Upgrade to Pro — share decks privately, control downloads, hide ads and more …

On the Security of the iCloud Keychain

Andrey Belenko
November 06, 2014
Technology
4
2.6k

On the Security of the iCloud Keychain

iCloud Keychain, one of the latest additions to the family of iCloud services that was pitched by Apple. It is no doubt great for usability, but what about security? What kind of access does Apple have to your passwords stored in the iCloud? It haven’t received much research attention to the date and this talk aims to fill the gap.

Andrey Belenko

November 06, 2014
Tweet

More Decks by Andrey Belenko

See All by Andrey Belenko
Типичные Проблемы Безопасности в Приложениях для iOS
belenko
1
240
iCloud Keychain and iOS 7 Data Protection
belenko
0
620
Dark and Bright Sides of the iCloud (In)Security
belenko
1
300
Evolution of iOS Data Protection and iPhone Forensics: 
from iPhone OS to iOS 5
belenko
1
100
Evolution of iOS Data Protection and iPhone Forensics: from iPhone OS to iOS 5
belenko
2
160
Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
belenko
1
84

Other Decks in Technology

See All in Technology
なぜ NOT A HOTEL が Web3 に取り組むのか - NOT A HOTEL TECH TALK
ynunokawa
0
160
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
150
ユーザーストーリーのレビューを自動化したみたの
bun913
1
320
疲弊しない!AWSセキュリティ統制の考え方 #devio_osakaday1
masahirokawahara
6
5.9k
SREとその組織類型
tatsuo48
8
1.5k
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
3
2.4k
普段有償でサポート業務をしているCSAが技術知見を無料で公開する理由
07jp27
1
640
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
Databricks における 『MLOps』
databricksjapan
2
140
ChatGPT for IT Service Management (IT Pro)
dahatake
2
150
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220
Databricks におけるデータエンジニアリング
databricksjapan
0
380

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4.4k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Atom: Resistance is Futile
akmur
258
25k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
A Tale of Four Properties
chriscoyier
150
22k
Debugging Ruby Performance
tmm1
70
11k
Design by the Numbers
sachag
274
18k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
12
1.5k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k

Transcript

  1. ON THE SECURITY OF THE ICLOUD KEYCHAIN Andrey Belenko viaForensics

  2. ICLOUD • Introduced in 2011 • iOS 5 and OS

    X 10.7 • 320M accounts (July 2013)

  3. ICLOUD

  4. ICLOUD STORAGE

  5. ICLOUD KEYCHAIN

  6. MOTIVATION http://support.apple.com/kb/HT4865

  7. ICLOUD KEYCHAIN • Introduced in 2013 • iOS 7.0.3 and

    OS X 10.9 • Two different services: • iCloud Keychain Sync • iCloud Keychain (Escrow and) Recovery

  8. INTERCEPTING COMMS iCloud.com certificate is not pinned

  9. FIRST STEPS

  10. FIRST STEPS GET /authenticate AppleID, password

  11. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password

  12. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password GET

    /get_account_settings AppleID, password

  13. FIRST STEPS DsID, mmeAuthToken, fmipAuthToken GET /authenticate AppleID, password Account

    information Account settings GET /get_account_settings AppleID, password

  14. ACCOUNT SETTINGS

  15. ACCOUNT SETTINGS

  16. ACCOUNT SETTINGS

  17. SETUP

  18. THE BIG PICTURE escrowproxy.icloud.com keyvalueservice.icloud.com

  19. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com

  20. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Keychain

    sync

  21. THE BIG PICTURE Keychain (encrypted) Keybag (encrypted) escrowproxy.icloud.com keyvalueservice.icloud.com Master

    Secret Keychain sync

  22. KEY-VALUE STORE • Not new • Many apps use it

    to keep in sync across devices • iCloud Keychain uses two stores: • com.apple.security.cloudkeychainproxy3 • Syncing between devices • com.apple.sbd3 (securebackupd3) • Restore if no other devices

  23. ICLOUD KEYCHAIN SYNC com.apple.security.cloudkeychainproxy3 Sign(usrPwd, Bpub) Sign(Bpriv, (Apub, Bpub)) Sign(Apriv,

    Apub) Sign(userPwd, Apub) Sign(Apriv, (Apub, Bpub)) Sign(userPwd, (Apub, Bpub))

  24. KEY-VALUE STORE com.apple.sbd3 Key Description com.apple.securebackup.enabled Is Keychain data saved

    in KVS? com.apple.securebackup.record Keychain records, encrypted SecureBackupMetadata iCSC complexity, timestamp, country BackupKeybag Keybag protecting Keychain records BackupUsesEscrow Is keybag password escrowed? BackupVersion Version, currently @“1” BackupUUID UUID of the backup

  25. ESCROW PROXY • New, designed to store precious secrets •

    MFA to recover escrowed data • Must be signed into iCloud • Must provide 6-digit code sent via SMS • Must prove knowledge of iCSC via SRP • Data destroyed after ~10 failed attempts • User-Agent: com.apple.lakitu (iOS/OS X)

  26. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com

  27. DATA ESCROW escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  28. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  29. DATA ESCROW Backup Keybag Key 1 Key 2 Key 3

    escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain

  30. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain

  31. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Backup Keybag Key 1 Key

    2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  32. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  33. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  34. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com

  35. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  36. DATA RECOVERY escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  37. DATA RECOVERY PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com

    keyvalueservice.icloud.com iCloud Security Code 1234

  38. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234

  39. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag

  40. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-Wrap Keys RFC 3394 Encrypted Keybag

