The bit tying in to my comment a few days ago is they note that Apple won't
confirm but no doubt does provide a signed private app that takes the
encrypted key material off the device for brute forcing.  And an app for
dumping all data off the device if that's also not possible without
jailbreaking.

Maybe they even quietly sign apps by Elcomsoft et al for sale or service
provision to law enforcement only that do the job.

And you can't tell me that a PIN of 4 or 6 digits is of any credible security no
matter what iterator is used for PBKDF2 - it's a joke, period.  Obviously
because the login delay has to be acceptable to the user on a puny phone
processor, vs a GPU optimized or FPGA massively parallel, or Amazon
flash-rented server farm brute force of the same.  QED.

These days the same pretty much applies to any 8 char alphanumeric password. Passwords are dead. People need to face reality and adapt.

(And by that I mean improve the crypto away from 1980s era password based
protocols, not give up.)

Adam

On Thu, Apr 05, 2012 at 11:42:16PM -0400, Jeffrey Walton wrote:

On Wed, Apr 4, 2012 at 3:45 PM, Jeffrey Walton <[email protected]> wrote:

Hi All,

Older iOS devices used a 4 digit PIN code, which was next to no
protection. Newer iOS allow passcodes which consist of a full
(fuller?) alphabet.

Assuming a weak password policy (for example, 4 or 6 characters) are
there any real benefits over PINs?

What is the state of the art for mobile password cracking on iOS and Android?

Ask and you shall receive (Ars Technica dropped it yesterday):

http://arstechnica.com/apple/news/2012/04/can-apple-give-police-a-key-to-your-encrypted-iphone-data-ars-investigates.ars

Does Apple have a backdoor that it can use to help law enforcement
bypass your iPhone's passcode? That question became front and center
this week when training materials (PDF) for the California District
Attorneys Association started being distributed online with a line
implying that Apple could do so if the appropriate request was filed
by police.

As with most things, the answer is complex and not very
straightforward. Apple almost definitely does help law enforcement get
past iPhone security measures, but how? Is Apple advising them using
already well-known cracking techniques, or does the company have
special access to our iDevices that we don't know about? Ars decided
to try to find out.
...

If Apple does keep device key records, they could be given to law
enforcement for a faster brute-force session off-device. "It is pretty
much impractical to break a six-character passcode on the device
itself, but may be entirely practical offline using specialized
systems. So to me it seems like it might be possible for Apple to help
[a law enforcement official], but not directly, if they really store
these hardware keys, but again, nobody knows if they do that or not,"
[Charlie] Miller said.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
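
The trade-off argued in the thread above (the key-derivation cost is capped by the unlock delay a user will accept, while the passcode space stays small) can be worked through numerically. This is an added example, not part of the original messages; the 80 ms delay, the speedup factors and the use of PBKDF2-HMAC-SHA1 are assumptions, and it takes the message's premise that the key material is available off the device.

```python
import hashlib
import os
import time

def derive_seconds(iterations, samples=3):
    """Average wall-clock cost of one PBKDF2-HMAC-SHA1 derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", b"%04d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples

def calibrate_iterations(target_seconds, start=1000):
    """Double the iteration count until one derivation costs at least target_seconds."""
    iterations = start
    while derive_seconds(iterations) < target_seconds:
        iterations *= 2
    return iterations

def exhaust_seconds(alphabet, length, guess_seconds, speedup=1.0):
    """Worst-case time to run the derivation for every passcode in the space."""
    return alphabet ** length * guess_seconds / speedup

def min_length(alphabet, guess_seconds, speedup, target_seconds):
    """Shortest length whose whole space takes at least target_seconds to cover."""
    length = 1
    while exhaust_seconds(alphabet, length, guess_seconds, speedup) < target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    delay = 0.08  # assumed acceptable unlock delay in seconds (constructed value)
    print("iterations giving >= %.0f ms here: %d"
          % (delay * 1000, calibrate_iterations(delay)))
    policies = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                ("8-char alphanumeric", 62, 8)]
    for name, alphabet, length in policies:
        for speedup in (1, 1000, 1000000):  # assumed off-device parallelism
            hours = exhaust_seconds(alphabet, length, delay, speedup) / 3600
            print("%-20s speedup %7dx: %.3g hours" % (name, speedup, hours))
    year = 365 * 86400
    print("digits needed to hold one year at 1000x:",
          min_length(10, delay, 1000, year))
```

The iteration count only scales the result linearly, whereas each extra passcode character multiplies it by the alphabet size, which is why the policy length dominates the outcome.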