“At a security ‘deep dive’ at Apple on Friday, executives went into depth on Apple security philosophy and technological approach to the matter. I’ve sat through many technology companies’ technical briefings but never one from Apple which went deeper on custom silicon solutions than I had seen before,” Ben Bajarin writes for Tech.pinions. “I’ll weave some technical tidbits I learned into this article but there was a theme which came up that struck me. More than a handful of times, presenters used the phrase ‘balancing security with ease of use.’”
“This seemed to be a key phrase and philosophy that is driving Apple’s thinking. The more I thought about it, the more it made sense in light of so many other security issues that exist in corporate, government, and other high-security environments where computers are used,” Bajarin writes. “You can build Fort Knox-level security into a personal computer but it would come at the expense of user experience — and oftentimes does. Apple is attempting something that seems unprecedented at an industry level. To bring industry leading security but do so by actually enhancing the user experience.”
“I came away from this discussion with a much greater appreciation of the Secure Enclave,” Bajarin writes. “Everything from booting up securely to individual file level encryption runs through the secure enclave. This means someone can’t hack into just part of my phone and get some of the data. It is all protected and encrypted.”
Read more in the full article here.
MacDailyNews Note: As per Apple, the Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised.
The Secure Enclave uses encrypted memory and includes a hardware random number generator. Its microkernel is based on the L4 family, with modifications by Apple. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers.
Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.
Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.
The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is provisioned for the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.
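As an added illustration of the note’s point that enclave data written to the file system is encrypted with a key entangled with the UID and an anti-replay counter, the following model (example code written for this page, not Apple’s implementation) shows why a saved blob cannot be rolled back: the key is derived from UID and counter, and the counter is bound into the authenticated record. HMAC-SHA256 as the KDF, AES-256-GCM as the AEAD and the random UID are all assumptions standing in for the real hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Enclave models the note's two secrets: a UID burned in at fabrication that never
// leaves the chip (a constructed random value here), and a monotonic anti-replay counter.
type Enclave struct {
	uid     [32]byte
	counter uint64
}

// Record is what the enclave hands to the untrusted file system.
type Record struct {
	Counter     uint64
	Nonce, Blob []byte
}

func NewEnclave() *Enclave { e := &Enclave{}; rand.Read(e.uid[:]); return e }
func be64(n uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, n); return b }

// aead derives the key for one counter value by entangling the UID with that counter
// (HMAC-SHA256 as the KDF); AES-256-GCM stands in for the enclave's AEAD.
func (e *Enclave) aead(counter uint64) cipher.AEAD {
	mac := hmac.New(sha256.New, e.uid[:])
	mac.Write(append([]byte("fs-record"), be64(counter)...))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal advances the counter and encrypts under that counter's key, binding the
// counter as associated data so it cannot be edited in the stored record.
func (e *Enclave) Seal(plain []byte) Record {
	e.counter++
	g, nonce := e.aead(e.counter), make([]byte, 12) // 12 bytes is GCM's standard nonce size
	rand.Read(nonce)
	return Record{e.counter, nonce, g.Seal(nil, nonce, plain, be64(e.counter))}
}

// Open rejects a rolled-back record before touching ciphertext; any edit to the
// counter field, nonce or blob is then caught by the AEAD tag.
func (e *Enclave) Open(r Record) ([]byte, error) {
	if r.Counter < e.counter {
		return nil, errors.New("anti-replay: record is older than the enclave counter")
	}
	return e.aead(r.Counter).Open(nil, r.Nonce, r.Blob, be64(r.Counter))
}
```

Once a newer record has been sealed, the older one is refused on its counter alone, and a record whose counter field has been edited fails authentication because both the derived key and the associated data change with it.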
Apple: We have the ‘most effective security organization in the world’ – April 16, 2016
FBI director confirms hack only works on older iPhones that lack Apple’s Secure Enclave – April 7, 2016
Edward Snowden: Apple is a privacy pioneer – June 5, 2015
Apple granted patents for Secure Enclave for Apple Pay and more – October 28, 2014
Edward Snowden’s privacy tips: ‘Get rid of Dropbox,’ avoid Facebook and Google – October 13, 2014
U.S. NSA secretly infiltrated Yahoo, Google data centers worldwide, Snowden documents say – October 30, 2013