Upgrade to Pro — share decks privately, control downloads, hide ads and more …

On the Security of the iCloud Keychain

Andrey Belenko
November 06, 2014
Technology
4
2.7k

On the Security of the iCloud Keychain

iCloud Keychain, one of the latest additions to the family of iCloud services that was pitched by Apple. It is no doubt great for usability, but what about security? What kind of access does Apple have to your passwords stored in the iCloud? It haven’t received much research attention to the date and this talk aims to fill the gap.

Andrey Belenko

November 06, 2014
Tweet

More Decks by Andrey Belenko

See All by Andrey Belenko
Типичные Проблемы Безопасности в Приложениях для iOS
belenko
1
250
iCloud Keychain and iOS 7 Data Protection
belenko
0
680
Dark and Bright Sides of the iCloud (In)Security
belenko
1
310
Evolution of iOS Data Protection and iPhone Forensics: 
from iPhone OS to iOS 5
belenko
1
110
Evolution of iOS Data Protection and iPhone Forensics: from iPhone OS to iOS 5
belenko
2
170
Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
belenko
1
86

Other Decks in Technology

See All in Technology
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230
AGIについてChatGPTに聞いてみた
blueb
0
130
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
Platform Engineering for Software Developers and Architects
syntasso
1
520
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
190
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
330
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
350
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
120
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
The Invisible Side of Design
smashingmag
298
50k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
A Tale of Four Properties
chriscoyier
156
23k
Side Projects
sachag
452
42k
YesSQL, Process and Tooling at Scale
rocio
169
14k
How GitHub (no longer) Works
holman
310
140k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Fireside Chat
paigeccino
34
3k
RailsConf 2023
tenderlove
29
900
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k

Transcript

  1. ON THE SECURITY OF THE ICLOUD KEYCHAIN Andrey Belenko viaForensics

  2. ICLOUD • Introduced in 2011 • iOS 5 and OS

    X 10.7 • 320M accounts (July 2013)

  3. ICLOUD

  4. ICLOUD STORAGE

  5. ICLOUD KEYCHAIN

  6. MOTIVATION http://support.apple.com/kb/HT4865

  7. ICLOUD KEYCHAIN • Introduced in 2013 • iOS 7.0.3 and

    OS X 10.9 • Two different services: • iCloud Keychain Sync • iCloud Keychain (Escrow and) Recovery

  8. INTERCEPTING COMMS iCloud.com certificate is not pinned

  9. FIRST STEPS

  10. FIRST STEPS GET /authenticate AppleID, password

  11. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password

  12. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password GET

    /get_account_settings AppleID, password

  13. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password Account

    information Account settings GET /get_account_settings AppleID, password

  14. ACCOUNT SETTINGS

  15. ACCOUNT SETTINGS

  16. ACCOUNT SETTINGS

  17. SETUP

  18. THE BIG PICTURE escrowproxy.icloud.com keyvalueservice.icloud.com

  19. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com

  20. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Keychain

    sync

  21. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Master

    Secret Keychain sync

  22. KEY-VALUE STORE • Not new • Many apps use it

    to keep in sync across devices • iCloud Keychain uses two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Restore if no other devices

  23. ICLOUD KEYCHAIN SYNC com.apple.security.cloudkeychainproxy3 Sign(usrPwd, Bpub) Sign(Bpriv, (Apub, Bpub)) Sign(Apriv,

    Apub) Sign(userPwd, Apub) Sign(Apriv, (Apub, Bpub)) Sign(userPwd, (Apub, Bpub))

  24. KEY-VALUE STORE com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved

    in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup

  25. ESCROW PROXY • New, designed to store precious secrets •

    MFA to recover escrowed data • Must be signed into iCloud • Must provide 6-digit code sent via SMS • Must prove knowledge of iCSC via SRP • Data destroyed after ~10 failed attempts • User-Agent: com.apple.lakitu (iOS/OS X)

  26. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com

  27. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  28. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  29. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain

  30. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain

  31. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  32. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  33. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  34. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com

  35. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  36. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  37. DATA RECOVERY PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com

    keyvalueservice.icloud.com iCloud Security Code 1234

  38. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  39. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag

  40. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag

  41. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  42. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  43. DATA RECOVERY escrowproxy.icloud.com

  44. DATA RECOVERY /get_records List of escrowed records escrowproxy.icloud.com

  45. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers escrowproxy.icloud.com

  46. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK escrowproxy.icloud.com

  47. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] escrowproxy.icloud.com

  48. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP , Escrowed Record)] escrowproxy.icloud.com

  49. SECURE REMOTE PASSWORD • Zero-knowledge password proof scheme • Combats

    sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a

  50. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – one-way hash function N, g – group parameters k ← H(N, g)

  51. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)

  52. ESCROW PROXY COMMANDS Endpoint Description get_club_cert Obtains some certificate for

    a user enroll Escrows a record and returns phoneToken get_records Lists escrowed records get_sms_targets Lists phone numbers used for verification generate_sms_challenge Sends SMS challenge srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Given a phoneToken, changes phone number used for verification

  53. ALTER_SMS_TARGET • Changes phone number used for verification • Stricter

    authentication: requires AppleID password • Authentication token won’t work • Requires phoneToken returned at escrow time • iOS 8 finally exposes this in the UI

  54. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  55. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com

  56. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)

  57. ESCROW RECORD EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)

    This is stored by Apple This is 4 digits by default For default settings access is totally feasible!

  58. ESCROW RECORD • Offline iCSC guessing is possible • Almost

    instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items

  59. Apple, or other adversary with access to stored data, can

    near-instantly decrypt “master” password and consequently decrypt backed up iCloud Keychain records (for default settings)

  60. BUT CAN APPLE ACCESS STORED DATA?

  61. HARDWARE SECURITY MODULE • Apple claims it uses HSMs for

    storing escrowed data • Impossible to verify from outside

  62. SETUP

  63. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code correct horse

    battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  64. COMPLEX ICSC • Mechanics are the same as with simple

    iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough

  65. SETUP

  66. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 escrowproxy.icloud.com

  67. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  68. RANDOM ICSC Escrow Proxy is not used

  69. SETUP

  70. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ

    tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000

  71. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com

  72. NO ICSC Escrow Proxy is not used Keychain is not

    backed up

  73. ATTACK SURFACE iCloud Keychain Services Master Password Escrow iCloud Keychain

    Backup iCloud Keychain Sync No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code (default)

  74. CONCLUSIONS

  75. CONCLUSIONS • Trust your vendor but verify his claims •

    Never use simple iCloud Security Code • Overall, iCloud Keychain is reasonably well engineered

  76. Q & A

  77. THANK YOU! [email protected] @abelenko