SlideShare a Scribd company logo
1 of 61
Download to read offline
iCloud Keychain 
and 
iOS 7 Data Protection 
Andrey Belenko 
Sr. Security Engineer @ viaForensics 
! 
Alexey Troshichev 
@hackappcom founder
What is iCloud?
What’s inside? 
• Documents 
• Photos 
• Backups (SMS, application data, etc) 
• Keychain
Hacker’s view
Bruteforce protection?
Bruteforce protection?
Bruteforce protection?
Find My iPhone
Brought to you by 
hackapp.com 
! 
github.com/hackappcom/ibrute 
@hackappcom
iCloud Keychain 
Image: Apple Inc.
Motivation 
http://support.apple.com/kb/HT4865
Intercepting SSL 
SSL Proxy 
(Burp, Charles, …) 
Root CA cert 
Proxy settings
Authentication 
GET /authenticate 
AppleID, Password 
DsID, mmeAuthToken, fmipAuthToken 
icloud.com
/getAccountSettings
/getAccountSettings
iCloud keychain
iCloud keychain
Setup Options
The Big Picture 
*.keyvalueservice.icloud.com 
*.escrowproxy.icloud.com 
Keychain items (encrypted) 
Keybag (encrypted) 
Some Secret
Key-Value Store 
• Not new 
• Used extensively by many apps e.g. to keep preferences 
in sync across devices 
• iCloud Keychain utilises two stores: 
• com.apple.security.cloudkeychainproxy3 
• Syncing between devices 
• com.apple.sbd3 (securebackupd3) 
• Copy to restore if no other devices
Escrow Proxy 
• New; Designed to store precious secrets 
• Need to know iCSC to recover escrowed data 
• Need to receive SMS challenge 
• Must successfully complete SRP auth 
• User-Agent: com.apple.lakitu (iOS/OS X) 
Image: mariowiki.com
Key-Value Store 
com.apple.security.cloudkeychainproxy3 
S(usrPwd, D2_pub) 
S(D2_priv, (D1_pub, D2_pub)) 
S(D1_priv, D1_pub) 
S(userPwd, D1_pub) 
S(D1_priv, (D1_pub, D2_pub)) 
S(userPwd, (D1_pub, D2_pub))
Key-Value Store 
com.apple.sbd3 
Key Description 
com.apple.securebackup.enabled Is Keychain data saved in KVS? 
com.apple.securebackup.record Keychain records, encrypted 
SecureBackupMetadata iCSC complexity, timestamp, country 
BackupKeybag Keybag protecting Keychain records 
BackupUsesEscrow Is keybag password escrowed? 
BackupVersion Version, currently @“1” 
BackupUUID UUID of the backup
4-digit iCSC [Default]
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
AES-Wrap Keys 
RFC 3394
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
AES-Wrap Keys 
RFC 3394 
*.keyvalueservice.icloud.com
4-digit iCSC [Default] 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
AES-Wrap Keys 
RFC 3394 
*.keyvalueservice.icloud.com
4-digit iCSC [Default] 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CBC 
256 bit 
*.escrowproxy.icloud.com 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
AES-Wrap Keys 
RFC 3394 
*.keyvalueservice.icloud.com
Secure Remote Password 
• Zero-knowledge password proof scheme 
• Combats sniffing/MITM 
• One password guess per connection attempt 
• Password verifier is not sufficient for impersonation 
• Escrow Proxy uses SRP-6a
Key Negotiation 
a ← random, A ← g^a 
b ← random, B ← kv + g^b 
u ← H(A, B) u ← H(A, B) 
x ← H(SALT, Password) 
S ← (B - kg^x) ^ (a + ux) 
K ← H(S) 
S ← (Av^u) ^ b 
K ← H(S) 
Key Verification 
M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) 
(Aborts if M is invalid) 
ID, A 
SALT, B 
M 
H(A, M, K) 
Password verifier: 
! 
SALT ← random 
x ← H(SALT,Password) 
v ← g^x 
Agreed-upon parameters: 
! 
H – one-way hash function 
N, g – group parameters 
k ← H(N, g)
Key Negotiation 
a ← random, A ← g^a 
b ← random, B ← kv + g^b 
u ← H(A, B) u ← H(A, B) 
x ← H(SALT, Password) 
S ← (B - kg^x) ^ (a + ux) 
K ← H(S) 
S ← (Av^u) ^ b 
K ← H(S) 
Key Verification 
M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) 
(Aborts if M is invalid) 
ID, A, SMS CODE 
SALT, B 
M, SMS CODE 
H(A, M, K) 
Password verifier: 
! 
SALT ← random 
x ← H(SALT,Password) 
v ← g^x 
