I've been searching for where the keychain stores its data, whether in the Secure Enclave or anywhere else. I found many articles (one of them this Stack Overflow answer) which say the following, but I'm looking for something authenticated, like an Apple statement:
The keychain stores the keys (and other small data) encrypted and restricts access to that data. Additionally in recent iPhones (5S and later) the keychain is in a separate processor, the Secure Enclave which additionally restricts access. There is no more secure way to store keys in iOS.
So my queries are based on the above statement.
Why do we use kSecAttrTokenIDSecureEnclave while creating the key pair? (Example code follows.)
#import <Security/Security.h>

// Helper macro the snippet relies on: a mutable CF dictionary with the standard key/value callbacks.
#define newCFDict CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)
// Label under which the private key is stored (value assumed; the original did not show it).
#define kPrivateKeyName CFSTR("com.example.secureenclave.privatekey")

-(bool) generateKeyPairWithAccessControlObject:(SecAccessControlRef)accessControlRef
{
    SecKeyRef publicKeyRef = NULL;
    SecKeyRef privateKeyRef = NULL;

    // private-key attributes: access control, persist in the keychain, label used to find it later
    CFMutableDictionaryRef accessControlDict = newCFDict;
    CFDictionaryAddValue(accessControlDict, kSecAttrAccessControl, accessControlRef);
    CFDictionaryAddValue(accessControlDict, kSecAttrIsPermanent, kCFBooleanTrue);
    CFDictionaryAddValue(accessControlDict, kSecAttrLabel, kPrivateKeyName);
    // create dict which actually saves key into keychain
    CFMutableDictionaryRef generatePairRef = newCFDict;
    // kSecAttrTokenIDSecureEnclave asks for the pair to be generated on the Secure Enclave (256-bit EC only)
    CFDictionaryAddValue(generatePairRef, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);
    CFDictionaryAddValue(generatePairRef, kSecAttrKeyType, kSecAttrKeyTypeEC);
    CFDictionaryAddValue(generatePairRef, kSecAttrKeySizeInBits, (__bridge const void *)([NSNumber numberWithInt:256]));
    CFDictionaryAddValue(generatePairRef, kSecPrivateKeyAttrs, accessControlDict);

    OSStatus status = SecKeyGeneratePair(generatePairRef, &publicKeyRef, &privateKeyRef);
    CFRelease(accessControlDict);
    CFRelease(generatePairRef);
    if (status != errSecSuccess)
        return NO;
    [self savePublicKeyFromRef:publicKeyRef];   // class method not shown in the question
    CFRelease(publicKeyRef);
    CFRelease(privateKeyRef);
    return YES;
}
Looking for an authenticated answer. Cheers
The metadata key is protected by the Secure Enclave but is cached in the Application Processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave. The keychain is implemented as a SQLite database, stored on the file system.
A secure enclave provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security.
The Secure Enclave is a dedicated secure subsystem integrated into Apple systems on chip (SoCs). The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.
Everything stored in iCloud Keychain is secure—it's protected by industry-standard encryption. Your iCloud Keychain can't be set up on another Mac or iOS or iPadOS device unless you approve it.
Take a look at Apple's iOS security whitepaper; it describes exactly what the Secure Enclave and Keychain are.
A Secure Enclave is a coprocessor fabricated within the system on chip (SoC). It uses encrypted memory and includes a hardware random number generator. As for the Keychain, the iOS Keychain provides a secure way to store these items (passwords and other short but sensitive bits of data). [...] The Keychain is implemented as a SQLite database stored on the file system.
Keychain is a piece of software that stores encrypted data (such as passwords) in a SQLite database. The key that encrypts this data is inside the Secure Enclave - it never leaves the SE, as per this paragraph:
Keychain items are encrypted using two different AES-256-GCM keys, a table key (metadata) and per-row key (secret-key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed search while the secret value (kSecValueData) is encrypted with the secret-key. The metadata key is protected by Secure Enclave processor, but cached in the application processor to allow fast queries of the keychain. The secret key always requires a round-trip through the Secure Enclave processor.
To answer your question: are keychain items stored inside the Secure Enclave? No, they are stored inside a SQLite database on disk, but the encryption key needed to decrypt this data is inside the Secure Enclave. As for kSecAttrTokenIDSecureEnclave, that appears to be a flag that indicates that the key should be generated inside the Secure Element.
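As an added example (not code from the question or the answers above), here is the same key generation with the current SecKeyCreateRandomKey API, plus two checks that make the answer concrete: an enclave-backed private key reports kSecAttrTokenIDSecureEnclave in its attributes and cannot be exported, yet it can still sign. The label string is a placeholder, and the code only succeeds on a device that has a Secure Enclave (not the Simulator).

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Creates a P-256 key pair whose private half is generated inside the Secure Enclave; NULL (with *error set) on failure.
static SecKeyRef CreateSecureEnclaveKey(NSString *label, CFErrorRef *error)
{
    // Private key usable only while the device is unlocked, and never migrated to another device.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAccessControlPrivateKeyUsage, error);
    if (!access) return NULL;
    NSDictionary *attrs = @{
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,                        // the only size the enclave supports
        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,  // the flag asked about in the question
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent: @YES,                      // keep a keychain entry referencing it
            (id)kSecAttrLabel: label,                           // placeholder label chosen by the caller
            (id)kSecAttrAccessControl: (__bridge id)access,
        },
    };
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attrs, error);
    CFRelease(access);
    return privateKey;
}

// YES if the key reports the Secure Enclave token and its raw bytes cannot be exported.
static BOOL IsSecureEnclaveResident(SecKeyRef privateKey)
{
    NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes(privateKey));
    BOOL tokenIsSE = [attrs[(id)kSecAttrTokenID] isEqual:(id)kSecAttrTokenIDSecureEnclave];
    // An enclave-backed private key has no external representation, so this call must fail.
    CFErrorRef exportError = NULL;
    CFDataRef raw = SecKeyCopyExternalRepresentation(privateKey, &exportError);
    if (raw) CFRelease(raw);  if (exportError) CFRelease(exportError);
    return tokenIsSE && raw == NULL;
}

// Signs with the enclave key (only the reference is passed; the enclave does the ECDSA work) and verifies with the public half.
static BOOL SignAndVerify(SecKeyRef privateKey, NSData *message)
{
    CFErrorRef err = NULL;
    SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
    NSData *sig = CFBridgingRelease(SecKeyCreateSignature(privateKey, alg, (__bridge CFDataRef)message, &err));
    if (!sig) { if (err) CFRelease(err); return NO; }
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    BOOL ok = SecKeyVerifySignature(publicKey, alg, (__bridge CFDataRef)message, (__bridge CFDataRef)sig, &err);
    if (err) CFRelease(err);
    CFRelease(publicKey);
    return ok;
}
```

Call CreateSecureEnclaveKey(@"com.example.sekey", &error) once, then IsSecureEnclaveResident and SignAndVerify on the returned key; the public key can be exported with SecKeyCopyExternalRepresentation as usual, only the private half is locked to the enclave.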