iOSDevSWE
How to manage Secure Enclave card storage limits
Let’s go through some misconceptions in your articles:
“Apple's Secure Enclave is a protected area on Apple's devices which holds keys, encrypted data, cards, and other security information.”
No! The Secure Enclave doesn’t hold anything other than private keys. Those keys can’t even be retrieved from its protected space. The place where you “store” things is called the Keychain. Basically what you do is create a private key in the Secure Enclave, use it (through its data representation, as you can’t get the key out of the Secure Enclave) and encrypt data into the Keychain. People often make the mistake of confusing the Keychain with the Secure Enclave because they are using low-level queries with the Keychain to save passwords or sensitive data from their app. Instead, the iOS developer should use CryptoKit. That way it is clear what you can and can’t do by simply using autocomplete in Xcode with “SecureEnclave.P256.” as a start. For the curious reader, P256 is the only type of elliptic curve used with the Secure Enclave; it enables NIST P-256 signatures and key agreements.
“[…] it uses AES cryptography to encode information so it's not plain-text readable without decryption.”
Encoding and encrypting are two completely different things. Encoding means writing something differently. For instance you can use ASCII, UTF-8, UTF-16, etc. An example: the following string has been encoded in base64: QXBwbGVJbnNpZGVy. I will let the reader choose whichever online base64 decoding tool to read what I encoded 😉. Anybody can “decode” that string to its original UTF-8 form, but if I encrypt it with my own Secure Enclave key on my iPhone 15 Pro, you will need exactly that key on my phone to read it without brute force. I would recommend you go through your article and replace all occurrences of “encode” with “encrypt”.
“One of the major uses of Secure Enclave is to encode, store, and retrieve your sensitive data and passes in the Apple Wallet app for later use.”
No, the major and only use of Secure Enclave is to encrypt or sign data. Nothing else.
“Apple wallet limitations”
Precisely! The limitations are on the Apple Wallet app, not the Secure Enclave. However, if you’re like me, very intrigued about how the Secure Enclave works, you should watch Ivan Krstic’s talk at Black Hat USA in 2016 (available on YouTube). It is possible to exhaust the number of private keys you can create in the Secure Enclave (listen particularly to the questions at the end of the video). But Apple doesn’t communicate what this limit is. The curious/intrepid developer could write an app that abuses the Secure Enclave and creates many private keys until they run out. I have no idea what happens then; perform at your own risk…
I hope that now people will understand more clearly what the Secure Enclave really is: it is not Keychain!
Secure Enclave documentation: https://developer.apple.com/documentation/cryptokit/secureenclave
CryptoKit documentation: https://developer.apple.com/documentation/cryptokit/
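The pattern the post describes (a key created inside the Secure Enclave, only its opaque data representation persisted in the Keychain, and the same key used later to sign or to derive a symmetric key for AES encryption), as an added example written for this page. It is not the author's code and not Apple sample code. It assumes a physical device with a Secure Enclave (the simulator returns `SecureEnclave.isAvailable == false`), and the Keychain account name `com.example.secure-enclave-key` and the sample message are constructed for the example. The last step also contrasts base64 encoding, which anyone can reverse, with AES-GCM encryption under a key that only exists because the Secure Enclave participated in the key agreement.

```swift
import CryptoKit
import Foundation
import Security

// Assumed Keychain account under which the opaque key handle is persisted (constructed name).
let keychainAccount = "com.example.secure-enclave-key"

struct KeychainError: Error { let status: OSStatus }

// Persist an opaque blob in the Keychain. A generic-password item is enough: the blob
// is NOT the private key, it is a handle only this device's Secure Enclave can use.
func keychainSave(_ blob: Data, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData as String: blob,
    ]
    SecItemDelete(query as CFDictionary)            // replace any earlier copy
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

func keychainLoad(account: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { throw KeychainError(status: status) }
    return data
}

func runSecureEnclaveDemo() throws {
    guard SecureEnclave.isAvailable else {
        print("No Secure Enclave on this device (e.g. simulator); nothing to demonstrate.")
        return
    }

    // 1. Access policy for the key: usable only while the device is unlocked, never migrated.
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &cfError) else { throw cfError!.takeRetainedValue() as Error }

    // 2. Create the signing key INSIDE the Secure Enclave. The scalar never leaves it;
    //    what the app gets back is a handle plus the public key.
    let created = try SecureEnclave.P256.Signing.PrivateKey(accessControl: access)

    // 3. Storing the handle is the app's job, and the Keychain is where it belongs.
    try keychainSave(created.dataRepresentation, account: keychainAccount)

    // 4. Later (another launch): rebuild the key object from the stored handle.
    let restored = try SecureEnclave.P256.Signing.PrivateKey(
        dataRepresentation: keychainLoad(account: keychainAccount))

    // 5. Sign with the enclave-resident key and verify with the exported public key.
    let message = Data("constructed sample message".utf8)
    let signature = try restored.signature(for: message)
    precondition(restored.publicKey.isValidSignature(signature, for: message))

    // 6. Encoding: reversible by anyone, no secret involved.
    let encoded = message.base64EncodedString()
    precondition(Data(base64Encoded: encoded) == message)

    // 7. Encryption: a P-256 key cannot encrypt directly, so the usual pattern is ECDH
    //    with a Secure Enclave key agreement key, HKDF, then AES-GCM.
    let enclaveAgreementKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(accessControl: access)
    let senderEphemeral = P256.KeyAgreement.PrivateKey()            // software key on the sender side
    let context = Data("constructed-hkdf-context".utf8)
    let senderSecret = try senderEphemeral.sharedSecretFromKeyAgreement(with: enclaveAgreementKey.publicKey)
    let senderAES = senderSecret.hkdfDerivedSymmetricKey(
        using: SHA256.self, salt: Data(), sharedInfo: context, outputByteCount: 32)
    let sealed = try AES.GCM.seal(message, using: senderAES)

    // Only the device holding the enclave key can reproduce the secret and open the box.
    let receiverSecret = try enclaveAgreementKey.sharedSecretFromKeyAgreement(with: senderEphemeral.publicKey)
    let receiverAES = receiverSecret.hkdfDerivedSymmetricKey(
        using: SHA256.self, salt: Data(), sharedInfo: context, outputByteCount: 32)
    let opened = try AES.GCM.open(sealed, using: receiverAES)
    precondition(opened == message)
    print("signature verified, base64 round-tripped without a key, AES-GCM opened with the enclave-derived key")
}

try runSecureEnclaveDemo()
```

Two design points worth noting: `dataRepresentation` is safe to store because it is useless on any other device, which is also why the Keychain item is marked `ThisDeviceOnly` rather than relying on the blob's own properties; and step 7 creates a second enclave key for key agreement because CryptoKit keeps signing and key-agreement keys as distinct types, so an app that wants both should expect to persist two handles.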