SlideShare a Scribd company logo

iCloud keychain

A
Alexey Troshichev

IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html

Internet
1 of 61
Download to read offline
iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics ! Alexey Troshichev @hackappcom founder
What is iCloud?
What’s inside? • Documents • Photos • Backups (SMS, application data, etc) • Keychain
Hacker’s view
Bruteforce protection?
Bruteforce protection?
Bruteforce protection?
Find My iPhone
Brought to you by hackapp.com ! github.com/hackappcom/ibrute @hackappcom
iCloud Keychain Image: Apple Inc.
Motivation http://support.apple.com/kb/HT4865
Intercepting SSL SSL Proxy (Burp, Charles, …) Root CA cert Proxy settings
Authentication GET /authenticate AppleID, Password DsID, mmeAuthToken, fmipAuthToken icloud.com
/getAccountSettings
/getAccountSettings
Setup Options
The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain items (encrypted) Keybag (encrypted) Some Secret
Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Copy to restore if no other devices
Escrow Proxy • New; Designed to store precious secrets • Need to know iCSC to recover escrowed data • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
Key-Value Store com.apple.security.cloudkeychainproxy3 S(usrPwd, D2_pub) S(D2_priv, (D1_pub, D2_pub)) S(D1_priv, D1_pub) S(userPwd, D1_pub) S(D1_priv, (D1_pub, D2_pub)) S(userPwd, (D1_pub, D2_pub))
Key-Value Store com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
4-digit iCSC [Default]
4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit
4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394
4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
Escrowed Data Recovery *Display purposes only
Escrowed Data Recovery /get_records List of escrowed records *Display purposes only
Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* *Display purposes only
Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK *Display purposes only
Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] *Display purposes only
Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Display purposes only
Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default Can you spot the problem yet?
Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
Apple, or other adversary with access to stored data, can near-instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
Setup Options
Complex iCSC correct horse battery staple PBKDF2 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb iCloud Security Code Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
Setup Options
Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
Random iCSC Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
Setup Options iCloud Keychain Keychain Sync Keychain Backup Master Password Escrow No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code
Conclusions Image: Apple Inc.
Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
Thank You! Questions are welcome :-) ! ! @abelenko @hackappcom

Recommended

2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfws
Cyber Security Alliance
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
ShengWen Chiou
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO Alliance
FIDO Alliance
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
Office365のIdentity管理
Office365のIdentity管理Office365のIdentity管理
Office365のIdentity管理
Naohiro Fujie
 

Recommended

2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfws
Cyber Security Alliance
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
ShengWen Chiou
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO Alliance
FIDO Alliance
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
Office365のIdentity管理
Office365のIdentity管理Office365のIdentity管理
Office365のIdentity管理
Naohiro Fujie
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
Guido Marchetti
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Ransomeware Recovery by Veeam
Ransomeware Recovery by VeeamRansomeware Recovery by Veeam
Ransomeware Recovery by Veeam
Tanawit Chansuchai
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
FIDO Alliance
 
FIDO Masterclass
FIDO MasterclassFIDO Masterclass
FIDO Masterclass
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
FIDO Alliance
 
MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要
Naohiro Fujie
 
Azure Active Directory - An Introduction
Azure Active Directory - An IntroductionAzure Active Directory - An Introduction
Azure Active Directory - An Introduction
Venkatesh Narayanan
 
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
Amazon Web Services Japan
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
Michael Torres
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database Security
Troy Kitch
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
SC-900 Intro
SC-900 IntroSC-900 Intro
SC-900 Intro
FredBrandonAuthorMCP
 
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
TicTac Data Recovery
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
IBM Security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar reportRicha Dewani
 
iCloud - Apple Technology
iCloud - Apple TechnologyiCloud - Apple Technology
iCloud - Apple Technology
Asmita Kalena
 

More Related Content

What's hot

Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
Guido Marchetti
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Ransomeware Recovery by Veeam
Ransomeware Recovery by VeeamRansomeware Recovery by Veeam
Ransomeware Recovery by Veeam
Tanawit Chansuchai
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
FIDO Alliance
 
FIDO Masterclass
FIDO MasterclassFIDO Masterclass
FIDO Masterclass
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
FIDO Alliance
 
MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要
Naohiro Fujie
 
Azure Active Directory - An Introduction
Azure Active Directory - An IntroductionAzure Active Directory - An Introduction
Azure Active Directory - An Introduction
Venkatesh Narayanan
 
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
Amazon Web Services Japan
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
Michael Torres
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database Security
Troy Kitch
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
SC-900 Intro
SC-900 IntroSC-900 Intro
SC-900 Intro
FredBrandonAuthorMCP
 
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
TicTac Data Recovery
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
IBM Security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 

What's hot (20)

Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Ransomeware Recovery by Veeam
Ransomeware Recovery by VeeamRansomeware Recovery by Veeam
Ransomeware Recovery by Veeam
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
 
