How iOS 8 and OS X 10.10 need to fix iCloud Keychain

iCloud Keychain lets you generate, store, and manage strong, unique passwords between your iPhone, iPad, and/or Mac. In theory, that's an amazing win for both convenience and security. Unfortunately, it's only in theory. Sadly there are two big problems with iCloud Keychain, one conceptual, one architectural, that make it so that I — and anyone concerned with security — can't use it. Luckily, it's something that can and hopefully will be fixed with iOS 8 and OS X 10.10.

Re-authentication

The first problem with iCloud Keychain is that it doesn't demand re-authentication before it works. That means, as long as your iPhone, iPad, or Mac is unlocked, anyone using it has access to your stored passwords and credit cards. That also means, if iCloud Keychain is enabled, I can't hand my iPhone, iPad, or Mac over to a friend, colleague, acquaintance, family member, or anyone else, at all, ever, without having to worry about my passwords and credit cards being accessed.

If someone needs to make an emergency call, or look something up on the web, or try out one of my games, or do any of a hundred other things other people typically do when you hand them your device, there's a gaping security hole in the form of iCloud Keychain.

That's why third party password managers require a "master password".

The idea is, even if you unlock and hand your iPhone, iPad, or Mac over to a third party, they'd be required to re-authenticate with your passcode, password, or Touch ID before iCloud Keychain could auto-fill a password or credit card.

Yes, the idea behind iCloud Keychain is to be so convenient that people using weak, repetitive passwords find it enticingly easy to stop doing that.

Apple's well aware of that because it's exactly how the App Store and iTunes Store work right now. After a certain, fairly short, length of time, you're required to re-authenticate in order to buy something. It's less convenient but way more secure. And, thanks to the App Store and iTunes Store, we're used to things working that way already.

With Touch ID, which should make it's way into the next generation iPad and mid-tier iPhones this fall, the loss of convenience would be minimal as well. Touch the sensor and the password or credit card fills. Simple as that.

Either way, iOS and OS X shouldn't treat web passwords and credit cards with any less protection than they treat iTunes accounts.

Better cryptography

Apple uses amazingly good, privacy and security-centric cryptography in almost every aspect of the iOS architecture. The big, glaring exception appears to be iCloud Keychain. Here's Security Now!'s Steve Gibson on the problem:

Here, in iCloud, for no explicable reason, they have not used the good curve. They have used the P-256 curve which nobody now trusts. We know that it came from a guy named Jerry Solinas at the NSA. I mean, we've gone back, the crypto community has really looked at this carefully. And it was generated by the NSA using an SHA-1 hash where we've been given the seed of a series of hashes, and downstream of the series is the result on which this elliptic curve is based. And I don't remember now whether it was Bernstein or Schneier or Matt. But all three of them have said no. And one of them suggested that, if the NSA knew how to find weaknesses in ECC, and there were enough of them, then they could hide the fact that they had found a weakness by using an SHA-1 hash chain and simply running it forward until it gave them a pseudorandom number that resulted in a weak key. That allows them to say, look, we didn't choose this weak key. The SHA-1 hash chain chose it for us.

So obviously it's random. Except they could have seeded - all they had to do was try a lot of them until they found one that was weak, and then present that one. And that was exactly what they did. They said, we started with this seed, we hashed it like crazy, and look what came out the other end. So trust us. And it turns out that there are, aside from suspicion, there are many characteristics of this specific curve that make it weak. And I've got links here in the show notes if anyone wants to pursue it. There's safecurves.cr.yp.to, which is Bernstein's site. There is another site that talks about it. Schneier has written that he absolutely would not trust this curve.

I'm not smart enough to understand the details to the level Gibson does, but none of that sounds good to me. Here's how our security editor, Nick Arnott puts it:

The vast majority of us do not fully, or even partially, grasp the mathematics behind cryptographically sound standards. Fortunately there's a community of people far smarter than us who do understand these things. When that community finds a standard to be weak, anybody interested in keeping things secure should move away from that standard. Apple appears to be using a curve that the security community has determined is weak and thusly, nobody, including Apple, should be using it if they want their security to be trusted and taken seriously.

If Apple can use rock-solid crypto throughout the rest of the system, it'd be great if they could use it for something as important as iCloud Keychain in iOS 8 and OS X 10.10 as well.

Because, again, there are few things as critical to keep safe as web passwords and credit card information.

iCloud Keychain: The bottom line

I should make clear that I don't think Apple has intentionally made iCloud Keychain weak, flawed, or otherwise compromised. Secure sync is incredibly hard. Balancing security and convenience is incredibly hard. Getting betas and releases out given Apple's deadlines is incredibly hard. Inevitably features get pushed back and things go missing.

