iCloud Keychain

and
iOS 7 Data Protection
Andrey Belenko
Sr. Security Engineer @ viaForensics

Alexey Troshichev
@hackappcom founder

What is iCloud?

Whats inside?

Documents

Photos

Backups (SMS, application data, etc)

Keychain

Hackers view

Bruteforce protection?

Bruteforce protection?

Bruteforce protection?

Find My iPhone

Brought to you by
hackapp.com
!

github.com/hackappcom/ibrute
@hackappcom

iCloud Keychain
Image: Apple Inc.

Motivation

http://support.apple.com/kb/HT4865

Intercepting SSL
Root CA cert
Proxy settings

SSL Proxy
(Burp, Charles, )

Authentication
GET /authenticate
AppleID, Password
DsID, mmeAuthToken, fmipAuthToken

icloud.com

/getAccountSettings

/getAccountSettings

Setup Options

The Big Picture

Keychain items (encrypted)
Keybag (encrypted)

*.keyvalueservice.icloud.com

Some Secret
*.escrowproxy.icloud.com

Key-Value Store

Not new

Used extensively by many apps e.g. to keep preferences

in sync across devices

iCloud Keychain utilises two stores:

com.apple.security.cloudkeychainproxy3
Syncing between devices

com.apple.sbd3 (securebackupd3)
Copy to restore if no other devices

Escrow Proxy

New; Designed to store precious secrets

Need to know iCSC to recover escrowed data

Need to receive SMS challenge

Must successfully complete SRP auth

User-Agent: com.apple.lakitu (iOS/OS X)

Image: mariowiki.com

Key-Value Store
com.apple.security.cloudkeychainproxy3

S(D1_priv, D1_pub)
S(userPwd, D1_pub)

S(usrPwd, D2_pub)

S(D1_priv, (D1_pub, D2_pub))

S(userPwd, (D1_pub, D2_pub))

S(D2_priv, (D1_pub, D2_pub))

Key-Value Store
com.apple.sbd3
Key

Description

com.apple.securebackup.enabled

Is Keychain data saved in KVS?

com.apple.securebackup.record

Keychain records, encrypted

SecureBackupMetadata

iCSC complexity, timestamp, country

BackupKeybag

Keybag protecting Keychain records

BackupUsesEscrow

Is keybag password escrowed?

BackupVersion

Version, currently @1

BackupUUID

UUID of the backup

4-digit iCSC [Default]

4-digit iCSC [Default]

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

4-digit iCSC [Default]

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

Backup Keybag

Keychain Passwords

Key 1

yMa9ohCJ

Key 2
Key 3

AES-GCM
256 bit

tzzcVhE7
sDVoCnb

4-digit iCSC [Default]

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

4-digit iCSC [Default]

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

4-digit iCSC [Default]

iCloud Security Code
1234

PBKDF2
SHA-256 x 10000

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

4-digit iCSC [Default]

iCloud Security Code
1234

PBKDF2
SHA-256 x 10000

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-CBC
256 bit
*.escrowproxy.icloud.com

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

Secure Remote Password

Zero-knowledge password proof scheme

Combats sniffing/MITM

One password guess per connection attempt

Password verifier is not sufficient for impersonation

Escrow Proxy uses SRP-6a

Agreed-upon parameters:

Password verifier:

H one-way hash function

N, g group parameters
k H(N, g)

SALT random
x H(SALT,Password)
v g^x

Key Negotiation
a random, A g^a

ID, A
SALT, B

b random, B kv + g^b

u H(A, B)

u H(A, B)

x H(SALT, Password)
S (B - kg^x) ^ (a + ux)
K H(S)

S (Av^u) ^ b
K H(S)

Key Verification
M H(H(N) H(g), H(ID), SALT, A, B, K)
M
H(A, M, K)

(Aborts if M is invalid)

Agreed-upon parameters:

Password verifier:

H SHA-256
N, g RFC 5054 w. 2048-bit group
k H(N, g)

SALT random
x H(SALT,Password)
v g^x

Key Negotiation
a random, A g^a

ID, A, SMS CODE

SALT, B

b random, B kv + g^b

u H(A, B)

u H(A, B)

x H(SALT, Password)
S (B - kg^x) ^ (a + ux)
K H(S)

S (Av^u) ^ b
K H(S)

Key Verification
M H(H(N) H(g), H(ID), SALT, A, B, K)
M, SMS CODE
H(A, M, K)

(Aborts if M is invalid)