  41. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  42. DATA RECOVERY Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 PBKDF2 SHA-256 x 10’000 AES-CBC

    256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 escrowproxy.icloud.com keyvalueservice.icloud.com iCloud Security Code 1234 AES-GCM 256 bit Encrypted Keychain AES-Wrap Keys RFC 3394 Encrypted Keybag

  43. DATA RECOVERY escrowproxy.icloud.com

  44. DATA RECOVERY /get_records List of escrowed records escrowproxy.icloud.com

  45. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers escrowproxy.icloud.com

  46. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK escrowproxy.icloud.com

  47. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] escrowproxy.icloud.com

  48. DATA RECOVERY /get_records List of escrowed records /get_sms_targets List of

    phone numbers /generate_sms_challenge OK /srp_init [DsID, A, SMS CODE] [UUID, DsID, SALT, B] /recover [UUID, DsID, M, SMS CODE] [IV, AES-CBC(KSRP , Escrowed Record)] escrowproxy.icloud.com

  49. SECURE REMOTE PASSWORD • Zero-knowledge password proof scheme • Combats

    sniffing/MITM • One password guess per connection attempt • Password verifier is not sufficient for impersonation • Escrow Proxy uses SRP-6a

  50. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A SALT, B M H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – one-way hash function N, g – group parameters k ← H(N, g)

  51. Key Negotiation a ← random A ← g^a b ←

    random B ← kv + g^b u ← H(A, B) u ← H(A, B) x ← H(SALT, Password) S ← (B - kg^x) ^ (a + ux) K ← H(S) S ← (Av^u) ^ b K ← H(S) Key Verification M ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K) (Aborts if M is invalid) ID, A, SMS CODE SALT, B M, SMS CODE H(A, M, K) Password verifier: SALT ← random x ← H(SALT,Password) v ← g^x (mod N) Agreed-upon parameters: H – SHA-256 N, g – RFC 5054 w. 2048-bit group k ← H(N, g)

  52. ESCROW PROXY COMMANDS Endpoint Description get_club_cert Obtains some certificate for

    a user enroll Escrows a record and returns phoneToken get_records Lists escrowed records get_sms_targets Lists phone numbers used for verification generate_sms_challenge Sends SMS challenge srp_init First step of SRP protocol recover Second step of SRP protocol alter_sms_target Given a phoneToken, changes phone number used for verification

  53. ALTER_SMS_TARGET • Changes phone number used for verification • Stricter

    authentication: requires AppleID password • Authentication token won’t work • Requires phoneToken returned at escrow time • iOS 8 finally exposes this in the UI

  54. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  55. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com

  56. ESCROW RECORD Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code 1234 PBKDF2

    SHA-256 x 10’000 AES-CBC 256 bit escrowproxy.icloud.com EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)

  57. ESCROW RECORD EscrowRecord ← AES-CBC(Key, RandomPassword) Key ← PBKDF2-SHA256(iCSC, 10’000)

    This is stored by Apple This is 4 digits by default For default settings access is totally feasible!

  58. ESCROW RECORD • Offline iCSC guessing is possible • Almost

    instant recovery [for default settings] • iCSC decrypts keybag password • Keybag password unlocks keybag keys • Keybag keys decrypt Keychain items

  59. Apple, or other adversary with access to stored data, can

    near-instantly decrypt “master” password and consequently decrypt backed up iCloud Keychain records (for default settings)

  60. BUT CAN APPLE ACCESS STORED DATA?

  61. HARDWARE SECURITY MODULE • Apple claims it uses HSMs for

    storing escrowed data • Impossible to verify from outside

  62. SETUP

  63. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 iCloud Security Code correct horse

    battery staple PBKDF2 SHA-256 x 10’000 AES-CBC 256 bit Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 escrowproxy.icloud.com keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  64. COMPLEX ICSC • Mechanics are the same as with simple

    iCSC • Offline password recovery attack is still possible, although pointless if password is complex enough

  65. SETUP

  66. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000 escrowproxy.icloud.com

  67. DATA ESCROW Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ tzzcVhE7 sDVoCnb

    Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 keyvalueservice.icloud.com Encrypted Keychain Encrypted Keybag

  68. RANDOM ICSC Escrow Proxy is not used

  69. SETUP

  70. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com Random Password BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 Keychain Passwords yMa9ohCJ

    tzzcVhE7 sDVoCnb Backup Keybag Key 1 Key 2 Key 3 AES-GCM 256 bit AES-Wrap Keys RFC 3394 Encrypted Keychain Encrypted Keybag AES-CBC 256 bit iCloud Security Code correct horse battery staple PBKDF2 SHA-256 x 10’000

  71. DATA ESCROW keyvalueservice.icloud.com escrowproxy.icloud.com

  72. NO ICSC Escrow Proxy is not used Keychain is not

    backed up

  73. ATTACK SURFACE iCloud Keychain Services Master Password Escrow iCloud Keychain

    Backup iCloud Keychain Sync No iCloud Security Code Random iCloud Security Code Complex iCloud Security Code Simple iCloud Security Code (default)

  74. CONCLUSIONS

  75. CONCLUSIONS • Trust your vendor but verify his claims •

    Never use simple iCloud Security Code • Overall, iCloud Keychain is reasonably well engineered

  76. Q & A

  77. THANK YOU! [email protected] @abelenko