Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iCloud Keychain and iOS 7 Data Protection

Andrey Belenko
December 02, 2013
Technology
0
530

iCloud Keychain and iOS 7 Data Protection

When Apple announced iOS 7, iCloud Keychain was one of its key features. It is no doubt great for usability, but what about security? What kind of access does Apple have to your passwords stored in the iCloud? This talk will address this and other questions.

The talk is focused on protection of user data. We will review iOS Data Protection and changes that iOS 7 brought to it. We will see what is new and where is Apple going with this. We will explore in great detail the inner workings of the new iCloud service — 'escrowproxy' — which is the essence of the iCloud Keychain.

Main giveaway of the talk is the in-depth analysis of the new iCloud Keychain feature. You will learn how, when, and where things are encrypted, and what it takes to decrypt them.

Andrey Belenko

December 02, 2013
Tweet

More Decks by Andrey Belenko

See All by Andrey Belenko
On the Security of the iCloud Keychain
belenko
4
2.5k
Типичные Проблемы Безопасности в Приложениях для iOS
belenko
1
200
Dark and Bright Sides of the iCloud (In)Security
belenko
1
270
Evolution of iOS Data Protection and iPhone Forensics: 
from iPhone OS to iOS 5
belenko
1
86
Evolution of iOS Data Protection and iPhone Forensics: from iPhone OS to iOS 5
belenko
2
140
Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
belenko
1
76

Other Decks in Technology

See All in Technology
Oracle Exadata Database Service on [email protected] X9M ([email protected]) 技術詳細
oracle4engineer
PRO
0
1.5k
高速な深層学習モデルアーキテクチャ2023
yu4u
2
1.6k
Exadata Database Cloud (Exadata Cloud Service) サービス技術詳細
oracle4engineer
PRO
0
29k
機械学習モデル性能向上への学習データからのアプローチ
okada_fuutass
0
150
JUnitテストをCI環境で並列で実行する方法とその速度, スケーラビリティ
nabedge
4
270
安心して現場で学習できる環境として Flutter Web の管理サイトがおすすめな話
htsuruo
5
140
食べログChatGPTプラグイン導入で見えてきた未来:データサイエンティストの向き合い方
moritama1515
PRO
3
430
ChatGPTを活用した 便利ツールの紹介
hankehly
1
500
OCI Data Integration技術情報 / ocidi_technical_jp
oracle4engineer
PRO
0
450
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
740
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.1k
何故、UseCaseは1メソッドなのか
okuzawats
2
390

Featured

See All Featured
Design by the Numbers
sachag
272
18k
Designing with Data
zakiwarfel
92
4.3k
How to train your dragon (web standard)
notwaldorf
69
4.4k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.4k
Scaling GitHub
holman
453
140k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
13
1.4k
We Have a Design System, Now What?
morganepeng
38
6.2k
Building Your Own Lightsaber
phodgson
96
5k
KATA
mclloyd
13
10k
Writing Fast Ruby
sferik
613
58k

Transcript

  1. iCloud Keychain
    and
    iOS 7 Data Protection
    Andrey Belenko
    Sr. Security Engineer @ viaForensics

    View Slide

  2. iOS Data Protection
    Keychain encryption since the very beginning
    • Before iOS 4: AES-CBC, per-device key
    • iOS 4: AES-CBC, per-record key based on desired
    item accessibility
    • iOS 5+: AES-GCM, per-record key, encrypts
    metadata

    View Slide

  3. iOS Data Protection
    Storage encryption since iOS 4*
    • File-level (much like Windows EFS), so carving is challenging
    • Per-file key based on protection class: NSFileProtectionNone
    or NSFileProtectionComplete
    • iOS 5 adds …CompleteUntilFirstUserAuthentication and …
    CompleteUnlessOpen (uses DJB’s curve25519)
    !
    * Pre-iOS 4 encryption was used to wipe data

    View Slide

  4. iOS 7?
    • No visible changes to file encryption (i.e. existing
    tools work and don’t screw things up)
    • Keychain record format has changed
    • ASN.1 BER encoding instead of proprietary
    Binary Property List encoding
    • Keychain encryption has not changed: AES-GCM
    with per-record key

    View Slide

  5. ASN.1?
    Apple switching from something proprietary to
    something standard? Why?
    • ASN.1 BER is sequential: no need to read TOC
    from the end of the stream first
    • ASN.1 BER is more compact
    • ASN.1 is cross-platform: will we see Keychain on
    other platforms?