*Display purposes only

Escrowed Data Recovery

Escrowed Data Recovery

/get_records

*Display purposes only

List of escrowed records

Escrowed Data Recovery

/get_records
List of escrowed records
/get_sms_targets

*Display purposes only

List of phone numbers*

Escrowed Data Recovery

/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge

*Display purposes only

OK

Escrowed Data Recovery

/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge

/srp_init [DsID, A, SMS CODE]

[UUID, DsID, SALT, B]

*Display purposes only

OK

Escrowed Data Recovery

/get_records
List of escrowed records
/get_sms_targets
List of phone numbers*
/generate_sms_challenge

/srp_init [DsID, A, SMS CODE]

[UUID, DsID, SALT, B]
/recover [UUID, DsID, M, SMS CODE]
[IV, AES-CBC(KSRP, Escrowed Record)]

*Display purposes only

OK

Escrow Proxy Endpoints

Endpoint

Description

get_club_cert

[?] Obtain certificate

enroll

Submit escrow record

get_records

List escrowed records

get_sms_targets

List SMS numbers for escrowed records

generate_sms_challenge

Generate and send challenge code

srp_init

First step of SRP protocol

recover

Second step of SRP protocol

alter_sms_target

Change SMS number

Escrow Record
iCloud Security Code
1234

PBKDF2
SHA-256 x 10000

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-CBC
256 bit
*.escrowproxy.icloud.com

AES-Wrap Keys
RFC 3394

*.keyvalueservice.icloud.com
Keychain Passwords

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

yMa9ohCJ
tzzcVhE7
sDVoCnb

Escrow Record
iCloud Security Code
1234

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

PBKDF2
SHA-256 x 10000

AES-CBC
256 bit
*.escrowproxy.icloud.com

Key PBKDF2-SHA256(iCSC, 10000)

EscrowRecord AES-CBC(Key, RandomPassword)

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)
EscrowRecord AES-CBC(Key, RandomPassword)

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)
EscrowRecord AES-CBC(Key, RandomPassword)

This is stored by Apple

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)
EscrowRecord AES-CBC(Key, RandomPassword)

This is stored by Apple

iCSC is 4 digits by default

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)
EscrowRecord AES-CBC(Key, RandomPassword)

This is stored by Apple

iCSC is 4 digits by default

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)
EscrowRecord AES-CBC(Key, RandomPassword)

This is stored by Apple

iCSC is 4 digits by default

Can you spot the problem yet?

Escrow Record
Key PBKDF2-SHA256(iCSC, 10000)

Offline iCSC guessing is possible

Almost instant recovery [for default settings]

iCSC decrypts keybag password

Keybag password unlocks keybag keys

Keybag keys decrypt Keychain items

Apple, or other adversary with

access to stored data, can nearinstantly decrypt master
password and read synced iCloud
Keychain records
!

(for default settings)

Setup Options

Complex iCSC
iCloud Security Code
correct horse battery staple

PBKDF2
SHA-256 x 10000

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-CBC
256 bit
*.escrowproxy.icloud.com

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

Complex iCSC

Mechanics are the same as with simple iCSC

Offline password recovery attack is still possible,

although pointless if password is complex enough

Setup Options

Random iCSC
iCloud Security Code
correct horse battery staple

PBKDF2
SHA-256 x 10000

Random Password

AES-CBC
256 bit

BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

*.escrowproxy.icloud.com
AES-Wrap Keys
RFC 3394

*.keyvalueservice.icloud.com
Keychain Passwords

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

yMa9ohCJ
tzzcVhE7
sDVoCnb

Random iCSC
iCloud Security Code
correct horse battery staple

PBKDF2
SHA-256 x 10000

Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-CBC
256 bit
*.escrowproxy.icloud.com

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

Random iCSC
Random Password
BL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4

AES-Wrap Keys
RFC 3394

Backup Keybag
Key 1
Key 2
Key 3

AES-GCM
256 bit

*.keyvalueservice.icloud.com
Keychain Passwords
yMa9ohCJ
tzzcVhE7
sDVoCnb

Random iCSC

Escrow Proxy is not used

Random iCSC (or derived key) stored on the device

[havent verified]

Setup Options
iCloud
Keychain

Keychain
Backup

Keychain
Sync

Master
Password
Escrow
No iCloud Security Code
Random iCloud Security Code
Complex iCloud Security Code
Simple iCloud Security Code

Conclusions

Image: Apple Inc.

Conclusions

Trust your vendor but verify his claims

Never ever use simple iCloud Security Code

Do not think that SMS Apple sends you is a 2FA

Yet, iCK is reasonably well engineered although not

without shortcomings

Thank You!
Questions are welcome :-)
!
!

@abelenko

@hackappcom