
I've read the WWDC 2015 article from Apple, which says that:

We also moved the KeyStore component from the kernel into Secure Enclave and it's that component which controls the cryptography around Keychain items and the data protection.

Does this mean that the private key generated and then stored in the keychain has a similar security level as the private key generated directly in the Secure Enclave?

The one difference I can think of is that the private key generated inside the Secure Enclave is unextractable in any form.

Rory Alsop
Summer

1 Answer


This depends. If you are using the keychain to store a key which you can retrieve then the security level is not the same. You still have to move that key into memory to use it - all the secure enclave does is make storage of that key data when not in use more secure.

Alternatively you can create and store an actual key in the enclave directly. See -

https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

...

Can’t import preexisting keys. You must create keys directly inside the Secure Enclave. Not having a mechanism to transfer key data into or out of the Secure Enclave is fundamental to its security.

Hector
How are keys stored in the enclave retrieved for usage later? Do you store a reference to the key which isn't sensitive? – Woodstock Sep 26 '19 at 10:14
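The enclave-bound flow the answer points to, written out as an added Swift example (not code from the answer or from Apple's documentation): the app creates the key inside the Secure Enclave, later finds it again by an application tag that returns only an opaque `SecKey` handle, and asks the enclave to sign. The tag `com.example.se-demo-key` and the message are constructed values; the snippet assumes a device with a Secure Enclave, since the simulator has none.

```swift
import Foundation
import Security

// Assumed application tag; the keychain stores the key under it as an opaque reference.
let keyTag = Data("com.example.se-demo-key".utf8)

// Create a P-256 key whose private half exists only inside the Secure Enclave.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Usable only while the device is unlocked; never migrates to another device.
    guard let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &error)
    else { throw error!.takeRetainedValue() }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,  // bind the key to the enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,       // persist a reference in the keychain
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error)
    else { throw error!.takeRetainedValue() }
    return key
}
// Look the key up again by tag; what comes back is a handle, not key bytes.
func loadSecureEnclaveKey() -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: keyTag,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return (item as! SecKey)
}
// Signing happens inside the enclave; the app receives only the signature.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error)
    else { throw error!.takeRetainedValue() }
    return sig as Data
}
let key = try loadSecureEnclaveKey() ?? makeSecureEnclaveKey()
precondition(SecKeyCopyExternalRepresentation(key, nil) == nil)  // export must fail: no key bytes to return
let signature = try sign(Data("constructed message".utf8), with: key)
```

The `precondition` is the check behind the "unextractable in any form" point in the question: a keychain item holding imported key data would export successfully, an enclave-bound key does not.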