Apple Details Touch ID And The A7’s Secure Enclave In Updated iOS Security Document

Apple has shared some information around how Touch ID and its Secure Enclave keeps information private in an updated security document newly posted to its “iPhone in Business” microsite. The new info provides an inside look at how exactly the Secure Enclave generates and communicates encrypted and temporary identification information to the rest of the system to make sure that fingerprint data is never exposed to anything beyond itself.

Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.

The Secure Enclave portion of the A7 chip is of course responsible for handling fingerprint data collected by the Touch ID sensor. Apple goes on to detail how the A7 processor helps gather the fingerprint data, but can’t actually read said information itself, and how the exchange that takes place between the A7 and the secure enclave is encrypted to prevent any hijacking of the data at that point.

Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrap- ping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.

As for Touch ID itself, Apple details how the fingerprint-based unlocking and iTunes purchasing authorization tech works in a completely new section of the iOS Security document. It mostly explains what users likely already know about Touch ID: When it does and doesn’t work (i.e. after a restart), but also adds a few things that might not be clear from normal use – Touch ID unlocking stops working after an iPhone 5s has been left locked for 48 hours or more, for instance, requiring a text or number-based password input.

Apple also reiterates its firm “no third-parties” rule with Touch ID and fingerprint information, which is worth recalling given Samsung’s different take on the matter, with its Pass API announced earlier for platform developers.

Touch ID authentication and the data associated with the enrolled fingerprints are not
available to other apps or third parties

The document also includes previously revealed technical data around the Touch ID scanner itself, which takes an 88-by-88-pixel, 500-ppi raster scan of the finger being applied, which is then transmitted to the Secure Enclave, vectorized for the purposes of being analyzed and compared to fingerprints stored in memory, and then discarded. This info, it’s worth recalling, is never transmitted to Apple’s servers, nor is it stored in iCloud or the iTunes backup of a device.

Apple closes the section on Touch ID with a detailed, step-by-step explanation of how unlocking the smartphone with the tech works, which is worth a look if you’re unclear on the behind-the-scenes magic or security protections involved:

On devices with an A7 processor, the Secure Enclave holds the cryptographic class keys for Data Protection. When a device locks, the keys for Data Protection class Complete are discarded, and files and keychain items in that class are inaccessible until the user unlocks the device by entering their passcode.

On iPhone 5s with Touch ID turned on, the keys are not discarded when the device locks; instead, they’re wrapped with a key that is given to the Touch ID subsystem. When a user attempts to unlock the device, if Touch ID recognizes the user’s finger- print, it provides the key for unwrapping the Data Protection keys and the device is unlocked. This process provides additional protection by requiring the Data Protection and Touch ID subsystems to cooperate in order to unlock the device.

The decrypted class keys are only held in memory, so they’re lost if the device is rebooted. Additionally, as previously described, the Secure Enclave will discard the keys after 48 hours or 5 failed Touch ID recognition attempts.

Another new section details iCloud Keychain, the syncing service that stores your passwords for use across platforms. Apple notes the system is designed to prevent unauthorized access to iCloud Keychain stored information in the event of a compromised iCloud account, and to prevent third-party access to any passwords housed in the service.

Below is an excerpt of how iCloud makes sure that keychains are recovered only by authorized users, without even actually transmitting the local iOS security code to Apple itself.

iCloud provides a secure infrastructure for keychain escrow that ensures only authorized users and devices can perform a recovery. Topographically positioned behind iCloud are clusters of hardware security modules (HSM). These clusters guard the escrow records. Each has a key that is used to encrypt the escrow records under their watch, as described previously.

To recover a keychain, the user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. Once this is done, the user must enter their iCloud Security Code. The HSM cluster verifies that the user knows their iCloud Security Code using Secure Remote Password protocol (SRP); the
White Paper 26 iOS Security code itself is not sent to Apple. Each member of the cluster independently verifies that the user has not exceeded the maximum number of attempts that are allowed to retrieve their record, as discussed below. If a majority agree, the cluster unwraps the escrow record and sends it to the user’s device.

Apple has also added new information about iMessage, FaceTime encryption, single sign-on and Airdrop in terms of areas of interest to check out. If you’re a fan of learning how things work, or just want to know what steps Apple takes to protect any biometric information (and other data) it collects and transmits during normal iOS operation, the entire security document is definitely worth perusing.