I'm looking for something either like this security white paper for iOS except for OS X or even better, some kind of security audit report from an independent expert. After reading through documentation like the Keychain Services Programming Guide I'm even more confused about what is vulnerable to an adversarial attack on an unencrypted backup of an OS X System.
Last time I checked, the user's login keychain under OS X was about as secure as the password. I recall some issue that shrank the actual secrecy of the key to something like 111 bits (foggy memory, please feel free to correct me) due to some issue with how the password is converted to a key, but that was a long time ago and hopefully that's been fixed.
On the other hand, I've been told the System Keychain is inherently less secure because any administrator can access it and an intruder has many options for becoming an administrator besides guessing a single user's password.
In particular, I'm worried about storing passwords used in automated scripts in the System Keychain as the system files are backed up and stored off-site without further encryption. Documents and other user data are encrypted before being taken off-site, but I have a nagging suspicion that there's a path I'm overlooking that recovers those keys once the System Keychain is compromised (due to our procedures, not necessarily any cryptographic flaws). So I want to have a thorough understanding of how the System Keychain is simultaneously secured yet accessible to any administrator.
-
How are the keys architected such that any administrative user can unlock the System Keychain?
-
Are there cryptographic restrictions that limit what an administrative user can do with information in the System Keychain in any way?
-
Given an unencrypted system backup without
/Users, how would you gain access to the keys in the System Keychain?
I'm interested in OS X 10.5 Leopard and later versions, but specifically limited to desktop or laptop Macs without a T2 chip or secure enclave. Apple's Spring 2020 Platform Security Whitepaper explains pretty well that the critical keys encrypting keychain data are stored on the T2 chip and the T2 chip itself manages and applies ACLs which restrict access to the decryption functionality. So on those computers, as with all iOS devices, the keychain database is tied to the hardware and cannot be used on a different device.
Best Answer
The system keychain is stored in
/Library/Keychains/System.keychainand the key to unlock it is stored in/var/db/SystemKey(its default file permissions are readable by root only). The location of these files is referenced in the security-checksystem script (from the security_systemkeychain source). It is even possible to test to automatic locking/unlocking of the system keychain by usingThe keychain security framework allows non-privileged programs to make requests for information provided they are in the ACL stored within the keychain entry. Obviously if a user has root they on a system they can directly access both the file storing the system keychain and the key to unlock it, thus they do not have make requests via the security framework and are not beholden to the ACLs stored within the keychain itself.
(I didn't actually answer the original questions so let's give this another go)
The libsecurity keychain framework allows regular processes to interact with the system keychain in an authenticated manner using Apple's XPC interprocess communication framework (IPC).
Program A sends a request to access the system keychain information using IPC. A check is made that the requesting user is already in the wheel group and also knows the password of a user in the wheel group. Once authorization is confirmed, the privileged
kcproxydaemon can be used to access material in/var/db/SystemKey, unlock the system keychain and return the requested information.No - an administrative user is allowed to access/change anything in the system keychain. Even if they couldn't, they could copy the underlying files to another machine on which they have complete control and just unlock/access it there.
If the backup contained copies of
/Library/Keychains/System.keychainand/var/db/SystemKeythen I would copy them to their respective locations on a new OS X system and usesystemkeychainto make the later unlock the former and dump the keychain database usingsecurity dump-keychain.