way to attest that a Secure Enclave key is hardware-bound on macOS

We generate Secure Enclave keys via SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave on macOS. We need to prove to a remote server that the key is genuinely hardware-bound, not a software key claiming to be one.

Is there any API on macOS for an app to obtain an Apple-signed certificate or attestation statement for such a Secure Enclave key, similar to how ASAuthorizationProviderExtensionLoginManager.attestKey() works within Platform SSO but available to general apps? Or other possible workaround for this? Thank you!

Answered by DTS Engineer in 886552022

I don’t think there’s a good way to do that. I’m not even sure how that’d work, because the only info you can extract from the key is the public key bits, and there’s nothing special about those.

Realistically, you need something like App Attest, to give you a signal that the device as a whole can be trusted. Sadly, that’s not available on macOS.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I don’t think there’s a good way to do that. I’m not even sure how that’d work, because the only info you can extract from the key is the public key bits, and there’s nothing special about those.

Realistically, you need something like App Attest, to give you a signal that the device as a whole can be trusted. Sadly, that’s not available on macOS.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello everyone,

following up on the question asked and the answer provided, on iOS now, I get the impression that App Attest allows us to get an attestation from Apple about the fact that the environment on which the app is installed can be trusted.

Unless I'm mistaken, I don't believe the App Attest mechanism can specifically certifies that a key created within the app (SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave) is actually located in the Secure Enclave.

If that's the case, is there another process on iOS that allows us to get a certification from Apple regarding this point? (this certification for instance could be provided to a remote server for validation)

Thanks!

is actually located in the Secure Enclave.

To be clear, the keys you create with kSecAttrTokenIDSecureEnclave are not “located in the Secure Enclave”. Rather, they are protected by the Secure Enclave. This is a common misconception, one that I address in the Keys Aren’t Stored in the Secure Enclave section of SecItem: Pitfalls and Best Practices.

is there another process on iOS that allows us to get a certification from Apple regarding this point?

Not directly. But you can follow an indirect chain of trust: If you trust that the OS and app haven’t been compromised and you wrote the app and trust your own code then you can be reasonably sure that the app will only give you an SE-protected key. And App Attest can help with that first step.

IMPORTANT I’m using the words “can help” deliberately. Quoting the DeviceCheck framework docs:

No single policy can eliminate all fraud. For example, App Attest can’t definitively pinpoint a device with a compromised operating system. Instead, the DeviceCheck services provide information that you can integrate into an overall risk assessment for a given device.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello!

Thank you for your response regarding the key attestation and for clarifying the "storage of Secure Enclave” keys.

I was confused by the description of kSecAttrTokenIDSecureEnclave (https://developer.apple.com/documentation/security/ksecattrtokenidsecureenclave?language=objc), which explicitly states that items created with this parameter are stored in the Secure Enclave.

Can you confirm that operations involving keys protected by the Secure Enclave are performed within the SEP and that no private data leaves the SEP during these operations?

Thanks!

I was confused by the description of kSecAttrTokenIDSecureEnclave

Oh, hey, thanks for pointing that out. We missed that when we fixed the Protecting keys with the Secure Enclave article. I’ll get that changed (r. 181575543).

Can you confirm that operations involving keys protected by the Secure Enclave are performed within the [Secure Enclave Processor] … ?

Correct. To quote Protecting keys with the Secure Enclave:

you instruct the Secure Enclave to create and encode the key, and later to decode and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

and:

Not having a mechanism to transfer plain-text key data into or out of the Secure Enclave is fundamental to its security.

and that no private data leaves the [Secure Enclave Processor] during these operations?

Correct.

Well, that depends on what you mean by “private data”. If you use a private key to decrypt some data then obviously that plaintext, which is very much private data, is gonna leave the Secure Enclave. But if you’re asking whether the private key can leave the Secure Enclave then the answer to that is “No.”

Having said that, this is all based on my imperfect understanding of how various bits of our system fit together. For definitive answers, I recommend that you consult the Apple Platform Security doc.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

way to attest that a Secure Enclave key is hardware-bound on macOS
 
 
Q