Category: Coding Mistakes

Suboptimal symmetric key derivation

Medium Severity
Medium Impact
Medium Likelihood

Description

Family Wallet supports backup of private key material to iCloud. The app encrypts the private key material using CryptoKit ChaChaPoly, with a 256-bit symmetric key derived from a user password. The user password must satisfy the app's password-strength requirements.

The app supports three key derivation schemas:

  • v1 — the symmetric key is derived from the SHA-256 hash of the user password, converted to ASCII hex and truncated to the first 32 characters.

  • v2 — the symmetric key is derived from the raw binary SHA-256 hash of the user password.

  • v3 — the symmetric key is derived with PBKDF2-SHA256, using 750k rounds and a fixed salt.

When creating a new item, the app automatically uses the newest available schema; older schemas are supported for backwards compatibility purposes.

All three schemas have weaknesses and do not adhere to common best practices. Furthermore, there is no mechanism for re-encrypting old backups that were created using an older and weaker scheme.

Impact

The v1 and v2 schemas are weak against brute-force attacks, as they consist of only a single round of SHA-256. They are also vulnerable to rainbow tables, as there is no salt. The v1 schema unnecessarily truncates the real entropy of the key to 128 bits: the SHA-256 output is encoded as ASCII hex and truncated from 64 to 32 bytes, so each byte of the resulting key is one of only 16 characters and carries 4 bits of entropy.

While the v3 schema is more resistant to brute-force attacks, it is still vulnerable to rainbow-table attacks, because the salt is fixed.

Recommendations

Implement a random salt for each symmetric key. Consider using a stronger key-derivation function such as Argon2id.
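As an added example (not code from the Family Wallet app or from the Zellic report), the following Python reproduces the three schemas as the finding describes them, beside the recommended shape of a per-backup random salt stored next to the ciphertext. The fixed-salt value, the version-4 header layout, and the `needs_reencryption` hook are assumptions; PBKDF2-HMAC-SHA256 stands in for Argon2id because the Python standard library has no Argon2 implementation.

```python
"""Password-to-key derivation for encrypted backups: the three weak schemas
from the finding, an entropy bound that exposes the v1 truncation, and a
salted scheme that stores its salt in a backup header. Added example, not
Family Wallet code."""
import hashlib
import os

PBKDF2_ROUNDS = 750_000                 # iteration count stated in the finding
FIXED_SALT = b"constructed-fixed-salt"  # placeholder: the report does not disclose the app's salt
HEX_ALPHABET = set(b"0123456789abcdef")
LATEST_VERSION = 4                      # assumed: the salted schema defined below


def derive_v1(password: str) -> bytes:
    """v1: SHA-256 hex digest truncated to its first 32 characters.
    The 32-byte key is drawn from a 16-symbol alphabet, i.e. 4 bits per byte."""
    return hashlib.sha256(password.encode()).hexdigest()[:32].encode("ascii")


def derive_v2(password: str) -> bytes:
    """v2: the raw 32-byte SHA-256 digest. Full width, but one unsalted
    hash: the same password always yields the same key, so a table built
    once works against every backup."""
    return hashlib.sha256(password.encode()).digest()


def derive_v3(password: str, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """v3: PBKDF2-HMAC-SHA256 with a fixed salt. Slow per guess, but the
    fixed salt still lets one precomputed table cover all users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, rounds, dklen=32)


def derive_salted(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Recommended shape: a per-key random salt supplied by the caller.
    Argon2id would be preferable; PBKDF2 is used here as a stand-in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)


def effective_key_bits(key: bytes) -> int:
    """Upper bound on key entropy from the byte alphabet: a key consisting
    only of hex characters carries at most 4 bits per byte, otherwise 8."""
    per_byte = 4 if all(b in HEX_ALPHABET for b in key) else 8
    return len(key) * per_byte


def new_backup_header(rounds: int = PBKDF2_ROUNDS) -> dict:
    """Fresh 16-byte salt per backup. The salt is not secret: it is stored in
    the clear beside the ciphertext so the key can be re-derived on restore."""
    return {"version": LATEST_VERSION, "salt": os.urandom(16).hex(), "rounds": rounds}


def recover_key(header: dict, password: str) -> bytes:
    """Re-derive the key from a stored header (what the restore path does)."""
    return derive_salted(password, bytes.fromhex(header["salt"]), header["rounds"])


def needs_reencryption(header: dict) -> bool:
    """The finding notes there is no path for re-encrypting old backups; a
    version check like this is where such a migration would be triggered."""
    return header.get("version", 1) < LATEST_VERSION


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("v1 bits:", effective_key_bits(derive_v1(pw)))   # 128
    print("v2 bits:", effective_key_bits(derive_v2(pw)))   # 256
    print("v3 deterministic:", derive_v3(pw, 1000) == derive_v3(pw, 1000))
    h = new_backup_header()
    print("salted keys differ across backups:",
          recover_key(h, pw) != recover_key(new_backup_header(), pw))
    print("needs re-encryption:", needs_reencryption({"version": 3}))
```

The `rounds` parameter exists only so the slow schemas can be exercised quickly in a test; a real backup should keep the full count (or move to Argon2id) and record the count it used in the header, as `new_backup_header` does, so the parameters can be raised later without breaking old backups.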

Remediation

This issue concerning a lack of randomized salt was remediated in the following commit:

  • 9a31e844ed8c6fdecfe4bec00f4819e82f9496c9

Zellic © 2024