hello0904 | 1 year ago

Well, the real problem is iCloud Keychain is essentially a "black box" system. Apple does use AES encryption in various parts of their security architecture, as documented in their security white papers. But we can't confirm the specific implementation details for iCloud Keychain.

And you should also know...

Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2).

chrisBob|1 year ago

> Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2) rather than encryption algorithms like AES.

That is true if you are running a service that USES passwords. In that case you just need to confirm they match. That is not true if you are running a password manager where the user needs to be able to get their plain text password back out of the system.
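Added example, not part of any comment in this thread: the two storage models contrasted above, side by side. It assumes the third-party `cryptography` package for AES-GCM; the function names, the iteration count and all sample values are constructed for illustration.

```python
from __future__ import annotations
import hashlib, hmac, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def _kdf(secret: str, salt: bytes) -> bytes:
    """Stretch a human-chosen secret into 32 bytes (digest or AES-256 key)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)

# Service that USES passwords: keep only salt + one-way digest, then compare.
def service_store(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

def service_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)  # constant-time

# Password manager: the plaintext must come back out, so the entry is
# encrypted under a key derived from the master password (never stored).
def vault_seal(master: str, site: str, site_password: str) -> dict:
    salt, nonce = os.urandom(16), os.urandom(12)  # fresh per entry
    # The site name is bound as associated data: moving the ciphertext to
    # another site's record makes decryption fail.
    ct = AESGCM(_kdf(master, salt)).encrypt(nonce, site_password.encode(), site.encode())
    return {"site": site, "salt": salt, "nonce": nonce, "ct": ct}

def vault_open(master: str, entry: dict) -> str | None:
    key = _kdf(master, entry["salt"])
    try:
        pt = AESGCM(key).decrypt(entry["nonce"], entry["ct"], entry["site"].encode())
    except InvalidTag:  # wrong master password or tampered entry
        return None
    return pt.decode()

if __name__ == "__main__":
    rec = service_store("login-pw-constructed")
    print("service verify:", service_verify("login-pw-constructed", rec))
    entry = vault_seal("master-constructed", "example.com", "site-pw-constructed")
    print("vault recovers:", vault_open("master-constructed", entry))
    print("wrong master  :", vault_open("not-the-master", entry))
```

The service record cannot be turned back into the password; the vault entry can, but only by someone who supplies the master password.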

nicce|1 year ago

The whole OS is a black box. We trust that keyloggers are not everywhere. We need to trust completely or not at all. I think there is nothing in between when the same vendor is also supplying the underlying closed-source OS.

hello0904|1 year ago

Agreed. But we are talking encryption and why there aren't open source algorithms for iCloud. I find it funny, as when you submit iOS apps to the App Store they specifically require encryption standards and no "roll your own algos/cryptos", but at the same time all their crypto is a black box.

I'm a happy Apple user, love the OS...just saying.