Apple Details iPhone 5s Touch ID Scanner
Apple has updated its iOS Security document with detailed information about the Touch ID sensor found on the iPhone 5s.
Apple reiterates that Touch ID and the Secure Enclave store only a mathematical representation derived from each scanned fingerprint, never the fingerprint image itself. The Enclave, a coprocessor inside Apple's A7 processor, has its own secure boot and personalized software update process, separate from the application processor that runs the rest of iOS.
The Secure Enclave keeps its data protected even if the iOS kernel has been compromised, and each one is provisioned with a unique ID (UID) that is inaccessible to the rest of the system and unknown to Apple, so neither Apple nor any third party can reconstruct the keys that protect the data the Enclave holds.
“Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space,” the document said.
“Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.”
The A7's application processor forwards Touch ID data to the Secure Enclave but cannot read it: the sensor encrypts and authenticates each scan before it leaves the sensor, so only the Secure Enclave can decrypt and verify it.
“It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave,” the document reads. “The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.”
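The exchange the document describes, as an added example that is not Apple's code and is not taken from the iOS Security document: the sensor and the Secure Enclave each wrap a fresh random key under the factory shared key (RFC 3394 AES key wrap), the application processor relays the two blobs without being able to open them, both sides derive the same session key, and the sensor then sends scan data under AES-CCM. It assumes Python's `cryptography` package; the `Party`, `establish_session`, `can_pair`, `seal_scan`, `open_scan` and `relay_scan` names, the 13-byte nonce, the 16-byte tag, the sample scan bytes and the way the two random contributions are hashed into the session key are all assumptions, since the document gives no parameters or derivation.

```python
import os
import hashlib
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap, InvalidUnwrap
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

# Constructed stand-in for the key provisioned into both the Touch ID sensor and
# the Secure Enclave in the factory; the application processor never holds it.
SHARED_KEY = hashlib.sha256(b"example only: sensor/enclave pairing key").digest()
NONCE_LEN = 13  # 13-byte CCM nonce (assumption; the document gives no parameters)


class Party:
    """One endpoint of the exchange (the sensor or the Secure Enclave)."""

    def __init__(self, name, shared_key):
        self.name = name
        self.shared_key = shared_key
        self.my_random = os.urandom(16)  # this side's fresh contribution
        self.session_key = None

    def offer(self):
        """Wrap my random contribution under the shared key (RFC 3394 AES key wrap)."""
        return aes_key_wrap(self.shared_key, self.my_random)

    def accept(self, peer_blob):
        """Unwrap the peer's contribution and derive the session key.

        A blob wrapped under a different shared key, or altered in transit, fails
        the key-wrap integrity check and raises InvalidUnwrap before any key is set.
        """
        peer_random = aes_key_unwrap(self.shared_key, peer_blob)
        # Assumption: the document does not say how the two random keys are
        # combined; here they are hashed together with the sensor's first.
        sensor_r, enclave_r = (self.my_random, peer_random) if self.name == "sensor" else (peer_random, self.my_random)
        self.session_key = hashlib.sha256(b"touchid-session:" + sensor_r + enclave_r).digest()[:16]


def establish_session(sensor, enclave):
    """Run the exchange over the application processor, which only relays blobs."""
    blob_from_sensor, blob_from_enclave = sensor.offer(), enclave.offer()
    sensor.accept(blob_from_enclave)
    enclave.accept(blob_from_sensor)
    return sensor.session_key == enclave.session_key


def can_pair(sensor_shared_key, enclave_shared_key):
    """True only if the sensor and the Enclave were provisioned with the same shared key."""
    try:
        return establish_session(Party("sensor", sensor_shared_key), Party("enclave", enclave_shared_key))
    except InvalidUnwrap:
        return False


def seal_scan(session_key, scan):
    """Sensor side: AES-CCM encrypt-and-authenticate the scan; output is nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESCCM(session_key, tag_length=16).encrypt(nonce, scan, None)


def open_scan(session_key, msg):
    """Enclave side: verify the tag and decrypt; returns None if the tag check fails."""
    try:
        return AESCCM(session_key, tag_length=16).decrypt(msg[:NONCE_LEN], msg[NONCE_LEN:], None)
    except InvalidTag:
        return None


def relay_scan(shared_key, scan):
    """Walk one scan through the data path.

    Returns (plaintext recovered by the Enclave, whether the application processor
    could read the relayed message, whether a message it altered was accepted).
    """
    sensor, enclave = Party("sensor", shared_key), Party("enclave", shared_key)
    if not establish_session(sensor, enclave):
        raise RuntimeError("session keys differ")
    msg = seal_scan(sensor.session_key, scan)
    ap_read = open_scan(os.urandom(16), msg) is not None  # the AP holds no session key; a guess fails
    altered = msg[:NONCE_LEN] + bytes([msg[NONCE_LEN] ^ 0x01]) + msg[NONCE_LEN + 1:]
    altered_accepted = open_scan(enclave.session_key, altered) is not None
    return open_scan(enclave.session_key, msg), ap_read, altered_accepted


if __name__ == "__main__":
    scan = b"constructed fingerprint template, not an image"  # constructed sample input
    print(relay_scan(SHARED_KEY, scan))
    print("sensor with a different factory key pairs:", can_pair(SHARED_KEY, os.urandom(32)))
```

Two properties of the document's design fall out of the code: the relaying processor cannot open either the wrapped contributions or the sealed scan because it never holds the shared key or the session key, and a sensor provisioned with a different shared key cannot complete the exchange at all, because the key-wrap integrity check fails before any session key exists.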
Apple has also spelt out a strict no-third-party-apps rule for Touch ID data. “Touch ID authentication and the data associated with the enrolled fingerprints are not available to other apps or third parties,” reads the document.