Agreed-upon parameters: 
! 
H – SHA-256 
N, g – RFC 5054 w. 2048-bit group 
k ← H(N, g)
Escrowed Data Recovery 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_challenge 
OK 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_challenge 
OK 
/srp_init [DsID, A, SMS CODE] 
[UUID, DsID, SALT, B] 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_challenge 
OK 
/srp_init [DsID, A, SMS CODE] 
[UUID, DsID, SALT, B] 
/recover [UUID, DsID, M, SMS CODE] 
[IV, AES-CBC(KSRP, Escrowed Record)] 
*Display purposes only
Escrow Proxy Endpoints 
Endpoint Description 
get_club_cert [?] Obtain certificate 
enroll Submit escrow record 
get_records List escrowed records 
get_sms_targets List SMS numbers for escrowed records 
generate_sms_challenge Generate and send challenge code 
srp_init First step of SRP protocol 
recover Second step of SRP protocol 
alter_sms_target Change SMS number
Escrow Record 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CBC 
256 bit 
*.escrowproxy.icloud.com 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
*.keyvalueservice.icloud.com
Escrow Record 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CBC 
256 bit 
*.escrowproxy.icloud.com 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword)
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword)
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
• iCSC is 4 digits by default
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
• iCSC is 4 digits by default
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
• iCSC is 4 digits by default 
Can you spot the problem yet?
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
• Offline iCSC guessing is possible 
• Almost instant recovery [for default settings] 
• iCSC decrypts keybag password 
• Keybag password unlocks keybag keys 
• Keybag keys decrypt Keychain items
Apple, or other adversary with 
access to stored data, can near-instantly 
decrypt “master” 
password and read synced iCloud 
Keychain records 
! 
(for default settings)
Setup Options
Complex iCSC 
correct horse battery staple PBKDF2 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
iCloud Security Code 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CBC 
256 bit 
Backup Keybag 
Key 1 
Key 2 
Key 3 
*.escrowproxy.icloud.com 
AES-Wrap Keys 
RFC 3394 
AES-GCM 
256 bit 
*.keyvalueservice.icloud.com
Complex iCSC 
• Mechanics are the same as with simple iCSC 
• Offline password recovery attack is still possible, 
although pointless if password is complex enough
Setup Options
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
*.keyvalueservice.icloud.com 
iCloud Security Code 
correct horse battery staple PBKDF2 
SHA-256 x 10’000 
AES-CBC 
256 bit 
*.escrowproxy.icloud.com 
Random iCSC
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
*.keyvalueservice.icloud.com 
iCloud Security Code 
correct horse battery staple PBKDF2 
SHA-256 x 10’000 
AES-CBC 
256 bit 
*.escrowproxy.icloud.com 
Random iCSC
Random iCSC 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
Backup Keybag 
Key 1 
Key 2 
Key 3 
AES-GCM 
256 bit 
*.keyvalueservice.icloud.com
Random iCSC 
• Escrow Proxy is not used 
• Random iCSC (or derived key) stored on the device 
[haven’t verified]
Setup Options 
iCloud 
Keychain 
Keychain 
Sync 
Keychain 
Backup 
Master 
Password 
Escrow 
No iCloud Security Code 
Random iCloud Security Code 
Complex iCloud Security Code 
Simple iCloud Security Code
Conclusions 
Image: Apple Inc.
Conclusions 
• Trust your vendor but verify his claims 
• Never ever use simple iCloud Security Code 
• Do not think that SMS Apple sends you is a 2FA 
• Yet, iCK is reasonably well engineered although not 
without shortcomings
Thank You! 
Questions are welcome :-) 
! 
! 
@abelenko @hackappcom

