Behind the Scenes with iOS Security

Recommendations

Info

iCloud Keychain Backup Premise New credential—iCloud Security Code (commonly device passcode), unknown to Apple Generate strong random backup (“escrow”) key, wrap with KDF-derived key from iCSC Back up copy of iCloud Keychain secrets to the Apple cloud, encrypted with escrow key Send wrapped escrow key to Apple In case of device loss or new device, user can recover secrets with their iCloud password and the iCSC
Synchronizing Secrets Goals—Inspired by Data Protection Selected user secrets (passwords, credit cards, …) available on all of the user’s devices Synchronization protected with strong cryptographic keys User can recover secrets even if they lose all their devices User secrets not exposed to Apple Backend not in a privileged position to brute-force keys protecting user secrets
Page 1 and 2: Behind the Scenes with iOS Security
Page 3 and 4: Component Encryption iOS 10 User da
Page 5 and 6: Hardened WebKit JIT Mapping Backgro
Page 7 and 8: Hardened WebKit JIT Mapping Execute
Page 9 and 10: Hardened WebKit JIT Mapping Tying i
Page 11 and 12: 4. Prevent writing into the executa
Page 13 and 14: iOS 10 - - X R-X RW-
Page 15 and 16: iOS 10 - - X R-X RW- mov x0, #0
Page 17 and 18: iOS 10 - - X R-X RW- mov x0, #0 mov
Page 19 and 20: Data Protection with the Secure En
Page 21 and 22: Data Protection Goals—Sidestep AP
Page 23 and 24: Secure Enclave Processor Overview D
Page 25 and 26: User Keybags Background Sets of key
Page 27 and 28: 00000000 44 41 54 41 00 00 05 ca 56
Page 29 and 30: Filesystem Data Protection Overview
Page 31 and 32: 7) keybagd loads system keybag (cla
Page 33 and 34: Userspace UserEventAgent Darwin loc
Page 35 and 36: Unattended Update—Install Later 1
Page 37 and 38: Data Protection Goals User data pro
Page 39 and 40: Synchronizing Secrets Uses Password
Page 41 and 42: “Humans are incapable of securely
Page 43: iCloud Keychain Approach Each devic
Page 47 and 48: Cloud Key Vault Overview HSMs runni
Page 49 and 50: Cloud Key Vault HSM keys Key Descri
Page 51 and 52: Cloud Key Vault Understanding the d
Page 53 and 54: Cloud Key Vault Club Host HSM Host
Page 55 and 56: Cloud Key Vault Quorum commit Each
Page 57 and 58: Cloud Key Vault Escrow Recovery Tra
Page 63 and 64: Cloud Key Vault Who watches the wat
Page 65 and 66: No.
Page 67 and 68: Physical One-Way Hash Function
Page 69: Cloud Key Vault Final attestation A
Page 72 and 73: Apple Security Bounty
Page 74 and 75: Apple Security Bounty Rewards resea
Page 76 and 77: Apple Security Bounty Payments We r
Page 78 and 79: September
Page 80: TM and © 2016 Apple Inc. All right

Behind the Scenes with iOS Security

Create successful ePaper yourself

Delete template?

Save as template?