Secure Enclave and kSecAttrKeySizeInBits 384

Hello!

The documentation says that the SE stores only 256-bit elliptic curve private keys at: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

However I'm a bit baffled because if I generate keys with kSecAttrKeyType kSecAttrKeyTypeEC, kSecAttrKeySizeInBits 384 and kSecAttrTokenID kSecAttrTokenIDSecureEnclave the call is successful. I get a private key that I also can query with SecItemCopyMatching.

I can also sign data with SecKeyCreateSignature with SecKeyAlgorithm.ecdsaSignatureMessageX962SHA384 algorithm and verify the signature with SecKeyVerifySignature. SecKeyIsAlgorithmSupported also returns ok.

So my question is this: What really happens? Are 384 bit keys supported by secure enclave? Does the key generation fail silently and use regular keychain? Does it somehow still use 256 bit keys in secure enclave even though 384 is specified?
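As an added illustration (this is not code from the thread or from Apple), here is a Swift probe that performs the steps described above for both 256 and 384 bits and then records the two things that actually settle where and what the key is: the attributes the framework reports via SecKeyCopyAttributes, and the byte length of the public key's X9.63 uncompressed point, which is 65 bytes for P-256 and 97 bytes for P-384 regardless of what any attribute says. The application tag "com.example.se-keysize-probe" and the message text are constructed for the example, and the SHA-384 variant is only chosen for the 384-bit trial.

```swift
import Foundation
import Security

/// What the Security framework reports for one Secure Enclave key-generation trial.
struct EnclaveKeyReport {
    let requestedBits: Int
    let reportedBits: Int?        // kSecAttrKeySizeInBits from SecKeyCopyAttributes
    let reportedTokenID: String?  // kSecAttrTokenID from SecKeyCopyAttributes, if present
    let publicPointBytes: Int     // X9.63 uncompressed point: 65 bytes for P-256, 97 for P-384
    let signatureVerified: Bool
}

// Hypothetical tag so the probe can find and delete its own key again.
private let probeTag = "com.example.se-keysize-probe".data(using: .utf8)!

private func deleteProbeKey() {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: probeTag,
    ]
    _ = SecItemDelete(query as CFDictionary)
}

func runTrial(bits: Int) throws -> EnclaveKeyReport {
    var error: Unmanaged<CFError>?
    deleteProbeKey()           // start clean in case an earlier run was interrupted
    defer { deleteProbeKey() } // never leave probe keys behind

    // Secure Enclave private keys require an access-control object with .privateKeyUsage.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage], &error) else { throw error!.takeRetainedValue() as Error }

    let generation: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // modern name for kSecAttrKeyTypeEC
        kSecAttrKeySizeInBits as String: bits,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: probeTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard SecKeyCreateRandomKey(generation as CFDictionary, &error) != nil else {
        throw error!.takeRetainedValue() as Error
    }

    // Re-fetch through the keychain, as the question does, rather than trusting the returned ref.
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: probeTag,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(lookup as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    let privateKey = found as! SecKey

    // 1. What the framework itself says about the key (either value may be absent).
    let attrs = SecKeyCopyAttributes(privateKey) as? [String: Any] ?? [:]
    let reportedBits = attrs[kSecAttrKeySizeInBits as String] as? Int
    let reportedToken = attrs[kSecAttrTokenID as String] as? String

    // 2. The curve is visible in the public point length, independent of any attribute.
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          let point = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }

    // 3. Sign and verify, with the hash matched to the requested size.
    let algorithm: SecKeyAlgorithm = bits == 384
        ? .ecdsaSignatureMessageX962SHA384 : .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecUnsupportedAlgorithm))
    }
    let message = Data("constructed test message".utf8)
    guard let signature = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    let verified = SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)

    return EnclaveKeyReport(requestedBits: bits, reportedBits: reportedBits,
                            reportedTokenID: reportedToken, publicPointBytes: point.count,
                            signatureVerified: verified)
}

for bits in [256, 384] {
    do {
        let r = try runTrial(bits: bits)
        print("requested \(r.requestedBits)-bit: attributes say \(r.reportedBits.map(String.init) ?? "?") bits, "
              + "token \(r.reportedTokenID ?? "none"), public point \(r.publicPointBytes) bytes, "
              + "verified \(r.signatureVerified)")
    } catch {
        print("requested \(bits)-bit: failed with \(error)")
    }
}
```

Run it as a main.swift on hardware with a Secure Enclave, not the simulator; on macOS the binary must be code-signed. The public point length is the check to trust: 97 bytes means a real P-384 key was produced wherever it lives, 65 bytes means the key is P-256 whatever kSecAttrKeySizeInBits was asked for. Whatever the 384-bit trial prints on a given OS, the DTS answer below is the policy to follow in shipping code.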

Answered by DTS Engineer in 695373022

Are 384 bit keys supported by Secure Enclave?

That depends on what you mean by “supported” (-: Clearly it works under some specific circumstances, however the official word is that the SE only supports P-256 keys. Don’t use anything else in products that you care about.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
