Secure Enclave security

Hello! The other day I had trouble running the application to interact with the Secure Enclave. (https://developer.apple.com/forums/thread/748611?page=1#783968022)

While my program is running perfectly fine now, I still have questions regarding its security. QUESTIONS: Is there any functionality, just with the public key, to get evidence that the corresponding private key is protected by the Secure Enclave, without showing the source code? Even with the most recent update of iOS 17.4, there is still no way to directly access the functionality of a Secure Element itself, is that right? So far I found a function SecureElementPass, and it seems like it’s the only interaction possible. What is the difference between using the Security API and Apple CryptoKit? I heard some say it’s a matter of habit and device support, but I would still like to hear the opinion of a professional.

Any information regarding that will be helpful. Thank you in advance for your time and effort!

Answered by DTS Engineer in 784586022

Is there any functionality, just with the public key, to get evidence that the corresponding private key is protected by the Secure Enclave, without showing the source code?

Not really. SE-protected keys are always P256, and you can tell that from the public key. However, it’s common to have P256 keys that are not SE-protected.

Even with the most recent update of iOS 17.4, there is still no way to directly access the functionality of a Secure Element itself, is that right?

I don’t know what you mean by “directly access”.

What is the difference between using the Security API and Apple CryptoKit?

There are lots of differences:

  • Functionality-wise:

    • Some functionality is common to both frameworks.

    • But some functionality is unique to one or the other.

    For example, Security framework can work with RSA keys, but Apple CryptoKit cannot. OTOH, Apple CryptoKit has an AES-GCM implementation, but Security framework does not.

  • Apple CryptoKit was designed to avoid common security traps. Most notably, it takes advantage of Swift’s advanced type system to prevent common mistakes, like providing a public key when the API is expecting a private key. OTOH, Security framework is much more old school in its approach.

  • Apple CryptoKit is much easier to use from Swift, although Security framework is not too bad if you have the right helpers and apply some best practices.

  • Apple CryptoKit has an open source companion, Swift Crypto, that provides the same API on other platforms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
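The first and second points above, as an added Swift example that is not code from the thread (it assumes CryptoKit on an iPhone or a Mac with a Secure Enclave and falls back to a software key elsewhere; the names SigningKey, KeyOrigin and describe are made up for the illustration): a Secure Enclave P-256 key and a plain software P-256 key hand out public keys of the same type and encoding, so nothing in the public key itself proves SE protection, while CryptoKit’s distinct key types make the public/private mix-up a compile error.

```swift
import Foundation
import CryptoKit

// Added example, not from the thread. A Secure Enclave P-256 key and a
// software P-256 key expose public keys of the same type and encoding, so
// the public key alone cannot prove SE residency; CryptoKit's types keep
// the public and private roles apart at compile time.

enum KeyOrigin { case secureEnclave, software }   // hypothetical helper

struct SigningKey {                               // hypothetical helper
    let origin: KeyOrigin
    let publicKey: P256.Signing.PublicKey        // same type for both origins
    private let signer: (Data) throws -> P256.Signing.ECDSASignature

    /// Uses the Secure Enclave when present (real device); otherwise a
    /// software key (Simulator, or a Mac without a Secure Enclave).
    static func make() throws -> SigningKey {
        if SecureEnclave.isAvailable {
            let key = try SecureEnclave.P256.Signing.PrivateKey()
            return SigningKey(origin: .secureEnclave, publicKey: key.publicKey,
                              signer: { try key.signature(for: $0) })
        }
        let key = P256.Signing.PrivateKey()
        return SigningKey(origin: .software, publicKey: key.publicKey,
                          signer: { try key.signature(for: $0) })
    }

    func sign(_ message: Data) throws -> P256.Signing.ECDSASignature {
        try signer(message)
    }
}

/// Everything a verifier can learn from the public key alone: the curve and
/// the encoding. Both origins yield a 65-byte uncompressed X9.63 point, so
/// this cannot tell them apart; SE residency needs a separate attestation.
func describe(_ pub: P256.Signing.PublicKey) -> String {
    "P-256 public key, \(pub.x963Representation.count) bytes X9.63"
}

let key = try SigningKey.make()
let message = Data("constructed sample message".utf8)   // constructed input
let signature = try key.sign(message)

print(describe(key.publicKey), "origin:", key.origin)
print("verifies:", key.publicKey.isValidSignature(signature, for: message))

// Type safety in practice: `key.publicKey.signature(for: message)` does not
// compile, because P256.Signing.PublicKey has no signing method at all.
```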

Does the Secure Enclave work on a jailbroken device?

I can’t answer that, because it depends on exactly how the device has been modified.

If you’re developing apps for iOS and you’re concerned about your app’s integrity, I recommend that you look at App Attest. See Establishing your app’s integrity.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
