Security of Mac Keychain, Filevault

Matt Johnston matt at
Tue Nov 3 10:08:40 EST 2009

On Mon, Nov 02, 2009 at 03:25:53PM -0500, Jerry Leichter wrote:
> I've actually tried to look at Keychain, but most of the guts are built 
> on the Apple crypto provider framework, which is quite a large  
> collection of code to digest with no previous knowledge.  So I didn't  
> get anywhere interesting in the time I was in a position to invest.
> I've been referring specifically to Keychain, about which there appears 
> to be nothing at all published.  But the situation is only slightly 
> better - a single 2+ year old paper - for encrypted disk images in 
> general an Filevault in particular.  And it's also the same for iPhone's 
> and iPod Touches, which are regularly used to hold passwords (for mail, 
> at the least).

I took a look at the Mac OS X keychain format a few years
back, is
what I came up with. The scheme looked roughly OK to me
though I'm not really qualified to give a good analysis of
its cryptographic security.

In summary it's using PBKDF2 (sha1, 1000 iterations, 20 byte
salt) on the password to create a master key, that in turn
encrypts a file key, which in turn encrypts item keys. It's
using 3DES-EDE3 in CBC mode, different IVs for each part,
though also some wrapping scheme that I don't know the
purpose of. Integrity checking is performed using
something a bit like a HMAC (but different), possibly for
backwards-compatibility reasons (my code ignores that).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list