Security of Mac Keychain, Filevault
Matt Johnston
matt at ucc.asn.au
Tue Nov 3 10:08:40 EST 2009
On Mon, Nov 02, 2009 at 03:25:53PM -0500, Jerry Leichter wrote:
>
> I've actually tried to look at Keychain, but most of the guts are built
> on the Apple crypto provider framework, which is quite a large
> collection of code to digest with no previous knowledge. So I didn't
> get anywhere interesting in the time I was in a position to invest.
>
> I've been referring specifically to Keychain, about which there appears
> to be nothing at all published. But the situation is only slightly
> better - a single 2+ year old paper - for encrypted disk images in
> general and Filevault in particular. And it's also the same for iPhones
> and iPod Touches, which are regularly used to hold passwords (for mail,
> at the least).

I took a look at the Mac OS X keychain format a few years
back, http://matt.ucc.asn.au/src/extractkeychain-0.1/ is
what I came up with. The scheme looked roughly OK to me
though I'm not really qualified to give a good analysis of
its cryptographic security.

In summary it's using PBKDF2 (sha1, 1000 iterations, 20 byte
salt) on the password to create a master key, that in turn
encrypts a file key, which in turn encrypts item keys. It's
using 3DES-EDE3 in CBC mode, different IVs for each part,
though also some wrapping scheme that I don't know the
purpose of. Integrity checking is performed using
something a bit like a HMAC (but different), possibly for
backwards-compatibility reasons (my code ignores that).

Matt
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
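
The password-to-master-key step described in the post above, written out as an added example (not part of the original post and not taken from extractkeychain). It spells out PBKDF2 with HMAC-SHA1 using the stated parameters so the per-derivation work factor is visible. Assumptions: the 24-byte output length (the key size of three-key 3DES), UTF-8 password encoding, all function and constant names, and the sample salt.

```python
import hashlib
import hmac

# Parameters as stated in the post: SHA-1, 1000 iterations, 20-byte salt.
ITERATIONS = 1000
SALT_LEN = 20
# Assumption: 24 bytes, the key size of three-key 3DES (EDE3).
MASTER_KEY_LEN = 24


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out step by step."""
    hlen = hashlib.sha1().digest_size  # 20 bytes per output block
    blocks = -(-dklen // hlen)         # ceil(dklen / hlen)
    keyed = hmac.new(password, digestmod=hashlib.sha1)  # key setup done once
    out = b""
    for index in range(1, blocks + 1):
        # U_1 = PRF(password, salt || 32-bit big-endian block index)
        mac = keyed.copy()
        mac.update(salt + index.to_bytes(4, "big"))
        u = mac.digest()
        t = int.from_bytes(u, "big")
        # U_j = PRF(password, U_{j-1}); block = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            mac = keyed.copy()
            mac.update(u)
            u = mac.digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Master key from the password; UTF-8 encoding is an assumption."""
    if len(salt) != SALT_LEN:
        raise ValueError("expected a %d-byte salt" % SALT_LEN)
    return pbkdf2_sha1(password.encode("utf-8"), salt, ITERATIONS, MASTER_KEY_LEN)


def hmac_calls_per_derivation() -> int:
    """HMAC-SHA1 invocations spent on one master-key derivation."""
    blocks = -(-MASTER_KEY_LEN // hashlib.sha1().digest_size)
    return blocks * ITERATIONS


if __name__ == "__main__":
    salt = bytes(range(SALT_LEN))  # constructed sample salt, not from a real keychain
    key = derive_master_key("correct horse", salt)
    # Cross-check the hand-written loop against the standard library.
    assert key == hashlib.pbkdf2_hmac("sha1", b"correct horse", salt, ITERATIONS, MASTER_KEY_LEN)
    print(key.hex(), hmac_calls_per_derivation())
```

Because SHA-1 yields 20 bytes per PBKDF2 block, a 24-byte key needs two blocks, so one derivation under these assumptions costs 2000 HMAC-SHA1 calls rather than 1000.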