[hello0904]

Well, the real problem is iCloud Keychain is essentially a "black box" system. Apple does use AES encryption in various parts of their security architecture, as documented in their security white papers. But we can't confirm the specific implementation details for iCloud Keychain.

And you should also know...

Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2).

[chrisBob]

> Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2) rather than encryption algorithms like AES.

That is true if you are running a service that USES passwords. In that case you just need to confirm they match. That is not true if you are running a password manager where the user needs to be able to get their plain text password back out of the system.

[threeseed]

Keychain is documented here and is encrypted using AES-256-GCM:

https://support.apple.com/en-au/guide/security/secb0694df1a/...

It’s then stored in iCloud as a SQLite file and encrypted as it does for your other synced data.

[nicce]

The whole OS is a blackbox. We trust that keyloggers are not everywhere. We need to trust completely or not at all. I think there is nothing between when the same vendor also supplying the underlying closed-source OS.

[hello0904]

Agreed. But we are talking encryption and why there isn't open source algorithms for iCloud. I find it funny as when you submit iOS apps to the App Store they specifically require encryption standards and no "roll your own algos/cryptos" but at the same time all their crypto is a black box.

I'm a happy Apple user, love the OS...just saying.

[lapcat]

> when you submit iOS apps to the App Store they specifically require encryption standards and no "roll your own algos/cryptos"

This is not true.