12

I recently purchased a Macbook Pro (late 2016) which now includes Touch ID, like the iPhones have been for a while. Although this is a very convenient addition, I am wondering how this affects the security of full disk encryption (with FileVault 2).

As far as I know, it is not possible to use a (biometric) fingerprint as an encryption/decryption key directly (which explains why you need to type in your password after rebooting the machine). This would mean that the password would need to be stored somewhere, unencrypted, which OSX "unlocks" after scanning the correct fingerprint.

(Admittedly, I'm not too familiar with how FileVault works in detail either, so maybe I'm missing something there)

I'm assuming that the data is not unlocked all the time that my machine is powered on (after logging in for the first time), but I can't find any good articles on how this process works exactly. Anyone able to explain or point me in the right direction? Is enabling Touch ID in combination with FileVault considered more/less secure?

Chaminda Bandara
tkers
  • The key does not necessarily have to be stored in clear. Modern biometric authentication is mostly implemented as a security co-processor which independently verifies the fingerprint and allows certain cryptographic operations without releasing the actual key to the main CPU. Though unlike ARM land where the co-processor can be integrated into the CPU and thus directly handle decryption, Intel-based implementations will most likely store the key in main memory, so less secure. – billc.cn Jan 03 '17 at 14:50
  • That would make a lot of sense, yes. Meanwhile I found a white paper describing how this process works on iOS (https://www.apple.com/business/docs/iOS_Security_Guide.pdf, page 9). The keys are wrapped with another key that only Touch ID has access to, and I can only assume that MacOS is doing something similar. Still, it would be nice if someone can confirm this / find a source for MacOS. – tkers Jan 04 '17 at 19:32

2 Answers

2

Touch ID and Filevault are not related, at least not yet in current macOS versions.

When a Mac reboots, it first loads a small unencrypted partition which presents the password dialog to unlock the "disk" (really only a volume). A key derivation function is used to derive a long passphrase from your password, which in turn unlocks the encrypted volume with the operating system and all of your applications and files.

Once the operating system boots, you may use Touch ID. It uses a similar element to iPhones called Secure Enclave - a small processor that signs cryptographic challenges. When an authentication event takes place on the system, for example screen unlock, your fingerprint matches the stored representation in the enclave and you're allowed in. As an analogy, asymmetric cryptography is being used instead of a symmetric key (a password).

Whether or not using Touch ID is secure would have to be based on a threat model, but certainly it and traditional password-authentication have their unique advantages.

P. Cap
0

My answer is from a design point of view of a file encryption system, and not actual implementations.

You said "it is not possible to use a (biometric) fingerprint as an encryption/decryption key directly [...] This would mean that the password would need to be stored somewhere, unencrypted, which OSX "unlocks" after scanning the correct fingerprint."

Mostly correct. First, it is correct to assume that (currently) no biometric information can be used as a decryption key, only because biometric authentication is done by similarity, e.g. biometric samples are always binary different. Even your very face will change tomorrow, not to mention its appearance under different light.

Cryptography keys are basically numbers, so they have to be stored verbatim. But this does not mean unprotected.

A TPM chip, probably what Apple calls "Secure enclave" in their paper, is the best solution to use biometric decryption. A TPM is a chip that stores secret keys and performs cryptographic operations upon authentication. A very simplified version of a FileVault-equivalent implemented by me for the sake of discussion requires the TPM to store both the key and your fingerprint sample securely. When a new sample that matches the stored sample is supplied then the key is released to the kernel, allowing decryption.

This is likely NOT how Apple is really doing FileVault2, but is realistic and simple to explain as a general concept.

So in order to answer your question, NO, biometric encryption itself is not currently possible according to our technology and encryption standards, but YES, your biometrics can be used as if they were an encryption key.

usr-local-ΕΨΗΕΛΩΝ
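A toy model of the design sketched in this answer, added here as an illustration and not Apple's or anyone's real FileVault/Secure Enclave code. It shows why the two paths differ: a password goes through a KDF and reproducibly derives the wrapping key, while two scans of the same finger (constructed sample templates below) are bitwise different, so a KDF over them gives unrelated keys; an enclave-like component instead matches by similarity and only then releases the volume key it keeps wrapped under its own secret. The XOR wrap, Hamming-distance matcher and threshold are stand-ins chosen for clarity, not the algorithms a real product uses.

```python
import hashlib
import os

# Constructed sample "fingerprint" templates: feature bits that differ slightly
# between two scans of the same finger (the second scan flips 2 bits).
ENROLLED = bytes([0b10110010, 0b01101100, 0b11100011, 0b00011101])
RESCAN   = bytes([0b10110010, 0b01101110, 0b11100011, 0b00011001])

def kdf(secret: bytes, salt: bytes) -> bytes:
    """Password path: derive a 32-byte wrapping key (PBKDF2 as a stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; the similarity measure of this toy matcher."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def xor_wrap(key: bytes, wrapping_key: bytes) -> bytes:
    """Toy reversible key wrap; a real system would use an AEAD or AES key wrap."""
    assert len(key) == len(wrapping_key)
    return bytes(k ^ w for k, w in zip(key, wrapping_key))

class ToyEnclave:
    """Keeps the volume key wrapped under a secret that never leaves the enclave,
    plus the enrolled template, and releases the key only on a similarity match."""
    def __init__(self, volume_key: bytes, template: bytes, threshold: int = 3):
        self._enclave_secret = os.urandom(32)
        self._wrapped = xor_wrap(volume_key, self._enclave_secret)
        self._template = template
        self._threshold = threshold

    def unlock_with_fingerprint(self, sample: bytes):
        if hamming_distance(sample, self._template) > self._threshold:
            return None  # no match: nothing is released
        return xor_wrap(self._wrapped, self._enclave_secret)

def demo() -> dict:
    volume_key, salt = os.urandom(32), os.urandom(16)
    # Password path: identical input, identical derived key, so the wrap is reversible.
    pw_wrapped = xor_wrap(volume_key, kdf(b"correct horse", salt))
    recovered = xor_wrap(pw_wrapped, kdf(b"correct horse", salt))
    # Biometric path: scans are close but not equal, so a KDF over them disagrees,
    # while the enclave's similarity check accepts the rescan and rejects a stranger.
    enclave = ToyEnclave(volume_key, ENROLLED)
    return {
        "password_recovers_key": recovered == volume_key,
        "kdf_over_scans_agree": kdf(ENROLLED, salt) == kdf(RESCAN, salt),
        "enclave_releases_key": enclave.unlock_with_fingerprint(RESCAN) == volume_key,
        "enclave_rejects_other": enclave.unlock_with_fingerprint(bytes(4)) is None,
    }
```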