iOS 8 And OS X 10.10 Need to Fix iCloud Keychain
By Judith Aparri | May 6, 2014 6:07 AM EST
Currently, there are two reported issues with iCloud Keychain that the upcoming iOS 8 and OS X 10.10 will hopefully fix. These issues make iCloud Keychain unusable for those whose main concern is security.
iCloud Keychain allows generation, storage and management of unique, strong passwords for Apple's Mac, iPad and iPhone. It is used to save credit card and password information and to sync them securely across devices. In theory, it would be a convenient and secure feature if not for its flaws.
Problem 1: No Re-authentication
iCloud Keychain does not require re-authentication to grant access to the stored information. If the device, whether an iPad, iPhone or Mac, is unlocked, anyone who uses it can access stored credit cards and passwords.
When iCloud Keychain is enabled, device owners cannot simply hand the unit over to a colleague, friend, family member or to anyone else as there will be a risk of having credit cards and passwords accessed.
Whether it is to make an emergency call, search for something on the Web, play games or do anything else, people usually use their mobile devices, and this leaves a hole in iCloud Keychain.
Third-party password managers, found in Apple's iTunes App Store, usually require a "master password." Apple also requires re-authentication before a user buys apps on the App Store, so this is something Apple ought to be aware of.
iOS and OS X should not give passwords and credit cards less protection than they give accounts on iTunes.
Problem 2: Weak Cryptography
Apple is doing a good job in security-centered cryptography in most of its architectures, except in iCloud Keychain.
For unexplained reasons, iCloud Keychain uses a bad curve, the P-256 curve, one that no one trusts, as it has numerous characteristics that make it weak, as shown on the SafeCurves and StackExchange sites.
The iCloud Keychain flaws may be so technical that not everyone would want to fully comprehend them. But some people are smart enough to understand them, and when a standard is found to be weak, anyone who wants security would move away from it.
Apple has used a curve that the security community has determined to be weak; nobody should be using it if they want to be trusted.
If Apple can correct its crypto and make it rock-solid throughout the system, it would be great if it did so in OS X 10.10 and iOS 8.