Free Republic

To: Swordmaker

I know you have done it dozens of times, but can you please post up details of how secure this phone is, and the absurdity that someone can just demand Apple to “break into” it?


11 posted on 11/20/2017 4:20:20 PM PST by DesertRhino (Dog is man's best friend, and moslems hate dogs. Add that up. ...)


To: DesertRhino
I know you have done it dozens of times, but can you please post up details of how secure this phone is, and the absurdity that someone can just demand Apple to “break into” it?

Glad to. . .

Essentially, your passcode can be any character string combination. That gives you the possibility of having up to 223^256 passcode combinations. I'm not going to try and figure out how much smaller a number the Apple limitation of no consecutive characters would make it, since that would eliminate double, triple, quadruple, etc., all the way up to 256 identical characters in the passcode. I'm not sure I would even know where to begin calculating that. . . But no matter, it's still a huge number.

Think about that very huge number. Just 16 numeric numbers plus a four digit date code makes it almost impossible for fraudsters to hit on a valid credit card number. Adding the three digit security code makes it even harder. Nine numbers in our Social Security numbers makes it almost impossible to hit valid SSNs. Here we have a number of possible combinations almost infinitely larger than either of those that can be used to encrypt your data.

But it is even better than that, Cold Heat . . . because after YOU select your passcode to use, your Apple computer or device entangles that passcode with the 128 bit Universally Unique Identifier (UUID) assigned to your device. Now, that gives a potential 223^348 possible passcode combinations. That combined, entangled KEY is then converted to a HASH on your device so that it cannot be reverse calculated from the HASH, and then used to encrypt your data to a 256 bit Advanced Encryption Standard (AES) file, unlockable only with the original key. . . which is kept only on the device as a hash.

A Googol is 10^100, a very large number indeed. This number of possible passcode combinations is FAR larger than a Googol.

Most people are NOT going to use a 256 character passcode. But a sufficiently complex shorter one is sufficient.

Apple may be required to hand over to the government what they are holding. . . and even be required to help the government gain access to what they have. But what can they do if they do not have the technology to do ANYTHING to gain access to the data they have stored? That is the situation as it stands.

How long would it take to try every possible combination of characters and numbers and symbols that could have been used to encrypt your data by brute force, no? Good question. Because that is what would be required, unless they can force YOU to reveal your passcode.

Let's assume your Passcode was a short, but complex, 16 character code. Recall, however, that it was entangled with your computer's or device's 128 character UUID, so the base is now 16 + 128 or 223^144, not quite so large as that previous number, but still huge. . . and quite a bit larger than a Googol.

1,­052,­019,­282,­033,­700,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,000,000,000,000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

That's 1.052 duovigintillion possible combinations, give or take a few.

If the government's supercomputer could check 50,000 passcodes every second, it could therefore test 1.5 TRILLION possible passcodes a year. Let's grant the government agency a 100% faster supercomputer and say they could check 3 TRILLION passcodes a year, OK? That means it would take their supercomputer only a mere. . .

5,260,096,410,168,500,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,­000,000,000,000, 000,000,000,000,000,000,000,000.000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 YEARS

to check all the possible passcodes to decipher your encrypted file that had been encoded with your 16 character complex passcode entangled with a 128 character UUID. It is possible they could, if they were outrageously lucky, get the data deciphered next week, but it more likely will take them a good portion of 5.26 Billion Vigintillion (10^195) Years to break into your data. Double, triple, quintuple, or even multiply the speed of the government's super computer by a factor of 1000. . . it makes only infinitesimal differences in the amount of time it would take to break your passcode. That's the law of very large numbers at work.

But, DesertRhino, it's even worse than that. The actual encryption key is not made of the user's passcode. It's constructed of FOUR elements of which the user's passcode is only peripherally related. That passcode is used to start the process. It is used to create a ONE-WAY mathematical HASH which is calculated each and every time it is entered to be compared with a stored HASH that was first calculated when it was first entered. If it is the same, then an Algorithm is used to entangle that created HASH with the OTHER THREE components of the encryption key. Those components that make up the rest of the encryption/decryption key are:

  1. The UUID mentioned above which was randomly created at the silicon foundry when the Secure Enclave was burned. It is a random string of characters that only exist inside the Secure Enclave and which are NOT RECORDED anywhere. It will likely look something like this "b(e5IBa3d!0MºG≤971c4ß4189ec$fe2d1∆ߨaNSG^Fbcd@*6¶6be˚¥˙®7*8fhr•§¢09ejl43db©m306øˆå5™dfw¬˚ekœ´¨t40…˚61ep3. . ."
  2. The Unique Device ID (UDID) which is a 40 character string that is the same for every device in a model line and looks something like this: "2b6f0cc904d137be2e1730235f5664094b831186"
  3. A Completely RANDOM number generated by an algorithm using inputs from the environment surrounding the iOS device at the moment the user finishes inputting his/her passcode for the very first time, taken from the device's camera, microphone, position sensors, etc., so that each one is truly unique. Apple has never revealed the size or provided an example of the random number generated.

These three components are entangled with the ONE-WAY HASH created from the user's passcode, which recall can be any string from 4 to 256 characters from the 223 available on the virtual keyboard, to create the actual key used for the 256 bit Advanced Encryption Standard Key which can therefore be ridiculously long. All of which is done and kept inside the Secure Enclave's encryption processor which is NOT accessible to the iOS device's data processor or its data bus. Apps and radios have no connection to the Secure Enclave.

The user's passcode itself is at no time retained on the iPhone. That one-way HASH, if it could be read out of the Secure Enclave, cannot be used to reverse to find the user's passcode. Apple is never made aware of the user's passcode, the UUID, or the Environmental Random number. The only data that Apple knows is the UDID because they assign it to all the devices in that model.

I hope this covers what you wanted, DesertRhino.

29 posted on 11/20/2017 6:33:33 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
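
Added example, not part of the post above and not Apple's implementation: Python code for the idea the post describes, a passcode run through a one-way function and then bound to a per-device secret, with the brute-force time worked in logarithms. PBKDF2-HMAC-SHA256, the iteration count, and the names `derive_key`, `device_secret` and `salt` are assumptions chosen for illustration; only the 223-symbol keyboard, the 256-bit AES key size and the 50,000 guesses per second figure come from the post.

```python
import hashlib
import hmac
import math
import os

CHARSET = 223            # symbol count quoted in the post
ITERATIONS = 100_000     # assumed work factor, for illustration only
SECONDS_PER_YEAR = 31_557_600

def derive_key(passcode: str, device_secret: bytes, salt: bytes) -> bytes:
    """Stretch the passcode one-way, then bind it to a per-device secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                                    salt, ITERATIONS)
    # HMAC keyed with the device secret: without that secret the stretched
    # passcode alone does not yield the 32-byte (AES-256 sized) key.
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()

def passcode_bits(length: int, charset: int = CHARSET) -> float:
    """Entropy of a uniformly random passcode, capped at the 256-bit key size."""
    return min(length * math.log2(charset), 256.0)

def log10_years_to_exhaust(length: int, guesses_per_second: float,
                           charset: int = CHARSET) -> float:
    """log10 of the years needed to try every passcode of this length.
    Logs avoid float overflow for long passcodes (223**256 is ~10**601)."""
    return (length * math.log10(charset)
            - math.log10(guesses_per_second * SECONDS_PER_YEAR))

if __name__ == "__main__":
    salt = os.urandom(16)                       # constructed sample values
    dev_a, dev_b = os.urandom(32), os.urandom(32)
    k1 = derive_key("correct horse 42!", dev_a, salt)
    k2 = derive_key("correct horse 42!", dev_b, salt)
    print("same passcode, other device, same key?", hmac.compare_digest(k1, k2))
    print("16-char passcode bits:", round(passcode_bits(16), 1))
    print("log10(years) at 50,000 guesses/s:",
          round(log10_years_to_exhaust(16, 50_000), 2))
```
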
