It was always known that the 5c, which is the device the FBI accessed, was less secure because it does not contain a Secure Enclave like later iPhones.
Is there anything state actors can't break into? There will always be vulnerabilities to fix. Apple's and other companies' hope is not to fall too many steps behind the state actors.
Snowden had the element of surprise. They weren't actively trying to monitor his comms because they didn't know he was a risk until after the leaks. If the state wants to decrypt your messages badly enough, they have resources that they can devote to that (as well as multiple side channels that are probably easier than forcibly decrypting, including the infamous "beat with a wrench" trick). It's not trivial to defeat strong encryption, but it is doable given sufficient interest.
Is there any evidence that any actor in the world is (in general) capable of figuring out the contents of e.g. an AES-encrypted message with the key unknown, assuming good opsec and a good implementation? I agree with your statement that state-level actors have strong capabilities, but this seems like a blanket statement which is likely untrue.
I know it's not worth anything, but I used to work with an ex-NSA cryptographer (whom I personally knew in meatspace and yes, actually had worked at the NSA) who claimed that they could create purpose-built machines to factor out keys and read the contents of encrypted messages. The target would have to be high-value as this was a costly exercise. He may have been yanking our chain, but for what it's worth, that's what he would claim. He didn't specify which individual ciphers this applied to.
However, there are so many ways to circumvent encryption that it seems that there aren't a lot of cases where a hard decryption of a previously-coded message would really be required (the target can often be compelled or tricked into giving up his keys, a plaintext version may be intercepted at some point, etc.).
Almost certainly not. Most likely no one in the world has that capability, at least as far as I can tell. It would be extremely surprising if any government somehow broke AES without researchers around the world figuring it out within the same general time-frame given some new advancement.
No, and I doubt that this capability would be revealed for something at the level of San Bernardino, or anything short of "ISIS is going to do a WMD attack against Manhattan".
> It's not trivial to defeat strong encryption, but it is doable given sufficient interest.
That is as wrong as saying that, given enough effort, you can make 1 + 1 = 3. Cryptography deals with unimaginably large numbers, to the point that for some algorithms and key lengths an exhaustive brute-force attack would require more energy than exists in the universe.
You don't do brute force. And any information you already know about the message can theoretically help you decipher it. In fact, there is no such thing as unbreakable encryption, even if you disallow brute force methods.
One-time pad using a TRNG - impossible to break, even in the case of chosen-plaintext attacks. Now you could argue that having a key as long as the plaintext is impractical, but if that is your concern then let me direct your attention back to my original point. There is a big difference between what is mathematically possible and what is possible within the constraints of thermodynamics.
That isn't an attack on the encryption, which is a very important distinction to make. But I'm curious what exactly you have in mind - we are repeatedly performing the same xor instruction, so power analysis won't work, and there is no branching, so timing wouldn't work either.
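The one-time pad claim discussed above, as an added example that is not part of the thread or any commenter's code: for a given ciphertext, every plaintext of the same length has exactly one pad that produces it, so the ciphertext alone cannot favour one candidate over another. `secrets.token_bytes` (the OS CSPRNG) stands in for a true random source here, and the message strings are constructed.

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a pad of equal length; the same call encrypts and decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    # One XOR per byte, no data-dependent branches.
    return bytes(d ^ k for d, k in zip(data, key))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the unique pad under which `ciphertext` decrypts to `candidate`."""
    return otp_xor(ciphertext, candidate)


def demo():
    message = b"MEET AT DAWN"                # constructed sample plaintext
    key = secrets.token_bytes(len(message))  # assumption: CSPRNG in place of a TRNG
    ciphertext = otp_xor(message, key)

    # An attacker holding only the ciphertext can "decrypt" it to any guess of
    # the right length, because a pad consistent with that guess always exists.
    results = {}
    for candidate in (b"MEET AT DAWN", b"MEET AT DUSK", b"STAY AT HOME"):
        pad = key_explaining(ciphertext, candidate)
        results[candidate] = otp_xor(ciphertext, pad)
    return message, key, ciphertext, results


if __name__ == "__main__":
    message, key, ciphertext, results = demo()
    print("ciphertext:", ciphertext.hex())
    for candidate, recovered in results.items():
        print(candidate, "->", recovered)
```

Because each candidate is matched by a pad that is as likely as any other, the guarantee depends on the pad being uniformly random, kept secret, and used for one message only.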