Scramble Keychain contents with a persistent key #611
Description
Hi, this is a proposal for the following behavior/algorithm to be implemented:
- Store a persistent, pseudorandomly-generated key e.g. in UserDefaults or on disk.
- Store a parallel key in the keychain
- On each initialization of the Keychain instance, check the parity of both keys. If they match, assume that the data stored in the keychain is valid.
- If the client tries to query one of the keychain items, try to get the item first, then decrypt it with a symmetric encryption algorithm with a key derived from the one stored in the UserDefaults or on disk from the step 1.
- When storying the key, scramble it with the key mentioned in step 1.
- In case the step 3 fails, i.e. the decryption key is either missing or incorrect, erase the keychain and assume that the app has just been uninstalled. Since the key is now missing, there is no even theoretical possibility of the data of the previous session leaking into a new one.
This idea has been expressed earlier in the Apple Developer Support forums by one of the engineers:
https://developer.apple.com/forums/thread/36442
If you fall into the second category, you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk. If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item.
The motivation behind this functionality is as follows:
- Normally, if the app is reinstalled, the keychain contents are not erased.
- In order to erase the contents of the keychain, e.g. on app reinstallation, the developer usually puts some flag in user defaults or on a disk storage which indicates that the app has been relaunched. If the app is launched for the first time after the installation or a reinstallation, this flag would be missing.
- In case of a missing flag, the system would erase the contents of keychain.
The problem with this approach is that it's not fail-safe. For example, if the code related to the erasure of the keychain is removed by accident, the contents of the previous session would leak into a new session, therefore risking data integrity / confidentiality.
Examples: User 1 installs the app, logs in, removes the app. User 2 installs the same app and if the code responsible for removing the keychain items fails or missing, the User 2 would see the User's 1 login details.
In the case as proposed in the Apple Developer Forums this would not be possible, as a new encryption/decryption key would be generated which would not work with the old data.
Solves #309