Are Keychain p12 files considered secure?

In the projects I work on it's common for Keychain p12 files, containing signing certificates & private keys, to be further encrypted before being stored in a repository.

Given the p12 file is an industry standard storage format that uses password protected encryption, I was wondering if this extra encryption step was really necessary.

One reason the extra step may have been added is that the Triple DES encryption that Keychain uses by default was not considered to be secure enough. A Google search on the topic does suggest that newer algorithms are preferred.

However, it seems unlikely that Apple would use an insecure export format in Keychain, so the general advice found online may not apply here?

I also noticed that Triple DES may be officially disallowed by NIST [800-131A Revision 2] at the end of 2023. Does that mean that Keychain will be updated before then?

Replies

So, there are three parts to this:

  • How are Apple .p12 files encrypted? (A)

  • Is that considered secure? (B)

  • Is this going to be fixed by the end of 2023? (C)

I can only answer A. The info you’ve discovered is correct: Apple’s .p12 files use older encryption standards. It’s easy to see this by exporting a .p12 and dumping its structure [1].

% dumpasn1 -a -p Frankie.p12 
…
    pbeWithSHAAnd40BitRC2-CBC (1 2 840 113549 1 12 1 6)
…
    pbeWithSHAAnd3-KeyTripleDES-CBC (1 2 840 113549 1 12 1 3)
…
    OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
…

Normally I’d suggest filing a bug about this but that’s not necessary in this case (r. 23040329).


With regards B, I can’t answer that because the definition of “secure” depends on the context. You’ll have to decide on whether this is secure enough for you.

With regards C, I can’t predict The Future™, alas.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I’m using dumpasn1 here.

https://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

  • Adding another bug number, just for my own records (r. 45298245).

  • Another note to myself: The -legacy option for the pkcs12 subcommand in the openssl tool.


Thank you Quinn,

Our context is the storage of App Store Connect Development, Distribution, and Enterprise signing certificates for use in CI pipelines. The passwords for the extra encryption step are treated in the same way as the passwords for the p12, so I think in this case it comes down to the encryption algorithms themselves and how vulnerable those are to attack and what you could do with the certs if you stole them.

You are correct of course, the question "Is it considered secure" is an unanswerable open question 🤦‍♂️. So I was hoping for some expert knowledge to feed into that judgement. Maybe on the technical side "Triple DES would take a non state actor approximately 2.62 billion years to brute force with current technology", on the industry side: "Triple DES is secure until NIST says otherwise (Dec 2023)" or perhaps on the Apple side: "Distribution Certificates should be kept securely, but ultimately a rogue app submission would still have to go through App Review so you'd probably notice if someone stole your certs"

But I accept it probably is an unanswerable question!

Thanks
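For auditing .p12 files kept in a repository, the check that the dumpasn1 output in the first reply does by eye can be scripted. This is an added example, not code from the thread or from Apple: it searches the raw file bytes for the DER-encoded algorithm OIDs shown in that dump, which works because those identifiers are readable without the password. The PBES2 OID, the helper names and the sample bytes are assumptions introduced for illustration.

```python
# Added example (not from the thread): flag legacy PKCS#12 algorithm OIDs.
import sys

# OIDs and names exactly as they appear in the dumpasn1 output above.
LEGACY = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.3.14.3.2.26": "sha1",
}
# Assumption, not from the thread: the PBES2 OID from PKCS #5 v2 indicates
# a file written with a newer password-based encryption scheme.
MODERN = {"1.2.840.113549.1.5.13": "PBES2"}


def encode_oid(dotted: str) -> bytes:
    """Return the DER TLV (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # last base-128 digit, no continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)   # earlier digits carry the continuation bit
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)  # short-form length (< 128 bytes)


def audit_p12(data: bytes) -> dict:
    """Report which known algorithm OIDs occur anywhere in the raw file bytes."""
    def present(table):
        return sorted(name for oid, name in table.items() if encode_oid(oid) in data)
    return {"legacy": present(LEGACY), "modern": present(MODERN)}


def sample_alg_id(oid: str) -> bytes:
    """Constructed AlgorithmIdentifier: SEQUENCE { OID, SEQUENCE { salt, iterations } }."""
    params = bytes([0x30, 0x0E, 0x04, 0x08]) + bytes(8) + bytes([0x02, 0x02, 0x08, 0x00])
    inner = encode_oid(oid) + params
    return bytes([0x30, len(inner)]) + inner


# Constructed sample, not a real .p12: the two PBE identifiers from the dump.
SAMPLE = sample_alg_id("1.2.840.113549.1.12.1.6") + sample_alg_id("1.2.840.113549.1.12.1.3")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(audit_p12(blob))
```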