But iCloud Keychain is incredibly important and these two things — re-authentication and better cryptography — simply need to be in place before I can use it and before I can recommend anyone else use it.

Hopefully iOS 8 and OS X 10.10 will do just that.

Meanwhile, let me know — are you're using iCloud Keychain, and what you think of the feature?

Have something to say about this story? Share your comments below! Need help with something else? Submit your question!

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, Vector, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

More Posts

 

9
loading...
0
loading...
82
loading...
0
loading...

← Previously

J.D. Power survey shows consumers still most satisfied with iPhone on all major U.S. carriers

Next up →

Best translation apps for iPhone: iTranslate Voice, iVoice, Google Translate, and more!

Reader comments

How iOS 8 and OS X 10.10 need to fix iCloud Keychain

31 Comments

Gibson is being sensational. P-256 currently accounts for 99.9% of all elliptic curve cryptography. There ARE better curves. Google is experimenting with one called Curve25519. A year from now that may be the best choice. For now, and certainly when Apple introduced it, P-256 is the best of several flawed options.

The last thing I’d want to see is Apple being the first company to use a new, unproven encryption method that could end up being broken by anyone, as opposed to P-256, which could (theoretically!) be broken only by the NSA.

It should go without saying, but if you are trying to hide your passwords from the NSA, you *probably* aren’t using iCloud Keychain.

I think Gibson's only point there was that Apple used better elliptical crypto everywhere else. iCloud Keychain was the only place not using it, which makes it an outlier.

Is there some reason iCloud Keychain had to be different? I'm not smart enough to know.

Wow. It turns out Apple is using Curve25519 in several places. Honestly, I didn’t expect that yet. It does seem like a good choice for a future version of iCloud Keychain. In the meantime, I have no problem using the current keychain with P-256. Much more worrisome is the other problem you pointed out — lack of re-authentication.

Regarding re auth and iTunes: you point out in your article that Touch ID is likely coming to the iPad. I agree that Touch ID is the solution here. I have a 5s, and I (unreasonably, no doubt) get annoyed when I have to enter my password (um, like an animal) instead of using Touch ID. If Safari popped up a request to (so briefly, with the now fully functional battle station, er, Touch ID) rest my thumb on the home button, no problem. It's hardly an inconvenience at all.

Sent from the iMore App

Agreed,
Alternatively... GUEST LOGIN for iOS !!!
... with access to the apps already installed by the owner, without the owner's app-data/credentials, obviously, then delete the cache/cookies/etc after exiting that session of guest login.
Might as well throw in TRUE multitasking (split-screen) for iPads.
Let this Lamborghini get past 25!

"P-256 is the best of several flawed options"

Okay, so don't use the flawed options. Apparently P-256 is not the best because at least 3 of the top experts on crypto are saying not to use it. With all do respect, had they said, "Look, this isn't the best but it's the best we had" then you would have a point.

As I said, when it was introduced, it was the best option. It is true that several experts are *now* advising against P-256. Most famously, Bruce Schneier wrote in September that he no longer trusts it.

Note that iCloud Keychain was announced in June and it had been in development for some time before that. At that time, P-256 was considered good. Apparently Steve Gibson thinks Apple should have been able to see into the future.

While Curve25519 was always considered better, it was not yet incorporated into widely used crypto libraries (it still hasn’t been, although work is in progress). The recent distrust of P-256 has greatly accelerated its adoption in a community that is conservative about adopting new algorithms.

The fact that Apple used Curve25519 for a few other functions does not indicate that they distrusted P-256. It indicates they were forward-thinking in trying out a “next-gen” crypto algorithm.

I have been using it but finally decided to bite the bullet and start using 1password for the reason that you mentioned Rene, anyone with access to my phone can access my stuff too easily. It was convenient at first but security issues became too glaring.

Sent from the iMore App

I have been using it and felt it was better than nothing. Frankly, trying to wade through the "how to" instructions from 1Password and LastPass were just further than I wanted to go. I live in the Apple ecosystem and there were just too many hoops to jump though to make it work.
All that being said, with the latest "HeartBurn", changing all my passwords was not as easy as I hoped with Keychain was not as easy as I had hoped it would be. So if they fix it with IOS8 and 10.10, I'll stay with it. Otherwise, I'll start learning to jump through the hoops and learn how to use one of the other password managers.