FIDO Masterclass
FIDO MasterclassFIDO Masterclass
FIDO Masterclass
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
 
MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要MicrosoftのDID/VC実装概要
MicrosoftのDID/VC実装概要
 
Azure Active Directory - An Introduction
Azure Active Directory - An IntroductionAzure Active Directory - An Introduction
Azure Active Directory - An Introduction
 
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理AWS IoT Device Defender による IoT デバイスのセキュリティ管理
AWS IoT Device Defender による IoT デバイスのセキュリティ管理
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Oracle Database Security
Oracle Database SecurityOracle Database Security
Oracle Database Security
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
SC-900 Intro
SC-900 IntroSC-900 Intro
SC-900 Intro
 
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
Σεμινάριο Κυβερνοασφάλειας για μή τεχνικό προσωπικό απο την Tictac Data Recov...
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 

Viewers also liked

Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar reportRicha Dewani
 
iCloud - Apple Technology
iCloud - Apple TechnologyiCloud - Apple Technology
iCloud - Apple Technology
Asmita Kalena
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
Vlad Garbuz
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messages
Artem I. Baranov
 
SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender
Michael Greth
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5Satish b
 
iCloud
iCloudiCloud
iCloud
Andri Yadi
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
NowSecure
 
Icloud keynote2
Icloud keynote2Icloud keynote2
Icloud keynote2
avsorrent
 
Bio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular BiologyBio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular Biology
Bob Eisenberg
 
soft-computing
soft-computing soft-computing
soft-computingstudent
 
SkyDrive
SkyDriveSkyDrive
SkyDrive
Elaine Giles
 
Bluejacking
BluejackingBluejacking
Bluejacking
Jyoti Chintadi
 

Viewers also liked (17)

Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar report
 
iCloud - Apple Technology
iCloud - Apple TechnologyiCloud - Apple Technology
iCloud - Apple Technology
 
iCloud by Apple
iCloud by AppleiCloud by Apple
iCloud by Apple
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
 
How apple can read your i messages
How apple can read your i messagesHow apple can read your i messages
How apple can read your i messages
 
SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender SkyDrive vs. SkyDrive Pro - Hans Brender
SkyDrive vs. SkyDrive Pro - Hans Brender
 
Icloud
IcloudIcloud
Icloud
 
iPhone forensics on iOS5
iPhone forensics on iOS5iPhone forensics on iOS5
iPhone forensics on iOS5
 
iCloud
iCloudiCloud
iCloud
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
Icloud keynote2
Icloud keynote2Icloud keynote2
Icloud keynote2
 
Bio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular BiologyBio-Molecular Engineering is the Future of Molecular Biology
Bio-Molecular Engineering is the Future of Molecular Biology
 
icloud
icloudicloud
icloud
 
Apple iCloud
Apple iCloudApple iCloud
Apple iCloud
 
soft-computing
soft-computing soft-computing
soft-computing
 
SkyDrive
SkyDriveSkyDrive
SkyDrive
 
Bluejacking
BluejackingBluejacking
Bluejacking
 

Similar to iCloud keychain

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
viaForensics
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
defconmoscow
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
defconmoscow
 
Protect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada KeystoreProtect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada Keystore
Stephane Carrez
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API Landmines
Ernie Turner
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2
ESUG
 
Encryption Boot Camp at Øredev
Encryption Boot Camp at ØredevEncryption Boot Camp at Øredev
Encryption Boot Camp at Øredev
Matthew McCullough
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
Martin Kobetic
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
Svetlin Nakov
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
Francois Marier
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
Graham Lee
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptographydrewz lin
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Niek Timmers
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Riscure
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
tcloudcomputing-tw
 
Overview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemesOverview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemes
Ignat Korchagin
 
Cryptography for Smalltalkers
Cryptography for SmalltalkersCryptography for Smalltalkers
Cryptography for Smalltalkers
ESUG
 

Similar to iCloud keychain (20)

Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
 
7.3. iCloud keychain-2
7.3. iCloud keychain-27.3. iCloud keychain-2
7.3. iCloud keychain-2
 
6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection6.1. iCloud keychain and iOS 7 data protection
6.1. iCloud keychain and iOS 7 data protection
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Protect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada KeystoreProtect Sensitive Data with Ada Keystore
Protect Sensitive Data with Ada Keystore
 
Dodging WebCrypto API Landmines
Dodging WebCrypto API LandminesDodging WebCrypto API Landmines
Dodging WebCrypto API Landmines
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2Cryptography for Smalltalkers 2
Cryptography for Smalltalkers 2
 
Encryption Boot Camp at Øredev
Encryption Boot Camp at ØredevEncryption Boot Camp at Øredev
Encryption Boot Camp at Øredev
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
Security and Encryption on iOS
Security and Encryption on iOSSecurity and Encryption on iOS
Security and Encryption on iOS
 
12 symmetric key cryptography
12 symmetric key cryptography12 symmetric key cryptography
12 symmetric key cryptography
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
 
