[Cryptography] Apple iOS and Keychain Sharing Security

Jerry Leichter leichter at lrw.com
Fri Aug 12 11:44:49 EDT 2016


Ivan Krstić gave a talk at Blackhat about how iOS security works:
 
https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf

Of interest is that it answers a question discussed on this list a while back about keychain synchronization:  Apple has always stated that it does not have access to passwords in keychains shared through iCloud, which seemed to be contradicted by its ability to send those secrets to a new iPhone (say) even if no existing user devices with those secrets were connected.

The answer is really quite clever, if obvious once it's described:  Apple datacenters have HSMs built on the same principles as the "secure enclaves" in current iPhones.  The user's secrets are encrypted with a key known only to the HSM.  The HSM in turn encrypts that user-specific key with a key generated by "tangling" the user's login password with an HSM-specific random secret which the HSM will never divulge.  Assuming Apple doesn't store the user's password, it cannot retrieve the embedded key.  (Actually, the HSM never returns the embedded key - it just allows you to encrypt or decrypt with it.)  The HSM itself has anti-brute-forcing protection built into it, so seizing it doesn't let you guess the password.

Yes, a government could force Apple to divulge the user's password the next time he enters it.

There are many interesting details about practical security engineering (like how to keep the security properties while allowing redundant storage of the information) in that slide show.  Worth a look.
                                                        -- Jerry
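A stdlib-only Python model of the escrow design summarized in the post (an added example, not Apple's code or anything taken from the slides): the `EscrowHSM` class, its `MAX_ATTEMPTS` budget, the `_tangle` derivation and the toy encrypt-then-MAC wrapping are all constructions standing in for the real HSM's cipher and counters. It shows the three properties the post describes: the stored blob is useless without the HSM secret, the right password recovers the key on a fresh device, and guessing is cut off by the HSM rather than by Apple's storage layer.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class EscrowHSM:
    """Toy datacenter HSM: keeps a secret it never exports and only wraps/unwraps keys."""
    MAX_ATTEMPTS = 10              # anti-brute-force budget per escrow record

    def __init__(self) -> None:
        self._secret = os.urandom(32)            # never leaves the HSM
        self._attempts: Dict[bytes, int] = {}    # record_id -> failed guesses

    def _tangle(self, password: str) -> bytes:
        # Wrap key depends on BOTH the password and the HSM secret, so a copy
        # of the stored blobs alone cannot be brute-forced offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._secret, 10_000)

    def _pad(self, k: bytes, nonce: bytes, n: int) -> bytes:
        return hashlib.sha256(k + nonce).digest()[:n]   # toy keystream, <= 32 bytes

    def wrap(self, record_id: bytes, password: str, user_key: bytes) -> bytes:
        k, nonce = self._tangle(password), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(user_key, self._pad(k, nonce, len(user_key))))
        tag = hmac.new(k, record_id + nonce + ct, "sha256").digest()
        return nonce + ct + tag                  # this blob is all the server stores

    def unwrap(self, record_id: bytes, password: str, blob: bytes) -> Optional[bytes]:
        if self._attempts.get(record_id, 0) >= self.MAX_ATTEMPTS:
            return None                          # record burned; no more guesses
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        k = self._tangle(password)
        expect = hmac.new(k, record_id + nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            self._attempts[record_id] = self._attempts.get(record_id, 0) + 1
            return None                          # wrong password: count the guess
        return bytes(a ^ b for a, b in zip(ct, self._pad(k, nonce, len(ct))))


def demo(password: str = "correct horse", wrong: str = "password1"):
    hsm = EscrowHSM()
    user_key = os.urandom(32)                    # key protecting the synced keychain
    blob = hsm.wrap(b"user-42", password, user_key)
    ok = hsm.unwrap(b"user-42", password, blob) == user_key     # new device, right password
    bad = hsm.unwrap(b"user-42", wrong, blob)                   # one wrong guess -> None
    for _ in range(EscrowHSM.MAX_ATTEMPTS):                     # keep guessing until burned
        hsm.unwrap(b"user-42", wrong, blob)
    locked = hsm.unwrap(b"user-42", password, blob)             # right password, but too late
    return ok, bad, locked
```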


