SlideShare a Scribd company logo

6.1. iCloud keychain and iOS 7 data protection

defconmoscow
defconmoscow

This document summarizes iCloud Keychain and iOS 7 data protection. It discusses how keychain encryption has evolved from AES-CBC to AES-GCM encryption. It also explains how iOS uses file-level encryption with per-file keys based on protection classes. The document then analyzes the security of iCloud Keychain, describing how it uses an escrow proxy and key-value stores. It identifies a risk in how default iCloud Keychain setups allow for near-instant decryption of synced keychain records. The document recommends using a complex iCloud security code or random password to prevent offline guessing of the escrowed encryption key.

Internet
1 of 35
Download to read offline
iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics
/whoami • Current: viaForensics • Mobile security, mobile forensics, mobile app development • Previous: Elcomsoft • Password recovery, GPUs, mobile forensics
iOS Data Protection Keychain: encryption since the very beginning • Before iOS 4: AES-CBC, per-device key • iOS 4: AES-CBC, per-record key based on desired item accessibility • iOS 5+: AES-GCM, per-record key, encrypts metadata
iOS Data Protection Storage encryption since iOS 4* • File-level (much like Windows EFS), so carving is challenging • Per-file key based on protection class: NSFileProtectionNone or NSFileProtectionComplete • iOS 5 adds …CompleteUntilFirstUserAuthentication and … CompleteUnlessOpen (uses DJB’s curve25519) ! * Pre-iOS 4 encryption was used to wipe data
iOS 7 • ‘Secure Enclave’ – SEP coprocessor • No visible changes to file encryption (i.e. existing tools work and don’t screw things up) • Keychain record format has changed • ASN.1 BER encoding instead of proprietary Binary Property List encoding • Keychain encryption has not changed: AES-GCM with per-record key
iOS 8 • kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly • Keychain ACLs and Touch ID support • WWDC 2014 Session 711
iCloud Keychain Image: Apple Inc.
Motivation http://support.apple.com/kb/HT4865
iCloud
The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain (encrypted) Keybag (encrypted) Some Secret HTTPS NO PINNING
Setup Options
4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • com.apple.sbd3 (securebackupd3)
Key-Value Store Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
Escrow Proxy • Designed to store precious secrets • Access to service requires auth token • Access to escrowed data requires iCSC • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Displaypurposesonly
Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
Escrow Record Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
• This is stored by Apple • iCSC is 4 digits by default Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) Can you spot the problem yet?
Image:@karmalizzardofdeviantart.com
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
Apple, or other adversary with similar access level, can near- instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
Setup Options
Complex iCSC Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
Setup Options
Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
Conclusions Image: Apple Inc.
Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
Thank You! Questions are welcome :-) ! ! @abelenko ABelenko@viaforenscs.com

Recommended

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
viaForensics
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secrets
Excella
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
DynamicInfraDays
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
Nicolas Corrarello
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 

Recommended

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
viaForensics
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secrets
Excella
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
DynamicInfraDays
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
Nicolas Corrarello
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
Introduction to Shield and kibana
Introduction to Shield and kibanaIntroduction to Shield and kibana
Introduction to Shield and kibana
Knoldus Inc.
 
Designing High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWSDesigning High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWS
☁ Bryan Krausen
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesAsterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Dan Jenkins
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
Taswar Bhatti
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
Rock Solid WordPress
Rock Solid WordPressRock Solid WordPress
Rock Solid WordPress
Erik Osterman
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Vault
VaultVault
Vault
dawnlua
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deployments
Atul Jha
 
Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)
Matt Bynum
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
Urvashi Kataria
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
Peter Teufl
 

More Related Content

What's hot

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
Introduction to Shield and kibana
Introduction to Shield and kibanaIntroduction to Shield and kibana
Introduction to Shield and kibana
Knoldus Inc.
 
