New iOS Security Document Details Touch ID And The Secure Enclave System

Apple has recently published a security document for iOS on its website (via TechCrunch) where it dives into the various security features of iOS 7 and it even provides additional information on its Touch ID sensor and Secure Enclave system.

iPhone-5s-iPhone-5c-Keynote-iPhone-5s-Touch-ID-Promo-020-630x354

It is without a doubt an interesting read so here are some key highlights starting with how Touch ID processes a fingerprint.

The 88-by-88-pixel, 500-ppi raster scan is temporarily stored in encrypted memory within the Secure Enclave while being vectorized for analysis, and then it’s discarded after. The analysis utilizes subdermal ridge flow angle mapping, which is a lossy process that discards minutia data that would be required to reconstruct the user’s actual finger- print. The resulting map of nodes never leaves iPhone 5s, is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.

There is only a 1 in 50,000 chance of matching randomly with someone else’s fingerprint.

Next up is how the Secure Enclave System encrypts the identification and share with the rest of the system without exposing that data to an outside party.

Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.

Fingerprint data is processed with the help of the A7 chip.The data is transferred from Touch ID to the A7 chip and then the Secure Enclave. The whole transferring process itself is encrypted and the data is not read by the A7 during the relay.

Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrap- ping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.

So how does Touch ID function when unlocking your iPhone?

On devices with an A7 processor, the Secure Enclave holds the cryptographic class keys for Data Protection. When a device locks, the keys for Data Protection class Complete are discarded, and files and keychain items in that class are inaccessible until the user unlocks the device by entering their passcode.

On iPhone 5s with Touch ID turned on, the keys are not discarded when the device locks; instead, they’re wrapped with a key that is given to the Touch ID subsystem. When a user attempts to unlock the device, if Touch ID recognizes the user’s finger- print, it provides the key for unwrapping the Data Protection keys and the device is unlocked. This process provides additional protection by requiring the Data Protection and Touch ID subsystems to cooperate in order to unlock the device.

The decrypted class keys are only held in memory, so they’re lost if the device is rebooted. Additionally, as previously described, the Secure Enclave will discard the keys after 48 hours or 5 failed Touch ID recognition attempts.

This hardly touches on the entire document which isn’t just limited to Touch ID but all the security features of iOS. As such if this kind of thing interests you it is recommended you check out the entire document.

Don't forget to follow iJailbreak.com on Facebook, Twitter and Google+.