19. The Big Picture
*.keyvalueservice.icloud.com
*.escrowproxy.icloud.com
Keychain items (encrypted)
Keybag (encrypted)
Some Secret
20. Key-Value Store
โข Not new
โข Used extensively by many apps e.g. to keep preferences
in sync across devices
โข iCloud Keychain utilises two stores:
โข com.apple.security.cloudkeychainproxy3
โข Syncing between devices
โข com.apple.sbd3 (securebackupd3)
โข Copy to restore if no other devices
21. Escrow Proxy
โข New; Designed to store precious secrets
โข Need to know iCSC to recover escrowed data
โข Need to receive SMS challenge
โข Must successfully complete SRP auth
โข User-Agent: com.apple.lakitu (iOS/OS X)
Image: mariowiki.com
23. Key-Value Store
com.apple.sbd3
Key Description
com.apple.securebackup.enabled Is Keychain data saved in KVS?
com.apple.securebackup.record Keychain records, encrypted
SecureBackupMetadata iCSC complexity, timestamp, country
BackupKeybag Keybag protecting Keychain records
BackupUsesEscrow Is keybag password escrowed?
BackupVersion Version, currently @โ1โ
BackupUUID UUID of the backup
30. 4-digit iCSC [Default]
iCloud Security Code
1234 PBKDF2
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
SHA-256 x 10โ000
AES-CBC
256 bit
*.escrowproxy.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
AES-Wrap Keys
RFC 3394
*.keyvalueservice.icloud.com
31. Secure Remote Password
โข Zero-knowledge password proof scheme
โข Combats sniffing/MITM
โข One password guess per connection attempt
โข Password verifier is not sufficient for impersonation
โข Escrow Proxy uses SRP-6a
32. Key Negotiation
a โ random, A โ g^a
b โ random, B โ kv + g^b
u โ H(A, B) u โ H(A, B)
x โ H(SALT, Password)
S โ (B - kg^x) ^ (a + ux)
K โ H(S)
S โ (Av^u) ^ b
K โ H(S)
Key Verification
M โ H(H(N) โ H(g), H(ID), SALT, A, B, K)
(Aborts if M is invalid)
ID, A
SALT, B
M
H(A, M, K)
Password verifier:
!
SALT โ random
x โ H(SALT,Password)
v โ g^x
Agreed-upon parameters:
!
H โ one-way hash function
N, g โ group parameters
k โ H(N, g)
33. Key Negotiation
a โ random, A โ g^a
b โ random, B โ kv + g^b
u โ H(A, B) u โ H(A, B)
x โ H(SALT, Password)
S โ (B - kg^x) ^ (a + ux)
K โ H(S)
S โ (Av^u) ^ b
K โ H(S)
Key Verification
M โ H(H(N) โ H(g), H(ID), SALT, A, B, K)
(Aborts if M is invalid)
ID, A, SMS CODE
SALT, B
M, SMS CODE
H(A, M, K)
Password verifier:
!
SALT โ random
x โ H(SALT,Password)
v โ g^x
Agreed-upon parameters:
!
H โ SHA-256
N, g โ RFC 5054 w. 2048-bit group
k โ H(N, g)
36. Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
*Display purposes only
37. Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge
OK
*Display purposes only
38. Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge
OK
/srp_init [DsID, A, SMS CODE]
[UUID, DsID, SALT, B]
*Display purposes only
39. Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge
OK
/srp_init [DsID, A, SMS CODE]
[UUID, DsID, SALT, B]
/recover [UUID, DsID, M, SMS CODE]
[IV, AES-CBC(KSRP, Escrowed Record)]
*Display purposes only
40. Escrow Proxy Endpoints
Endpoint Description
get_club_cert [?] Obtain certificate
enroll Submit escrow record
get_records List escrowed records
get_sms_targets List SMS numbers for escrowed records
generate_sms_challenge Generate and send challenge code
srp_init First step of SRP protocol
recover Second step of SRP protocol
alter_sms_target Change SMS number
41. Escrow Record
iCloud Security Code
1234 PBKDF2
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
SHA-256 x 10โ000
AES-CBC
256 bit
*.escrowproxy.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
AES-Wrap Keys
RFC 3394
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
*.keyvalueservice.icloud.com
42. Escrow Record
iCloud Security Code
1234 PBKDF2
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
SHA-256 x 10โ000
AES-CBC
256 bit
*.escrowproxy.icloud.com
Key โ PBKDF2-SHA256(iCSC, 10โ000)
EscrowRecord โ AES-CBC(Key, RandomPassword)
44. Escrow Record
Key โ PBKDF2-SHA256(iCSC, 10โ000)
EscrowRecord โ AES-CBC(Key, RandomPassword)
โข This is stored by Apple
45. Escrow Record
Key โ PBKDF2-SHA256(iCSC, 10โ000)
EscrowRecord โ AES-CBC(Key, RandomPassword)
โข This is stored by Apple
โข iCSC is 4 digits by default
46. Escrow Record
Key โ PBKDF2-SHA256(iCSC, 10โ000)
EscrowRecord โ AES-CBC(Key, RandomPassword)
โข This is stored by Apple
โข iCSC is 4 digits by default
47. Escrow Record
Key โ PBKDF2-SHA256(iCSC, 10โ000)
EscrowRecord โ AES-CBC(Key, RandomPassword)
โข This is stored by Apple
โข iCSC is 4 digits by default
Can you spot the problem yet?
48. Escrow Record
Key โ PBKDF2-SHA256(iCSC, 10โ000)
โข Offline iCSC guessing is possible
โข Almost instant recovery [for default settings]
โข iCSC decrypts keybag password
โข Keybag password unlocks keybag keys
โข Keybag keys decrypt Keychain items
49. Apple, or other adversary with
access to stored data, can near-instantly
decrypt โmasterโ
password and read synced iCloud
Keychain records
!
(for default settings)
52. Complex iCSC
โข Mechanics are the same as with simple iCSC
โข Offline password recovery attack is still possible,
although pointless if password is complex enough
60. Conclusions
โข Trust your vendor but verify his claims
โข Never ever use simple iCloud Security Code
โข Do not think that SMS Apple sends you is a 2FA
โข Yet, iCK is reasonably well engineered although not
without shortcomings