On Apr 10, 2012, at 10:32 AM, Natanael wrote:

> Just FYI, there's been claims that these guys faked it. But on the other 
> hand, there ARE other tools that can extract data from iPhones so you can 
> bruteforce the encryption later.
> 

I'm pretty certain they faked it. The question is how they faked it. They may 
have faked it in a quasi-defensible way.

It takes ~1000 seconds to brute force a four-digit PIN, because the hardware 
calibrates each iteration to ~100ms (and it must be done on the device itself, 
because there's a hardware key that's part of the calculation, and if you don't 
want to destroy the device, you do it on the device). That's 16 2/3 minutes.

If you then say that well, you can get one on average in 8 1/3 minutes, that 
has merit, but we've definitely wandered into marketing. If you note that some 
large percentage of PINs start with a zero or one, that average pulls down, 
particularly since you'll do everything starting with a one in ~100 seconds, 
and really, part of the human factors of pincodes is that a frighteningly large 
number of them are under 1231. 

If you're selling a forensic toolkit, it is not untrue that you could do it in 
a few minutes on average. It's not what I'd call responsible, though. It 
implies that the best pincode is 9999 or perhaps 9989 (no triple-repeated 
digit). :-)

        Jon



_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
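
The timing argument in the message above, worked through as an added example (not part of the original e-mail). The ~100 ms per guess and the 1231 cutoff come from the message; the share of users picking a low PIN (one half here) is a constructed assumption, not measured data, and the descending sweep and six-digit case go slightly beyond what the message covers.

```python
from fractions import Fraction

PER_GUESS = Fraction(1, 10)   # seconds per attempt: the ~100 ms figure from the message
SPACE = 10_000                # four-digit PINs 0000..9999


def seconds_to_reach(pin, order):
    """Time until `pin` is tried when guesses follow `order` (a list of PINs)."""
    return (order.index(pin) + 1) * PER_GUESS


def expected_seconds(weights, order):
    """Expected search time when the PIN is drawn with probability ~ weights[pin]."""
    total = sum(weights)
    hit = sum(Fraction(weights[pin]) * (pos + 1) for pos, pin in enumerate(order))
    return hit * PER_GUESS / total


def skewed_weights(low_share, cutoff=1231):
    """Constructed distribution (assumption, not measured data): `low_share` of
    users pick uniformly below `cutoff`, the rest uniformly over all PINs."""
    low = Fraction(low_share) / cutoff
    base = (1 - Fraction(low_share)) / SPACE
    return [base + low if pin < cutoff else base for pin in range(SPACE)]


def worst_case_seconds(alphabet, length):
    """Full sweep of alphabet**length codes at the same per-guess cost."""
    return alphabet ** length * PER_GUESS


if __name__ == "__main__":
    ascending = list(range(SPACE))
    descending = ascending[::-1]
    rows = [
        ("worst case, 4 digits", worst_case_seconds(10, 4)),
        ("average, uniform PINs", expected_seconds([1] * SPACE, ascending)),
        ("average, half below 1231", expected_seconds(skewed_weights(0.5), ascending)),
        ("PIN 9999, ascending sweep", seconds_to_reach(9999, ascending)),
        ("PIN 9999, descending sweep", seconds_to_reach(9999, descending)),
        ("worst case, 6 digits", worst_case_seconds(10, 6)),
    ]
    for label, secs in rows:
        print(f"{label:28s} {float(secs):>10.3f} s")
```

The descending row shows why 9999 is only "best" against an ascending sweep: any fixed PIN is first in some guess order, so the real protection comes from the size of the code space.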