Designing High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWSDesigning High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWS
☁ Bryan Krausen
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
Felipe Prado
 
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesAsterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Dan Jenkins
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
Taswar Bhatti
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
Rock Solid WordPress
Rock Solid WordPressRock Solid WordPress
Rock Solid WordPress
Erik Osterman
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Vault
VaultVault
Vault
dawnlua
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deployments
Atul Jha
 
Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)
Matt Bynum
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
 

What's hot (20)

Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Introduction to Shield and kibana
Introduction to Shield and kibanaIntroduction to Shield and kibana
Introduction to Shield and kibana
 
Designing High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWSDesigning High Availability for HashiCorp Vault in AWS
Designing High Availability for HashiCorp Vault in AWS
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesAsterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilities
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
Rock Solid WordPress
Rock Solid WordPressRock Solid WordPress
Rock Solid WordPress
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Vault
VaultVault
Vault
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deployments
 
Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)Demystifying Software Defined Networking (SDN)
Demystifying Software Defined Networking (SDN)
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
 

Viewers also liked

iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
Urvashi Kataria
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
Peter Teufl
 
Smart phone security ios system
Smart phone security ios systemSmart phone security ios system
Smart phone security ios system
Jamil S. Alagha
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
NowSecure
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
Sumanth Veera
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
Graham Lee
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
Tom Eston
 

Viewers also liked (7)

iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
Smart phone security ios system
Smart phone security ios systemSmart phone security ios system
Smart phone security ios system
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 

Similar to 6.1. iCloud keychain and iOS 7 data protection

7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
defconmoscow
 
2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfws
Cyber Security Alliance
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
Alexey Troshichev
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
Michel Schudel
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
drewz lin
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
Erik LaBianca
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
SherefHesham
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in Theory
AllBits BVBA (freelancer)
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API Landmines
Ernie Turner
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
ShengWen Chiou
 
Us 17-radocea-intercepting-i cloud-keychain
Us 17-radocea-intercepting-i cloud-keychainUs 17-radocea-intercepting-i cloud-keychain
Us 17-radocea-intercepting-i cloud-keychain
Alex Radocea
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
Martin Kobetic
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
Local Authentication par Pierre-Alban Toth
Local Authentication par Pierre-Alban TothLocal Authentication par Pierre-Alban Toth
Local Authentication par Pierre-Alban Toth
CocoaHeads France
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
Ahmed Habib
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
Kai Koenig
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
thomashtkim
 

Similar to 6.1. iCloud keychain and iOS 7 data protection (20)

7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfws
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in Theory
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API Landmines
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
 
Us 17-radocea-intercepting-i cloud-keychain
Us 17-radocea-intercepting-i cloud-keychainUs 17-radocea-intercepting-i cloud-keychain
Us 17-radocea-intercepting-i cloud-keychain
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Local Authentication par Pierre-Alban Toth
Local Authentication par Pierre-Alban TothLocal Authentication par Pierre-Alban Toth
Local Authentication par Pierre-Alban Toth
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 

More from defconmoscow

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRL
defconmoscow
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]
defconmoscow
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking
defconmoscow
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
defconmoscow
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF final
defconmoscow
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
defconmoscow
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websites
defconmoscow
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6
defconmoscow
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communications
defconmoscow
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
defconmoscow
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]
defconmoscow
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt
defconmoscow
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]
defconmoscow
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
defconmoscow
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditions
defconmoscow
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddler
defconmoscow
 
4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation
defconmoscow
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypot
defconmoscow
 
3.2. White hat
3.2. White hat3.2. White hat
3.2. White hat
defconmoscow
 
3.1. Face recognition
3.1. Face recognition3.1. Face recognition
3.1. Face recognition
defconmoscow
 

More from defconmoscow (20)

7.5. Pwnie express IRL
7.5. Pwnie express IRL7.5. Pwnie express IRL
7.5. Pwnie express IRL
 
7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]7.4. Show impact [bug bounties]
7.4. Show impact [bug bounties]
 
7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking7.2. Alternative sharepoint hacking
7.2. Alternative sharepoint hacking
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
6.4. PHD IV CTF final
6.4. PHD IV CTF final6.4. PHD IV CTF final
6.4. PHD IV CTF final
 
