Escrow Security for iCloud Keychain

Does anyone know what is the "iCloud security code" mentioned? Is it just the 6 digit code that Apple sends to verify iCloud access?

> Is it just the 6 digit code that Apple sends to verify iCloud access?

No. It is unrelated to Apple ID 2FA.

If its what I'm thinking of, it used to be a user-visible thing[1] back in the day.

But now with the need for increased security posture in the modern environment it is now not user visible but held locally and encrypted using the local device secure enclave key. So you would typically now see a prompt for the device password so the enclave can be accessed to access the key to setup/renew iCloud access tokens.

As far as I am aware the only user-visible string still available in the Apple world is (for obvious reasons) the FileVault recovery key on macOS devices. Which is only visible once ... shown to you when you first enable FileVault.

[1] https://support.apple.com/en-us/101265

I think it's longer then 6 digits. Long ago I did this and I remember it being a long code with dashes.

> Is it just the 6 digit code that Apple sends to verify iCloud access?

No. It is unrelated to Apple ID 2FA.

If its what I'm thinking of, it used to be a user-visible thing[1] back in the day.

[1] https://support.apple.com/en-us/101265

I think it's longer then 6 digits. Long ago I did this and I remember it being a long code with dashes.

> long code with dashes

That sounds more like the FileVault recovery key ?

> long code with dashes

That sounds more like the FileVault recovery key ?

May have been, but I thought it was recovery key for lost iPhone pass code.

iCloud provides a secure infrastructure for keychain escrow to help ensure that only authorised users and devices can perform a recovery. Topographically positioned behind iCloud are clusters of hardware security modules (HSMs) that guard the escrow records. As described previously, each has a key that’s used to encrypt the escrow records under their watch.

To recover a keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After this is done, users must enter their iCloud security code. The HSM cluster verifies that a user knows their iCloud security code using the Secure Remote Password (SRP) protocol; the code itself isn’t sent to Apple. Each member of the cluster independently verifies that the user hasn’t exceeded the maximum number of attempts allowed to retrieve their record, as discussed below. If a majority agree, the cluster unwraps the escrow record and sends it to the user’s device.

Next, the device uses the escrowed data to unwrap the random keys used to encrypt the user’s keychain. With that key, the keychain — retrieved from CloudKit and iCloud key-value storage — is decrypted and restored onto the device. The escrow service allows only 10 attempts to authenticate and retrieve an escrow record. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the 10th failed attempt, the HSM cluster destroys the escrow record and the keychain is lost forever. This provides protection against a brute-force attempt to retrieve the record, at the expense of sacrificing the keychain data in response.

These policies are coded in the HSM firmware. The administrative access cards that permit the firmware to be changed have been destroyed. Any attempt to alter the firmware or access the private key causes the HSM cluster to delete the private key. Should this occur, the owner of each keychain protected by the cluster receives a message informing them that their escrow record has been lost. They can then choose to re-enrol.

Helpful?

Character limit: 250

Please don’t include any personal information in your comment.

Maximum character limit is 250.

Thanks for your feedback.

Hacker Times

Hacker Times

Escrow Security for iCloud Keychain

Discussion

Discussion