The quick summary involves public-key cryptography, which uses a pair of keys to encrypt and decrypt messages. Messages encrypted using the public key can only be decrypted with the corresponding private key, and vice-versa. Essentially, when Bob joins iMessage, his device generates a public/private key pair and sends the public key to Apple. The private key never leaves his device. If Alice wants to send a message to Bob, her phone obtains Bob’s public key from Apple, encrypts the message, and then passes it to Apple who forwards it to Bob. Since Apple doesn’t have Bob’s private key, they have no way of reading the message.
There’s actually a second pair of public/private keys used as well, which Alice uses to digitally sign her message, so that Bob’s device can tell it came from her and not someone else. If Bob has multiple devices, then each one has its own set of keys, and Alice encrypts the message such that each of Bob’s private keys can decrypt it.[1]
The key takeaway here is that Apple can’t read Alice’s messages to Bob without considerable effort on their part. If the system works as designed, Apple never has a decryption key, so they have no special ability to decrypt messages.
The “as designed” is important: Alice has to trust that her software works as described. On iOS, there is no way to independently verify how iMessage is implemented. Furthermore, since Apple handles the key distribution, they might be able to implement a Man-in-the-Middle attack: instead of sending Alice Bob’s actual public key, they could send a public key that they control, decrypt the message, and then re-encrypt using Bob’s public key.[2]
Given Apple’s recent SSL flaw (1, 2) and the NSA’s claimed iOS exploits, it’s not unreasonable to be wary of Apple’s security claims, but I still feel comfortable with the system for iMessage. It’s already more secure than e-mail or text messaging, and Apple has no real incentive to compromise their users’ privacy.
(via Daring Fireball)
[1] Apparently, this involves encrypting the entire message multiple times if it’s short, or using the public key to encrypt a symmetric key, presumably similar to the way PGP works.
[2] The white paper is not clear on whether Alice signs the encrypted message or the plaintext. If she authenticates the encrypted message, then I don’t think this attack could work.