Behind the Scenes with iOS Security

Recommendations

Info

Synchronizing Secrets Traditional approaches Wrap user secrets with strong random key • User has to take care of a printed “sock drawer key” and enter it on each device • If printed key is lost, losing devices means loss of secrets Wrap user secrets with KDF-derived key from their password • Account provider backend is privileged, can intercept or brute-force account password • If user resets their account password, must prompt for old password to recover secrets • Anyone else in possession of wrapped user secrets can launch a brute-force attack
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations.” C. Kaufman, R. Perlman, M. Speciner
Page 1 and 2: Behind the Scenes with iOS Security
Page 3 and 4: Component Encryption iOS 10 User da
Page 5 and 6: Hardened WebKit JIT Mapping Backgro
Page 7 and 8: Hardened WebKit JIT Mapping Execute
Page 9 and 10: Hardened WebKit JIT Mapping Tying i
Page 11 and 12: 4. Prevent writing into the executa
Page 13 and 14: iOS 10 - - X R-X RW-
Page 15 and 16: iOS 10 - - X R-X RW- mov x0, #0
Page 17 and 18: iOS 10 - - X R-X RW- mov x0, #0 mov
Page 19 and 20: Data Protection with the Secure En
Page 21 and 22: Data Protection Goals—Sidestep AP
Page 23 and 24: Secure Enclave Processor Overview D
Page 25 and 26: User Keybags Background Sets of key
Page 27 and 28: 00000000 44 41 54 41 00 00 05 ca 56
Page 29 and 30: Filesystem Data Protection Overview
Page 31 and 32: 7) keybagd loads system keybag (cla
Page 33 and 34: Userspace UserEventAgent Darwin loc
Page 35 and 36: Unattended Update—Install Later 1
Page 37 and 38: Data Protection Goals User data pro
Page 39: Synchronizing Secrets Uses Password
Page 43 and 44: iCloud Keychain Approach Each devic
Page 45 and 46: Synchronizing Secrets Goals—Inspi
Page 47 and 48: Cloud Key Vault Overview HSMs runni
Page 49 and 50: Cloud Key Vault HSM keys Key Descri
Page 51 and 52: Cloud Key Vault Understanding the d
Page 53 and 54: Cloud Key Vault Club Host HSM Host
Page 55 and 56: Cloud Key Vault Quorum commit Each
Page 57 and 58: Cloud Key Vault Escrow Recovery Tra
Page 63 and 64: Cloud Key Vault Who watches the wat
Page 65 and 66: No.
Page 67 and 68: Physical One-Way Hash Function
Page 69: Cloud Key Vault Final attestation A
Page 72 and 73: Apple Security Bounty
Page 74 and 75: Apple Security Bounty Rewards resea
Page 76 and 77: Apple Security Bounty Payments We r
Page 78 and 79: September
Page 80: TM and © 2016 Apple Inc. All right

Behind the Scenes with iOS Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?