Apple security guru lays out iPad, iPhone crypto architecture at Black Hat
A top Apple security guru Thursday presented an in-depth view into the security architecture for iOS, the basis of iPhones and iPad tablets, underscoring the complex certificate-based encryption framework Apple has adopted.
“Our attitude is security is an architecture,” said Apple platform security manager Dallas De Atley, adding, “It’s not something you sprinkle over your code when it’s done.”
In a description of how secure boot processes work, De Atley pointed out that firmware in each iOS device is digitally signed by Apple as part of the manufacturing process. But that’s just the start of a certificate- and encryption-based system Apple uses to try to prevent its products from being exploited if vulnerabilities are discovered and need to be remedied. Encryption is also built in so that users can take advantage of classes of encryption on their devices, according to De Atley.
By hitting a lock button, users can ensure their mail messages are encrypted at rest on the device, said De Atley. Files can also be automatically encrypted and not opened until a user enters a passcode.
The encryption classes include “Complete Protection,” where a passcode is required to decrypt; “Protected with First Unlock,” which De Atley said works like full-disk encryption on the desktop; and lastly, simply “No Protection” from the encryption mechanism if that’s what’s desired.
He said Apple has made additional efforts, including “entangling” the passcode with the device’s unique identifier to try to deter brute-force attacks. Other safeguards include enabling the device to automatically wipe after 10 failed attempts to enter a passcode.
“The cryptography for this is fairly complicated,” said De Atley about the iOS design, which also includes the concept of a keybag that lives on the device all the time for maintaining Class keys.
Apple has built encryption based on the 256-bit Advanced Encryption Standard and the Secure Hash Algorithm into its processors. De Atley said neither Apple nor the manufacturers know the unique identifier, a safeguard he says makes sure the user has maximum protection. Apple maintains a global key as a top control point.
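The passcode entanglement and 10-attempt wipe described above can be modeled in a few lines. This is an added sketch, not Apple's implementation or code from the talk: PBKDF2 and HMAC-SHA256 are stand-ins assumed here for the unspecified key derivation, and every name and sample value is hypothetical.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # wipe threshold reported in the article

def entangle(passcode: str, device_uid: bytes, salt: bytes) -> bytes:
    """Derive a key from the passcode AND a per-device secret (assumed KDF)."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000)
    # Keying HMAC with the UID means the key cannot be recomputed off-device.
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()

def verifier_for(key: bytes) -> bytes:
    """Value stored on the device to check a guess without storing the key."""
    return hmac.new(key, b"unlock-check", hashlib.sha256).digest()

class Device:
    """Hypothetical model of a device enforcing the attempt limit."""

    def __init__(self, passcode: str, device_uid: bytes = b""):
        self._uid = device_uid or os.urandom(32)  # constructed sample UID
        self.salt = os.urandom(16)
        self._verifier = verifier_for(entangle(passcode, self._uid, self.salt))
        self.failed = 0
        self.wiped = False

    def unlock(self, guess: str) -> bool:
        if self.wiped:
            return False
        key = entangle(guess, self._uid, self.salt)
        if hmac.compare_digest(verifier_for(key), self._verifier):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self._verifier = b""  # discard key material: data is unrecoverable
            self.wiped = True
        return False

if __name__ == "__main__":
    phone = Device("4821")  # constructed sample passcode
    print("correct passcode:", phone.unlock("4821"))
    results = [phone.unlock("0000") for _ in range(MAX_ATTEMPTS)]
    print("wiped after", len(results), "bad guesses:", phone.wiped)
    print("correct passcode after wipe:", phone.unlock("4821"))
```

Because the derived key depends on the device secret, the same passcode yields a different key on every device, so guesses have to be checked on the device itself, where the attempt counter applies.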
Basically, as is already known, apps from the Apple App Store will not run on users’ iOS devices unless they’re signed by Apple. Third-party developers can be issued a public-key certificate from Apple to make apps that run on Apple iOS. To build enterprise apps, developers can enroll in the iOS Developer Enterprise program. Each will find they receive an “Enterprise Provisioning profile” that is installed on devices they use. This provisioning profile expires annually, said De Atley.
The end result keeps Apple firmly in control over what’s going on in apps running on its devices, a fact that enterprises may find beneficial or not.
Apple’s De Atley said the iOS architecture fosters the concept of a unique group of encryption-based controls for every device, and “entitlement,” which defines a crypto-determined way to decide what applications are allowed to access on each device, based on dynamic code-signing.
It all adds up to mean software running on devices is all known to come from a particular location, he said.
For erasing data, Apple devices don’t actually erase it but instead render it unobtainable because the necessary encryption key is erased. With what’s called “Effaceable Storage,” when the user triggers the function remotely, the keys are erased with the storage.
All this crypto processing can make performance and battery demands on a device, which is why Apple makes use of what it calls a suspended state for applications. “Applications are suspended by default,” until the user hits another button, De Atley said. “It helps performance and battery life.”
[Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.]