6

I can't find information about EC curve used by Apple's iOS platform. The algorithm name that I could see in their docs is:

eciesEncryptionCofactorVariableIVX963SHA256AESGCM

However, there is no any explanation what it refers to. I've tried to find info about cofactor IVX963 with n/a so far. I read somewhere that Apple has adopted DJB's Curve25519. Is this the one that iOS uses as well?

If not, probably you can provide some pointers like NIST refs or anything else in public domain explaining what this is exactly.

Answer below is good (I've accepted it) and it does provide a lot of information, but clarification is still required.

The only ref that links curve in question with p256r1 is from a private blogger who primarily talks about generating curves of different types. While p256r1 has been generated in the demo, he doesn't know what other curves can be generated this way, nor it's clear how his curve generating scripts are related to the curve in this post.

This rough demo script isn’t set up to handle curves other than P256v1

More information is needed

  1. A more official link that explains what this curve is
  2. Equation type, domain parameters, etc.

I hope, it's not P256r1/v1

Please also note that the recommended curve is not even available in iOS 14.1, which is very recent

Type 'SecKeyAlgorithm' has no member 'kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM

UPDATE I found the new link provided by @kelalaka very useful and practical, especially this part of it:

import Sodium

let sodium = Sodium()
let curve25519KeyPair = sodium.box.keyPair()
let privateKey = curve25519KeyPair!.secretKey
let publicKey = curve25519KeyPair!.publicKey

This is what everyone should use in EC domain, not the old and obscure Apple's CommonCrypto

Oleg Gryb
  • 366
  • 6
  • 11

1 Answers1

9

Apple's CryptoKit Suite

Apple's documentation is sparse, we need to look at all available sources. (The CryptoKit documentation provides only short descriptions and lists.)

The apple/swift-crypto Github has source code. The project description:

Swift Crypto is an open-source implementation of a substantial portion of the API of Apple CryptoKit suitable for use on Linux platforms. It enables cross-platform or server applications with the advantages of CryptoKit.

The below from the iOS page SecKeySizes

  • secp192r1: 192-bit ECC Keys for Suite-B from RFC 4492 section 5.1.1.
  • secp256r1: 256-bit ECC Keys for Suite-B from RFC 4492 section 5.1.1.
  • secp384r1: 384-bit ECC Keys for Suite-B from RFC 4492 section 5.1.1.
  • secp521r1: 521-bit ECC Keys for Suite-B from RFC 4492 section 5.1.1.

There is also iOS-compatible ECIES implementation in Java.

kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM

About this constant:

If we take a look at the corresponding constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM defined in SecKey.h ... then we can see that this algorithm is considered “legacy” and the recommended one is SecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM instead (in Swift it’s eciesEncryptionCofactorVariableIVX963SHA256AESGCM).

and this from darthnull.org/security:

  • ECIES: Elliptic Curve Integrated Encryption System - an open standard that defines exactly how to do what we’re about to do.
  • Cofactor: Include the elliptic curve’s “cofactor” when completing the Diffie-Hellman key agreement process.
  • X963SHA256: Use the ANSI x9.63* key derivation function (KDF), with SHA-256 as an underlying hash function.
  • AESGCM: For the final symmetric encryption, use AES in Galois Counter Mode (GCM), a form of authenticated encryption.

The curve is SecP256R1 (This claim needs to be verified!!!)

The Secure Enclave

Apple describes the Secure Enclave as "a representation of a device’s hardware-based key manager".

Secure Enclave only has

  • NIST P-256 signatures and key agreement as of 2020.

*real ANSI X9.63 is here

kelalaka
  • 49,797
  • 12
  • 123
  • 211