iCloud keychain

  • CategoryInternet

  • View135001

Report
of 61
Description
IF YOU ARE CONCERNED ABOUT CLOUD SECURITY PLEASE READ http://blog.hackapp.com/2014/09/what-if-i-was-cloud.html
Transcript
  • 1. iCloud KeychainandiOS 7 Data ProtectionAndrey BelenkoSr. Security Engineer @ viaForensics!Alexey Troshichev@hackappcom founder
2. What is iCloud? 3. What’s inside?• Documents• Photos• Backups (SMS, application data, etc)• Keychain 4. Hacker’s view 5. Bruteforce protection? 6. Bruteforce protection? 7. Bruteforce protection? 8. Find My iPhone 9. Brought to you byhackapp.com!github.com/hackappcom/ibrute@hackappcom 10. iCloud KeychainImage: Apple Inc. 11. Motivationhttp://support.apple.com/kb/HT4865 12. Intercepting SSLSSL Proxy(Burp, Charles, …)Root CA certProxy settings 13. AuthenticationGET /authenticateAppleID, PasswordDsID, mmeAuthToken, fmipAuthTokenicloud.com 14. /getAccountSettings 15. /getAccountSettings 16. Setup Options 17. The Big Picture*.keyvalueservice.icloud.com*.escrowproxy.icloud.comKeychain items (encrypted)Keybag (encrypted)Some Secret 18. Key-Value Store• Not new• Used extensively by many apps e.g. to keep preferencesin sync across devices• iCloud Keychain utilises two stores:• com.apple.security.cloudkeychainproxy3• Syncing between devices• com.apple.sbd3 (securebackupd3)• Copy to restore if no other devices 19. Escrow Proxy• New; Designed to store precious secrets• Need to know iCSC to recover escrowed data• Need to receive SMS challenge• Must successfully complete SRP auth• User-Agent: com.apple.lakitu (iOS/OS X)Image: mariowiki.com 20. Key-Value Storecom.apple.security.cloudkeychainproxy3S(usrPwd, D2_pub)S(D2_priv, (D1_pub, D2_pub))S(D1_priv, D1_pub)S(userPwd, D1_pub)S(D1_priv, (D1_pub, D2_pub))S(userPwd, (D1_pub, D2_pub)) 21. Key-Value Storecom.apple.sbd3Key Descriptioncom.apple.securebackup.enabled Is Keychain data saved in KVS?com.apple.securebackup.record Keychain records, encryptedSecureBackupMetadata iCSC complexity, timestamp, countryBackupKeybag Keybag protecting Keychain recordsBackupUsesEscrow Is keybag password escrowed?BackupVersion Version, currently @“1”BackupUUID UUID of the backup 22. 4-digit iCSC [Default] 23. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4 24. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bit 25. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394 26. 4-digit iCSC [Default]Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com 27. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com 28. 4-digit iCSC [Default]iCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbBackup KeybagKey 1Key 2Key 3AES-GCM256 bitAES-Wrap KeysRFC 3394*.keyvalueservice.icloud.com 29. Secure Remote Password• Zero-knowledge password proof scheme• Combats sniffing/MITM• One password guess per connection attempt• Password verifier is not sufficient for impersonation• Escrow Proxy uses SRP-6a 30. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, ASALT, BMH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – one-way hash functionN, g – group parametersk ← H(N, g) 31. Key Negotiationa ← random, A ← g^ab ← random, B ← kv + g^bu ← H(A, B) u ← H(A, B)x ← H(SALT, Password)S ← (B - kg^x) ^ (a + ux)K ← H(S)S ← (Av^u) ^ bK ← H(S)Key VerificationM ← H(H(N) ⊕ H(g), H(ID), SALT, A, B, K)(Aborts if M is invalid)ID, A, SMS CODESALT, BM, SMS CODEH(A, M, K)Password verifier:!SALT ← randomx ← H(SALT,Password)v ← g^xAgreed-upon parameters:!H – SHA-256N, g – RFC 5054 w. 2048-bit groupk ← H(N, g) 32. Escrowed Data Recovery*Display purposes only 33. Escrowed Data Recovery/get_recordsList of escrowed records*Display purposes only 34. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers**Display purposes only 35. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK*Display purposes only 36. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]*Display purposes only 37. Escrowed Data Recovery/get_recordsList of escrowed records/get_sms_targetsList of phone numbers*/generate_sms_challengeOK/srp_init [DsID, A, SMS CODE][UUID, DsID, SALT, B]/recover [UUID, DsID, M, SMS CODE][IV, AES-CBC(KSRP, Escrowed Record)]*Display purposes only 38. Escrow Proxy EndpointsEndpoint Descriptionget_club_cert [?] Obtain certificateenroll Submit escrow recordget_records List escrowed recordsget_sms_targets List SMS numbers for escrowed recordsgenerate_sms_challenge Generate and send challenge codesrp_init First step of SRP protocolrecover Second step of SRP protocolalter_sms_target Change SMS number 39. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKeychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com 40. Escrow RecordiCloud Security Code1234 PBKDF2Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword) 41. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword) 42. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple 43. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default 44. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by default 45. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)EscrowRecord ← AES-CBC(Key, RandomPassword)• This is stored by Apple• iCSC is 4 digits by defaultCan you spot the problem yet? 46. Escrow RecordKey ← PBKDF2-SHA256(iCSC, 10’000)• Offline iCSC guessing is possible• Almost instant recovery [for default settings]• iCSC decrypts keybag password• Keybag password unlocks keybag keys• Keybag keys decrypt Keychain items 47. Apple, or other adversary withaccess to stored data, can near-instantlydecrypt “master”password and read synced iCloudKeychain records!(for default settings) 48. Setup Options 49. Complex iCSCcorrect horse battery staple PBKDF2Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbiCloud Security CodeRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4SHA-256 x 10’000AES-CBC256 bitBackup KeybagKey 1Key 2Key 3*.escrowproxy.icloud.comAES-Wrap KeysRFC 3394AES-GCM256 bit*.keyvalueservice.icloud.com 50. Complex iCSC• Mechanics are the same as with simple iCSC• Offline password recovery attack is still possible,although pointless if password is complex enough 51. Setup Options 52. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC 53. Random PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.comiCloud Security Codecorrect horse battery staple PBKDF2SHA-256 x 10’000AES-CBC256 bit*.escrowproxy.icloud.comRandom iCSC 54. Random iCSCRandom PasswordBL7Z-EBTJ-UBKD-X7NM-4W6D-J2N4Keychain PasswordsyMa9ohCJtzzcVhE7sDVoCnbAES-Wrap KeysRFC 3394Backup KeybagKey 1Key 2Key 3AES-GCM256 bit*.keyvalueservice.icloud.com 55. Random iCSC• Escrow Proxy is not used• Random iCSC (or derived key) stored on the device[haven’t verified] 56. Setup OptionsiCloudKeychainKeychainSyncKeychainBackupMasterPasswordEscrowNo iCloud Security CodeRandom iCloud Security CodeComplex iCloud Security CodeSimple iCloud Security Code 57. ConclusionsImage: Apple Inc. 58. Conclusions• Trust your vendor but verify his claims• Never ever use simple iCloud Security Code• Do not think that SMS Apple sends you is a 2FA• Yet, iCK is reasonably well engineered although notwithout shortcomings 59. Thank You!Questions are welcome :-)!!@abelenko @hackappcom