On the Security of the iCloud Keychain

3b1f073bebf22be799410c292ddb76ab?s=47 Andrey Belenko
November 06, 2014

On the Security of the iCloud Keychain

iCloud Keychain, one of the latest additions to the family of iCloud services that was pitched by Apple. It is no doubt great for usability, but what about security? What kind of access does Apple have to your passwords stored in the iCloud? It haven’t received much research attention to the date and this talk aims to fill the gap.

3b1f073bebf22be799410c292ddb76ab?s=128

Andrey Belenko

November 06, 2014
Tweet

Transcript

  1. ON THE SECURITY OF THE ICLOUD KEYCHAIN Andrey Belenko viaForensics

  2. ICLOUD • Introduced in 2011 • iOS 5 and OS

    X 10.7 • 320M accounts (July 2013)
  3. ICLOUD

  4. ICLOUD STORAGE

  5. ICLOUD KEYCHAIN

  6. MOTIVATION http://support.apple.com/kb/HT4865

  7. ICLOUD KEYCHAIN • Introduced in 2013 • iOS 7.0.3 and

    OS X 10.9 • Two different services: • iCloud Keychain Sync • iCloud Keychain (Escrow and) Recovery
  8. INTERCEPTING COMMS iCloud.com certificate is not pinned

  9. FIRST STEPS

  10. FIRST STEPS GET /authenticate AppleID, password

  11. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password

  12. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password GET

    /get_account_settings AppleID, password
  13. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password Account

    information Account settings GET /get_account_settings AppleID, password
  14. ACCOUNT SETTINGS

  15. ACCOUNT SETTINGS

  16. ACCOUNT SETTINGS

  17. SETUP

  18. THE BIG PICTURE escrowproxy.icloud.com keyvalueservice.icloud.com

  19. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com

  20. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Keychain

    sync
  21. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Master

    Secret Keychain sync
  22. KEY-VALUE STORE • Not new • Many apps use it

    to keep in sync across devices • iCloud Keychain uses two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Restore if no other devices
  23. ICLOUD KEYCHAIN SYNC com.apple.security.cloudkeychainproxy3 Sign(usrPwd, Bpub) Sign(Bpriv, (Apub, Bpub)) Sign(Apriv,

    Apub) Sign(userPwd, Apub) Sign(Apriv, (Apub, Bpub)) Sign(userPwd, (Apub, Bpub))
  24. KEY-VALUE STORE com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved

    in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup
  25. ESCROW PROXY • New, designed to store precious secrets •

    MFA to recover escrowed data • Must be signed into iCloud • Must provide 6-digit code sent via SMS • Must prove knowledge of iCSC via SRP • Data destroyed after ~10 failed attempts • User-Agent: com.apple.lakitu (iOS/OS X)
  26. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com

  27. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  28. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234
  29. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain
  30. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain
  31. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag
  32. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag
  33. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag
  34. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com

  35. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  36. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  37. DATA RECOVERY PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com

    keyvalueservice.icloud.com iCloud Security Code 1234
  38. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234
  39. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag
  40. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag
  41. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag
  42. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag
  43. DATA RECOVERY escrowproxy.icloud.com

  44. DATA RECOVERY /get_records List of escrowed records escrowproxy.icloud.com

  45. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers escrowproxy.icloud.com
  46. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK escrowproxy.icloud.com
  47. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] escrowproxy.icloud.com
  48. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP , Escrowed Record)] escrowproxy.icloud.com
  49. SECURE REMOTE PASSWORD • Zero-knowledge password proof scheme • Combats

    sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a
  50. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – one-way hash function N, g – group parameters k ← H(N, g)
  51. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)
  52. ESCROW PROXY COMMANDS Endpoint Description get_club_cert Obtains some certificate for

    a user enroll Escrows a record and returns phoneToken get_records Lists escrowed records get_sms_targets Lists phone numbers used for verification generate_sms_challenge Sends SMS challenge srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Given a phoneToken, changes phone number used for verification
  53. ALTER_SMS_TARGET • Changes phone number used for verification • Stricter

    authentication: requires AppleID password • Authentication token won’t work • Requires phoneToken returned at escrow time • iOS 8 finally exposes this in the UI
  54. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag
  55. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com
  56. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)
  57. ESCROW RECORD EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)

    This is stored by Apple This is 4 digits by default For default settings access is totally feasible!
  58. ESCROW RECORD • Offline iCSC guessing is possible • Almost

    instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items
  59. Apple, or other adversary with access to stored data, can

    near-instantly decrypt “master” password and consequently decrypt backed up iCloud Keychain records (for default settings)
  60. BUT CAN APPLE ACCESS STORED DATA?

  61. HARDWARE SECURITY MODULE • Apple claims it uses HSMs for

    storing escrowed data • Impossible to verify from outside
  62. SETUP

  63. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code correct horse

    battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag
  64. COMPLEX ICSC • Mechanics are the same as with simple

    iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough
  65. SETUP

  66. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 escrowproxy.icloud.com
  67. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag
  68. RANDOM ICSC Escrow Proxy is not used

  69. SETUP

  70. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ

    tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000
  71. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com

  72. NO ICSC Escrow Proxy is not used Keychain is not

    backed up
  73. ATTACK SURFACE iCloud Keychain Services Master Password Escrow iCloud Keychain

    Backup iCloud Keychain Sync No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code (default)
  74. CONCLUSIONS

  75. CONCLUSIONS • Trust your vendor but verify his claims •

    Never use simple iCloud Security Code • Overall, iCloud Keychain is reasonably well engineered
  76. Q & A

  77. THANK YOU! abelenko@viaforensics.com @abelenko