Escrow security for iCloud Keychain
iCloud provides a secure infrastructure for keychain escrow to help ensure that only authorized users and devices can perform a recovery. Topographically positioned behind iCloud are clusters of hardware security modules (HSMs) that guard the escrow records. As described previously, each has a key that is used to encrypt the escrow records under their watch.
To recover a keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After this is done, users must enter their iCloud security code. The HSM cluster verifies that a user knows their iCloud security code using the Secure Remote Password (SRP) protocol; the code itself isn’t sent to Apple. Each member of the cluster independently verifies that the user hasn’t exceeded the maximum number of attempts allowed to retrieve their record, as discussed below. If a majority agree, the cluster unwraps the escrow record and sends it to the user’s device.
Next, the device uses the iCloud security code to unwrap the random keys used to encrypt the user’s keychain. With that key, the keychain—retrieved from iCloud key-value storage and CloudKit—is decrypted and restored onto the device. iOS, iPadOS, and macOS allow only 10 attempts to authenticate and retrieve an escrow record. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the 10th failed attempt, the HSM cluster destroys the escrow record and the keychain is lost forever. This provides protection against a brute-force attempt to retrieve the record, at the expense of sacrificing the keychain data in response.
These policies are coded in the HSM firmware. The administrative access cards that permit the firmware to be changed have been destroyed. Any attempt to alter the firmware or access the private key causes the HSM cluster to delete the private key. Should this occur, the owner of each keychain protected by the cluster receives a message informing them that their escrow record has been lost. They can then choose to reenroll.