Phone Password Security Explained In A Simple-Minded Way
By David Grace (www.DavidGraceAuthor.com)
I wrote a post on the Apple-iPhone security issue (Here’s How Apple Can Make iPhones That Are Both Secure And Accessible By Search Warrant And Why It Should Do That) and the thing that surprised me about the feedback I received was how much trouble some people had understanding the basics of how public/private key encryption works.
The purpose of this post is to try to dumb-down phone password encryption basics to the level where people who are confused by the concept will be able to understand it.
Not Technically Accurate
I’m not going to talk about prime numbers or factoring or any of the technical things. I’m not going to use any example numbers or example passwords that bear any relationship to real keys or real passwords.
I’m going to change some terms, for example, I’m going to refer to the private key as the “Secret Number” and the public key as the “Encryption Number” because those terms are easier for some people to understand.
All this means that in some ways I’m not going to be technically accurate. My goal is not technical accuracy, but rather to explain the basic concept of how public/private key systems work so that people who are not versed in computer science or mathematics will be able to get the gist of it.
Let’s start with languages.
The Difference Between English Words And Encrypted Words
The world is full of languages, English, French, etc.
If you put the word “street” into the English side of an English-Spanish translator, “calle” will come out on the Spanish side. If you put “calle” into the Spanish side, “street” will come out on the English side. “Calle” always means “street” and “street” always means “calle”.
The English-Spanish translator works the same both ways.
A Different Kind Of Language
Let’s say that there’s a new language that we’ll call “Crypto” but Crypto isn’t at all like other languages.
If you put the word “chair” into the English side of one English-to-Crypto translator it may come out as “heart” on the Crypto side, but there is no way to enter “heart” on the Crypto side to get its English equivalent, “chair” out the other end. That’s because the translator only goes one way. It only goes from English to Crypto. Without knowing a “secret code” there is no way to go from Crypto back to English.
Crypto Is A One-Way Language
Each version of Crypto uses a number to control how it translates English to Crypto. For this article let’s call it the “Encryption Number” (AKA the “public key”).
Early in the phone’s production process, the phone’s designer, e.g. Apple, creates a pair of numbers for each phone, the Encryption Number or public key and a Secret Number or private key. These two numbers have a mathematical relationship to each other but in practical terms it is impossible to determine what one number is by looking at the other number.
For example, it has been estimated that it would take over a hundred years of super-computer time to work backward from a 128 digit long Encryption Number to calculate its paired Secret Number.
The company, Apple for example, gives an Encryption Number to the factory for each phone that will be built, and that number is stored on the phone. The other number, the Secret Number, isn’t revealed to anyone and never leaves the company’s design lab, OR the company may choose to destroy the Secret Number and never keep a copy of it at all.
Each phone can use a different Encryption Number to encrypt that phone’s password in a different way.
One machine speaking Crypto with one Encryption Number will use that Encryption Number to cause “chair” to be translated into “heart.” The next machine speaking Crypto with a different Encryption Number may use that different Encryption Number to translate “chair” into “shelf.” The next machine speaking Crypto with yet a third Encryption Number may use that different Encryption Number to translate “chair” into “table.” And so on.
If you enter “heart” into the version of Crypto that translated “chair” into “heart” you won’t get “chair” back out. You might get “opera” out. If you enter “opera” you’ll get something else again, maybe “table.”
Someone could take your phone apart and learn what your Encryption Number is and that the Crypto translation for your password is “heart” but that wouldn’t help them learn that your password is “chair.”
In order to go from “heart” back to “chair” you need to know the Secret Number, and that Secret Number is only stored where the phone’s pair of secret and encryption numbers were originally created, if it is saved at all.
How Does Crypto Use My Password To Open My Phone?
You turn on your phone and you type in your password, “chair.” Your phone’s version of Crypto translates “chair” into “heart.” Your phone looks at its memory chip and finds “heart” saved there. Since “heart” in the memory matches the translation Crypto just performed on what you typed in, it unlocks your phone.
Can The Information On The Phone Be Used To Figure Out My Password?
Let’s say that your phone has serial number 6,142,312 (not a real serial number) and Encryption Number is 19,234,768 (not a real public key number). Those were both installed at the factory. Your phone also has the Crypto translation of your password, “heart” which your phone saved when you initially created your password.
When your phone’s designer gave the manufacturing plant in China or Korea or wherever your phone’s Encryption Number, 19,234,768, it also created the phone’s Secret Number which never left the deepest, darkest levels of company’s design lab, or maybe the Secret Number wasn’t saved at all.
The Secret Number is not in any way involved in the manufacturing process, is never disclosed to anyone, and is never contained on the phone.
If the Encryption Number is a long number, e.g. 128 digits, no one using current super computers can, in your lifetime, work backward from the Encryption Number to discover the Secret Number.
What Good Is The Secret Number?
The Secret Number allows the company to build a Crypto-to-English translator for a password created by the specific version of Crypto on your phone. Let’s say that the Secret Number for your phone is 9,843,364 (not a real private key number).
How Does This Translation Happen?
If the company enters your Crypto password “heart” and your Secret Number, 9,843,364, into a special software program, the English version of your password, “chair” will pop out.
Of course, if your password is a four digit number then there are only 9,999 possible passwords so if someone could try each of them one at a time eventually they would hit on the correct four-digit number by random chance.
That’s why the phone can be set to erase certain vital data after ten wrong tries. It is believed that on the phone used by the San Bernardino terrorists the FBI was able to backup that vital data so that every time it was erased it could be restored and the guessing could continue until they hit on the password.
Click here to read my post: Here’s How Apple Can Make iPhones That Are Both Secure And Accessible By Search Warrant And Why It Should Do That
— David Grace
