当前位置：网站首页>Encryption defect of icloud Keychain in Apple mobile phone

Encryption defect of icloud Keychain in Apple mobile phone

2022-07-28 11:19:00 【InfoQ】

What is? iCloud Key chain

Apple key chain is apple computer , mobile phone , Password manager on the tablet , Help users save the management account password . Turn on iCloud After cloud synchronization , The account and password can be synchronized between all devices of the user , At the same time, a copy will also be backed up in iCloud On .

Because Apple will turn on by default iCloud Cloud synchronization , So most Apple users will use iCloud Key chain management password .

iCloud The key chain cloud is synchronously encrypted

We know Google Chrome Saved password , It will not be encrypted first , Upload to the cloud .

although Google Claim encrypted storage in the cloud , But this encryption , Yes Google Internal staff , Or invade Google For service hackers , There is no protective effect . obviously , We don't want to Google Know our password .

Relatively speaking , Make apples better . stay  

iCloud The key chain is safely restored

  This article explains how Apple encrypts to prevent itself （ Or hackers who invaded Apple ,FBI？） Read the password we saved in the key chain （ Login, double authentication, etc. cannot prevent server attacks ）：

iCloud The key string will give the user's key string data to Apple trusteeship , But it's not allowed Apple Read the password and other data contained in the key string .

The user's key is encrypted through strong password .

There are several ways to establish a strong password ：
If the user account has dual authentication enabled , Then use the device password to restore the managed key chain .
If dual authentication is not set , Users need to provide a six digit password to create iCloud Safety code . besides , If dual authentication is not set , Users can specify a longer security code or allow their devices to create a random encrypted security code , They can record and save by themselves .

Explain a little ：

The account number and password in the key chain will be saved in iCloud On , But apple can't read .

The data in the key chain uses
Strong password
encryption .

Apple uses
Device unlock password
As
Strong password
.

Because the password in the key chain will be encrypted with the device unlock password first , And then save it to iCloud On . The device unlock password will not be uploaded to iCloud Of , So apple can't start from iCloud Read the password in the key chain .

The decryption process is reversed ： Users' new mobile phones are from iCloud Download Keychain data , Enter the unlock password , Decrypt the originally saved password from the encrypted data .

How strong is this strong password ？

Most iPhone users , The set unlock password is just 6 Digit number , Even 4 Digit number . Apple uses this simple digital password to encrypt .

Insert a little story ：

Apple and FBI Jointly put on a public relations show ？
The article points out that , stay 2015 year , Apple is not normal , Refuse to contact in the name of protecting privacy FBI cooperation , Help unlock a terrorist's iPhone 5C mobile phone . There was a lot of noise in those days , The lawsuit has reached the Congress .

A few years later , Apple makes FBI Interviewed a demonstrator accused of setting fire to a police car iCloud Account  
Apple gave the FBI access to the iCloud account of a protester accused of setting police cars on fire
. All the information on Apple Mobile , Including passwords are uploaded by default iCloud after , presumably FBI No longer need to unlock iPhone 了 , Crack directly iCloud The data on is simpler .

Unfortunately, encryption is flawed ,1 Gedong can be cracked

that iCloud use 6 Bit digital password to encrypt data , How long does brute force cracking take ？ Let's estimate , It's simple ！

When unlocking the phone , The phone will calculate an encryption key . In order not to let users wait too long , About less than 1 Second time , We simply follow
500ms
Calculation .

6 Digit passwords cannot be directly used for encryption , You usually use PBKDF2 Algorithms like that , from 6 Calculate the encryption key with digits .

all 6 The digit code is ：000000, 000001, ..., 999999, The total is
1 One million
individual .

all 6 Digit code , It takes a total of 50 Thousands of seconds ~ 
139 Hours
.

This year, AMD Published desktop CPU 5995WX Yes 64 The core 128 Threads , And faster than mobile phones CPU faster , Use it to brutally crack 6 Digit unlocking password , no need 1 Hours .

If you use more powerful GPU Cluster cracking , That's just

Minutes and minutes

It's something .

This obviously cannot stop Apple ,FBI, Or hackers who hacked into Apple's servers cracked our store in iCloud The password in the key chain .

What mistake did Apple make ？

In daily life , Use 6 Digit code PIN Is very extensive . Except for mobile phones and computers , Bank card withdrawal passwords are also 6 Digit number , Is it unsafe ？

6 position PIN The role of is to identify users , If you lose several times in a row , It will take some time to retry , Prevent bad guys from brutally cracking . If you continue to input wrong , The waiting time for retry will be longer and longer , It's possible that 47 year .