I use it for some sites, but the bulk of my passwords are stored in 1Password. I am starting to use its browser on my iOS devices more often than before. I do agree with the need to have some sort of passcode or PIN before allowing access to the iOS keychain. It does seem like a glaring omission, but I guess the decision was made in the hopes of making it as easy to use as possible in hoeps that stronger passwords would become the norm. (It doesn't affect me much because I don't let others use my phone/tablet. I'm just paranoid that way.)

After the NSA stuff came out there is no reason for me to add even more critical data onto my phone. If Apple comes up with some ironclad security for keychain I will take another look at it. I just don't see the pros outweighing the cons for this convenience. Hell who am I kidding "they" have all my info already.

The more intrusive security is the less the average user will use it. Fact.

Lots of users, maybe even the majority, run around with no passcode and leave their devices unlocked at all times. Having to re-authenticate every time you want to do something will just drive people away from security, not attract them to it. That’s why we now have the TouchID security. It’s easy and you don’t have to remember anything.

Your first point about re-authentication is exactly why I don't use it. I suppose it is better than no passwords, crap passwords or the computer monitor covered in post-it notes with banking passwords written on it....but it is not fully baked.

The big turn off for me was the thought of losing a device that might be compromised, then allow the thief to access all my accounts through Safari and Key Chain. Right now I use mSecure and a 22 character password (a sensational PITA to type in on an iPhone). I may be fooling myself as I am no crypto genius but it feels more secure than Key Chain on a lost/stolen iPhone or iPad. I need to be sure that if my mobile device is compromised that I have not handed the keys to my vast internationally plundered wealth to some doofus whose only skill is unlocking stolen phones. Granted, that wealth barely pays the rent each month, but it is important to me.

Thanks for the article and good job Rene. I have been using keychain and found it very useful and simple. I think it's great for what it is right now and will only get better as time goes by. I have to admit that haven't noticed the certains about how secure it is until I read this article.

Here's a hint: don't give your phone to someone you don't trust with your credit cards.

If you lose your phone, I'm sure you have a password lock enabled. And we know for sure that you do if you have 5s.

And the NSA couldn't give 2 s--ts what I'm doing, so I'm not worried about that.

A password for my passwords? Uh-oh, my password's password better have a password, too.

So what's the point of the article again? Maybe the text of the article should have been: "Apple should increase the safety of it's cryptography." Done.

I'm a 1password user who entertained switching to keychain. The first time I encountered a site that wouldn't let me save/submit their password, I bailed back to 1password. iOS used to allow you to force login to sites that didn't allow it, but 7.1 ditched that option.

On a lesser note, MacOS should have a better interface for managing password preferences. A Safari preference pane is an unintuitive option.

The removal of "save PW anyhow" from 7.1 is annoying. Almost all sites (that I use) don't allow password saving now. I only save passwords for bs sites that I barely go to anyhow. (Better than logging in with facebook!) If it's a site where I (or an unauthorized user) could purchase something, I don't save the password in keychain.

Also, when the f will Keychain be used in apps? Almost all apps are superior to their mobile web counter parts, yet sometimes there is no option to stay logged in. Or if even there is, and you install the app on a different device, or delete/reinstall the app, or get logged out for some stupid reason, you'll have to go through the pw reset procedure.

I agree on the iOS side. Touch ID and/or a password should be used to access passwords. However if I loan my Mac to someone (or just let them use it) it'll be on a guest account, not mine.

Agreed. If iOS devices had accounts (I believe Android has this for tablets) you could create a limited guest account and let others use that.

Sent from the iMore App

Most sites require CVV when entering a credit card, keychain does not store that. You have to enter that CVV each time Keychain auto fills a credit card form. I know it's only a 3 digit number, and I agree that Touch ID should be required in addition to CVV.

I must be missing something here. If you hand someone your phone and the passphrase or TouchID is off, that's on the owner of the phone, not the software. I have a 5 and it's locked, needed a code to unlock it. Could Apple require a passphrase with each use of a Keychain item? Sure. Now think about that and how annoying it will be.

End of the day, if you give physical control of your iOS device or Mac to someone, it's on you to know and trust that person. If you don't, don't store sensitive information of any kind on there.

I agree. I never give anyone my phone? It's more important than my wallet and I never give anyone my wallet, either. You need to make a phone call? Fine. I'll dial the number for you, lock my phone, and hand you the phone. Done.

Doesn't OS X 10.10 = 10.1? Wasn't that Puma? I mean, if they're going with the 'decimal' thing...

Think we'll get OS XI or OS X 11 this summer?

iOS crypto has not been 'rock solid' (before v8 at least). In fact most data could not be encrypted and the data which was encrypted used a key based on your hardware ID thereby allowing apple, law enforcement, a scorned lover, or random hacker to access this data without your pass code.