What is difference between Keychain and Secure Enclave

Question

I've been in searching where keychain stores either secure enclave or any other, I found many articles (one of this stackoverflow answer) which says following but I'm looking for some Authenticated like Apple statement

The keychain stores the keys (and other small data) encrypted and restricts access to that data. Additionally in recent iPhones (5S and later) the keychain is in a separate processor, the Secure Enclave which additionally restricts access. There is no more secure way to store keys in iOS.

So my queries on the basis of above statement.

• Is Keychain Items store in secure Enclave
• If yes then where Public key and Private key CFTypeRef Store

• Why we use this kSecAttrTokenIDSecureEnclave while creating key pair. (example following code).

  -(bool) generateKeyPairWithAccessControlObject:(SecAccessControlRef)accessControlRef
  {
        CFMutableDictionaryRef accessControlDict = newCFDict;;
        CFDictionaryAddValue(accessControlDict, kSecAttrAccessControl, accessControlRef);
        CFDictionaryAddValue(accessControlDict, kSecAttrIsPermanent, kCFBooleanTrue);
        CFDictionaryAddValue(accessControlDict, kSecAttrLabel, kPrivateKeyName);
  
        // create dict which actually saves key into keychain
        CFMutableDictionaryRef generatePairRef = newCFDict;
        CFDictionaryAddValue(generatePairRef, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);
        CFDictionaryAddValue(generatePairRef, kSecAttrKeyType, kSecAttrKeyTypeEC);
        CFDictionaryAddValue(generatePairRef, kSecAttrKeySizeInBits, (__bridge const void *)([NSNumber numberWithInt:256]));
        CFDictionaryAddValue(generatePairRef, kSecPrivateKeyAttrs, accessControlDict);
  
        OSStatus status = SecKeyGeneratePair(generatePairRef, &publicKeyRef, &privateKeyRef);
  
        if (status != errSecSuccess)
            return NO;
  
        [self savePublicKeyFromRef:publicKeyRef];
        return YES;
  }
  

Looking for authenticated answer. Cheers

Answer 1

Take a look at Apple's iOS security whitepaper, it describes what Secure Enclave and Keychain are exactly.

A Secure Enclave is a coprocessor fabricated within the system on chip (SoC). It uses encrypted memory and includes a hardware random number generator. As for the Keychain, the iOS Keychain provides a secure way to store these (passwords and other short but sensitive bits of data) items. [...] The Keychain is implemented as a SQLite database stored on the file system..

Keychain is a piece of software that stores encrypted data (such as passwords) in a SQLite database. The key that encrypts this data is inside the Secure Enclave - it never leaves the SE, as per this paragraph

Keychain items are encrypted using two different AES-256-GCM keys, a table key (metadata) and per-row key (secret-key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed search while the secret value (kSecValueData) is encrypted with the secret-key. The metadata key is protected by Secure Enclave processor, but cached in the application processor to allow fast queries of the keychain. The secret key always requires a round-trip through the Secure Enclave processor.

To answer your question: are keychain items stored inside Secure Enclave, no, they are stored inside a SQLite database on disk, but the encryption key needed to decrypt this data is inside the Secure Enclave. As for kSecAttrTokenIDSecureEnclave that apperas to be a flag that indicates that the key should be generated inside the Secure Element.