additional training of the network is needed over time, encrypting new plaintext with the proposed cryptosystem remains practically feasible even after a long period of time has elapsed since the network was trained.
a, b Stability analysis of the DM-based decryption performance. a Background PCC (blue dots) and decryption PCC (red columns) based on the data collected in 14 periods. b Decryption performance for three representative examples with respect to the 14 periods in (a). Digits below each reconstructed image are the decryption PCCs between the decrypted image and the ground truth image. c, d Stability analysis of the CSM-based decryption performance. c, d are the counterparts of (a, b), respectively, under the same experimental conditions with a ground glass replacing the DM as the scattering medium. GT ground truth, DM disordered metasurface, CSM conventional scattering medium, PCC Pearson's correlation coefficient.
Vulnerability found in Apple’s Silicon M-series chips and it can’t be patched – Mashable
A new security vulnerability has been discovered in Apple's Mac and MacBook computers and the worst part is that it's unpatchable.
Academic researchers discovered the vulnerability, first reported by Ars Technica, which allows hackers to gain access to secret encryption keys on Apple computers with Apple's new Silicon M-Series chipset. This includes the M1, M2, and M3 Apple MacBook and Mac computer models.
Basically, this vulnerability can be found in any new Apple computer released from late 2020 to today.
The issue lies with prefetchers, components meant to predictively retrieve data before it is requested in order to increase processing speed, and the opening they leave for malicious attacks from bad actors.
The researchers have dubbed the attack "GoFetch," which they describe as "a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs)."
A side-channel attack is a type of cyber attack that uses extra information that's left vulnerable due to the design of a computer protocol or algorithm.
The researchers explained the issue in an email to Ars Technica:
Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value "looks like" a pointer, it will be treated as an "address" (where in fact it's actually not!) and the data from this "address" will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.
Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value "looks like" an address, and brings the data from this "address" into the cache, which leaks the "address." We don't care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.
Basically, the researchers discovered that the DMPs in Apple's Silicon chipsets (M1, M2, and M3) can give hackers access to sensitive information, like secret encryption keys. The DMPs can be weaponized to get around security found in cryptography apps, and they can do so quickly too. For example, the researchers were able to extract a 2048-bit RSA key in under one hour.
Usually, when a security flaw is discovered nowadays, a company can patch the issue with a software fix. However, the researchers say this one is unpatchable because the issue lies with the "microarchitectural" design of the chip. Furthermore, security measures taken to help mitigate the issue would require a serious degradation of the M-series chips' performance.
Researchers say that they first brought their findings to Apple's attention on December 5, 2023. They waited 107 days before disclosing their research to the public.
The DOJ Puts Apple’s iMessage Encryption in the Antitrust Crosshairs – WIRED
The argument is one that some Apple critics have made for years, as spelled out in an essay in January by Cory Doctorow, the science fiction writer, tech critic, and coauthor of Chokepoint Capitalism. "The instant an Android user is added to a chat or group chat, the entire conversation flips to SMS, an insecure, trivially hacked privacy nightmare that debuted 38 years ago, the year Wayne's World had its first cinematic run," Doctorow writes. "Apple's answer to this is grimly hilarious. The company's position is that if you want to have real security in your communications, you should buy your friends iPhones."
In a statement to WIRED, Apple says it designs its products to "work seamlessly together, protect people's privacy and security, and create a magical experience for our users," and it adds that the DOJ lawsuit "threatens who we are and the principles that set Apple products apart in the marketplace." The company also says it hasn't released an Android version of iMessage because it couldn't ensure that third parties would implement it in ways that met the company's standards.
"If successful, [the lawsuit] would hinder our ability to create the kind of technology people expect from Apple, where hardware, software, and services intersect," the statement continues. "It would also set a dangerous precedent, empowering government to take a heavy hand in designing people's technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it."
Apple has, in fact, not only declined to build iMessage clients for Android or other non-Apple devices, but actively fought against those who have. Last year, a service called Beeper launched with the promise of bringing iMessage to Android users. Apple responded by tweaking its iMessage service to break Beeper's functionality, and the startup called it quits in December.
Apple argued in that case that Beeper had harmed users' security; in fact, it did compromise iMessage's end-to-end encryption by decrypting and then re-encrypting messages on a Beeper server, though Beeper had vowed to change that in future updates. Beeper cofounder Eric Migicovsky argued that Apple's heavy-handed move to reduce Apple-to-Android texts to traditional text messaging was hardly a more secure alternative.
"It's kind of crazy that we're now in 2024 and there still isn't an easy, encrypted, high-quality way for something as simple as a text between an iPhone and an Android," Migicovsky told WIRED in January. "I think Apple reacted in a really awkward, weird way, arguing that Beeper Mini threatened the security and privacy of iMessage users, when in reality, the truth is the exact opposite."
Even as Apple has faced accusations of hoarding iMessage's security properties to the detriment of smartphone owners worldwide, it's only continued to improve those features: In February it upgraded iMessage to use new cryptographic algorithms designed to be immune to quantum codebreaking, and last October it added Contact Key Verification, a feature designed to prevent man-in-the-middle attacks that spoof intended contacts to intercept messages. Perhaps more importantly, it's said it will adopt the RCS standard to allow for improvements in messaging with Android users, although the company did not say whether those improvements would include end-to-end encryption.
A vulnerability in Apple M-series chips could expose encryption keys and harm performance and the flaw is … – ITPro
A vulnerability etched into the design of Apple M-series chips has been uncovered by researchers, which could allow attackers to extract secret encryption keys during cryptographic operations.
Six academic researchers at institutions across the US authored a paper outlining a vulnerability they dubbed GoFetch, which leaks cryptographic data from the CPU cache that hackers can use to piece together a cryptographic key.
"GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs)," stated a blog published by the authors.
GoFetch relies on exploiting a relatively new microarchitectural design feature, found only on Apple M-series chips and Intel's Raptor Lake microarchitecture, intended to reduce memory-access latency, a common CPU bottleneck.
DMPs proactively load data into the CPU cache before it is directly required, helping to reduce latency between the main memory and CPU.
This technology is vulnerable to cache side-channel attacks, which observe the side effects of the victim program's secret-dependent accesses to the processor cache, according to the paper.
During the prefetching process, the DMP must make a series of predictions on what data will be required, based on previous access patterns, and attackers can exploit this side channel to steal information.
A popular workaround neutralizing this threat is constant-time programming, which standardizes the execution time for operations regardless of the size of the input by ensuring the data has no secret-dependent memory accesses.
The new paper from Chen et al. demonstrates how DMPs often compromise the security of constant-time programming by mixing up memory content with pointer values that are used to direct the DMP to load other data.
"We show that even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim's behalf, resulting in variable-time code susceptible to our key-extraction attacks," Chen et al. explained.
Applications using the GoFetch attack can manipulate data to look like a pointer value, which the DMP treats as an address and brings the data from this location into the cache, which is then visible and leaked over cache side channels.
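As an added illustration of the constant-time paradigm described above (example code, not from the GoFetch paper or its authors), the block below shows a secret-indexed table lookup beside a version that reads the whole table and selects the wanted entry with a mask, plus a branch-free byte comparison, so that neither the addresses touched nor the branches taken depend on the secret. The page's point is that on affected M-series chips this discipline alone is not enough, because the DMP also reacts to the values such loads return.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Secret-dependent lookup: the address read reveals `secret` through the
   cache state, which a classic cache side channel can observe. */
uint8_t lookup_leaky(const uint8_t table[256], uint8_t secret) {
    return table[secret];
}

/* Constant-time lookup: every entry is read, so the access pattern is
   independent of `secret`; the wanted entry is selected with a mask. */
uint8_t lookup_ct(const uint8_t table[256], uint8_t secret) {
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint8_t diff = (uint8_t)(i ^ secret);
        /* mask is 0xFF exactly when diff == 0, computed without a branch */
        uint8_t mask = (uint8_t)(((uint32_t)diff - 1u) >> 8);
        result |= (uint8_t)(table[i] & mask);
    }
    return result;
}

/* Constant-time equality: OR together all byte differences and only then
   reduce to 0/1, so no early exit leaks the position of the first mismatch. */
int ct_equal(const uint8_t *x, const uint8_t *y, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (uint8_t)(x[i] ^ y[i]);
    }
    /* acc == 0 iff all bytes matched; convert without a data-dependent branch */
    return (int)(1u & (((uint32_t)acc - 1u) >> 8));
}

int main(void) {
    /* constructed sample table and keys */
    uint8_t table[256];
    for (int i = 0; i < 256; i++) table[i] = (uint8_t)(i * 7 + 3);
    uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {1, 2, 3, 5};
    printf("lookup_ct(200) = %u, leaky = %u\n",
           lookup_ct(table, 200), lookup_leaky(table, 200));
    printf("ct_equal(k1,k1) = %d, ct_equal(k1,k2) = %d\n",
           ct_equal(k1, k1, 4), ct_equal(k1, k2, 4));
    return 0;
}
```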
The vulnerability can be exploited when the cryptographic operation being targeted is running on the same CPU cluster as the malicious application.
The authors stated they will soon release proof-of-concept code demonstrating GoFetch's attack path.
This vulnerability cannot be patched directly as it stems from the microarchitectural design of the silicon itself, the paper stated.
Notably, Intel's Raptor Lake CPU architecture doesn't share this vulnerability with its M-series counterparts, despite using the same kind of prefetcher as Apple's chips.
This shows that the vulnerability can be addressed by altering the silicon, but this will only be available for future Apple M-series architectures, where the CPU architecture will need to be redesigned.
As a result, current M-series chips exposed to the vulnerability cannot be patched in the silicon, and businesses using these devices can only try to mitigate the potential damage a successful exploit could incur using third-party software.
But integrating extra layers of protection into third-party cryptographic software will take a significant toll on encryption and decryption performance, leaving developers with a difficult choice between efficiency and security.
At the time of writing, Apple has not published any release dates for an official fix.
Continue reading here:
A vulnerability in Apple M-series chips could expose encryption keys and harm performance and the flaw is ... - ITPro
New Apple silicon security flaw could allow the extraction of encryption keys, but don’t dust down that old Intel Mac just yet – iMore
Apple silicon has transformed the Mac since the M1's introduction and that continued with the M2 and the latest M3, the chip that powers the latest MacBook Air and other best MacBooks. It brought with it a level of performance and battery life that was previously not possible when using Intel's chips and the fluidity of the chipmaker's roadmap made it difficult to plan products around. But while the M-series chips have been a revelation, they aren't perfect as news of a newly found security flaw proves.
The flaw, which just so happens to be unpatchable, has the potential to open the doors to Mac's encryption keys. That's bad news for anyone who values their privacy and security, although there is a discussion to be had about just how much of a problem the flaw really is. What we do know is that the flaw is real, and it's present in all M1, M2, and M3 Macs, as well as potentially in future models.
This isn't the first Apple silicon security flaw of course, but any new flaw is sure to be a thorn in the side of Apple's much-flaunted silicon team.
The flaw was first reported by Ars Technica, and the outlet explains that the issue comes from the way that modern chips, like the M-series, process information. Data Memory-dependent Prefetchers (DMPs) are used to optimize the performance of chips and are an expansion of prefetchers that have been around for years.
"The threat resides in the chip's data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future," Ars explains. "By loading the contents into the CPU cache before it's actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing."
But researchers have spotted a bug in the DMP which, because of the nature of the beast, cannot be fixed. A workaround could be done via software, but it'll likely have a notable impact on performance when performing cryptographic tasks.
Researchers say that "prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value 'looks like' a pointer, it will be treated as an 'address' (where in fact it's actually not!) and the data from this address will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels." It's the leaking that the researchers have been able to use when developing their attack on the system.
"We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack," the researchers told Ars via email. "The DMP then sees that the data value 'looks like' an address, and brings the data from this 'address' into the cache, which leaks the 'address.' We don't care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time."
However, as problematic as this might be, it's unlikely to be an issue for the vast majority of people. The tool the researchers created as a proof of concept requires a little less than an hour to do its work, and that's to extract a 2048-bit RSA key. The stronger the key, the more time is required, all the way to around 10 hours for a Dilithium-2 key. That means people would need to unwittingly download and run an unknown app and then have it running for around an hour before there would be any chance of anything being extracted. And considering most Macs are configured by default not to run apps that have not been signed by Apple, that's even less likely to happen.
Here is the original post:
New Apple silicon security flaw could allow the extraction of encryption keys, but don't dust down that old Intel Mac just yet - iMore
Apricorn Introduces Industry’s First 24TB Hardware Encrypted USB Drive – PR Newswire
Massive 24 TB Aegis Padlock DT and Padlock DT FIPS Desktop Drives Offer Encrypted Storage for Healthcare, Finance, Government and other Industries' Data at Rest
POWAY, Calif., March 21, 2024 /PRNewswire/ -- Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB data storage devices, today announced the release of a 24TB version of its Aegis Padlock DT and Padlock DT FIPS Desktop Drives. Continuing its position as an industry leader, Apricorn is the first to bring a 24TB encrypted drive to market, delivering high performance and mass capacity to industries such as healthcare, financial services, education, and government, while ensuring the security of users' data. This is the third time Apricorn has brought to market the industry's largest capacity hardware encrypted USB drive, having previously done so in 20TB and 22TB sizes.
"Microsoft this month disclosed that the nation state attack it identified in January was still not fully contained. Since Microsoft is so deeply entrenched in just about every facet of our workflow, encrypting and storing data offline adds a layer of protection and resilience in the face of potential future attacks that could stem from breaches of this nature," said Kurt Markley, U.S. Managing Director at Apricorn. "The Aegis Padlock DT line is an ideal way for large organizations to protect vast amounts of data at rest in a highly secure and economic way."
Both the Padlock DT and Padlock DT FIPS Desktop Drives come with AegisWare, the proprietary firmware and feature set unique to Apricorn's Aegis Secure Drives and Secure Keys. Consistent with the Apricorn line of secure drives, passwords and commands are entered by way of the device's on-board keypad. All authentication and encryption processes take place within the device itself and never involve software or share critical security parameters (such as passwords) with the host computer. Additionally, all use military-grade 256-bit AES XTS encryption, and the firmware is locked down and can't be updated or modified, defending against malware and ensuring data remains secure and accessible only by the user.
"Across both the public and private-sectors, organizations are creating more data year-over-year, while also dealing with increased rates of breach brought on by ransomware and other cyber threats. It is more critical than ever to create a secure backup and resiliency program that includes encrypting data offline," continued Markley. "The Aegis Padlock DT has proven to be an ideal option for organizations that need to ensure their sensitive data stays secure. Apricorn is the only vendor to offer a hardware encrypted 24TB option, making it easier than ever for our customers to store staggering amounts of data securely."
Featuring the largest encrypted external USB storage capacity in its class, the Aegis Padlock DT and Aegis Padlock DT FIPS Desktop Drives offer 11 capacities ranging from 2TB up to the new 24TB of secure storage. Fully hardware-based and 256-bit AES XTS encrypted, the Padlock DT series combines on-board keypad PIN authentication with ultra-fast USB 3.2 (3.0) data transfer speeds. All data is encrypted on the fly as it's being written to the drive, and the devices' PINs and data remain encrypted when the drives are at rest.
Apricorn devices provide a simple and secure method for transporting sensitive data outside the firewall or storing it offline, and help companies in regulated industries, including finance, government, power & energy, legal and healthcare, adhere to compliance regulations. Visit http://www.apricorn.com for more information on the Aegis Padlock DT FIPS Desktop Drives.
About Apricorn
Apricorn provides secure storage innovations to the most prominent companies in the categories of finance, healthcare, education, and government throughout North America and EMEA. Apricorn products have become the trusted standard for a myriad of data security strategies worldwide. Founded in 1983, Apricorn has developed numerous award-winning products and patents under its own brand as well as for a number of leading computer manufacturers on an OEM basis.
Media Contact: Sarah Hawley, Origin Comms, t. +1 480-292-4640, e. [emailprotected]
SOURCE Apricorn
See original here:
Apricorn Introduces Industry's First 24TB Hardware Encrypted USB Drive - PR Newswire
Surviving the quantum apocalypse with fully homomorphic encryption – Help Net Security
In the past few years, an increasing number of tech companies, organizations, and even governments have been working on one of the next big things in the tech world: successfully building quantum computers.
These actors see a lot of potential in the technology. Quantum computing spreads across a wide range of disciplines both on the hardware research and application development fronts, including elements of computer science, physics, and mathematics. The goal is to combine these subjects to create a computer that utilizes quantum mechanics to solve complex problems faster than on classical computers.
Despite this description evoking images and scenarios fit for a sci-fi blockbuster, it is still hard to pinpoint what a quantum computer would do. Indeed, it seems that the only major application which people have identified is that of cryptanalysis.
Quantum computing has the potential to break cryptosystems that are the foundations of the technology protecting the privacy of data and information created and shared every day. When (and if) an applicable quantum computer is created, we will need to upgrade all our digital security protocols.
A traditional (digital) computer processes zeros and ones, so-called bits. These, to a first-order approximation, are represented as on/off electrical signals. A quantum computer, though, processes quantum states; these are units that can be thought of as being both zero and one at the same time. Such a state is called a quantum bit, or qubit.
If you hold n bits in a traditional computer then these n bits can represent any number between zero and 2^n-1, but a single bit can only represent one number at a time. If you had n qubits, then the quantum computer can represent EVERY number between 0 and 2^n-1 simultaneously.
The physics of quantum phenomena is counter-intuitive. For example, two qubits can be entangled so that even though they can be separated by a large distance, an operation performed on one of the entangled qubits can have an instantaneous effect on the other qubit.
This is where the privacy concern around quantum computers comes from: they not only store data differently, but also process it differently, giving users a very different form of computational model. With this model, quantum computers could be faster than traditional ones with regards to a few known tasks: unluckily, the two main tasks which quantum computers are good at are factoring large numbers and solving so-called discrete logarithm problems. I say unluckily, as it is precisely these two hard mathematical problems which lie at the base of all current security protocols on the internet.
The ability of a quantum system to solve these two mathematical problems will break the internet and all the systems we use day to day. The advent of a quantum computer and its effect on cybersecurity and data privacy is often dubbed the quantum apocalypse.
Thankfully, the advent of a suitably powerful quantum computer capable of breaking current cryptographic solutions does not yet seem to be on the horizon. But organizations and businesses that truly care about the privacy of their users and customers should start preparing for the worst by looking to integrate existing technologies and solutions in their operations and processes.
There are currently two distinct approaches to face an impending quantum apocalypse. The first uses the physics of quantum mechanics itself and is called Quantum Key Distribution (QKD). However, QKD only really solves the problem of key distribution, and it requires dedicated quantum connections between the parties. As such, it is not scalable to solve the problems of internet security; instead, it is most suited to private connections between two fixed government buildings. It is impossible to build internet-scale, end-to-end encrypted systems using QKD.
The second solution is to utilize classical cryptography but base it on mathematical problems for which we do not believe a quantum computer gives any advantage: this is the area of post-quantum cryptography (PQC). PQC algorithms are designed to be essentially drop-in replacements for existing algorithms, which would not require many changes in infrastructure or computing capabilities. NIST (the US standards institute) has recently announced standards for public key encryption and signatures which are post-quantum secure. These new standards are based on different mathematical problems, the most prominent of which is a form of noisy linear algebra, called the Learning-with-Errors problem (LWE).
NIST's standards only consider traditional forms of public key encryption and signatures. Fully homomorphic encryption (FHE) is different from traditional public key encryption in that it allows the processing of the data encrypted within the ciphertexts, without the need to decrypt the ciphertexts first.
As a first approximation, one can view traditional public key encryption as enabling efficient encryption of data in transit, whilst FHE offers efficient encryption of data during usage. Most importantly, with FHE nobody would be able to see your data but you, because they wouldn't have your key.
All modern FHE encryption schemes are based on the LWE problem, thus FHE is already able to be post-quantum secure. So, if you deploy an FHE system today, then there is no need to worry about the future creation of a quantum computer.
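To make the "noisy linear algebra" and "processing encrypted data" ideas of the last paragraphs concrete, here is an added toy example (not from any production FHE library, and with parameters far too small to be secure): a secret-key LWE encryption of single bits in which adding two ciphertexts component-wise yields a ciphertext of the XOR of the two bits, without ever decrypting. The modulus, dimension, noise range and xorshift PRNG are assumptions chosen for readability.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy LWE parameters: secret s in Z_q^n, modulus q a power of two so that
   q/2 encodes a 1 exactly. Illustrative only, not a secure parameter set. */
#define LWE_N 8
#define LWE_Q 4096u

typedef struct { uint32_t a[LWE_N]; uint32_t b; } lwe_ct;

/* Deterministic xorshift32 so the example runs offline and reproducibly;
   real code must draw from a cryptographic RNG. */
static uint32_t prng_state = 0x9E3779B9u;
static uint32_t prng_next(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Secret key: a uniformly random vector s in Z_q^n. */
void lwe_keygen(uint32_t s[LWE_N]) {
    for (int i = 0; i < LWE_N; i++) s[i] = prng_next() % LWE_Q;
}

/* Encrypt one bit: a random, b = <a,s> + e + bit*(q/2) mod q,
   with small noise e in {-1, 0, 1} (the "errors" of Learning-with-Errors). */
lwe_ct lwe_encrypt(const uint32_t s[LWE_N], int bit) {
    lwe_ct ct;
    uint64_t acc = 0;
    for (int i = 0; i < LWE_N; i++) {
        ct.a[i] = prng_next() % LWE_Q;
        acc += (uint64_t)ct.a[i] * s[i];
    }
    uint32_t e = (prng_next() % 3) + LWE_Q - 1;   /* q-1, q, q+1 == -1, 0, 1 mod q */
    ct.b = (uint32_t)((acc + e + (bit ? LWE_Q / 2 : 0)) % LWE_Q);
    return ct;
}

/* Decrypt: recover b - <a,s> = e + bit*(q/2) and decode by nearest of {0, q/2}.
   Correct as long as the accumulated noise stays below q/4. */
int lwe_decrypt(const uint32_t s[LWE_N], const lwe_ct *ct) {
    uint64_t acc = 0;
    for (int i = 0; i < LWE_N; i++) acc += (uint64_t)ct->a[i] * s[i];
    uint32_t v = (ct->b + LWE_Q - (uint32_t)(acc % LWE_Q)) % LWE_Q;
    return (v > LWE_Q / 4 && v < 3 * LWE_Q / 4) ? 1 : 0;
}

/* Homomorphic addition: component-wise sum of ciphertexts encrypts the sum of
   the plaintext bits mod 2 (their XOR); noise terms add, which is why
   real FHE schemes need noise management. */
lwe_ct lwe_add(const lwe_ct *x, const lwe_ct *y) {
    lwe_ct r;
    for (int i = 0; i < LWE_N; i++) r.a[i] = (x->a[i] + y->a[i]) % LWE_Q;
    r.b = (x->b + y->b) % LWE_Q;
    return r;
}

/* Encrypt m1 and m2, XOR them while encrypted, decrypt; returns the result bit. */
int homomorphic_xor_demo(int m1, int m2) {
    uint32_t s[LWE_N];
    lwe_keygen(s);
    lwe_ct c1 = lwe_encrypt(s, m1), c2 = lwe_encrypt(s, m2);
    lwe_ct sum = lwe_add(&c1, &c2);
    return lwe_decrypt(s, &sum);
}

int main(void) {
    for (int m1 = 0; m1 < 2; m1++)
        for (int m2 = 0; m2 < 2; m2++)
            printf("%d XOR %d (computed on ciphertexts) = %d\n",
                   m1, m2, homomorphic_xor_demo(m1, m2));
    return 0;
}
```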
Read the original:
Surviving the quantum apocalypse with fully homomorphic encryption - Help Net Security
Growing concerns about quantum computers’ ability to break commonly used encryption – NL Times
There are growing concerns about quantum computers' eventual ability to circumvent commonly used encryption. That could still be decades away, but 20 Members of the European Parliament, led by Dutch MEP Bart Groothuis, want organizations to start preparing themselves. The Dutch intelligence service AIVD shares the concerns, NOS reports.
Cryptographic keys are currently the most used way to prevent unauthorized persons from reading communications, from sensitive communications between governments to text messages on WhatsApp. The encryption mathematically scrambles the data. Regular computers cannot crack that key in practice because the number of possible mathematical combinations is so high. But there are growing fears that quantum computers, which work fundamentally differently, will eventually be able to do that.
Quantum computing has not reached that point yet, and Q-Day may still be decades away. But governments and critical organizations must already start protecting themselves. "We see an enormous hunger for data in countries like China," the AIVD told the broadcaster. "These countries are already intercepting data in the hope that they'll be able to crack the encryption at some point. It is, therefore, important that organizations whose data will still be sensitive in a few decades' time already implement quantum-safe protection. Software developers need to work on that urgently," the AIVD said.
"We must start this now," MEP Groothuis told the broadcaster. He initiated a public letter by 20 MEPs calling on governments and organizations to implement other ways to protect their data. "We cannot take that risk. The most important organizations must start doing this now."
Switching to other algorithms that are more resistant to quantum computers will be a complicated process because both the sender and receiver must use the same technology. With a banking website, for example, both the bank's web server and the web browser must support the same new technology.
Visit link:
Growing concerns about quantum computers' ability to break commonly used encryption - NL Times
Nevada’s Attack on End-to-End Encryption is an Attack on Online Safety | TechPolicy.Press – Tech Policy Press
Namrata Maheshwari is Senior Policy Counsel and Encryption Policy Lead at Access Now.
With potential repercussions for protecting privacy worldwide, Nevada's attack on end-to-end encryption (E2EE) should concern us all. The state of Nevada's Attorney General is seeking a court order restricting Meta from offering E2EE to minors using Facebook Messenger. This is, simply put, a bad idea. It is a textbook example of how good intentions, in isolation, can pave the way to bad outcomes that negatively impact civil liberties.
My organization, Access Now, joined a group of other civil society organizations, experts, and tech service providers in filing a friend-of-the-court brief to explain why removing E2EE from services such as Messenger will make children more vulnerable online, not less, while also jeopardizing everyone else's safety.
Making online spaces safer is rightly a priority for governments worldwide; but removing access to E2EE is not the way to do it. E2EE is non-negotiable for security. It ensures that no one other than the sender and intended recipient(s) of a message can access its contents, not even the platform used to send the message. In an online world where more data about each of us is generated, stored, and shared than we could ever verify, this is an incredible strength. E2EE provides individuals, including children, with a way to conduct private, even intimate conversations, to express themselves freely, to exchange sensitive information about their health or current location, or even to report abuse. If children are forced to rely on unencrypted messaging channels, exposed to prying eyes, it could be far more dangerous for them to share their live location data, credit card or financial information, and passwords to personal accounts, to report experiences of abuse, or to reach out for assistance with sensitive healthcare matters, such as information on abortion or reproductive health.
Children's rights organizations, such as the Child Rights International Network and Defend Digital Me, have emphasized the importance of encryption in enabling the full range of children's rights, warning that a generalized ban on encryption would leave children vulnerable to a wide range of exploitation and abuse. They also note that the use of unencrypted messaging services can further harm already disadvantaged or marginalized children, such as survivors of abuse.
Depriving minors of E2EE means depriving them of safe spaces online. In the offline world, we have private spaces for conversation. It is possible to ensure that there is no record of such conversation unless one of the parties chooses otherwise. Even when offline conversations are recorded, there are strict limitations on how, when, and why even law enforcement officials can seek access. Encryption is the boon that makes it possible to replicate this online. Without encryption, every word, image, and video recorded on the internet is susceptible to interception and potential abuse, including by law enforcement. As the UN Human Rights Council has noted, the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one's choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.
In seeking to ban encryption, and thus infringe on individuals' right to communicate privately, Nevada is at odds with global best practices, which increasingly recognize that generalized surveillance is anathema to human rights. The office of the UN Special Rapporteur on the Freedom of Expression has long recognized the importance of encryption, urging states not to compel platforms to compromise communications privacy and security by prohibiting encryption. Courts elsewhere are also rejecting mandates for the generalized surveillance enabled by removing encryption. The European Court of Human Rights recently rejected a Russian government request for Telegram and other communication service providers to enable decryption and to store users' communication, essentially the same as not providing E2EE at all. And the African Commission on Human and Peoples' Rights has adopted a resolution calling on states to promote privacy-enhancing technologies and desist from prohibiting or weakening encryption.
It is widely accepted that any restrictions on human rights must meet the thresholds of necessity and proportionality. This means that measures imposed to achieve a particular aim must be effective, using the least intrusive methods possible. A blanket ban on E2EE for all Messenger users under the age of 18 fails on all these counts. It will not make children safer, and will rather expose their data to intrusions and misuse.
E2EE should be available by default, rather than users needing to opt in: a long-standing feature in Signal, Apple's iMessage, and Meta's WhatsApp, and one that Messenger introduced in late 2023. E2EE by default aligns with data protection and privacy-by-design best practices, by removing the burden from users to actively seek out the opt-in setting. This is particularly important when it comes to protecting the data of vulnerable individuals, such as children, who may be even less likely than most people to change their default privacy settings. Opt-out website options are criticized because they make rampant data collection the norm and privacy the exception that a user must actively seek out. Similarly, on messaging platforms, an opt-in for encryption disadvantages the user, and merely offers plausible deniability to the platform to scour personal information and place the blame on the user for not opting in.
If the Nevada Attorney General gets his way, it could also set a dangerous precedent in emboldening other governments, within and beyond the US, to ban E2EE in the name of child safety. Nevada's courts must reject the state's motion, not only to protect encryption and children's rights at home, but also to set a strong precedent, in the domestic and international context. This will prevent others elsewhere from making such blatantly rights-harming demands, tone-deaf to global support for encryption, and strikingly at odds with fundamental human rights.
See the original post here:
Nevada's Attack on End-to-End Encryption is an Attack on Online Safety | TechPolicy.Press - Tech Policy Press