My source, while I wholly acknowledge this is anecdotal and not evidence, is someone in law enforcement tasked with retrieving message logs for investigations. I was pretty skeptical but I've yet found any proof or documentation from Apple's support docs disproving this.
I also recall from the San Bernadino case that the FBI/Apple had the ability to get historic message history from the iCloud backup but the FBI pushed for decrypting the device because of the most recent and not backed up messages.
As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.
Which includes a section about iCloud security, including the following section:
iCloud secures the content by encrypting it when sent
over the Internet, storing it in an encrypted format,
and using secure tokens for authentication.
I am no security expert, but I am pretty sure FBI wouldn't have a huge fight with Apple if they had any way to get to the data directly (and once they figured out they could use a vuln in the old iOS to break into the device, they did indeed drop the fight).
> FBI/Apple had the ability to get historic message history from the iCloud backup
Right, because they reset the shooter's Apple ID password. Not because the backup was in plaintext.
> As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.
How does that follow? You still need to supply your password to decrypt the backup before you can restore it. From the same security whitepaper:
When files are created in Data Protection classes that aren’t accessible
when the device is locked, their per-file keys are encrypted using the
class keys from the iCloud Backup keybag. Files are backed up to iCloud
in their original, encrypted state. Files in Data Protection class
No Protection are encrypted during transport.
The iCloud Backup keybag contains asymmetric (Curve25519) keys for each
Data Protection class, which are used to encrypt the per-file keys. For
more information about the contents of the backup keybag and the iCloud
Backup keybag, see “Keychain Data Protection” in the Encryption and Data
Protection section.
The backup set is stored in the user’s iCloud account and consists of a
copy of the user’s files, and the iCloud Backup keybag. The iCloud Backup
keybag is protected by a random key, which is also stored with the backup
set. (The user’s iCloud password isn’t utilized for encryption so that
changing the iCloud password won’t invalidate existing backups.)
While the user’s Keychain database is backed up to iCloud, it remains
protected by a UID-tangled key. This allows the Keychain to be restored
only to the same device from which it originated, and it means no one
else, including Apple, can read the user’s Keychain items.
On restore, the backed-up files, iCloud Backup keybag, and the key for
the keybag are retrieved from the user’s iCloud account. The iCloud Backup
keybag is decrypted using its key, then the per-file keys in the keybag
are used to decrypt the files in the backup set, which are written as new
files to the file system, thus re-encrypting them as per their
Data Protection class.
I also recall from the San Bernadino case that the FBI/Apple had the ability to get historic message history from the iCloud backup but the FBI pushed for decrypting the device because of the most recent and not backed up messages.
As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.