![4-digit iCSC [Default]](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-24-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-25-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-26-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
AES-Wrap Keys
RFC 3394](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-27-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
AES-Wrap Keys
RFC 3394
*.keyvalueservice.icloud.com](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-28-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
iCloud Security Code
1234 PBKDF2
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
SHA-256 x 10’000
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
AES-Wrap Keys
RFC 3394
*.keyvalueservice.icloud.com](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-29-2048.jpg?cb=1664991203)
![4-digit iCSC [Default]
iCloud Security Code
1234 PBKDF2
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
SHA-256 x 10’000
AES-CBC
256 bit
*.escrowproxy.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb
Backup Keybag
Key 1
Key 2
Key 3
AES-GCM
256 bit
AES-Wrap Keys
RFC 3394
*.keyvalueservice.icloud.com](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-30-2048.jpg?cb=1664991203)
![Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge
OK
/srp_init [DsID, A, SMS CODE]
[UUID, DsID, SALT, B]
*Display purposes only](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-38-2048.jpg?cb=1664991203)
![Escrowed Data Recovery
/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge
OK
/srp_init [DsID, A, SMS CODE]
[UUID, DsID, SALT, B]
/recover [UUID, DsID, M, SMS CODE]
[IV, AES-CBC(KSRP, Escrowed Record)]
*Display purposes only](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-39-2048.jpg?cb=1664991203)
![Escrow Proxy Endpoints
Endpoint Description
get_club_cert [?] Obtain certificate
enroll Submit escrow record
get_records List escrowed records
get_sms_targets List SMS numbers for escrowed records
generate_sms_challenge Generate and send challenge code
srp_init First step of SRP protocol
recover Second step of SRP protocol
alter_sms_target Change SMS number](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-40-2048.jpg?cb=1664991203)
![Escrow Record
Key ← PBKDF2-SHA256(iCSC, 10’000)
• Offline iCSC guessing is possible
• Almost instant recovery [for default settings]
• iCSC decrypts keybag password
• Keybag password unlocks keybag keys
• Keybag keys decrypt Keychain items](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-48-2048.jpg?cb=1664991203)
![Random iCSC
• Escrow Proxy is not used
• Random iCSC (or derived key) stored on the device
[haven’t verified]](https://image.slidesharecdn.com/icloudkeychain-140901102731-phpapp02/75/icloud-keychain-57-2048.jpg?cb=1664991203)
iCloud keychain
•87 likes•203,385 views
Report
Share
Download to read offline
IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html
Recommended
![M08_あなたの知らない Azure インフラの世界 [Microsoft Japan Digital Days]](https://cdn.slidesharecdn.com/ss_thumbnails/m08azure-211027131016-thumbnail.jpg?width=384&fit=bounds)
More Related Content
What's hot
What's hot(20)
Viewers also liked
Viewers also liked(17)
Similar to iCloud keychain
Similar to iCloud keychain(20)
Recently uploaded
Recently uploaded(12)
iCloud keychain
- 1. iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics ! Alexey Troshichev @hackappcom founder
- 3. What’s inside? • Documents • Photos • Backups (SMS, application data, etc) • Keychain
- 9. Brought to you by hackapp.com ! github.com/hackappcom/ibrute @hackappcom
- 10. iCloud Keychain Image: Apple Inc.
- 12. Intercepting SSL SSL Proxy (Burp, Charles, …) Root CA cert Proxy settings
- 13. Authentication GET /authenticate AppleID, Password DsID, mmeAuthToken, fmipAuthToken icloud.com
- 18. Setup Options
- 19. The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain items (encrypted) Keybag (encrypted) Some Secret
- 20. Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Copy to restore if no other devices
- 21. Escrow Proxy • New; Designed to store precious secrets • Need to know iCSC to recover escrowed data • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
- 22. Key-Value Store com.apple.security.cloudkeychainproxy3 S(usrPwd, D2_pub) S(D2_priv, (D1_pub, D2_pub)) S(D1_priv, D1_pub) S(userPwd, D1_pub) S(D1_priv, (D1_pub, D2_pub)) S(userPwd, (D1_pub, D2_pub))
- 23. Key-Value Store com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
- 25. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
- 26. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit
- 27. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394
- 28. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
- 29. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
- 30. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
- 31. Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
- 32. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
- 33. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
- 34. Escrowed Data Recovery *Display purposes only
- 35. Escrowed Data Recovery /get_records List of escrowed records *Display purposes only
- 36. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* *Display purposes only
- 37. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK *Display purposes only
- 38. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] *Display purposes only
- 39. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Display purposes only
- 40. Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
- 41. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
- 42. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
- 43. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
- 44. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple
- 45. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
- 46. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
- 47. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default Can you spot the problem yet?
- 48. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
- 49. Apple, or other adversary with access to stored data, can near-instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
- 50. Setup Options
- 51. Complex iCSC correct horse battery staple PBKDF2 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb iCloud Security Code Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
- 52. Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
- 53. Setup Options
- 54. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
- 55. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
- 56. Random iCSC Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
- 57. Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
- 58. Setup Options iCloud Keychain Keychain Sync Keychain Backup Master Password Escrow No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code
- 59. Conclusions Image: Apple Inc.
- 60. Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
- 61. Thank You! Questions are welcome :-) ! ! @abelenko @hackappcom