iCloud keychain

Internet

alexey-troshichev
of 61
Description
IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ

http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html
Text
  • 1. iCloud KeychainandiOS 7 Data ProtectionAndrey BelenkoSr. Security Engineer @ viaForensics!Alexey Troshichev@hackappcom founder
  • 2. What is iCloud?
  • 3. What’s inside?• Documents• Photos• Backups (SMS, application data, etc)• Keychain
  • 4. Hacker’s view
  • 5. Bruteforce protection?
  • 6. Bruteforce protection?
  • 7. Bruteforce protection?
  • 8. Find My iPhone
  • 9. Brought to you byhackapp.com!github.com/hackappcom/ibrute@hackappcom
  • 10. iCloud KeychainImage: Apple Inc.
  • 11. Motivationhttp://support.apple.com/kb/HT4865
  • 12. Intercepting SSLSSL Proxy(Burp, Charles, …)Root CA certProxy settings
  • 13. AuthenticationGET /authenticateAppleID, PasswordDsID, mmeAuthToken, fmipAuthTokenicloud.com
  • 14. /getAccountSettings
  • 15. /getAccountSettings
  • 16. Setup Options
  • 17. The Big Picture*.keyvalueservice.icloud.com*.escrowproxy.icloud.comKeychain items (encrypted)Keybag (encrypted)Some Secret
  • 18. Key-Value Store• Not new• Used extensively by many apps e.g. to keep preferencesin sync across devices• iCloud Keychain utilises two stores:• com.apple.security.cloudkeychainproxy3• Syncing between devices• com.apple.sbd3 (securebackupd3)• Copy to restore if no other devices
  • 19. Escrow Proxy• New; Designed to store precious secrets• Need to know iCSC to recover escrowed data• Need to receive SMS challenge• Must successfully complete SRP auth• User-Agent: com.apple.lakitu (iOS/OS X)Image: mariowiki.com
  • 20. Key-Value Storecom.apple.security.cloudkeychainproxy3S(usrPwd, D2_pub)S(D2_priv, (D1_pub, D2_pub))S(D1_priv, D1_pub)S(userPwd, D1_pub)S(D1_priv, (D1_pub, D2_pub))S(userPwd, (D1_pub, D2_pub))
  • 21. Key-Value Storecom.apple.sbd3Key Descriptioncom.apple.securebackup.enabled Is Keychain data saved in KVS?com.apple.securebackup.record Keychain records, encryptedSecureBackupMetadata iCSC complexity, timestamp, countryBackupKeybag Keybag protecting Keychain recordsBackupUsesEscrow Is keybag password escrowed?BackupVersion Version, currently @“1”BackupUUID UUID of the backup
  • 22. 4-digit iCSC [Default]
  • 23. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4
  • 24. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bit
  • 25. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394
  • 26. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 27. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 28. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com
  • 29. Secure Remote Password• Zero-knowledge password proof scheme• Combats sniffing/MITM• One password guess per connection attempt• Password verifier is not sufficient for impersonation• Escrow Proxy uses SRP-6a
  • 30. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, ASALT, BMH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – one-way hash functionN, g – group parametersk ← H(N, g)
  • 31. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, A, SMS CODESALT, BM, SMS CODEH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – SHA-256N, g – RFC 5054 w. 2048-bit groupk ← H(N, g)
  • 32. Escrowed Data Recovery*Display purposes only
  • 33. Escrowed Data Recovery/get_recordsList of escrowed records*Display purposes only
  • 34. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers**Display purposes only
  • 35. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK*Display purposes only
  • 36. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]*Display purposes only
  • 37. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]/recover [UUID, DsID, M, SMS CODE][IV, AES-CBC(KSRP, Escrowed Record)]*Display purposes only
  • 38. Escrow Proxy EndpointsEndpoint Descriptionget_club_cert [?] Obtain certificateenroll Submit escrow recordget_records List escrowed recordsget_sms_targets List SMS numbers for escrowed recordsgenerate_sms_challenge Generate and send challenge codesrp_init First step of SRP protocolrecover Second step of SRP protocolalter_sms_target Change SMS number
  • 39. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com
  • 40. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 41. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)
  • 42. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple
  • 43. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default
  • 44. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default
  • 45. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by defaultCan you spot the problem yet?
  • 46. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)• Offline iCSC guessing is possible• Almost instant recovery [for default settings]• iCSC decrypts keybag password• Keybag password unlocks keybag keys• Keybag keys decrypt Keychain items
  • 47. Apple, or other adversary withaccess to stored data, can near-instantlydecrypt “master”password and read synced iCloudKeychain records!(for default settings)
  • 48. Setup Options
  • 49. Complex iCSCcorrect horse battery staple PBKDF2Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbiCloud Security CodeRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bitBackup KeybagKey 1Key 2Key 3*.escrowproxy.icloud.comAES-Wrap KeysRFC 3394AES-GCM256 bit*.keyvalueservice.icloud.com
  • 50. Complex iCSC• Mechanics are the same as with simple iCSC• Offline password recovery attack is still possible,although pointless if password is complex enough
  • 51. Setup Options
  • 52. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC
  • 53. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC
  • 54. Random iCSCRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com
  • 55. Random iCSC• Escrow Proxy is not used• Random iCSC (or derived key) stored on the device[haven’t verified]
  • 56. Setup OptionsiCloudKeychainKeychainSyncKeychainBackupMasterPasswordEscrowNo iCloud Security CodeRandom iCloud Security CodeComplex iCloud Security CodeSimple iCloud Security Code
  • 57. ConclusionsImage: Apple Inc.
  • 58. Conclusions• Trust your vendor but verify his claims• Never ever use simple iCloud Security Code• Do not think that SMS Apple sends you is a 2FA• Yet, iCK is reasonably well engineered although notwithout shortcomings
  • 59. Thank You!Questions are welcome :-)!!@abelenko @hackappcom
  • Comments
    Top