Privacy is in the eye of the beholder

Posted by Theodore on Sunday, September 28, 2014
Recent articles (like this and this) state that the FBI and NSA are greatly concerned about the encryption that the latest iPhone models use.

Apple has tried hard to persuade iPhone users, partly by updating its privacy policy, that their privacy is well guarded and that even government authorities have a hard time breaking the encryption of their devices. The phone encrypts emails, photos and contacts with a cryptographic algorithm keyed by a code that is created by, and unique to, the phone's user, a code that Apple says it will not possess.

As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license. Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits". In addition, other items require a one-time review by or notification to BIS prior to export to most countries. For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. Export regulations have been relaxed from pre-1996 standards, but are still complex. Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.

The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating States seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities. Category 5, Part 2 of the Wassenaar Arrangement is titled Information Security and states the governing rule: 'The status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components or functions is determined in Category 5, Part 2 even if they are components or "electronic assemblies" of other equipment'.

Though I am not a lawyer, and I also hate conspiracy theories, I cannot help but deduce that government authorities in the US are fully aware of the encryption technology that is exported. This does not automatically solve their problem of eavesdropping on encrypted data, but it gives them a good head start.

According to an Apple technical guide, breaking the code could take "more than 5 1/2 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers". This statement made me use the passfault password analyzer, a free tool offered by OWASP.

The scenario is simple: a 6-character alphanumeric password that follows simple password complexity rules.
Under the strongest hash option provided by the tool (Unix BCrypt Hash), it takes from 3 days to 1 year and 9 months to break the password, depending on the equipment used. And yes, the 3 days corresponds to government-level equipment.
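As an added worked example (not code from this post, from Apple or from OWASP), here is the arithmetic behind the two sets of figures: the keyspace of a 6-character lowercase-plus-digit passcode, what a "letter and digit required" rule does to it, the exhaustion time at an assumed 80 ms per on-device attempt (the per-try cost Apple's guide describes for its key derivation), and the guess rate implied by the post's 3-day bcrypt figure.

```python
"""Passcode keyspace and brute-force exhaustion-time estimator.

Hypothetical helper written for this post; the 80 ms per-attempt cost is an
assumption taken from Apple's description of on-device key derivation, and
the other rates are back-computed from the figures quoted in the post."""
from itertools import combinations

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
SECONDS_PER_DAY = 24 * 60 * 60

# Character classes a passcode policy may draw from (only their sizes matter).
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def keyspace(length, classes):
    """All strings of `length` over the union of the given classes,
    with no composition requirement."""
    return sum(CLASSES[c] for c in classes) ** length


def keyspace_require_each(length, classes):
    """Strings of `length` containing at least one character from EVERY
    listed class (a 'simple complexity rule'). Counted by inclusion-exclusion:
    subtract strings missing one class, add back those missing two, and so on."""
    total = sum(CLASSES[c] for c in classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            remaining = total - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def years_to_exhaust(space, seconds_per_attempt):
    """Worst-case time to try every candidate sequentially, in years."""
    return space * seconds_per_attempt / SECONDS_PER_YEAR


def implied_attempts_per_second(space, seconds):
    """Guess rate an attacker must sustain to exhaust `space` in `seconds`."""
    return space / seconds


if __name__ == "__main__":
    space = keyspace(6, ["lower", "digit"])
    # On-device: each attempt pays the ~80 ms key derivation (assumed figure).
    print(f"{space:,} candidates; {years_to_exhaust(space, 0.080):.2f} years at 80 ms each")
    # Requiring at least one letter and one digit removes all-letter and all-digit strings.
    print(f"{keyspace_require_each(6, ['lower', 'digit']):,} candidates if both classes are required")
    # Offline against a copied hash, the post's 3-day figure implies this guess rate.
    print(f"{implied_attempts_per_second(space, 3 * SECONDS_PER_DAY):,.0f} bcrypt guesses/s for a 3-day crack")
```

The same keyspace exhausts in 5.5 years only because each on-device attempt costs 80 ms; against a copied hash the per-guess cost is whatever the attacker's hardware makes it, which is why the post's bcrypt figures range from days to years.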

The choice is yours...
