According to Apple, iMessage is secure:
End-to-end encryption protects your iMessage and FaceTime conversations across all your devices. With watchOS, iOS and iPadOS, your messages are encrypted on your device so they can’t be accessed without your passcode. iMessage and FaceTime are designed so that there’s no way for Apple to read your messages when they’re in transit between devices.
But why do China, Iran and Russia allow iMessage while they ban other messaging apps? That is a very curious question, and I think I have the answer in this article. If you hate maths and cryptography, you may want to skip the following section and jump straight to the last section.
For starters, let us assume that your iPhone, Mac or iPad is secure and has not been compromised in any way. The question is, how strong is Apple’s iMessage encryption?
This section is for cryptography and math geeks
For this, let’s turn to this section of the Apple Platform Security white paper on iMessage:
When a user turns on iMessage on a device, the device generates encryption and signing pairs of keys for use with the service. For encryption, there is an encryption RSA 1280-bit key as well as an encryption EC 256-bit key on the NIST P-256 curve.
An RSA 1280-bit key for encryption? That is cryptographically weak! An adversary with the resources of a nation-state can crack it.
Next, why is Apple using the P-256 curve for the EC 256-bit key? There is speculation that the NSA has backdoored the P-256 curve, and 6 years ago the NSA deprecated it.
Next, how is the EC 256-bit key used? Is it used in conjunction with the RSA 1280-bit key, or as an alternative to it? To answer this question, I need to turn to this section of the white paper:
The user’s outgoing message is individually encrypted for each of the receiver’s devices. The public encryption keys and signing keys of the receiving devices are retrieved from IDS. For each receiving device, the sending device generates a random 88-bit value and uses it as an HMAC-SHA256 key to construct a 40-bit value derived from the sender and receiver public key and the plain text. The concatenation of the 88-bit and 40-bit values makes a 128-bit key, which encrypts the message with it using AES in Counter (CTR) Mode. The 40-bit value is used by the receiver side to verify the integrity of the decrypted plaintext. This per-message AES key is encrypted using RSA-OAEP to the public key of the receiving device. The combination of the encrypted message text and the encrypted message key is then hashed with SHA-1 and the hash is signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) using the sending device’s private signing key. In iOS 13 or later and iPadOS 13.1 or later, devices may use an Elliptic Curve Integrated Encryption Scheme (ECIES) encryption instead of RSA encryption.
This paragraph raises more questions than answers. The last sentence says that ECIES encryption (that is, the above-mentioned EC 256-bit key) MAY be used instead of RSA encryption. My question is, under what circumstances will it be used instead of RSA (which is very weak cryptographically)? Can I speculate that RSA will be used in countries like China, Iran and Russia while ECIES will be used for the rest of the world?
This is quite murky.
To put it very simply, here is what it seems to mean:
- Most of the time, your iMessage is encrypted using an RSA 1280-bit key, which is cryptographically weak.
- If you have iOS/iPadOS 13 or later, an EC 256-bit encryption key on the P-256 curve MAY be used instead of RSA. Under what circumstances will it be used? Apple didn’t say.
- Since the EC 256-bit encryption key uses the P-256 curve, there is speculation and concern that this elliptic curve may be compromised by the NSA.
To make matters worse, the per-message encryption key (which is itself encrypted with the above-mentioned RSA or EC 256-bit key) is effectively only 88 bits long. I speculate that encryption keys of such short length can be cracked by adversaries with the resources of a nation-state.
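The per-message key construction and integrity check that the quoted paragraph describes, modelled as an added Go example (this is not Apple's code): the 88-bit random value is the only fresh randomness in the 128-bit AES-CTR key, and the 40-bit half is recomputed from the decrypted plaintext on the receiving side. The HMAC input order, the truncation to the first 40 bits of the tag and the zero CTR IV are assumptions not stated on the page, and the RSA-OAEP/ECIES wrapping of the key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveKey models the white paper's per-message key: an 88-bit random value is
// the HMAC-SHA256 key over the sender/receiver public keys and the plaintext, and
// 40 bits of the tag are appended to reach 128 bits (input order and truncation assumed).
func deriveKey(rand88, senderPub, receiverPub, plaintext []byte) []byte {
	mac := hmac.New(sha256.New, rand88)
	mac.Write(senderPub)
	mac.Write(receiverPub)
	mac.Write(plaintext)
	tag40 := mac.Sum(nil)[:5]
	return append(append([]byte{}, rand88...), tag40...) // 11 + 5 = 16 bytes
}

// ctr applies AES-CTR. The paper does not give the IV; a zero IV is assumed,
// which is acceptable only because each key is fresh and used for one message.
func ctr(key, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// encrypt returns the ciphertext and the 128-bit per-message key, which the
// real protocol then wraps with RSA-OAEP or ECIES for each receiving device.
func encrypt(senderPub, receiverPub, plaintext []byte) (ciphertext, key []byte, err error) {
	rand88 := make([]byte, 11) // the only fresh randomness in the 128-bit key
	if _, err = rand.Read(rand88); err != nil {
		return nil, nil, err
	}
	key = deriveKey(rand88, senderPub, receiverPub, plaintext)
	return ctr(key, plaintext), key, nil
}

// decrypt recovers the plaintext, re-derives the 40-bit value from it and the
// 88-bit half of the key, and rejects the message if the two do not match.
func decrypt(key, senderPub, receiverPub, ciphertext []byte) ([]byte, bool) {
	plaintext := ctr(key, ciphertext)
	expected := deriveKey(key[:11], senderPub, receiverPub, plaintext)
	return plaintext, hmac.Equal(expected, key)
}
```

Flipping a single ciphertext bit changes the recovered plaintext, so the re-derived 40-bit value no longer matches and decrypt reports failure.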
For the lay-person
For the lay-person, this section is all you need to know.
I don’t like what I see regarding iMessage security in the Apple Platform Security white paper. It seems to me that Apple’s iMessage encryption is strong enough to prevent government mass surveillance, but weak enough for a major government to crack a specific individual’s messages. That explains why iMessage is allowed in countries like China, Iran and Russia while other messaging apps (e.g. WhatsApp, Telegram) are banned.
The next question is, will Apple ever upgrade iMessage’s encryption strength? I doubt it. China is a huge and important market for Apple. If they make iMessage as strong as the Signal messaging app’s encryption, it is likely that China will ban iPhones.
So, in conclusion, iMessage is good enough for most people. But if you are a very special individual (e.g. a high-profile political dissident), then you shouldn’t trust iMessage.