I thought iMessage private keys are somehow based on data in the "secure enclave" chip, and thus not able to be stored in the cloud. It's my understanding that Apple could add new "devices" to listen in on future conversations, but it can't read iMessage conversations in transit between existing devices.
It can also read iCloud backups of conversation content, which are created by the client device after decrypting the message. But that's not the same as storing the private key itself in the backup.
If you lose your device and buy a new one and restore your device with a back up, all your messages will be returned.
There’s no way to accomplish this without having the private key in the backup.
EDIT: When I say there is no way to accomplish this, I’m talking specifically about the process that exists today where the user doesn’t have to remember a password other than their iCloud password (which today, can also be reset).
Maybe we're talking about different private keys? To clarify, here's how I think it works:
1) To send you a new iMessage, someone else's iPhone Z encrypts it with your public key and sends it through the iMessage network. Apple can't read this message since they don't have your iMessage private key, which is only on your device.
2) Your iPhone A receives the encrypted iMessages and decrypts them with your iMessage private key on your device.
3) iPhone A stores the decrypted iMessage content in its filesystem, which is encrypted locally with the device private key (derived from your device passcode).
4) Time to backup... iPhone A decrypts its filesystem with your device private key, and sends filesystem contents as plaintext, through an encrypted tunnel, to an iCloud backup server, which encrypts the backup locally with an iCloud server private key, and stores it.
5) You get a new iPhone, let's call it iPhone B. iPhone B asks iCloud for a restore. The iCloud server locally decrypts the backup, and sends it to iPhone B as plaintext through an encrypted tunnel. iPhone B receives the backup as plaintext and stores it locally, encrypting it locally with the device private key.
6) iPhone B iMessage client loads the plaintext old iMessages into the Messages client for you to read.
At no point in this process would Apple have or store your iMessage private key or your device private key.
The encryption is a bit complex on the iPhone, because keys are typically held by the secure enclave which enforces policy on use. These keys are both used to encrypt the base filesystem, and can be applied by policy against individual files.
Example policies from the Secure Enclave would be that a private key is available on first unlock, only while unlocked, only while a PIN is set, and/or whether the key should be shared with other trusted devices.
The base filesystem is encrypted with a key released on boot, while individual files can be encrypted with some set of these policies. I believe this can be done either on individual files in an app's data, or as an entitlement to apply by default to the entire app. https://developer.apple.com/documentation/bundleresources/en...
My understanding is that files set with a policy that they are only available while the device is unlocked will still be backed up in the locally encrypted form. So, assuming Signal/WhatsApp/etc set a single flag their data is stored encrypted in iCloud.
Further, per your list I suspect that the backup data is sent to/from iCloud already encrypted by a secret - but that secret is shared with iCloud for recovery and shared further on official government request. The goal there is to limit the amount of unencrypted user data sent to third party servers (in this case in the US I believe Azure-hosted storage for backups).
The keys are separately stored on Apple-controlled servers in non-China countries. In China, I believe they were required by law to have the key storage instead hosted by a Chinese data center.
You are right; Apple isn't storing your private key, they simply have access to an unencrypted dump of your iPhone at the time of iCloud backup creation. My comment implies that once you take a backup, Apple would have the ability to read all your future messages as well.
> There’s no way to accomplish this without having the private key in the backup.
Uh, no. There's no way to accomplish that without some kind of user-managed escrow (even a pass phrase would be fine). It's maybe not the seamless experience Apple wants to offer, but it's certainly not impossible.
Frankly the kind of dummyproof restore being offered is fundamentally incompatible with private backups.
Your messages are returned via the backup, not via the "iMessage servers". Once the messages are at rest on your device, they're no longer encrypted using your "iMessage private key".
I would think that you could, however, encrypt that private key with a user-controlled password. (Granted, this should be optional and have big red warnings about being unable to recover without the password)
The secure enclave is a feature to secure the device and the data on it from casual threats. Apple gets a bit evasive any time the subject of security shifts to their cloud services. (i.e. they will talk about how a particular feature is e2e encrypted but their security talking points seem to mostly end at the device)
I think a better way to look at what they're selling you is a device that provides you pretty-to-very good protection from casual hacking and theft. But in the event of a government knocking on their door for more information, they'll quietly hand over what they can which probably is quite a bit more than the average consumer thinks it is. All bets are off as to what the full story is when the government/jurisdiction involved is not the United States.
> Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.
But wait does it mean that if you haven't iCloud backup activated but use local backup you can actually sync message without storing private key... the wording here is important would be nice if someone clarify.
It's not uncommon for software to claim to offer this feature. Windows does it for example, and it was a bug in such a feature for WebCrypto in Firefox that made the news recently here.
Invariably such features are weak and a sufficiently capable attacker can override them. In Windows for example you could reach into the opaque data structure and toggle the Boolean that forbids exporting keys...
It can also read iCloud backups of conversation content, which are created by the client device after decrypting the message. But that's not the same as storing the private key itself in the backup.
Happy to have my understanding updated...