The Secure Enclave
The hive of activity that keeps your biometric data safe
Apple’s Secure Enclave appeared as a hardware feature in 2013’s iPhone 5s, but the technologies behind it surfaced earlier. In 2008, Apple filed a patent application for user authentication by fingerprint recognition, illustrating an iPhone unlock screen as an example. ARM, the British chip designer, was meanwhile publishing white papers on TrustZone, a feature (first introduced in its cores in the mid-2000s) that partitions a processor into a hardware-isolated ‘secure world’ and a ‘normal world’, so that sensitive code and data run out of reach of the ordinary operating system. Fingerprint recognition plus hardware isolation would form the two key ingredients of Touch ID, and then Face ID.
Both companies knew this stuff was going to be important, and by 2012 ARM went on to form partnerships to build online payment systems into mobile devices, while Apple acquired AuthenTec, a fingerprint scanning specialist. The iPhone 5s arrived in September 2013 with the Touch ID fingerprint sensor in the Home button. Inside, the A7 chip at its heart, designed by Apple around ARM’s 64-bit ARMv8 architecture, was the first 64-bit processor in a mobile device and, as SVP of Hardware Engineering Dan Riccio explained in a launch video, incorporated a Secure Enclave (a dedicated coprocessor running its own software, related in purpose to TrustZone but separate from the main CPU cores) so that biometric data would be ‘locked away from everything else… never available to other software and never stored on Apple servers.’
This means you can record your fingerprint and use it to unlock the device, or authorise a contactless or online transaction, knowing that the fingerprint itself never leaves that protected hardware: apps, and even iOS, only ever learn whether a match succeeded. What goes into the Secure Enclave stays in the Secure Enclave. The same goes for iPhone X’s Face ID.
Within these walls
The word ‘enclave’ means something locked inside something else, which might suggest an empty room or box. It makes more sense to think of it in the sociological sense of an area inhabited by people with their own distinctive culture and industry. The Secure Enclave is a hive of activity – a processor in its own right, with access to its own memory and resources. A bit like a medieval castle, it’s able to communicate with the world outside, but has everything it needs within its walls.
It’s this self-sufficiency that makes the Secure Enclave superior to other forms of data security. Your software keychain, for example, stores passwords and private keys for various services on your Mac and iOS devices in encrypted form, and unlocks them when you supply your login password. The catch is that at the point when a key is extracted, it has to be handed to the app or website you’re trying to supply it to, and so necessarily sits unencrypted in system memory, if only for a moment. Anything running with enough privilege on the main processor, including malware, could in principle read it there.
The Secure Enclave’s fundamental principle, by contrast, is that secrets never come out. Behind the scenes, it communicates with iOS or macOS through a mailbox: a narrow channel that only accepts a limited set of requests. A process can ask the Secure Enclave to create a private key, and it will, but it won’t reveal the key. The process can then ask it to sign data with that key, to decrypt data for it, or to hand back the corresponding public key (which can safely be shared with anyone who needs to verify those signatures); or, in the case of processes using Touch ID or Face ID, it will simply report whether the user has been authenticated, or not. All the sensitive processing happens within the Secure Enclave, and a request is refused if the policy attached to the key (such as ‘only after a successful biometric match’) isn’t satisfied.
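The request-and-response pattern described above is exactly what Apple’s Security framework exposes to developers. The following is an added example written for this article, not code from the article or from Apple: it creates a key inside the Secure Enclave, signs a message with it (which triggers a Touch ID or Face ID prompt), verifies the signature with the exported public key, and then shows that asking for the private key’s bytes simply fails. The application tag and the message being signed are placeholders chosen here.

```swift
import Foundation
import Security

// Placeholder tag so the key can be found again in the keychain (assumption made for this example).
let keyTag = "com.example.sekey-demo".data(using: .utf8)!

/// Create a P-256 private key inside the Secure Enclave. The key material is
/// generated and stored there; the SecKey we get back is only a handle to it.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Usable only when the device is unlocked, never migrates to another device,
    // and every private-key operation must be approved by Touch ID / Face ID.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else { throw error!.takeRetainedValue() as Error }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, // the Secure Enclave only supports P-256
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,     // this attribute places the key in the enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Sign a message with the enclave key. The system prompts for a biometric;
/// on success the signature comes back, the private key never does.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}

let privateKey = try makeSecureEnclaveKey()
let message = "order #1234, 42.00 GBP".data(using: .utf8)!   // constructed sample input
let signature = try sign(message, with: privateKey)

// The public half may leave the enclave and be handed to a server or other verifier.
let publicKey = SecKeyCopyPublicKey(privateKey)!
var verifyError: Unmanaged<CFError>?
let valid = SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                  message as CFData, signature as CFData, &verifyError)
print("signature valid:", valid)

// The private half may not: asking for its bytes returns nil and an error instead of key material.
var exportError: Unmanaged<CFError>?
let exported = SecKeyCopyExternalRepresentation(privateKey, &exportError)
print("private key exported:", exported != nil)
```

Two details are worth noticing. `kSecAttrTokenIDSecureEnclave` is the only thing that distinguishes this from an ordinary software key; everything else is the standard keychain API, so the app’s code path is the same whether or not the secret is protected by hardware. And `.biometryCurrentSet` binds the key to the fingerprints or face enrolled at creation time, so adding a new finger or re-enrolling Face ID invalidates the key rather than silently extending who can use it.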
Device specific
A distinctive security feature is that keys generated in a device’s Secure Enclave are valid only on that device: they’re wrapped with a unique ID fused into the chip at manufacture, which no software, not even Apple’s, can read out. That’s why if you break your iPhone, replace it and restore all your data, you’ll still have to register your fingerprints or face with Touch ID or Face ID all over again. Your biometrics can never be uploaded from the Secure Enclave to iCloud or transferred to another device. Your old Secure Enclave will take your secrets to its grave.
Of course, there’ll always be hackers who go to extreme lengths to get around any security measure. To thwart attempts to bypass Touch ID or Face ID, your device will insist on your passcode rather than a biometric after it’s been powered down and started up again, after it hasn’t been unlocked for more than 48 hours, or after five unsuccessful biometric attempts in a row. That limits both how many tries someone gets and how long they have to spend making them, in the hope of matching your face or fingerprint.
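From an app’s point of view, that passcode requirement shows up as an error from the LocalAuthentication framework. This added example, written for this article rather than taken from it or from Apple, asks for Touch ID or Face ID first and, when the framework reports biometrics as locked out, falls back to the passcode policy so the user isn’t stranded. The prompt text is a placeholder.

```swift
import LocalAuthentication

/// How the owner was (or was not) authenticated.
enum AuthOutcome {
    case biometric          // Touch ID / Face ID matched
    case passcode           // biometrics were unusable or locked out; passcode accepted instead
    case failed(Error)
}

/// Ask for Touch ID / Face ID first; if the system refuses biometrics
/// (not enrolled, no sensor, or locked out), fall back to the device passcode.
func authenticateOwner(reason: String, completion: @escaping (AuthOutcome) -> Void) {
    let context = LAContext()
    var preflight: NSError?

    // canEvaluatePolicy reports up front whether biometrics are currently usable at all.
    if !context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &preflight) {
        requirePasscode(reason: reason, completion: completion)
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { ok, error in
        if ok { completion(.biometric); return }
        // .biometryLockout is the documented result of too many failed matches:
        // the Secure Enclave will not accept another biometric until the passcode is entered.
        if let laError = error as? LAError, laError.code == .biometryLockout {
            requirePasscode(reason: reason, completion: completion)
        } else {
            // User cancelled, a single mismatch, etc.: do not fall back silently.
            completion(.failed(error ?? LAError(.authenticationFailed)))
        }
    }
}

/// .deviceOwnerAuthentication presents the passcode UI when biometrics cannot be used.
private func requirePasscode(reason: String, completion: @escaping (AuthOutcome) -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { ok, error in
        if ok { completion(.passcode) }
        else { completion(.failed(error ?? LAError(.authenticationFailed))) }
    }
}

// Usage (placeholder prompt text):
authenticateOwner(reason: "Confirm payment") { outcome in
    switch outcome {
    case .biometric: print("unlocked with Touch ID / Face ID")
    case .passcode:  print("biometrics unavailable; passcode accepted")
    case .failed(let error): print("authentication failed:", error.localizedDescription)
    }
}
```

Note that the app never sees a fingerprint, a face map, or even a match score; it gets a yes, a no, or an error code, which is the whole point of the design described above. An app that doesn’t need to distinguish the two paths can simply request `.deviceOwnerAuthentication` from the start, since that policy offers the passcode itself once biometrics fail.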