More Related Content

What's hot

Office 365 incident Response: BSides Vancouver 2018
Office 365 incident Response: BSides Vancouver 2018Office 365 incident Response: BSides Vancouver 2018
Office 365 incident Response: BSides Vancouver 2018Alex Parsons
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020OpenID Foundation Japan
 
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...日本マイクロソフト株式会社
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Jun Kurihara
 
【JEUG】 オープンSIEMの世界へ
【JEUG】 オープンSIEMの世界へ【JEUG】 オープンSIEMの世界へ
【JEUG】 オープンSIEMの世界へHibino Hisashi
 
MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要Naohiro Fujie
 
体系的に学ばないXSSの話
体系的に学ばないXSSの話体系的に学ばないXSSの話
体系的に学ばないXSSの話Yutaka Maehira
 
AzureActiveDirectoryの認証の話(Azure周りの自動化編)
AzureActiveDirectoryの認証の話(Azure周りの自動化編)AzureActiveDirectoryの認証の話(Azure周りの自動化編)
AzureActiveDirectoryの認証の話(Azure周りの自動化編)Masahiko Ebisuda
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]Alex Pruden
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
並列データベースシステムの概念と原理
並列データベースシステムの概念と原理並列データベースシステムの概念と原理
並列データベースシステムの概念と原理Makoto Yui
 
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」Hibino Hisashi
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Distribution of public keys and hmac
Distribution of public keys and hmacDistribution of public keys and hmac
Distribution of public keys and hmacanuragjagetiya
 
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功CODE BLUE
 

What's hot (20)

Office 365 incident Response: BSides Vancouver 2018
Office 365 incident Response: BSides Vancouver 2018Office 365 incident Response: BSides Vancouver 2018
Office 365 incident Response: BSides Vancouver 2018
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020
B2C企業向けクラウドID基盤「 SELMID 」のご紹介 - OpenID Summit 2020
 
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...
S13_レガシー ID 管理者でも分かる Verifiable Credentials のセッション [Microsoft Japan Digital D...
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
 
【JEUG】 オープンSIEMの世界へ
【JEUG】 オープンSIEMの世界へ【JEUG】 オープンSIEMの世界へ
【JEUG】 オープンSIEMの世界へ
 
MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要
 
体系的に学ばないXSSの話
体系的に学ばないXSSの話体系的に学ばないXSSの話
体系的に学ばないXSSの話
 
AzureActiveDirectoryの認証の話(Azure周りの自動化編)
AzureActiveDirectoryの認証の話(Azure周りの自動化編)AzureActiveDirectoryの認証の話(Azure周りの自動化編)
AzureActiveDirectoryの認証の話(Azure周りの自動化編)
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
 
Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
 
Ntlm Unsafe
Ntlm UnsafeNtlm Unsafe
Ntlm Unsafe
 
並列データベースシステムの概念と原理
並列データベースシステムの概念と原理並列データベースシステムの概念と原理
並列データベースシステムの概念と原理
 
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」
Elastic Cloudを活用!!ゼロトラストセキュリティの「はじめの一歩」
 
Jhon the ripper
Jhon the ripper Jhon the ripper
Jhon the ripper
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
 
Distribution of public keys and hmac
Distribution of public keys and hmacDistribution of public keys and hmac
Distribution of public keys and hmac
 
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功
[CB19] Autopsyで迅速なマルウェアのスキャンとディスク内の簡単調査 by ターナー・功
 

Viewers also liked

Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar reportRicha Dewani
 
iCloud - Apple Technology
iCloud - Apple TechnologyiCloud - Apple Technology
iCloud - Apple TechnologyAsmita Kalena
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything elseVlad Garbuz
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messagesArtem I. Baranov
 
SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender Michael Greth
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5Satish b
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionNowSecure
 
Icloud keynote2
Icloud keynote2Icloud keynote2
Icloud keynote2avsorrent
 
Bio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular BiologyBio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular BiologyBob Eisenberg
 
soft-computing
 soft-computing soft-computing
soft-computingstudent
 

Viewers also liked (17)

Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar report
 
iCloud - Apple Technology
iCloud - Apple TechnologyiCloud - Apple Technology
iCloud - Apple Technology
 
iCloud by Apple
iCloud by AppleiCloud by Apple
iCloud by Apple
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messages
 
SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender
 
Icloud
IcloudIcloud
Icloud
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
 
iCloud
iCloudiCloud
iCloud
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
Icloud keynote2
Icloud keynote2Icloud keynote2
Icloud keynote2
 