6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail6.3. How to get out of an inprivacy jail
6.3. How to get out of an inprivacy jail
 
6.2. Hacking most popular websites
6.2. Hacking most popular websites6.2. Hacking most popular websites
6.2. Hacking most popular websites
 
6. [Bonus] DCM MI6
6. [Bonus] DCM MI66. [Bonus] DCM MI6
6. [Bonus] DCM MI6
 
5.3. Undercover communications
5.3. Undercover communications5.3. Undercover communications
5.3. Undercover communications
 
5.2. Digital forensics
5.2. Digital forensics5.2. Digital forensics
5.2. Digital forensics
 
5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]5.1. Flashback [hacking AD]
5.1. Flashback [hacking AD]
 
5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt5. [Daily hack] Truecrypt
5. [Daily hack] Truecrypt
 
4.5. Contests [extras]
4.5. Contests [extras]4.5. Contests [extras]
4.5. Contests [extras]
 
4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware4.4. Hashcracking server on generic hardware
4.4. Hashcracking server on generic hardware
 
4.3. Rat races conditions
4.3. Rat races conditions4.3. Rat races conditions
4.3. Rat races conditions
 
4.2. Web analyst fiddler
4.2. Web analyst fiddler4.2. Web analyst fiddler
4.2. Web analyst fiddler
 
4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation4.1. Path traversal post_exploitation
4.1. Path traversal post_exploitation
 
3.3. Database honeypot
3.3. Database honeypot3.3. Database honeypot
3.3. Database honeypot
 
3.2. White hat
3.2. White hat3.2. White hat
3.2. White hat
 
3.1. Face recognition
3.1. Face recognition3.1. Face recognition
3.1. Face recognition
 

Recently uploaded

一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 

Recently uploaded (12)

一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 

6.1. iCloud keychain and iOS 7 data protection

  • 1. iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics
  • 2. /whoami • Current: viaForensics • Mobile security, mobile forensics, mobile app development • Previous: Elcomsoft • Password recovery, GPUs, mobile forensics
  • 3. iOS Data Protection Keychain: encryption since the very beginning • Before iOS 4: AES-CBC, per-device key • iOS 4: AES-CBC, per-record key based on desired item accessibility • iOS 5+: AES-GCM, per-record key, encrypts metadata
  • 4. iOS Data Protection Storage encryption since iOS 4* • File-level (much like Windows EFS), so carving is challenging • Per-file key based on protection class: NSFileProtectionNone or NSFileProtectionComplete • iOS 5 adds …CompleteUntilFirstUserAuthentication and … CompleteUnlessOpen (uses DJB’s curve25519) ! * Pre-iOS 4 encryption was used to wipe data
  • 5. iOS 7 • ‘Secure Enclave’ – SEP coprocessor • No visible changes to file encryption (i.e. existing tools work and don’t screw things up) • Keychain record format has changed • ASN.1 BER encoding instead of proprietary Binary Property List encoding • Keychain encryption has not changed: AES-GCM with per-record key
  • 6. iOS 8 • kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly • Keychain ACLs and Touch ID support • WWDC 2014 Session 711
  • 10.
  • 11. The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain (encrypted) Keybag (encrypted) Some Secret HTTPS NO PINNING
  • 13. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 14. Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • com.apple.sbd3 (securebackupd3)
  • 15. Key-Value Store Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
  • 16. Escrow Proxy • Designed to store precious secrets • Access to service requires auth token • Access to escrowed data requires iCSC • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
  • 17. Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
  • 18. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
  • 19. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
  • 20. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Displaypurposesonly
  • 21. Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
  • 22. Escrow Record Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 23. • This is stored by Apple • iCSC is 4 digits by default Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) Can you spot the problem yet?
  • 25. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
  • 26. Apple, or other adversary with similar access level, can near- instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
  • 28. Complex iCSC Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 29. Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
  • 31. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  • 32. Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
  • 34. Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
  • 35. Thank You! Questions are welcome :-) ! ! @abelenko ABelenko@viaforenscs.com