XCreds Local Secrets Cryptography

Overview

XCreds 5.2 includes a new secrets file for encrypting the local administrator password and username/password information for card login (RFID). The passwords are required for the following reasons:

Local Admin Password: When a user forgets their password and resets it outside the Mac, the keychain in the local user account cannot be reset/replaced without the local administrator password. The local administrator password allows the user to reset their keychain without a local administrator present.

RFID User: When a user authenticates with an RFID card, the local username and password is used log in. This is required to unlock the user keychain.

Summary

1. The local admin password is protected by file permissions and access to the system keychain.
2. The RFID UID user passwords are protected by file permissions, access to the system keychain, the RFID UID of the user and the user PIN.

Password Protection Details

To protect the passwords, a local encrypted file is created at /usr/local/var/twocanoes/secrets.bin. The entire file is encrypted using an asymmetric key created in the system keychain. The password to unlock the system keychain is located in a SIP-protected area of the filesystem, and only the system has access to it when SIP is enabled and the system is booted. Within the encrypted data, the RFID user passwords are individually encrypted.

The system incorporates multiple layers of encryption depending on the data type stored in the secrets.bin file. Both the admin user and the RFID users have passwords, but the RFID users also have an associated RFID and potentially a user PIN. When the user password is encrypted, the password is encrypted as follows:

RawKey: RFID-UID (7 bytes, 0x00 prefix padded) + PIN + Machine Serial number

A 16 byte salt is then generated and appended to the raw key and SHA256 hashed. This key is then stretched 65535 times for brute force prevention. This result is then used as the symmetric key to encrypt the user password.

The admin password does not have a PIN or an RFID, so it does not benefit from user-provided data for additional protection. It is, however, associated with the machine serial number and encrypted with an asymmetric key in the system keychain.

The RFID user password is hashed and stretched with the local serial number, optional PIN and padded RFID UID. To decrypt the RFID user password, the secrets.bin must be decrypted using a key from the system keychain, and the symmetric key created using the optional user PIN, the local machine serial number, and RFID-UID of the card. Since the PIN is optional and the RFID UID may be short (some cards have 3-byte UIDs), the key is stretched to increase the work required to brute force to derive the symmetric key. It is recommended that RFID cards with long UID are used and a longer user PIN is used depending on security requirements.

The local admin password is protected by the system keychain and access control that limits access only to XCreds and the login window process. The system keychain password can be obtained by booting to recovery. It is recommended that a firmware password and full disk encryption be used to prevent the system keychain and the system keychain password from being exfiltrated from the system.

Hardening

Protecting Secrets.bin

1. Verify permissions on /usr/local/var/twocanoes/ are readable only by the system and root.
2. Use full disk encryption if possible.
3. Use a firmware password if possible to prevent access to the system keychain password from recovery.

Protecting Access to RFID User Passwords

1. Use RFID cards that have 7-byte or longer UIDs.
2. Use RFID cards that have randomized UIDs.
3. Use PIN as applicable.