Apple’s Secure Enclave for Touch ID And Its Importance Detailed
Alchemist and metaphysician Brian Roemmele has written an interesting article on Quora detailing how the new “secure enclave” in the A7 processor of the iPhone 5S, which stores the encrypted fingerprint biometric ID, actually works and why it is so important for security. The author notes that Apple perfected Touch ID over several years of very hard work, which included several patent applications, the acquisition of AuthenTec and the selection of the A7 processor.
The article details that ARM’s TrustZone technology is tightly integrated into the A7 processor and extends throughout the system. This is also one of the reasons why Apple moved to the A7: Apple needed a processor that is already aware of the concept of encryption and has the dedicated hardware to create a segregated, secure area within the processor architecture. Apple has customized a highly optimized version of TrustZone and created what is now known as the “Secure Enclave”.
“The security of the TrustZone system is achieved by partitioning all of the hardware and software resources so that they exist in one of two worlds – the Secure world for the security subsystem or the Normal world for everything else. The TrustZone-enabled AMBA3 AXI bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two.
To use Touch ID you will also have to create a passcode as a backup. Only that passcode can unlock the phone if the phone is either rebooted (for example, after a full battery drain) or hasn’t been unlocked for 48 hours. This is a genius feature that is meant to set a time limit for criminals if they try to find a way to circumvent the fingerprint scanner.”
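The passcode fallback rule quoted above is easy to get wrong at the edges (what a reboot forgets, when the 48-hour window starts, what happens exactly at the boundary), so here is a small model of it as a state machine. This is an added example for illustration and is not Apple's code or code from the Quora article; the class and method names, the constructed timestamps, and the choices that a passcode unlock restarts the window and that the boundary is strict (exactly 48 hours already requires the passcode) are assumptions of this model, not documented Apple behaviour.

```python
"""Model of the Touch ID passcode-fallback policy (added example, not Apple's code).

Rules taken from the article: a fingerprint alone may not unlock the device
after a reboot (until the passcode has been entered once) or after 48 hours
without an unlock. Names, timestamps and boundary behaviour are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# From the article: 48 hours without an unlock forces the passcode.
BIOMETRIC_WINDOW = timedelta(hours=48)


@dataclass
class DeviceLockState:
    """Tracks only what the policy needs: the last unlock time and whether a
    passcode unlock has happened since the last boot."""
    last_unlock: Optional[datetime] = None
    passcode_unlocked_since_boot: bool = False

    def reboot(self) -> None:
        """Power loss or restart: the biometric entitlement is forgotten."""
        self.last_unlock = None
        self.passcode_unlocked_since_boot = False

    def biometric_allowed(self, now: datetime) -> bool:
        """True only if a fingerprint match alone may unlock the device.

        Both conditions must hold: a passcode unlock has occurred since boot,
        and the most recent unlock is less than BIOMETRIC_WINDOW ago.
        (Strict '<' at the boundary is an assumption of this model.)
        """
        if not self.passcode_unlocked_since_boot or self.last_unlock is None:
            return False
        return now - self.last_unlock < BIOMETRIC_WINDOW

    def unlock_with_passcode(self, now: datetime) -> None:
        """The backup factor always works and re-arms biometric unlock."""
        self.passcode_unlocked_since_boot = True
        self.last_unlock = now

    def unlock_with_fingerprint(self, now: datetime) -> str:
        """Attempt a biometric unlock; report which factor was accepted/required."""
        if not self.biometric_allowed(now):
            return "passcode_required"
        self.last_unlock = now
        return "unlocked_by_fingerprint"


def run_scenario() -> List[str]:
    """Walk the policy through boot, normal use, the 48-hour expiry and a reboot.

    Timestamps are constructed for the example.
    """
    t0 = datetime(2013, 9, 20, 9, 0)
    dev = DeviceLockState()
    log = []
    # Fresh boot: no passcode yet, so the fingerprint must be refused.
    log.append(dev.unlock_with_fingerprint(t0))
    dev.unlock_with_passcode(t0)
    # One hour later: inside the window, fingerprint accepted.
    log.append(dev.unlock_with_fingerprint(t0 + timedelta(hours=1)))
    # 47h59m after the previous unlock: still inside the window.
    log.append(dev.unlock_with_fingerprint(t0 + timedelta(hours=48, minutes=59)))
    # 48h01m after the previous unlock: window expired, passcode required.
    log.append(dev.unlock_with_fingerprint(t0 + timedelta(hours=97)))
    dev.unlock_with_passcode(t0 + timedelta(hours=97))
    # Passcode entry re-armed the fingerprint.
    log.append(dev.unlock_with_fingerprint(t0 + timedelta(hours=98)))
    # A reboot (e.g. battery drain) clears the entitlement regardless of time.
    dev.reboot()
    log.append(dev.unlock_with_fingerprint(t0 + timedelta(hours=98, minutes=5)))
    return log


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(f"step {step}: {outcome}")
```

The point of the model is that the two conditions are independent: a reboot forces the passcode even one minute after a successful unlock, and the 48-hour clock is measured from the last unlock of either kind, so a device that is used daily never hits it while a seized, powered-on device does.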
The author notes that Apple has “wisely restricted access to Touch ID” and has not made any APIs available to developers. In fact, this is why Apple has removed the iCloud Keychain from the most recent developer build of iOS 7. “The technology is now limited to just two use cases, device unlock and iTunes and App Store purchases”, says the author.
It seems that Apple will eventually provide developer API access to Touch ID, though some areas will remain restricted, as Apple wants to be the “sole provider in those areas”.