Bio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular BiologyBio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular Biology
 
icloud
icloudicloud
icloud
 
Apple iCloud
Apple iCloudApple iCloud
Apple iCloud
 
soft-computing
 soft-computing soft-computing
soft-computing
 
SkyDrive
SkyDriveSkyDrive
SkyDrive
 
Bluejacking
BluejackingBluejacking
Bluejacking
 

Similar to iCloud keychain

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13viaForensics
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2defconmoscow
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protectiondefconmoscow
 
Protect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada KeystoreProtect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada KeystoreStephane Carrez
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API LandminesErnie Turner
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2ESUG
 
Encryption Boot Camp at Øredev
Encryption Boot Camp at ØredevEncryption Boot Camp at Øredev
Encryption Boot Camp at ØredevMatthew McCullough
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Martin Kobetic
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOSGraham Lee
 
12 symmetric key cryptography
12   symmetric key cryptography12   symmetric key cryptography
12 symmetric key cryptographydrewz lin
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developersMichel Schudel
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyRiscure
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Futuretcloudcomputing-tw
 
Overview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemesOverview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemesIgnat Korchagin
 
Cryptography for Smalltalkers
Cryptography for SmalltalkersCryptography for Smalltalkers
Cryptography for SmalltalkersESUG
 

Similar to iCloud keychain (20)

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Protect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada KeystoreProtect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada Keystore
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API Landmines
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2
 
Encryption Boot Camp at Øredev
Encryption Boot Camp at ØredevEncryption Boot Camp at Øredev
Encryption Boot Camp at Øredev
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
 
12 symmetric key cryptography
12   symmetric key cryptography12   symmetric key cryptography
12 symmetric key cryptography
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
 
Overview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemesOverview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemes
 
Cryptography for Smalltalkers
Cryptography for SmalltalkersCryptography for Smalltalkers
Cryptography for Smalltalkers
 

Recently uploaded

SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxJustineGarcia32
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?krc0yvm5
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...hasimatwork
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondContinuent
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfMaria Adalfio
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of VirtualizationRajan yadav
 
Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Eric Johnson
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technologysoufianbouktaib1
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxlibertyuae uae
 

Recently uploaded (10)

SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptx
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdf
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualization
 
Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technology
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptx
 

iCloud keychain

  • 1. iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics ! Alexey Troshichev @hackappcom founder
  • 3. What’s inside? • Documents • Photos • Backups (SMS, application data, etc) • Keychain
  • 9. Brought to you by hackapp.com ! github.com/hackappcom/ibrute @hackappcom
  • 12. Intercepting SSL SSL Proxy (Burp, Charles, …) Root CA cert Proxy settings
  • 13. Authentication GET /authenticate AppleID, Password DsID, mmeAuthToken, fmipAuthToken icloud.com
  • 19. The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain items (encrypted) Keybag (encrypted) Some Secret
  • 20. Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Copy to restore if no other devices
  • 21. Escrow Proxy • New; Designed to store precious secrets • Need to know iCSC to recover escrowed data • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
  • 22. Key-Value Store com.apple.security.cloudkeychainproxy3 S(usrPwd, D2_pub) S(D2_priv, (D1_pub, D2_pub)) S(D1_priv, D1_pub) S(userPwd, D1_pub) S(D1_priv, (D1_pub, D2_pub)) S(userPwd, (D1_pub, D2_pub))
  • 23. Key-Value Store com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
  • 25. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
  • 26. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit
  • 27. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394
  • 28. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 29. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 30. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 31. Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
  • 32. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
  • 33. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
  • 34. Escrowed Data Recovery *Display purposes only
  • 35. Escrowed Data Recovery /get_records List of escrowed records *Display purposes only
  • 36. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* *Display purposes only
  • 37. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK *Display purposes only
  • 38. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] *Display purposes only
  • 39. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Display purposes only
  • 40. Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
  • 41. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 42. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 43. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 44. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple
  • 45. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  • 46. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  • 47. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default Can you spot the problem yet?
  • 48. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
  • 49. Apple, or other adversary with access to stored data, can near-instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
  • 51. Complex iCSC correct horse battery staple PBKDF2 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb iCloud Security Code Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 52. Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
  • 54. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  • 55. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  • 56. Random iCSC Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 57. Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
  • 58. Setup Options iCloud Keychain Keychain Sync Keychain Backup Master Password Escrow No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code
  • 60. Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
  • 61. Thank You! Questions are welcome :-) ! ! @abelenko @hackappcom