    View Slide

  6. iCloud Keychain
    Image: Apple Inc.

    View Slide

  7. Motivation
    http://support.apple.com/kb/HT4865

    View Slide

  8. Motivation
    http://support.apple.com/kb/HT4865

    View Slide

  9. iCloud

    View Slide

  10. View Slide

  11. The Big Picture
    *.keyvalueservice.icloud.com
    *.escrowproxy.icloud.com
    Keychain (encrypted)
    Keybag (encrypted)
    Some Secret
    HTTPS!
    NO PINNING

    View Slide

  12. Setup Options

    View Slide

  13. 4-digit iCSC [Default]
    Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    iCloud Security Code
    1234
    PBKDF2
    SHA-256 x 10’000
    AES-CBC
    256 bit
    *.escrowproxy.icloud.com
    Keychain Passwords
    yMa9ohCJ
    tzzcVhE7
    sDVoCnb
    Backup Keybag
    Key 1
    Key 2
    Key 3
    AES-GCM
    256 bit
    AES-Wrap Keys
    RFC 3394
    *.keyvalueservice.icloud.com

    View Slide

  14. Key-Value Store
    • Not new
    • Used extensively by many apps e.g. to keep
    preferences in sync across devices
    • iCloud Keychain utilises two stores:
    • com.apple.security.cloudkeychainproxy3
    • com.apple.sbd3 (securebackupd3)

    View Slide

  15. Key-Value Store
    Key Description
    com.apple.securebackup.enabled Is Keychain data saved in KVS?
    com.apple.securebackup.record Keychain records, encrypted
    SecureBackupMetadata iCSC complexity, timestamp, country
    BackupKeybag Keybag protecting Keychain records
    BackupUsesEscrow Is keybag password escrowed?
    BackupVersion Version, currently @“1”
    BackupUUID UUID of the backup

    View Slide

  16. Escrow Proxy
    • Designed to store precious secrets
    • Access to service requires auth token
    • Access to escrowed data requires iCSC
    • Need to receive SMS challenge
    • Must successfully complete SRP auth
    • User-Agent: com.apple.lakitu (iOS/OS X)
    Image: mariowiki.com

    View Slide

  17. Secure Remote Password
    • Zero-knowledge password proof scheme
    • Combats sniffing/MITM
    • One password guess per connection attempt
    • Password verifier is not sufficient for impersonation
    • Escrow Proxy uses SRP-6a

    View Slide

  18. Key Negotiation
    a ← random, A ← g^a
    b ← random, B ← kv + g^b
    u ← H(A, B) u ← H(A, B)
    x ← H(SALT, Password)
    S ← (B - kg^x) ^ (a + ux)
    K ← H(S)
    S ← (Av^u) ^ b
    K ← H(S)
    Key Verification
    M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)
    (Aborts if M is invalid)
    ID, A
    SALT, B
    M
    H(A, M, K)
    Password verifier:
    !
    SALT ← random
    x ← H(SALT,Password)
    v ← g^x
    Agreed-upon parameters:
    !
    H – one-way hash function
    N, g – group parameters
    k ← H(N, g)

    View Slide

  19. Key Negotiation
    a ← random, A ← g^a
    b ← random, B ← kv + g^b
    u ← H(A, B) u ← H(A, B)
    x ← H(SALT, Password)
    S ← (B - kg^x) ^ (a + ux)
    K ← H(S)
    S ← (Av^u) ^ b
    K ← H(S)
    Key Verification
    M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)
    (Aborts if M is invalid)
    ID, A, SMS CODE
    SALT, B
    M, SMS CODE
    H(A, M, K)
    Password verifier:
    !
    SALT ← random
    x ← H(SALT,Password)
    v ← g^x
    Agreed-upon parameters:
    !
    H – SHA-256
    N, g – RFC 5054 w. 2048-bit group
    k ← H(N, g)

    View Slide

  20. Escrowed Data Recovery
    /get_records
    List of escrowed records
    /get_sms_targets
    List of phone numbers*
    /generate_sms_challenge
    OK
    /srp_init [DsID, A, SMS CODE]
    [UUID, DsID, SALT, B]
    /recover [UUID, DsID, M, SMS CODE]
    [IV, AES-CBC(KSRP
    , Escrowed Record)]
    *Display purposes only

