Apple announced plans to introduce a security-enhancing feature on the iMessage called ‘Contact Key Verification.’
This new feature promises to make the app more resistant to man-in-the-middle attacks and raise user trust that they exchange communications only with intended recipients.
iMessage is Apple’s default messaging service on iOS and macOS, providing users with end-to-end encrypted communications and supporting SMS/MMS, text, media (video, images, documents) attachments, contact information, and group chats.
Bolstering iMessage security
In a new post on Apple’s security research blog, the consumer electronics giant explains that despite the security-bolstering features it has added to the app since it launched in 2011, most notably, BlastDoor, Lockdown Mode, and stronger cryptographic methods using the Secure Enclave, concerns around the security of the key directory persist.
The key directory, which in Apple’s case is the “Identity Directory Service” (IDS), is a centralized service that manages and supplies cryptographic keys for users who engage in encrypted communications. IDS generates a public and private key upon user registration and then manages the former while storing the latter on the user’s device.
Apple’s concern is that the key directory service could be breached by adversaries who would then be able to replace legitimate public keys with their own, opening the way to man-in-the-middle attacks where they can intercept and decrypt the messages of others.
Apple’s engineers plan to address this security problem through Contact Key Verification, which will employ a new mechanism named ‘Key Transparency’ (KT). This mechanism is inspired by Certificate Transparency that offers cryptographic proof and can be audited for consistency, ensuring that the public keys distributed to users are genuine and have not been compromised.
This key verification check will be automatic, requiring no intervention or action by the user. The iMessage protocol will now include an additional account-level signing key generated locally on the device, which will be used to verify the authenticity of the encryption keys they use in their conversations.
In addition to the above, users can cross-check short verification codes to confirm the identity of their conversation partners. These verification codes remain consistent for each user account, so they’re tied to persons rather than devices.
Apple says Contact Key Verification is already tested in the developer previews of iOS 17.2, macOS 14.2, and watchOS 10.2, meaning that the new security feature should be made widely available in the upcoming releases of Apple’s operating systems.