What is difference between Keychain and Secure Enclave

I've been searching for where the keychain stores its items, whether in the Secure Enclave or somewhere else. I found many articles (one of them this Stack Overflow answer) which say the following, but I'm looking for something authenticated, like an Apple statement.

The keychain stores the keys (and other small data) encrypted and restricts access to that data. Additionally in recent iPhones (5S and later) the keychain is in a separate processor, the Secure Enclave which additionally restricts access. There is no more secure way to store keys in iOS.

So my queries, on the basis of the above statement:

  • Are keychain items stored in the Secure Enclave?
  • If yes, then where are the public key and private key CFTypeRefs stored?
  • Why do we use kSecAttrTokenIDSecureEnclave while creating a key pair? (Example code follows.)

    // Assumptions to make this compile: newCFDict expands to
    // CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks),
    // kPrivateKeyName is a CFStringRef label, and publicKeyRef / privateKeyRef
    // are SecKeyRef instance variables (savePublicKeyFromRef: uses the former).
    -(bool) generateKeyPairWithAccessControlObject:(SecAccessControlRef)accessControlRef
    {
          // Attributes that apply to the private key only
          CFMutableDictionaryRef accessControlDict = newCFDict;
          CFDictionaryAddValue(accessControlDict, kSecAttrAccessControl, accessControlRef);
          CFDictionaryAddValue(accessControlDict, kSecAttrIsPermanent, kCFBooleanTrue);
          CFDictionaryAddValue(accessControlDict, kSecAttrLabel, kPrivateKeyName);

          // create dict which actually saves key into keychain
          CFMutableDictionaryRef generatePairRef = newCFDict;
          // Ask for the private key to be generated and held inside the Secure Enclave
          CFDictionaryAddValue(generatePairRef, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);
          CFDictionaryAddValue(generatePairRef, kSecAttrKeyType, kSecAttrKeyTypeEC);
          CFDictionaryAddValue(generatePairRef, kSecAttrKeySizeInBits, (__bridge const void *)([NSNumber numberWithInt:256]));
          CFDictionaryAddValue(generatePairRef, kSecPrivateKeyAttrs, accessControlDict);

          OSStatus status = SecKeyGeneratePair(generatePairRef, &publicKeyRef, &privateKeyRef);

          // The parameter dictionaries are no longer needed once the call returns
          CFRelease(accessControlDict);
          CFRelease(generatePairRef);

          if (status != errSecSuccess)
              return NO;

          [self savePublicKeyFromRef:publicKeyRef];
          return YES;
    }
    

Looking for an authenticated answer. Cheers

Aleem asked Dec 08 '16 12:12


1 Answer

Take a look at Apple's iOS Security whitepaper; it describes exactly what the Secure Enclave and the Keychain are.

A Secure Enclave is a coprocessor fabricated within the system on chip (SoC). It uses encrypted memory and includes a hardware random number generator. As for the Keychain, the iOS Keychain provides a secure way to store these (passwords and other short but sensitive bits of data) items. [...] The Keychain is implemented as a SQLite database stored on the file system.

Keychain is a piece of software that stores encrypted data (such as passwords) in a SQLite database. The key that encrypts this data is inside the Secure Enclave - it never leaves the SE, as per this paragraph:

Keychain items are encrypted using two different AES-256-GCM keys, a table key (metadata) and per-row key (secret-key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed search while the secret value (kSecValueData) is encrypted with the secret-key. The metadata key is protected by Secure Enclave processor, but cached in the application processor to allow fast queries of the keychain. The secret key always requires a round-trip through the Secure Enclave processor.

To answer your question: are keychain items stored inside the Secure Enclave? No, they are stored inside a SQLite database on disk, but the encryption key needed to decrypt this data is inside the Secure Enclave. As for kSecAttrTokenIDSecureEnclave, that appears to be a flag that indicates that the key should be generated inside the Secure Element.

aleks224 answered Nov 15 '22 17:11
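An added example (not code from the question or the answer above) that does what the answer describes: it generates the private key inside the Secure Enclave via kSecAttrTokenIDSecureEnclave, keeps only a keychain reference to it, and then shows that the public half can be exported while the private half cannot. It assumes an iOS or macOS app target running on hardware with a Secure Enclave and a device passcode set; the application tag string is constructed.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Generate a P-256 key pair whose private half is created and kept inside the
// Secure Enclave. The keychain stores only a reference to it (kSecAttrIsPermanent).
static SecKeyRef CreateSecureEnclaveKey(NSData *tag, CFErrorRef *error) {
    // Private key usable only while unlocked, never migrated off this device,
    // and only after the user authenticates (biometry or passcode).
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage | kSecAccessControlUserPresence, error);
    if (!access) return NULL;
    NSDictionary *attrs = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave, // generate in the SE
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent:    @YES,                // keep a keychain reference
            (id)kSecAttrApplicationTag: tag,                 // handle for later lookup
            (id)kSecAttrAccessControl:  (__bridge id)access,
        },
    };
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attrs, error);
    CFRelease(access);
    return privateKey;
}

int main(void) {
    @autoreleasepool {
        // Constructed tag; use a reverse-DNS name unique to your app.
        NSData *tag = [@"com.example.sekey" dataUsingEncoding:NSUTF8StringEncoding];
        CFErrorRef error = NULL;
        SecKeyRef priv = CreateSecureEnclaveKey(tag, &error);
        if (!priv) { NSLog(@"key generation failed: %@", (__bridge NSError *)error); return 1; }
        // The public half is ordinary data and can be exported (X9.63 encoding).
        SecKeyRef pub = SecKeyCopyPublicKey(priv);
        NSData *pubBytes = CFBridgingRelease(SecKeyCopyExternalRepresentation(pub, &error));
        // The private half cannot be exported: the Secure Enclave never releases it.
        NSData *privBytes = CFBridgingRelease(SecKeyCopyExternalRepresentation(priv, &error));
        NSLog(@"public key: %lu bytes, private key exportable: %@",
              (unsigned long)pubBytes.length, privBytes ? @"yes" : @"no (expected)");
        // Signing runs inside the enclave; the app only ever receives the signature.
        NSData *msg = [@"hello" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *sig = CFBridgingRelease(SecKeyCreateSignature(
            priv, kSecKeyAlgorithmECDSASignatureMessageX962SHA256, (__bridge CFDataRef)msg, &error));
        NSLog(@"signature: %lu bytes", (unsigned long)sig.length);
        CFRelease(pub); CFRelease(priv);
    }
    return 0;
}
```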