Apple released its 2021 Platform Security guide back in February with new details on M1 Macs, iOS 14, macOS Big Sur, watchOS 7, and more. Now the guide has been updated with specifics on how Touch ID on the new Magic Keyboard works, how the cryptography behind iPhone unlock with Apple Watch in iOS 14.5 works, and more.
The revised Platform Security Guide goes in-depth on how the new Magic Keyboard with Touch ID, which ships with the new M1 iMacs, works, among other additions.
The Magic Keyboard with Touch ID performs the role of the biometric sensor; it doesn’t store biometric templates, perform biometric matching, or enforce security policies (for example, having to enter the password after 48 hours without an unlock). The Touch ID sensor in the Magic Keyboard with Touch ID must be securely paired to the Secure Enclave on the Mac before it can be used, and then the Secure Enclave performs the enrollment and matching operations and enforces security policies in the same way it would for a built-in Touch ID sensor.
Apple notes that a Magic Keyboard with Touch ID can only be “paired with one Mac at a time” but interestingly, “a Mac can maintain secure pairings with up to five different Magic Keyboard with Touch ID keyboards.”
While the new keyboard is only sold with the new M1 iMac for now, Apple does say it will work with MacBooks with built-in Touch ID:
The Magic Keyboard with Touch ID and built-in Touch ID sensors are compatible. If a finger that was enrolled on a built-in Mac Touch ID sensor is presented on a Magic Keyboard with Touch ID, the Secure Enclave in the Mac successfully processes the match—and vice versa.
The documentation further describes the secure pairing, secure intent to pair, and Touch ID channel security.
To help ensure a secure communication channel between the Touch ID sensor in the Magic Keyboard with Touch ID and Secure Enclave on the paired Mac, the following are required:
• The secure pairing between the Magic Keyboard with Touch ID PKA block and the Secure Enclave as described above
• A secure channel between the Magic Keyboard with Touch ID sensor and its PKA block
The secure channel between the Magic Keyboard with Touch ID sensor and its PKA block is established in the factory by using a unique key shared between the two. (This is the same technique used to create the secure channel between the Secure Enclave on the Mac and its built-in sensor, for Mac computers with Touch ID built-in.)
Another main update to the guide shares specifics on the cryptography used for the iPhone unlock with Apple Watch feature that launched with iOS 14.5.
For greater convenience when using multiple Apple devices, some devices can automatically unlock others in certain situations. Auto Unlock supports three uses:
• An Apple Watch can be unlocked by an iPhone.
• A Mac can be unlocked by an Apple Watch.
• An iPhone can be unlocked by an Apple Watch when a user is detected with their nose and mouth covered.
All three use cases are built upon the same basic foundation: a mutually authenticated Station-to-Station (STS) protocol, with Long-Term Keys exchanged at time of feature enablement and unique ephemeral session keys negotiated for each request. Regardless of the underlying communication channel, the STS tunnel is negotiated directly between the Secure Enclaves in both devices, and all cryptographic material is kept within that secure domain (with the exception of Mac computers without a Secure Enclave, which terminate the STS tunnel in the kernel).
Diving into the details of how this works, there are two phases:
A complete unlock sequence can be broken down in two phases. First, the device being unlocked (the “target”) generates a cryptographic unlock secret and sends it to the device performing the unlock (the “initiator”). Later, the initiator performs the unlock using the previously generated secret.
To arm auto unlock, the devices connect to each other using a BLE connection. Then a 32-byte unlock secret randomly generated by the target device is sent to the initiator over the STS tunnel. During the next biometric or passcode unlock, the target device wraps its passcode-derived key (PDK) with the unlock secret and discards the unlock secret from its memory.
To perform the unlock, the devices initiate a new BLE connection and then use peer-to-peer Wi-Fi to securely approximate the distance between each other. If the devices are within the specified range and the required security policies are met, the initiator sends its unlock secret to the target through the STS tunnel. The target then generates a new 32-byte unlock secret and returns it to the initiator. If the current unlock secret sent by the initiator successfully decrypts the unlock record, the target device is unlocked and the PDK is rewrapped with a new unlock secret. Finally, the new unlock secret and PDK are then discarded from the target’s memory.
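The two phases above (arming, then unlocking) are easier to follow as a small model. The following Python is an added illustration and not Apple's code or anything from the guide: the STS tunnel, BLE link and Wi-Fi ranging are replaced by direct method calls and boolean flags, the `Target`/`Initiator` classes and every function name are assumptions, and the "wrap" of the passcode-derived key (PDK) is a stand-in built from HMAC-SHA256 (a derived one-time pad plus an authentication tag), since the guide does not specify the wrapping primitive. What it does show is the property the text describes: the unlock secret is consumed by the target, the record is rewrapped under a fresh secret on every successful unlock, and a stale copy of a consumed secret no longer decrypts anything.

```python
"""Model of Apple's two-phase Auto Unlock flow: arm, then unlock.
Added illustration, not Apple's implementation; the wrap construction,
class names and the failure behaviour on a bad secret are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional

SECRET_LEN = 32  # the guide specifies a 32-byte unlock secret
NONCE_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(unlock_secret: bytes, pdk: bytes) -> bytes:
    """Wrap a 32-byte PDK under the unlock secret as nonce || ct || tag.
    Stand-in construction (assumption): HMAC-derived pad, then HMAC tag."""
    assert len(pdk) == SECRET_LEN and len(unlock_secret) == SECRET_LEN
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hmac.new(unlock_secret, b"enc" + nonce, hashlib.sha256).digest()
    ct = _xor(pdk, pad)
    tag = hmac.new(unlock_secret, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(unlock_secret: bytes, record: bytes) -> Optional[bytes]:
    """Return the PDK if the secret authenticates the record, else None."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:NONCE_LEN + 32], record[NONCE_LEN + 32:]
    expected = hmac.new(unlock_secret, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(unlock_secret, b"enc" + nonce, hashlib.sha256).digest()
    return _xor(ct, pad)


class Target:
    """The device being unlocked (e.g. the iPhone)."""

    def __init__(self, pdk: bytes):
        self._pdk = pdk                # passcode-derived key
        self._pending_secret = None    # unlock secret awaiting the next local unlock
        self._unlock_record = None     # PDK wrapped under an unlock secret
        self.unlocked = False

    def arm(self) -> bytes:
        """Phase 1, step 1: generate the unlock secret (sent over the STS tunnel)."""
        self._pending_secret = secrets.token_bytes(SECRET_LEN)
        return self._pending_secret

    def local_unlock(self) -> None:
        """Phase 1, step 2: next biometric/passcode unlock wraps the PDK."""
        if self._pending_secret is None:
            raise RuntimeError("auto unlock is not armed")
        self._unlock_record = wrap_key(self._pending_secret, self._pdk)
        self._pending_secret = None    # secret discarded from memory
        self.unlocked = True

    def lock(self) -> None:
        self.unlocked = False

    def remote_unlock(self, presented_secret: bytes) -> Optional[bytes]:
        """Phase 2: verify the presented secret; on success rewrap under a new one.
        Returns the new secret, or None on failure (assumption: the record is
        left untouched and no new secret is issued when decryption fails)."""
        if self._unlock_record is None:
            return None
        new_secret = secrets.token_bytes(SECRET_LEN)
        pdk = unwrap_key(presented_secret, self._unlock_record)
        if pdk is None:
            return None
        self.unlocked = True
        self._unlock_record = wrap_key(new_secret, pdk)
        return new_secret              # new secret and PDK are not retained here


class Initiator:
    """The device performing the unlock (e.g. the Apple Watch)."""

    def __init__(self):
        self._unlock_secret = None

    def receive_secret(self, secret: bytes) -> None:
        self._unlock_secret = secret

    def request_unlock(self, target: Target, in_range: bool, policy_ok: bool) -> bool:
        # Range (peer-to-peer Wi-Fi) and policy checks gate sending the secret.
        if not (in_range and policy_ok) or self._unlock_secret is None:
            return False
        new_secret = target.remote_unlock(self._unlock_secret)
        if new_secret is None:
            return False
        self._unlock_secret = new_secret   # the old secret is now consumed
        return True


def run_scenario() -> dict:
    """Walk through arm, unlock, lock, and a stale-secret attempt."""
    phone = Target(pdk=secrets.token_bytes(SECRET_LEN))
    watch = Initiator()
    watch.receive_secret(phone.arm())      # phase 1: secret sent to initiator
    phone.local_unlock()                   # phase 1: PDK wrapped, secret dropped
    phone.lock()
    stale = Initiator()
    stale.receive_secret(watch._unlock_secret)   # a copy of the current secret
    results = {}
    results["out_of_range"] = watch.request_unlock(phone, in_range=False, policy_ok=True)
    results["first_unlock"] = watch.request_unlock(phone, in_range=True, policy_ok=True)
    phone.lock()
    results["stale_copy"] = stale.request_unlock(phone, in_range=True, policy_ok=True)
    results["second_unlock"] = watch.request_unlock(phone, in_range=True, policy_ok=True)
    return results
```

Running `run_scenario()` yields `out_of_range` and `stale_copy` as `False` and both genuine unlocks as `True`: once the watch has used a secret, the record on the phone is already rewrapped under the replacement, so a copy of the consumed secret is useless, which is the point of rotating the secret on every unlock.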
Along with those updates, Apple has added details on the CustomOS Image4 Manifest hash and edited some details for Express Mode transactions, Secure Multi-Boot, and Sealed Key Protection.