Re: file encryption/decryption iOS
- Subject: Re: file encryption/decryption iOS
- From: Jens Alfke <email@hidden>
- Date: Thu, 29 Jun 2017 09:45:50 -0700
> On Jun 29, 2017, at 5:33 AM, Dave Fernandes <email@hidden>
> wrote:
>
> Ah. Thinking about the new device use case helps. Everything must be
> accessible and decryptable using only the iCloud passphrase. But if the same
> passphrase is used both to authorize access to the data and to decrypt it,
> then Apple has the passphrase to decrypt each time the user logs in, do they
> not? So encryption prevents against third parties seeing the data, but not
> Apple itself. Or perhaps the passphrase is used to generate two independent
> secrets and the passphrase itself is never sent over the wire?

Any competent* online service does not store your password. They only store a
hashed version of it.

With web-based logins the password does usually get sent to the server, but it
only keeps it long enough to verify the hash, never storing it persistently.

A login system like Apple’s is probably sending a random challenge value to the
device, which then gets somehow transformed using the password in a way that
can be verified using the hash (I’m hand-waving here, but there are many
algorithms for this.) Or alternatively, the password defines an asymmetric
key-pair**, of which Apple stores the public key, and the login then consists
of signing the challenge value and sending it back, letting Apple verify the
signature.

—Jens

* Unfortunately there are still incompetent services out there. Match.com
<http://match.com/> is one, for example, or was a few years ago when I briefly
tried using it. If you tell it you forgot your password, it *emails your
password to you*. My jaw hit the floor and I deleted the account immediately.

** Deriving a key-pair from a password isn’t feasible with RSA, but it can be
done with e.g. Curve25519.
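
The second scheme described in the message above (a key pair defined by the password, with the server holding only the public key and verifying a signed challenge), as an added example that is not from the thread and does not describe Apple's actual protocol. It uses Ed25519, the signature scheme on Curve25519, where any 32-byte value is a valid private seed; the function names, PBKDF2 stretch, iteration count, salt and passphrase are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveKey uses single-block PBKDF2-HMAC-SHA256 output as the Ed25519 seed.
func DeriveKey(password string, salt []byte) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	seed := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // iteration count is an assumed work factor
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range seed {
			seed[j] ^= u[j]
		}
	}
	return ed25519.NewKeyFromSeed(seed)
}

// Enroll returns the only thing the server stores: the public key.
func Enroll(password string, salt []byte) ed25519.PublicKey {
	return DeriveKey(password, salt).Public().(ed25519.PublicKey)
}

// Respond is the device side of a login: sign the server's challenge.
func Respond(password string, salt, challenge []byte) []byte {
	return ed25519.Sign(DeriveKey(password, salt), challenge)
}

func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	salt, challenge := []byte("constructed-salt"), make([]byte, 32)
	rand.Read(challenge) // server picks a fresh random challenge per login
	pub := Enroll("constructed passphrase", salt)
	fmt.Println(Verify(pub, challenge, Respond("constructed passphrase", salt, challenge)))
	fmt.Println(Verify(pub, challenge, Respond("wrong guess", salt, challenge)))
}
```

A response is bound to its challenge, so a captured signature does not verify against the next login's challenge. The stored public key and salt still let anyone who obtains them test password guesses offline, which is why the derivation is deliberately slow.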