Apple has this week released new information explaining how its Touch ID and A7 Secure Enclave hardware function, in a newly updated security document published on the iPhone in Business site.
The updated document describes how fingerprint data and temporary identifiers are passed between components inside the iPhone, and how the fingerprint data itself is kept secure and never exposed during the process.
Apple has also published new details on iMessage and FaceTime encryption, single sign-on and AirDrop in the iPhone in Business documents. Here is a snippet about Touch ID and the A7 Secure Enclave:
“Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.
Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.
Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.
Touch ID authentication and the data associated with the enrolled fingerprints are not available to other apps or third parties.
On iPhone 5s with Touch ID turned on, the keys are not discarded when the device locks; instead, they’re wrapped with a key that is given to the Touch ID subsystem. When a user attempts to unlock the device, if Touch ID recognizes the user’s fingerprint, it provides the key for unwrapping the Data Protection keys and the device is unlocked. This process provides additional protection by requiring the Data Protection and Touch ID subsystems to cooperate in order to unlock the device.
The decrypted class keys are only held in memory, so they’re lost if the device is rebooted. Additionally, as previously described, the Secure Enclave will discard the keys after 48 hours or 5 failed Touch ID recognition attempts.”
Check out the full iOS Security PDF document published by Apple here.
Source: Tech Crunch