ASecuritySite Podcast
Aggelos Kiayias is a professor at the University of Edinburgh and the chief science officer at Input Output Global (formerly IOHK). He received his PhD in 2002 from City University of New York. He is chair in cyber security and privacy, and director of the Blockchain Technology Laboratory at the University of Edinburgh. In 2021, Aggelos was elected Fellow of the Royal Society of Edinburgh (FRSE), and was recently awarded the BCS Lovelace Medal 2024 for his transformative contributions to the theory and practice of cyber security and cryptography. H works in areas of blockchain technology...
info_outlineASecuritySite Podcast
Anna is a Professor of Computer Science at Brown University. Her research spans many areas of advanced cryptography including with digital signatures, group signatures, blind signatures, e-cash and anonymous digital credentials. She was originally from Ukraine, and undertook her masters degree at MIT in 1999, and then went onto a PhD in 2002 in the areas of Signature Schemes and Applications to Cryptographic Protocol Design. She joined Brown University in 2002, and was made a full professor in 2013. She is a member of the board of directors at the IACR, along with serving on...
info_outlineASecuritySite Podcast
The fallback for law enforcement agencies has always been the place where files are stored, and all the best encryption within end-to-end communications will not stop unencrypted files at rest from being examined. But when the user encrypts data into the Cloud and where they hold their own keys, that’s when the nightmare begins for them. The rise of cybersecurity on the Internet Let’s pinpoint the start of cybersecurity on the Internet to the 1970s. This saw the rise of the Lucifer cipher and saw banks properly protect their communications. This led to the 56-bit DES encryption method, and...
info_outlineASecuritySite Podcast
YouTube: Yesterday, I gave two short presentations on PQC (Post Quantum Cryptography), and next week, I’m in London to give a more focused talk on the subject. And so, it’s great to see that Samsung is driving forward the adoption of PQC methods in their new S25 smartphone. There are two companies that have a core focus on creating trusted hardware for consumers: Apple and Samsung. Apple has always had a core focus on making sure they use the best cryptography to not only secure their devices but also to make them privacy-aware. Samsung, too, has strived for improved security but, at...
info_outlineASecuritySite Podcast
Aysegul Sensoy has over 20 years of management experience with blockchain, emerging technologies, fintech, business development, marketing and sales. She is currently the chair of the Istanbul Blockchain Women Association and CIS Regional Manager of Fuze Finance. She received her bachelor's degree in economics from Istanbul University and her master's degree in marketing communications management from Galatasaray University, as well as getting an executive MBA. She entered the tech sector after working in national and multinational companies as a marketing director, country manager, and...
info_outlineASecuritySite Podcast
Amit is a professor of computer science at UCLA and is the director of the Center for Encrypted Functionalities. Amit has been cited in his research work over 63,000 times and has an h-index of 91. In 2000, he graduated with a PhD from MIT and then moved to Princeton. In 2004, he then moved to UCLA. Over the years, he has made so many great advancements, including being the co-inventor of many areas of cryptography, including indistinguishability obfuscation schemes, functional encryption, attribute-based encryption, Zero-Knowledge Proofs and Multiparty Computation. In 2018, he was...
info_outlineASecuritySite Podcast
Bart is a Professor in the Electrical Engineering department at KU Leuven in Belgium. He co-invented the Miyaguchi (Meya-Goochy)–Preneel scheme and which converts a block cipher into a hash function. Bart is also one of the co-inventors of the RIPEMD-160 hashing method, and which is used in Bitcoin addresses. He also co-designed the stream ciphers MUGI and Trivium, the MAC Algorithms Chaskey and MDxMAC and the authenticated encryption algorithm AEGIS that is used to encryption of data at rest ion Google cloud. Bart was the President of the International Association for Cryptologic Research...
info_outlineASecuritySite Podcast
Ivan Damgard is a professor in the Department of Computer Science at Aarhus University in Denmark. He is the co-inventor of the Merkle-Damgard construction, and which was used in MD5, SHA-1 and SHA-2. In 2020, he received the Test of Time Award for a paper entitled "A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System", and in 2021 he received an ACM award for the Test of Time for a paper entitled "Multiparty unconditionally secure protocols. In 2010, he was elected as a Fellow of the International Association for Cryptologic...
info_outlineASecuritySite Podcast
Chris is a Professor in the Computer Science and Engineering department at the University of Michigan. He completed his PhD in 2006 at the MIT Computer Science and AI Laboratory under the mentorship of Silvio Micali. He received a Test of Time award at Crypto 2008 for a paper entitled "A Framework for Efficient and Composable Oblivious Transfer" and also a TCC Test of Time award for his paper on “Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices,” in 2006. In 2024, Chris was elected as a Fellow of the International Association for Cryptologic...
info_outlineASecuritySite Podcast
Clifford Cocks is a British mathematician and cryptographer. While working at GCHQ, he invented public key encryption, and which predates the work of the RSA and Diffie-Hellman methods. He studied mathematics as an undergraduate at Kings College, Cambridge, and then joined the Communications-Electronics Security Group (CESG) at GCHQ in 1973. After his discovery of a usable public key encryption method, he went on to create one of the first Identity-Based Encryption methods and which is based on quadratic residues rather than bilinear pairings. In 2008, he was made a Companion of...
info_outlineThe fallback for law enforcement agencies has always been the place where files are stored, and all the best encryption within end-to-end communications will not stop unencrypted files at rest from being examined. But when the user encrypts data into the Cloud and where they hold their own keys, that’s when the nightmare begins for them.
