Comments (13)
I'm definitely out of my depth, but this is worth a look:
https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#2557909
I might be looking in the wrong place, but it looks like kSecAttrSynchronizable is discussed right next to kSecAttrTokenIDSecureEnclave without any discussion of them being mutually exclusive.
from secretive.
No it's not, private keys are not even available to macOS, let alone be exported.
from secretive.
I understand there are security tradeoffs here, but if the user were to opt in, would specifying kSecAttrSynchronizable be straightforward?
from secretive.
@aschw theoretically someone could build a Secretive-like app that uses iCloud Keychain for key storage instead of the Secure Enclave – setting kSecAttrSynchronizable
wouldn't be sufficient alone, but there's nothing to prevent someone from storing a key in the keychain and performing signing operations with that.
This is pretty explicitly contradictory to the purpose of this project though – this project is built around the Secure Enclave and its associated security guarantees, so we probably won't be pursuing it here.
from secretive.
I recognize the importance of the Secure Enclave’s role in this project and its significant security benefits. However, transitioning to a new macOS device under the current setup can be notably burdensome, primarily because users need to track down all the uses of their old public key and update them.
Enabling kSecAttrSynchronizable for keys in the Secure Enclave may reduce their security attributes, but compromising these keys would still require overcoming robust security measures—specifically, breaching the Secure Enclave itself or obtaining the user's iCloud credentials and successfully adding a new device to their iCloud account, which involves additional verification steps. The Secure Enclave remains crucial to each signing operation, ensuring that keys stay secure even if an attacker obtains an unencrypted copy of the Mac's hard drive[1].
The evolution of WebAuthn and Passkeys in Safari echoes this situation. With the release of Safari 14, WebAuthn platform authenticators like Face ID or Touch ID were introduced without iCloud sync capability. It was only in Safari 15 that Passkeys, which synchronize with the iCloud Keychain, were made available. This shift towards integrating user-friendly features without fully compromising security has been well-received as a positive development. Many users of Secretive are likely using iCloud-synchronized Passkeys and would appreciate similar features for ease of device migration and backup in the Secretive project, especially when replacing a lost device or transitioning to a new one.
[1] https://www.slashid.dev/blog/passkeys-deepdive/
from secretive.
@aschw interesting link – I'm not... 100% confident that what that article is describing is accurate (at least for third party apps), but I'm also not 100% I'm correct here either ;)
When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself. The syncing identity consists of a private key and a public key, and is stored in the device’s keychain. The public key of the syncing identity is put in the circle, and the circle is signed twice: first by the private key of the syncing identity, and then again with an asymmetric elliptical key (using P-256) derived from the user’s iCloud account password. Also stored with the circle are the parameters (random salt and iterations) used to create the key that’s based on the user’s iCloud password.
I'm not positive I agree with their reading of this statement – what this is describing, as far as I can tell, is how general synchronizable items in the keychain behave, not SEP-backed ones specifically.
That being said, I'm not sure how to reconcile the source code they linked with my understanding of the current limitations of the SEP – my understanding was that iCloud Keychain keys were in the data protection keychain but not processed by the SEP itself. It's possible that code they linked is an artifact of a previous beta incarnation of passkeys where that was (iirc) the case.
Apple's security guide itself does not mentioned the SEP at all when discussion passkeys: https://support.apple.com/en-us/102195
Anyway, I'll poke around this a little more.
from secretive.
Admittedly my disassembly reading is very weak so I could be wrong here, but I think they might have misread that assembly as a pure "add the sync key" when it actually reassigns the attributes dict to a new object without that key.
local_160 = *(undefined8 *)__got::_kSecAttrTokenIDSecureEnclave;
gets stuffed into
uVar4 = __auth_stubs::_objc_msgSend (&_OBJC_CLASS_$_NSDictionary,"dictionaryWithObjects:forKeys:count:",&local_160, &local_180,4);
in the
iVar1 = __auth_stubs::_objc_msgSend(uVar5,"shouldUseAlternateCredentialStore");
codepath, uvar4
is rewritten to a new dictionary, one that (afaict) does not have the SEP attribute applied.
from secretive.
Is it worth reopening the issue?
from secretive.
Just for experimentation's sake, I did try this and it didn't appear to sync (I'm surprised it allowed creation at all without throwing an error tbh):
from secretive.
I’d also expect it to either work or throw an error…
Out of curiosity, did you try specifying kSecAttrSynchronizable and not kSecAttrTokenIDSecureEnclave to ensure that configuration syncs?
from secretive.
FYI, for what it is worth, I recently "reset" an Apple Silicon Mac running macOS Sonoma and then "migrated" from a SuperDuper! backup and all my Secretive private keys were migrated/preserved. So somehow, the private keys were exported from the Secure Enclave and restored via Migration or the "Reset" didn't correctly erase the Secure Enclave. I believe the case is the former and not the later and therefore, then "syncing" may work if implemented correctly.
from secretive.
FYI, for what it is worth, I recently "reset" an Apple Silicon Mac running macOS Sonoma and then "migrated" from a SuperDuper! backup and all my Secretive private keys were migrated/preserved. So somehow, the private keys were exported from the Secure Enclave and restored via Migration or the "Reset" didn't correctly erase the Secure Enclave. I believe the case is the former and not the later and therefore, then "syncing" may work if implemented correctly.
This seems unlikely. For example, a few weeks ago, I migrated from an M1 Macbook Air to an M3 Macbook Air, and all of my Secretive private keys disappeared.
If you believe your experience accurately reflects how the migration process preserves data within the Secure Enclave, it might be best to open a separate issue to discuss this, as it isn't directly relevant to the current discussion. This will help keep the focus here while properly addressing your observations.
The scenario you describe is not particularly relevant to the interplay between kSecAttrSynchronizable and kSecAttrTokenIDSecureEnclave.
from secretive.
Just for experimentation's sake, I did try this and it didn't appear to sync (I'm surprised it allowed creation at all without throwing an error tbh):
@maxgoedjen There seems to be some configuration needed in the Apple developer portal. For example:
https://developer.apple.com/help/account/manage-identifiers/enable-app-capabilities/
https://developer.apple.com/documentation/xcode/configuring-keychain-sharing
from secretive.
Related Issues (20)
- ux: removing smart card does not "close" smart card key view
- ux: removing the smart card removes the public key file
- Loss of secrets HOT 2
- iTerm2 Secretive excessive notifications HOT 4
- Using Multiple Github Accounts HOT 1
- Configure how long key is active via settings HOT 1
- Agent refused operation when launching multiple requests HOT 2
- vvccccvvlgkjgcuehuuueiliitnbfvifvehbkunetdig
- vvccccvvlgkjgcuehuuueiliitnbfvifvehbkunetdigvvccccvvlgkjdjkunnereidjidtvitktldngbbvtnhul HOT 1
- Agent fails to respond in devcontainer
- [Feature/Bug] Yubikey not shown on macOS WITH secure enclave HOT 2
- “iTerm” would like to access data from other apps. HOT 4
- SecretAgent deadlocked after Sonoma 14.4.1 upgrade HOT 11
- Agent becomes unresponsive after a while HOT 2
- Apple Watch will not prompt for auth HOT 6
- Secrets don't survive reinstalling macOS HOT 1
- Document that notifications allow caching authN HOT 2
- Loss of all SSH keys, and immediate crash when trying to create a new secret HOT 6
- Possible performance issues on macOS 14.5 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secretive.