Nicolas17: Add links to related resources

2021-12-06T00:57:28Z

Add links to related resources

Nicolas17: braindump

2021-12-06T00:24:20Z

braindump

New page

{{lowercase}}
'''iCloud Keychain''' is an Apple service that synchronizes Keychain contents across multiple devices from the same owner,
using end-to-end encryption.
This is visible to the user as synchronization of passwords and credit card numbers saved by Safari,
but other "end-to-end encrypted iCloud data" works by saving the encryption keys in iCloud Keychain as well.

== Codenames ==

Many components of iCloud Keychain are actually open source (some unintentionally!) as part of the [https://opensource.apple.com/source/Security/ Security framework source releases].

You will still find a ''lot'' of unexplained codenames.
This is a high-level overview from a broad look at the code,
that may help understand what those names mean,
though it still has a lot of speculation and unanswered questions.

In Security-55471, iCloud Keychain was introduced, with '''SOS (Secure Object Sync)'''.
It uses [https://developer.apple.com/library/archive/documentation/General/Conceptual/iCloudDesignGuide/Chapters/DesigningForKey-ValueDataIniCloud.html iCloud Key-Value Store] (KVS) as the storage/sync backend.
There is an XPC service called "CloudKeychainProxy" that acts as a proxy between the keychain daemon (`securityd`) and KVS,
because `securityd` can't (rather "couldn't back then") use Objective-C or link to Foundation.

In Security-57336, SOS can communicate over IDS too, and there's a new IDSKeychainSyncingProxy service (later renamed KeychainSyncingOverIDSProxy).
This presumably means syncing keychain items by sending end-to-end encrypted push notifications between devices (iMessage uses IDS too) instead of storing items in KVS.
This version also added '''keychain views''' (see [https://opensource.apple.com/source/Security/Security-57740.1.18/OSX/sec/SOSCircle/SecureObjectSync/ViewList.list.auto.html ViewList.list]),
which apparently splits syncable keychain items into groups with different properties (maybe different top-level keys?).

Security-58286 changed a lot. There is a whole new "syncing system" called '''CKKS (CloudKit Keychain Syncing)'''.
Views can be either synced by SOS or by CKKS.
Presumably SOS is considered legacy (there's code to "upgrade from SOS to CKKS").
There are a few new views synced by CKKS, some have self-explanatory names (AutoUnlock and Health)
but there's also two called '''Engram''' and '''Manatee''' (meaning and distinction unknown).

As hints for future research:
"Engram" is a private framework that is certainly related;
some features like AirTag pairing check "whether manatee is available" and tell the user to enable 2FA if not;
[https://conference.hitb.org/hitbsecconf2018dxb/materials/D1T2%20-%20Cloudy%20With%20a%20Chance%20of%20Messages%20-%20Extracting%20Messages%20from%20iCloud%20-%20Vladimir%20Katalov.pdf ElcomSoft's talk about iMessages in iCloud] mentions needing to download data from both Engram and Manatee to get messages.

There's a larger system called '''Octagon''' (overall "iCloud Keychain v2" project? or just the new way devices add each other as trusted?), introduced together with CKKS, and a related XPC service called '''Cuttlefish''' (TrustedPeersHelper).

[[Category:Software]]

← Older revision		Revision as of 00:57, 6 December 2021
Line 36:		Line 36:

	There's a larger system called '''Octagon''' (overall "iCloud Keychain v2" project? or just the new way devices add each other as trusted?), introduced together with CKKS, and a related XPC service called '''Cuttlefish''' (TrustedPeersHelper).		There's a larger system called '''Octagon''' (overall "iCloud Keychain v2" project? or just the new way devices add each other as trusted?), introduced together with CKKS, and a related XPC service called '''Cuttlefish''' (TrustedPeersHelper).
		+
		+	== Resources ==
		+	* [https://support.apple.com/guide/security/icloud-keychain-security-overview-sec1c89c6f3b/1/web/1 Apple Platform Security Guide: iCloud Keychain Security]
		+	* [https://youtu.be/BLGFriOKz6U?t=1355 Ivan Krstic's talk at BlackHat USA 2016] ([https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf slides]) (though he focuses on iCloud Keychain escrow/backup and glosses over syncing)
		+	* [https://conference.hitb.org/hitbsecconf2017ams/materials/D1T4%20-%20Vladamir%20Katalov%20-%20Breaking%20Apple%E2%80%99s%20iCloud%20Keychain.pdf Breaking Apple's iCloud Keychain – ElcomSoft]
		+	* [https://conference.hitb.org/hitbsecconf2018dxb/materials/D1T2%20-%20Cloudy%20With%20a%20Chance%20of%20Messages%20-%20Extracting%20Messages%20from%20iCloud%20-%20Vladimir%20Katalov.pdf Extracting Messages from iCloud – ElcomSoft]

	[[Category:Software]]		[[Category:Software]]

ICloud Keychain - Revision history

Nicolas17: Add links to related resources

Nicolas17: braindump