Your SlideShare is downloading. ×
0
iCloud Keychain 
and 
iOS 7 Data Protection 
Andrey Belenko 
Sr. Security Engineer @ viaForensics 
! 
Alexey Troshichev 
@...
What is iCloud?
What’s inside? 
• Documents 
• Photos 
• Backups (SMS, application data, etc) 
• Keychain
Hacker’s view
Bruteforce protection?
Bruteforce protection?
Bruteforce protection?
Find My iPhone
Brought to you by 
hackapp.com 
! 
github.com/hackappcom/ibrute 
@hackappcom
iCloud Keychain 
Image: Apple Inc.
Motivation 
http://support.apple.com/kb/HT4865
Intercepting SSL 
SSL Proxy 
(Burp, Charles, …) 
Root CA cert 
Proxy settings
Authentication 
GET /authenticate 
AppleID, Password 
DsID, mmeAuthToken, fmipAuthToken 
icloud.com
/getAccountSettings
/getAccountSettings
Setup Options
The Big Picture 
*.keyvalueservice.icloud.com 
*.escrowproxy.icloud.com 
Keychain items (encrypted) 
Keybag (encrypted) 
S...
Key-Value Store 
• Not new 
• Used extensively by many apps e.g. to keep preferences 
in sync across devices 
• iCloud Key...
Escrow Proxy 
• New; Designed to store precious secrets 
• Need to know iCSC to recover escrowed data 
• Need to receive S...
Key-Value Store 
com.apple.security.cloudkeychainproxy3 
S(usrPwd, D2_pub) 
S(D2_priv, (D1_pub, D2_pub)) 
S(D1_priv, D1_pu...
Key-Value Store 
com.apple.sbd3 
Key Description 
com.apple.securebackup.enabled Is Keychain data saved in KVS? 
com.apple...
4-digit iCSC [Default]
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
B...
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
B...
4-digit iCSC [Default] 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
B...
4-digit iCSC [Default] 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’00...
4-digit iCSC [Default] 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’00...
Secure Remote Password 
• Zero-knowledge password proof scheme 
• Combats sniffing/MITM 
• One password guess per connecti...
Key Negotiation 
a ← random, A ← g^a 
b ← random, B ← kv + g^b 
u ← H(A, B) u ← H(A, B) 
x ← H(SALT, Password) 
S ← (B - k...
Key Negotiation 
a ← random, A ← g^a 
b ← random, B ← kv + g^b 
u ← H(A, B) u ← H(A, B) 
x ← H(SALT, Password) 
S ← (B - k...
Escrowed Data Recovery 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
*Display purposes only
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
*Display purpose...
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_ch...
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_ch...
Escrowed Data Recovery 
/get_records 
List of escrowed records 
/get_sms_targets 
List of phone numbers* 
/generate_sms_ch...
Escrow Proxy Endpoints 
Endpoint Description 
get_club_cert [?] Obtain certificate 
enroll Submit escrow record 
get_recor...
Escrow Record 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CB...
Escrow Record 
iCloud Security Code 
1234 PBKDF2 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
SHA-256 x 10’000 
AES-CB...
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword)
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
...
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
...
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
EscrowRecord ← AES-CBC(Key, RandomPassword) 
• This is stored by Apple 
...
Escrow Record 
Key ← PBKDF2-SHA256(iCSC, 10’000) 
• Offline iCSC guessing is possible 
• Almost instant recovery [for defa...
Apple, or other adversary with 
access to stored data, can near-instantly 
decrypt “master” 
password and read synced iClo...
Setup Options
Complex iCSC 
correct horse battery staple PBKDF2 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
iCloud Security Code 
...
Complex iCSC 
• Mechanics are the same as with simple iCSC 
• Offline password recovery attack is still possible, 
althoug...
Setup Options
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
...
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Keys 
RFC 3394 
...
Random iCSC 
Random Password 
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 
Keychain Passwords 
yMa9ohCJ 
tzzcVhE7 
sDVoCnb 
AES-Wrap Key...
Random iCSC 
• Escrow Proxy is not used 
• Random iCSC (or derived key) stored on the device 
[haven’t verified]
Setup Options 
iCloud 
Keychain 
Keychain 
Sync 
Keychain 
Backup 
Master 
Password 
Escrow 
No iCloud Security Code 
Rand...
Conclusions 
Image: Apple Inc.
Conclusions 
• Trust your vendor but verify his claims 
• Never ever use simple iCloud Security Code 
• Do not think that ...
Thank You! 
Questions are welcome :-) 
! 
! 
@abelenko @hackappcom
iCloud keychain
iCloud keychain
Upcoming SlideShare
Loading in...5
×

