Signing Tezos Transactions with iOS’s Secure Enclave and Face ID

A screen recoding of a prototype application which uses the Secure Enclave to sign and broadcast Tezos transactions.

Did you know that you can use the Secure Enclave and Face ID to sign Tezos transactions on your iOS device?

The video on the left is a screen capture of a prototype iOS app creating and signing a transaction with the user’s face. You can see the transaction on the blockchain here.

Note that unlike most iOS apps which use biometrics to sign transactions, this transaction uses an address which starts with ‘tz3’ instead of an address that starts with ‘tz1’. This is because unlike other iOS apps, the key is actually stored inside the iOS device’s Secure Enclave.

Properly utilizing the Secure Enclave provides optimal security on iOS devices, a practice which is not widely adopted by Tezos applications today. This article aims to explain the differences between signing methodologies, and presents a more optimal way for Tezos keys to be managed on iOS devices.

Elliptical Curve Cryptography

What’s the difference between a ‘tz1’ and ‘tz3’ address anyway? These addresses are both generated using elliptical curve cryptography, but they are created using different curves.

Most blockchains support a single curve. However, Tezos supports three curves for maximum compatibility across a wide range of devices. The following curves are supported:

  • ed25519: Produces a tz1 address. This curve is easy to work with and produces faster and more efficient operations than other curves without compromising security.
  • secp256k1: Produces a tz2 address. This curve is used by most blockchains, including Bitcoin and Ethereum.
  • secp256r1: Produces a tz3 address. This curve is also referred to as ‘Nist’ or ‘P256’. This curve is popular in most consumer electronic devices including the iPhone and Android devices.

The Secure Enclave

Modern iPhones contain a special chip which Apple calls the Secure Enclave. You may also hear this chip referred to as a hardware security module (HSM). Ledger and Trezor devices are other examples of HSMs.

The key feature of a HSM is that is it hard wired to prevent your key from leaving the chip, which provides maximum security. Instead, messages are sent into the Secure Enclave, signed, and then output without ever giving the operating system (OS) or application access to your private key. Permission to sign a transaction can be granted using a biometric authentication method (face, fingerprint) or device passcode.

The Secure Enclave supports a single signing curve, secp256r1, which produces tz3 addresses.

The Key Chain

iOS also provides a service called the ‘Keychain’ which allows for relatively safe key storage. Like the Secure Enclave, keychain access can also be protected with biometric or passcode based authentication.

While the keychain is reasonably secure, it does not afford the same level of security as the Secure Enclave chip. For this reason, Apple opts to store the most sensitive data on an iPhone (facial data, fingerprints, and credit card numbers) on the secure enclave rather than in the keychain.

Most iOS Apps which interact with the Tezos blockchain store keys in the keychain. How can you tell? As discussed above, the only addresses that can be stored inside the Secure Enclave start with ‘tz3’, while (as far as this author has seen) all iOS apps on the market today produce an address beginning with ‘tz1’. This represents less than optimal security for Tezos keys on iOS devices, given that the necessary hardware for safer key management is widely available and the reward for compromising a Tezos secret key is very high.

The Rub

In a bid to be as secure as possible, the Secure Enclave doesn’t allow applications to import keys into the chip. Likewise, applications cannot access the secret key. For this reason, it’s impossible to produce a mnemonic phrase to backup a secret key offline or export the key from the device. Cell phones are prone to a number of unexpected end of life moments, including theft, loss, screen shattering drops, and water damage. For this reason, storing a key on this device with no backup represents a poor security choice.

An elegant solution is to create a 1 of 2 multi signature smart contract. One key can be generated offline, safely stored, and its public key hash can be computed and used as the first signature on the smart contract. The second key can be generated inside the Secure Enclave. With this scheme, neither the phone’s operating system nor the running application ever gain access to either secret key. In case of phone loss, the user can safely use their offline backup key to move their funds out of the wallet.

An additional problem is presented by a malicious attacker attempting to gain access to funds by both (1) obtaining control of your device and (2) obtaining your passcode or biometrics (i.e. A mugger takes your phone and forces you to authenticate a transaction at gunpoint). A proposed further optimization to the smart contract would set a rolling spending limit on a per day basis for the key on the phone. This spending limit effectively limit’s a user’s maximum loss in active theft scenario, while letting the user have freedom to recover funds when the reach safety with their offline backup key.

TezosKit

Want to build for Tezos on the iOS or MacOS Platform? TezosKit is a Swift library that provides a client-side SDK for the Tezos blockchain on iOS and MacOS. You can get started here.

Curious about using the Secure Enclave or building Tezos iOS applications? Get in touch.