Decrypting encrypted iPhone backups

["Adam Behnke" <adam () infosecinstitute com>]

Data protection mechanism introduced in iOS 4 protects the sensitive data in
files on the file system and items in the keychain by adding another layer
of encryption. Data protection uses the user’s passcode key and the device
specific hardware encryption keys to generate a set of class keys which
protect the designated data. Developers use the data protection API to add
protection class flag to the files and the keychain items. On the iPhone,
protection class keys are stored in the System Keybag. During the backup,
iTunes generates a new set of protection class keys and stores them in the
Backup Keybag. Class keys stored in the System Keybag are different from the
keys in the Backup Keybag. Protected files and data in the backup are
encrypted using the class keys that are stored in the Backup Keybag. In
normal backups Backup Keybag is protected with a key generated from the
iPhone hardware (Key 0×835) and in encrypted backups it is protected with
the iTunes password. 

The article at InfoSec Institute here:
http://resources.infosecinstitute.com/iphone-forensics-part2/ discloses the
procedure to extract protection class keys from the Backup Keybag and covers
the techniques & the tools to decrypt the protected backup files and the
encrypted backups.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/