iCloud keychain

135,800

Published on

IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ

http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html

Published in: Internet
0 Comments
80 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
135,800
On Slideshare
0
From Embeds
0
Number of Embeds
106
Actions
Shares
0
Downloads
733
Comments
0
Likes
80
Embeds 0
No embeds

No notes for slide

Transcript of "iCloud keychain"

  1. 1. iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics ! Alexey Troshichev @hackappcom founder
  2. 2. What is iCloud?
  3. 3. What’s inside? • Documents • Photos • Backups (SMS, application data, etc) • Keychain
  4. 4. Hacker’s view
  5. 5. Bruteforce protection?
  6. 6. Bruteforce protection?
  7. 7. Bruteforce protection?
  8. 8. Find My iPhone
  9. 9. Brought to you by hackapp.com ! github.com/hackappcom/ibrute @hackappcom
  10. 10. iCloud Keychain Image: Apple Inc.
  11. 11. Motivation http://support.apple.com/kb/HT4865
  12. 12. Intercepting SSL SSL Proxy (Burp, Charles, …) Root CA cert Proxy settings
  13. 13. Authentication GET /authenticate AppleID, Password DsID, mmeAuthToken, fmipAuthToken icloud.com
  14. 14. /getAccountSettings
  15. 15. /getAccountSettings
  16. 16. Setup Options
  17. 17. The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain items (encrypted) Keybag (encrypted) Some Secret
  18. 18. Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Copy to restore if no other devices
  19. 19. Escrow Proxy • New; Designed to store precious secrets • Need to know iCSC to recover escrowed data • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
  20. 20. Key-Value Store com.apple.security.cloudkeychainproxy3 S(usrPwd, D2_pub) S(D2_priv, (D1_pub, D2_pub)) S(D1_priv, D1_pub) S(userPwd, D1_pub) S(D1_priv, (D1_pub, D2_pub)) S(userPwd, (D1_pub, D2_pub))
  21. 21. Key-Value Store com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
  22. 22. 4-digit iCSC [Default]
  23. 23. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
  24. 24. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit
  25. 25. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394
  26. 26. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  27. 27. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  28. 28. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  29. 29. Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
  30. 30. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
  31. 31. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
  32. 32. Escrowed Data Recovery *Display purposes only
  33. 33. Escrowed Data Recovery /get_records List of escrowed records *Display purposes only
  34. 34. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* *Display purposes only
  35. 35. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK *Display purposes only
  36. 36. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] *Display purposes only
  37. 37. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Display purposes only
  38. 38. Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
  39. 39. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  40. 40. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  41. 41. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  42. 42. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple
  43. 43. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  44. 44. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  45. 45. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default Can you spot the problem yet?
  46. 46. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
  47. 47. Apple, or other adversary with access to stored data, can near-instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
  48. 48. Setup Options
  49. 49. Complex iCSC correct horse battery staple PBKDF2 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb iCloud Security Code Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
  50. 50. Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
  51. 51. Setup Options
  52. 52. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  53. 53. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  54. 54. Random iCSC Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  55. 55. Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
  56. 56. Setup Options iCloud Keychain Keychain Sync Keychain Backup Master Password Escrow No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code
  57. 57. Conclusions Image: Apple Inc.
  58. 58. Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
  59. 59. Thank You! Questions are welcome :-) ! ! @abelenko @hackappcom
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×