The rise of cybersecurity on the Internet
Let’s pinpoint the start of cybersecurity on the Internet to the 1970s. This saw the rise of the Lucifer cipher and saw banks properly protect their communications. This led to the 56-bit DES encryption method, and which led many to suspect that the size of the key had been crippled due to the demands of law enforcement agencies. But, there was an even greater threat to these agencies evolving: public key encryption.
The rise of public key encryption started in the mid-1970s when Whitfield Diffie and Marty Hellman first defined a method that allowed us to secure our communications using a key exchange method — the Diffie-Hellman key exchange method. And then, almost a year later, Rivest, Shamir and Adleman presented a way to digitally sign a hash of data with the RSA signature method, and where a server could sign a hash of data with its private key and for this to be verified with an associated public key. For almost the first time, we could digitally verify that we were connecting to a valid system. But, the RSA method could not only sign data, it could also encrypt things with a public key, and where the private key could now be used to decrypt the data. It was a nightmare come true for law enforcement agencies.
What was magical about these methods was that you could encrypt data with keys that could be created for every single session — and generated and stored on user devices. User devices could even pick the keys that they wanted and their sizes and security levels. The days of security being crippled were fading fast. While the first versions of SSL were crippled by the demands for limits on this security, eventually, SSL evolved into something that could not be controlled. But, still files could still be viewed on user devices, so it was not a major problem for investigators.
Then, in 2001, the AES method was standardized by NIST, along with the newly defined SHA-256 hashing method, and we basically had all the security methods in place. But all of this did not please law enforcement agencies. For them, the rise of cryptography removed the opportunities that they had had in the past and where they could mass harvest information from phone calls or from the postal service. For the first time in history, citizens were free from spying from both those who protect nations and those who attack citizens. The Wild West years of the early Internet — and where little could be trusted — have subsided, and now we have systems which take encryption from one service on a device to another service on another device — end-to-end encryption.
End-to-end encryption
For some, end-to-end encryption was the final nail in the coffin for those who wish to monitor the tracks of citizens. This is data in motion, and where law enforcement agencies could still peak at data at rest and where the data is actually stored. Once data in motion and data at rest were encrypted, the door was effectively closed for peaking at data.
And, so, companies such as Apple advanced new methods which protected data at rest, and where all of a citizen's data could be encrypted onto the Cloud without Apple having the encryption key to view any part of it. For this, they created the Advanced Data Protection service:

This service protects things like citizens' photos, iCloud Drive, and wallet passes. For almost the first time, we had almost perfect security — and where five decades of advancement were finally coming together. We now have end-to-end encryption in apps such as What’s App and Signal, and Apple provides secure data storage.
But, some governments around the world saw the rise of privacy as a threat to their security agencies, and where the usage of encryption with file storage and over-the-air would mean that they could not monitor their citizens for threats against society. It is — and always will be — a lose-lose store on both sides. And, so, many governments have been calling for a back door in cryptography so that a “good guy” could get access to the citizen data and communication, but not a “bad guy”. Unfortunately, that’s not the way that encryption works, and where backdoors are a bad thing and difficult to hide.
So, the UK government has put pressure on Apple to provide them with a backdoor into their secure systems. For this, Apple would have to either provide them with a magic key to open up encrypted communications and file store, or dump their Advanced Data Protection system, and leave files unencrypted for investigation.
Apple stepping back
It would have been a difficult choice for Apple, but they have decided to drop their Advanced Data Protection system for UK users, and not go with the nightmare of a backdoor in their systems. Imagine if a terrorist had stored their files in iCloud, and law enforcement agencies had requested these files. Well, Apple would have to hold their hands up and say that they didn’t have the encryption files to access them, as the encryption keys were held by the user.

I trust Apple and believe they have some of the best security around. When was the last time you heard of someone getting some malware on an Apple system? They support a proper secure enclave and are advancing a privacy-aware cloud infrastructure for machine learning. They have also brought forward homomorphic encryption applications. Of all the big tech companies, Apple leads the way in terms of supporting the privacy and the security of users.
Conclusions
I feel sorry for Apple, as they have been painted into a corner. From a cybersecurity point-of-view, it is disappointing that Apple has been forced to step back on the Advanced Data Protection tool, as it was a great advancement in overcoming large-scale data breaches. And, like it or not, there is no magic wand that stops a bad actor from using something that a good actor has access to. Basically, if you leave your front door key under the mat, you have no guarantee that someone else will find the key and use it.
We have advanced cybersecurity for the past few decades and now use end-to-end encryption in a way we should have done from the start of the Internet. Of course, there are no winners in this, and society must find ways to protect itself from bad people, but opening up the whole of iCloud seems like a disaster waiting to happen.
The door is open for other more agile companies to support enhanced security and privacy, as the large tech companies seem to be applying the brake on some of their security advancements.