Overview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemesOverview and evolution of password-based authentication schemes
Overview and evolution of password-based authentication schemes
 
Cryptography for Smalltalkers
Cryptography for SmalltalkersCryptography for Smalltalkers
Cryptography for Smalltalkers
 

Recently uploaded

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 

Recently uploaded (16)

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 

iCloud keychain

  • 1. iCloud Keychain and iOS 7 Data Protection Andrey Belenko Sr. Security Engineer @ viaForensics ! Alexey Troshichev @hackappcom founder
  • 3. What’s inside? • Documents • Photos • Backups (SMS, application data, etc) • Keychain
  • 9. Brought to you by hackapp.com ! github.com/hackappcom/ibrute @hackappcom
  • 12. Intercepting SSL SSL Proxy (Burp, Charles, …) Root CA cert Proxy settings
  • 13. Authentication GET /authenticate AppleID, Password DsID, mmeAuthToken, fmipAuthToken icloud.com
  • 16.
  • 17.
  • 19. The Big Picture *.keyvalueservice.icloud.com *.escrowproxy.icloud.com Keychain items (encrypted) Keybag (encrypted) Some Secret
  • 20. Key-Value Store • Not new • Used extensively by many apps e.g. to keep preferences in sync across devices • iCloud Keychain utilises two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Copy to restore if no other devices
  • 21. Escrow Proxy • New; Designed to store precious secrets • Need to know iCSC to recover escrowed data • Need to receive SMS challenge • Must successfully complete SRP auth • User-Agent: com.apple.lakitu (iOS/OS X) Image: mariowiki.com
  • 22. Key-Value Store com.apple.security.cloudkeychainproxy3 S(usrPwd, D2_pub) S(D2_priv, (D1_pub, D2_pub)) S(D1_priv, D1_pub) S(userPwd, D1_pub) S(D1_priv, (D1_pub, D2_pub)) S(userPwd, (D1_pub, D2_pub))
  • 23. Key-Value Store com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
  • 25. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
  • 26. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit
  • 27. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394
  • 28. 4-digit iCSC [Default] Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 29. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 30. 4-digit iCSC [Default] iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 *.keyvalueservice.icloud.com
  • 31. Secure Remote Password • Zero-knowledge password proof scheme • Combats sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
  • 32. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – one-way hash function N, g – group parameters k ← H(N, g)
  • 33. Key Negotiation a ← random, A ← g^a b ← random, B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: ! SALT ← random x ← H(SALT,Password) v ← g^x Agreed-upon parameters: ! H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
  • 34. Escrowed Data Recovery *Display purposes only
  • 35. Escrowed Data Recovery /get_records List of escrowed records *Display purposes only
  • 36. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* *Display purposes only
  • 37. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK *Display purposes only
  • 38. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] *Display purposes only
  • 39. Escrowed Data Recovery /get_records List of escrowed records /get_sms_targets List of phone numbers* /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP, Escrowed Record)] *Display purposes only
  • 40. Escrow Proxy Endpoints Endpoint Description get_club_cert [?] Obtain certificate enroll Submit escrow record get_records List escrowed records get_sms_targets List SMS numbers for escrowed records generate_sms_challenge Generate and send challenge code srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Change SMS number
  • 41. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 42. Escrow Record iCloud Security Code 1234 PBKDF2 Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 43. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 44. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple
  • 45. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  • 46. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default
  • 47. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) EscrowRecord ← AES-CBC(Key, RandomPassword) • This is stored by Apple • iCSC is 4 digits by default Can you spot the problem yet?
  • 48. Escrow Record Key ← PBKDF2-SHA256(iCSC, 10’000) • Offline iCSC guessing is possible • Almost instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
  • 49. Apple, or other adversary with access to stored data, can near-instantly decrypt “master” password and read synced iCloud Keychain records ! (for default settings)
  • 51. Complex iCSC correct horse battery staple PBKDF2 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb iCloud Security Code Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 SHA-256 x 10’000 AES-CBC 256 bit Backup Keybag Key 1 Key 2 Key 3 *.escrowproxy.icloud.com AES-Wrap Keys RFC 3394 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 52. Complex iCSC • Mechanics are the same as with simple iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
  • 54. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  • 55. Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit *.escrowproxy.icloud.com Random iCSC
  • 56. Random iCSC Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-Wrap Keys RFC 3394 Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit *.keyvalueservice.icloud.com
  • 57. Random iCSC • Escrow Proxy is not used • Random iCSC (or derived key) stored on the device [haven’t verified]
  • 58. Setup Options iCloud Keychain Keychain Sync Keychain Backup Master Password Escrow No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code
  • 60. Conclusions • Trust your vendor but verify his claims • Never ever use simple iCloud Security Code • Do not think that SMS Apple sends you is a 2FA • Yet, iCK is reasonably well engineered although not without shortcomings
  • 61. Thank You! Questions are welcome :-) ! ! @abelenko @hackappcom