The present document can't read!
Please download to view
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
...

iCloud keychain

by alexey-troshichev

on

Report

Category:

Internet

Download: 0

Comment: 0

135,000

views

Comments

Description

IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ

http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html
Download iCloud keychain

Transcript

  • 1. iCloud KeychainandiOS 7 Data ProtectionAndrey BelenkoSr. Security Engineer @ viaForensics!Alexey [email protected] founder
  • 2. What is iCloud?
  • 3. What’s inside?• Documents• Photos• Backups (SMS, application data, etc)• Keychain
  • 4. Hacker’s view
  • 5. Bruteforce protection?
  • 6. Bruteforce protection?
  • 7. Bruteforce protection?
  • 8. Find My iPhone
  • 9. Brought to you [email protected]
  • 10. iCloud KeychainImage: Apple Inc.
  • 11. Motivationhttp://support.apple.com/kb/HT4865
  • 12. Intercepting SSLSSL Proxy(Burp, Charles, …)Root CA certProxy settings
  • 13. AuthenticationGET /authenticateAppleID, PasswordDsID, mmeAuthToken, fmipAuthTokenicloud.com
  • 14. /getAccountSettings
  • 15. /getAccountSettings
  • 16. Setup Options
  • 17. The Big Picture*.keyvalueservice.icloud.com*.escrowproxy.icloud.comKeychain items (encrypted)Keybag (encrypted)Some Secret
  • 18. Key-Value Store• Not new• Used extensively by many apps e.g. to keep preferencesin sync across devices• iCloud Keychain utilises two stores:• com.apple.security.cloudkeychainproxy3• Syncing between devices• com.apple.sbd3 (securebackupd3)• Copy to restore if no other devices
  • 19. Escrow Proxy• New; Designed to store precious secrets• Need to know iCSC to recover escrowed data• Need to receive SMS challenge• Must successfully complete SRP auth• User-Agent: com.apple.lakitu (iOS/OS X)Image: mariowiki.com
  • 20. Key-Value Storecom.apple.security.cloudkeychainproxy3S(usrPwd, D2_pub)S(D2_priv, (D1_pub, D2_pub))S(D1_priv, D1_pub)S(userPwd, D1_pub)S(D1_priv, (D1_pub, D2_pub))S(userPwd, (D1_pub, D2_pub))
  • 21. Key-Value Storecom.apple.sbd3Key Descriptioncom.apple.securebackup.enabled Is Keychain data saved in KVS?com.apple.securebackup.record Keychain records, encryptedSecureBackupMetadata iCSC complexity, timestamp, countryBackupKeybag Keybag protecting Keychain recordsBackupUsesEscrow Is keybag password escrowed?BackupVersion Version, currently @“1”BackupUUID UUID of the backup
  • 22. 4-digit iCSC [Default]
  • 23. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
  • 24. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bit
  • 25. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394
  • 26. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 27. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 28. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 29. Secure Remote Password• Zero-knowledge password proof scheme• Combats sniffing/MITM• One password guess per connection attempt• Password verifier is not sufficient for impersonation• Escrow Proxy uses SRP-6a
  • 30. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, ASALT, BMH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – one-way hash functionN, g – group parametersk ← H(N, g)
  • 31. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, A, SMS CODESALT, BM, SMS CODEH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – SHA-256N, g – RFC 5054 w. 2048-bit groupk ← H(N, g)
  • 32. Escrowed Data Recovery*Display purposes only
  • 33. Escrowed Data Recovery/get_recordsList of escrowed records*Display purposes only
  • 34. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers**Display purposes only
  • 35. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK*Display purposes only
  • 36. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]*Display purposes only
  • 37. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]/recover [UUID, DsID, M, SMS CODE][IV, AES-CBC(KSRP, Escrowed Record)]*Display purposes only
  • 38. Escrow Proxy EndpointsEndpoint Descriptionget_club_cert [?] Obtain certificateenroll Submit escrow recordget_records List escrowed recordsget_sms_targets List SMS numbers for escrowed recordsgenerate_sms_challenge Generate and send challenge codesrp_init First step of SRP protocolrecover Second step of SRP protocolalter_sms_target Change SMS number
  • 39. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com
  • 40. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 41. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 42. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple
  • 43. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default
  • 44. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default
  • 45. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by defaultCan you spot the problem yet?
  • 46. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)• Offline iCSC guessing is possible• Almost instant recovery [for default settings]• iCSC decrypts keybag password• Keybag password unlocks keybag keys• Keybag keys decrypt Keychain items
  • 47. Apple, or other adversary withaccess to stored data, can near-instantlydecrypt “master”password and read synced iCloudKeychain records!(for default settings)
  • 48. Setup Options
  • 49. Complex iCSCcorrect horse battery staple PBKDF2Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbiCloud Security CodeRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bitBackup KeybagKey 1Key 2Key 3*.escrowproxy.icloud.comAES-Wrap KeysRFC 3394AES-GCM256 bit*.keyvalueservice.icloud.com
  • 50. Complex iCSC• Mechanics are the same as with simple iCSC• Offline password recovery attack is still possible,although pointless if password is complex enough
  • 51. Setup Options
  • 52. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC
  • 53. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC
  • 54. Random iCSCRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com
  • 55. Random iCSC• Escrow Proxy is not used• Random iCSC (or derived key) stored on the device[haven’t verified]
  • 56. Setup OptionsiCloudKeychainKeychainSyncKeychainBackupMasterPasswordEscrowNo iCloud Security CodeRandom iCloud Security CodeComplex iCloud Security CodeSimple iCloud Security Code
  • 57. ConclusionsImage: Apple Inc.
  • 58. Conclusions• Trust your vendor but verify his claims• Never ever use simple iCloud Security Code• Do not think that SMS Apple sends you is a 2FA• Yet, iCK is reasonably well engineered although notwithout shortcomings
  • 59. Thank You!Questions are welcome :-)[email protected] @hackappcom
  • Fly UP