
What is the difference between Keychain and Secure Enclave

I've been searching for where the keychain stores its items, whether in the Secure Enclave or somewhere else. I found many articles (one of them this Stack Overflow answer) which say the following, but I'm looking for something authenticated, like an Apple statement:

The keychain stores the keys (and other small data) encrypted and restricts access to that data. Additionally, in recent iPhones (5S and later) the keychain is in a separate processor, the Secure Enclave, which additionally restricts access. There is no more secure way to store keys in iOS.

So my questions, based on the above statement:

  • Are keychain items stored in the Secure Enclave?
  • If yes, where are the public key and private key CFTypeRef stored?
  • Why do we use kSecAttrTokenIDSecureEnclave while creating a key pair? (example code follows)

     #import <Security/Security.h>

     // Helper assumed by the original code: creates an empty mutable CFDictionary
     #define newCFDict CFDictionaryCreateMutable(kCFAllocatorDefault, 0, \
         &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)

     - (bool)generateKeyPairWithAccessControlObject:(SecAccessControlRef)accessControlRef {
         // Attributes for the private key: access control, persistence, label
         CFMutableDictionaryRef accessControlDict = newCFDict;
         CFDictionaryAddValue(accessControlDict, kSecAttrAccessControl, accessControlRef);
         CFDictionaryAddValue(accessControlDict, kSecAttrIsPermanent, kCFBooleanTrue);
         CFDictionaryAddValue(accessControlDict, kSecAttrLabel, kPrivateKeyName);

         // Dict which actually saves the key into the keychain; kSecAttrTokenIDSecureEnclave
         // asks for the key to be generated inside the Secure Enclave (256-bit EC only)
         CFMutableDictionaryRef generatePairRef = newCFDict;
         CFDictionaryAddValue(generatePairRef, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);
         CFDictionaryAddValue(generatePairRef, kSecAttrKeyType, kSecAttrKeyTypeEC);
         CFDictionaryAddValue(generatePairRef, kSecAttrKeySizeInBits,
                              (__bridge const void *)([NSNumber numberWithInt:256]));
         CFDictionaryAddValue(generatePairRef, kSecPrivateKeyAttrs, accessControlDict);

         OSStatus status = SecKeyGeneratePair(generatePairRef, &publicKeyRef, &privateKeyRef);
         CFRelease(accessControlDict);
         CFRelease(generatePairRef);
         if (status != errSecSuccess) return NO;

         [self savePublicKeyFromRef:publicKeyRef];
         return YES;
     }

Looking for an authenticated answer. Cheers

The Keychain uses the Secure Enclave; the Secure Enclave is implemented in hardware.

From what I understand:
By default, asymmetric key pairs are created and stored in the Secure Enclave. The private key is available only at creation time and cannot be obtained later. Asymmetric operations that use the private key obtain it from the keychain without exposing it to user code.

There is an exception that allows access to the private key: the Keychain Access app.

Not all keychain items are stored in the Secure Enclave.
From Apple's documentation:

The only keychain items supported by the Secure Enclave are 256-bit elliptic curve private keys (those that have key type kSecAttrKeyTypeEC). Such keys must be generated directly on the Secure Enclave using the SecKeyGeneratePair(_:_:_:) function with the kSecAttrTokenID key set to kSecAttrTokenIDSecureEnclave in the parameters dictionary. It is not possible to import pre-existing keys into the Secure Enclave.

Take a look at Apple's iOS Security documentation; it describes exactly what the Secure Enclave and the Keychain are.

A Secure Enclave is a coprocessor fabricated within the system on chip (SoC). It uses encrypted memory and includes a hardware random number generator. As for the Keychain, the iOS Keychain provides a secure way to store these items (passwords and other short but sensitive bits of data). [...] The Keychain is implemented as a SQLite database stored on the file system.

The Keychain is a piece of software that stores encrypted data (such as passwords) in a SQLite database. The key that encrypts this data is inside the Secure Enclave - it never leaves the SE, as per this paragraph:

Keychain items are encrypted using two different AES-256-GCM keys, a table key (metadata) and a per-row key (secret key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed search, while the secret value (kSecValueData) is encrypted with the secret key. The metadata key is protected by the Secure Enclave processor, but cached in the application processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave processor.

To answer your question: are keychain items stored inside the Secure Enclave? No, they are stored inside a SQLite database on disk, but the encryption key needed to decrypt this data is inside the Secure Enclave. As for kSecAttrTokenIDSecureEnclave, that appears to be a flag that indicates that the key should be generated inside the Secure Element.
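An added example (not from the question or any of the answers) that walks the three questions through the current SecKey API, assuming a hypothetical label constant kExampleKeyLabel: the private key is generated inside the Secure Enclave via kSecAttrTokenIDSecureEnclave, the public key is derived from it and can be exported, the private key cannot be exported at all, and signing still works through the keychain reference.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Assumed label (not from the post) used to find the private key in the keychain later.
static NSString *const kExampleKeyLabel = @"com.example.se-demo-key";

// Generates a P-256 key pair whose private key is created inside the Secure Enclave
// and never leaves it. Returns the private key reference, or NULL with *error set.
SecKeyRef CreateSecureEnclaveKey(CFErrorRef *error) {
    // Usable only while unlocked, bound to this device, never exported or backed up.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage, error);
    if (!access) return NULL;
    NSDictionary *attributes = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave, // the flag asked about
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent:   @YES,                 // persist a keychain row for it
            (id)kSecAttrLabel:         kExampleKeyLabel,
            (id)kSecAttrAccessControl: (__bridge id)access,
        },
    };
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, error);
    CFRelease(access);
    return privateKey;
}

// Shows what the keychain row actually gives back: the public key can be exported,
// the private key cannot, yet it can still sign because the operation runs in the SE.
BOOL DemonstrateKeyHandling(SecKeyRef privateKey, NSData *message) {
    CFErrorRef error = NULL;
    // The public key is not stored separately; derive it from the private key reference.
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    NSData *pubBytes = CFBridgingRelease(SecKeyCopyExternalRepresentation(publicKey, &error));
    NSLog(@"public key export: %lu bytes", (unsigned long)pubBytes.length);
    // Export of an SE private key is refused: there is no plaintext copy to hand out.
    NSData *privBytes = CFBridgingRelease(SecKeyCopyExternalRepresentation(privateKey, &error));
    NSLog(@"private key export: %@", privBytes ? @"succeeded (unexpected)" : @"refused, as expected");
    if (error) { CFRelease(error); error = NULL; }
    // Signing: the message goes in, only the signature comes out of the Secure Enclave.
    SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
    NSData *sig = CFBridgingRelease(SecKeyCreateSignature(
        privateKey, alg, (__bridge CFDataRef)message, &error));
    BOOL ok = sig && SecKeyVerifySignature(
        publicKey, alg, (__bridge CFDataRef)message, (__bridge CFDataRef)sig, &error);
    if (error) CFRelease(error);
    CFRelease(publicKey);
    return ok;
}
```

Run on a Secure Enclave device (or a Mac with a T2/Apple silicon chip); in the simulator, key creation fails because there is no Secure Enclave.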