    View Slide

  21. Escrow Proxy Endpoints
    Endpoint Description
    get_club_cert [?] Obtain certificate
    enroll Submit escrow record
    get_records List escrowed records
    get_sms_targets List SMS numbers for escrowed records
    generate_sms_challenge Generate and send challenge code
    srp_init First step of SRP protocol
    recover Second step of SRP protocol
    alter_sms_target Change SMS number

    View Slide

  22. Escrow Record
    Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    iCloud Security Code
    1234
    PBKDF2
    SHA-256 x 10’000
    AES-CBC
    256 bit
    *.escrowproxy.icloud.com
    Keychain Passwords
    yMa9ohCJ
    tzzcVhE7
    sDVoCnb
    Backup Keybag
    Key 1
    Key 2
    Key 3
    AES-Wrap Keys
    RFC 3394
    AES-GCM
    256 bit
    *.keyvalueservice.icloud.com

    View Slide

  23. Escrow Record
    Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    iCloud Security Code
    1234
    PBKDF2
    SHA-256 x 10’000
    AES-CBC
    256 bit
    *.escrowproxy.icloud.com
    Key ← PBKDF2-SHA256(iCSC, 10’000)
    EscrowRecord ← AES-CBC(Key, RandomPassword)

    View Slide

  24. • This is stored by Apple
    • iCSC is 4 digits by default
    Escrow Record
    Key ← PBKDF2-SHA256(iCSC, 10’000)
    EscrowRecord ← AES-CBC(Key, RandomPassword)
    Can you spot the problem yet?

    View Slide

  25. Escrow Record
    Key ← PBKDF2-SHA256(iCSC, 10’000)
    • Offline iCSC guessing is possible
    • Almost instant recovery [for default settings]
    • iCSC decrypts keybag password
    • Keybag password unlocks keybag keys
    • Keybag keys decrypt Keychain items

    View Slide

  26. Apple, or other adversary with similar
    access level, can near-instantly decrypt
    “master” password and read synced
    iCloud Keychain records
    !
    (for default settings)

    View Slide

  27. Setup Options

    View Slide

  28. Complex iCSC
    Keychain Passwords
    yMa9ohCJ
    tzzcVhE7
    sDVoCnb
    Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    iCloud Security Code
    correct horse battery staple
    PBKDF2
    SHA-256 x 10’000
    AES-CBC
    256 bit
    Backup Keybag
    Key 1
    Key 2
    Key 3
    *.escrowproxy.icloud.com
    AES-Wrap Keys
    RFC 3394
    AES-GCM
    256 bit
    *.keyvalueservice.icloud.com

    View Slide

  29. Complex iCSC
    • Mechanics are the same as with simple iCSC
    • Offline password recovery attack is still possible,
    although pointless if password is complex enough

    View Slide

  30. Setup Options

    View Slide

  31. Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    Keychain Passwords
    yMa9ohCJ
    tzzcVhE7
    sDVoCnb
    Backup Keybag
    Key 1
    Key 2
    Key 3
    AES-Wrap Keys
    RFC 3394
    AES-GCM
    256 bit
    *.keyvalueservice.icloud.com
    iCloud Security Code
    correct horse battery staple
    PBKDF2
    SHA-256 x 10’000
    AES-CBC
    256 bit
    *.escrowproxy.icloud.com
    Random iCSC

    View Slide

  32. Random Password
    BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
    Keychain Passwords
    yMa9ohCJ
    tzzcVhE7
    sDVoCnb
    Backup Keybag
    Key 1
    Key 2
    Key 3
    AES-Wrap Keys
    RFC 3394
    AES-GCM
    256 bit
    *.keyvalueservice.icloud.com
    Random iCSC

    View Slide

  33. Random iCSC
    • Escrow Proxy is not used
    • Random iCSC (or derived key) stored on the
    device [haven’t verified]

    View Slide

  34. Setup Options

    View Slide

  35. No iCSC
    Work in Progress

    View Slide

  36. Conclusions
    Image: Apple Inc.

    View Slide

  37. Conclusions
    • Trust your vendor but verify his claims
    • Never ever use simple iCloud Security Code
    • Do not think that SMS Apple sends you is a 2FA
    • Yet, iCK is reasonably well engineered although not
    without shortcomings

    View Slide

  38. Thank You!
    Questions are welcome :-)
    !
    !
    !
    @abelenko
    [email protected]

    View Slide