It's "replay protected" because the crypto prevents an attacker from replaying old contents of the chip back to the secure element.
If Intel ever stopped mucking around with SGX licensing policy, SGX + RPMB would be a really nice combination on laptops.
"Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave's portion of the device's memory space. Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter."
This sounds like the secure enclave chip has a secret key, and all of its uses of external memory are encrypted using said key. This sounds like one would either need to break the crypto system itself, or compromise the secure enclave co-processor.
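A toy model of the replay protection discussed above (the RPMB write counter from the earlier comment and the anti-replay counter in the quoted Apple text), added here as an illustration and not code from the thread, from Apple or from any RPMB implementation: the trusted side MACs each block together with a monotonic counter, so a tampered block fails the MAC and a genuine but older image restored to the chip is rejected as stale. The key, the block contents and the dict-based "flash" are constructed stand-ins.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


@dataclass
class SecureElement:
    """Trusted side: holds the per-chip secret and the monotonic write state."""
    key: bytes                                   # constructed stand-in for the chip secret
    write_counter: int = 0                       # never decreases, lives inside the trusted part
    latest: dict = field(default_factory=dict)   # block -> counter value of its newest write


@dataclass
class UntrustedFlash:
    """Untrusted side: whatever an attacker with chip access can read, copy and restore."""
    blocks: dict = field(default_factory=dict)   # block -> (counter, data, mac)


def _mac(key, block, counter, data):
    # The MAC binds block address and counter to the payload, RPMB-style.
    msg = block.to_bytes(4, "big") + counter.to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticated_write(se, flash, block, data):
    ctr = se.write_counter
    flash.blocks[block] = (ctr, data, _mac(se.key, block, ctr, data))
    se.latest[block] = ctr
    se.write_counter += 1


def authenticated_read(se, flash, block):
    """Return (ok, data); ok is False for a forged or a replayed block."""
    ctr, data, mac = flash.blocks[block]
    if not hmac.compare_digest(mac, _mac(se.key, block, ctr, data)):
        return False, b""        # contents were altered
    if ctr != se.latest.get(block):
        return False, b""        # genuine copy, but older than the last write
    return True, data


def replay_demo():
    """Restore an imaged copy of the flash after a newer write and try to read it."""
    se = SecureElement(key=b"constructed-per-chip-secret")
    flash = UntrustedFlash()
    authenticated_write(se, flash, 7, b"attempts=0")
    snapshot = dict(flash.blocks)        # attacker images the chip here
    authenticated_write(se, flash, 7, b"attempts=9")
    flash.blocks.update(snapshot)        # old image written back to the chip
    return authenticated_read(se, flash, 7)
```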
Imagine it like taking that piece of paper to give lottery numbers, throwing a couple darts on it, and then using that as the ID. Except the dart throwing happens in a way where you can't actually control/see the result during manufacturing.
There's a term for this that eludes me.
Do you have any more info?
The page is a bit obtuse, honestly I might have misunderstood a part of it.
What's different in more recent phones (>=A7 processor) is that the secure enclave enforces that time delay, as opposed to the operating system, which is the reason why this brute force attack works on the 5c/A6.
> The same approach could be applied to the newer models of iPhone. The same type of LGA60 NAND chips are used up to the iPhone 6 Plus. Any attacker with sufficient technical skills could repeat the experiments. Newer iPhones will require more sophisticated equipment and FPGA test board
And that's not all. With the introduction of Touch ID, Apple has shifted to 6 digit passcodes as the standard. The authors note that their method would not work so well, even if they had infinite time:
"Given six attempts per each rewrite this method would require at most 1667 rewrites to find a 4-digit passcode. For a 6-digit passcode it would require over 160 thousand rewrites and will very likely damage the Flash memory storage."
If you want to decrypt the modern iPhone you'd probably have to try to poke inside of the secure enclave with an SEM or something. And then you're getting into the realm of hardware defenses against this kind of intrusion, like physical self-destruction when probed. Not sure if Apple's doing anything there, but it's crazy stuff.
https://www.apple.com/business/docs/iOS_Security_Guide.pdf (page 12)
> On devices with an A7 or later A-series processor, the delays are enforced by the Secure Enclave. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
This is not super specific, but would imply that the secure enclave has its own storage.
Also, while NAND mirroring does work, there is a good chance it wasn't used in that case. The current "theory" is that one of the patched USB DMA exploits was used to unlock the phone; NAND mirroring was too "risky" for the FBI to consider at the time, and it wasn't forensically secure. IIRC one of the reasons for the very high price was the non-physical attack approach that the 3rd party provider they'd selected had in their toolkit.
Cellebrite has a few of them; I know of a few for MediaTek chipsets that work through the USB host and the camera connector.
This isn't any different than the DMA "skeleton keys" for PCs and Macs that work via firewire/thunderbolt/pcie/expresscard/PCMCIA etc.
Mobile phones aren't secure. Period. Anyone saying otherwise about theirs better provide convincing evidence that they mitigated everything on that non-comprehensive list. Then we talk about what I left off. When the FBI said they couldn't get in, I knew they were lying to try to establish a precedent & technical method to increase their convenience. It was also the only time Richard Clarke's pronouncement was relieving, where he said (paraphrased) "I'd just ask the NSA to break into it." Because they or a contractor could, due to risks not mitigated. Obvious.
Honestly not sure if I'll ever trust a tiny, slim smartphone for high-security INFOSEC given the effect of EMSEC on size and hardware POLA on power consumption. If their physical specs are Apple-grade, then they cut corners on INFOSEC and some government hacker has job security.
In the article the author mentions that this technique can effectively damage the flash memory because you can get effectively into a state where you are causing wear due to writes.
In theory you can scale this up and copy the contents of memory into an FPGA which emulates NAND (both logically and physically) or just hold multiple copies on different chips but even the initial process is not without risk.
While it's easy to say that the FBI lied or was incompetent because they had a motive to set a precedent, given the FBI's own rules for what is a forensically accepted method of extracting data, NAND mirroring can easily be considered as something that "doesn't work".
Of course, the FBI director does not need to know this level of detail about every case, but given how much he appears to have known, he should not have been speaking about the case beyond directing people to ask the person in charge of the case.
 Although, I would argue, in cases where no alternative exists, if the FBI policies prevent NAND mirroring, they should be revisited. Even if it has the potential to be destructive, they would only be destroying otherwise unusable information.
Eh? No, destructive methods are a big no-no; this isn't a dichotomy.
The information isn't unusable: they can try to force Apple to unlock the phone, or wait until someone else comes along who can do it without using a destructive method.
You can't destroy evidence because you can't do anything with it at the given time.
In practice it would have to be in external memory (DDR, flash, etc.) that the FPGA would use to back transactions because FPGAs don't have 32GB of memory capacity. Problems then become meeting bus timings that may very well be tuned for the PCB layout.
It doesn't end up at $1M, but it's also not $50.
"Unfortunately, the 1:1 backup copy did not work in the iPhone 5c. Even the boot Apple logo did not appear on the power up. There were some references to hidden partitions used in iPhone NAND storage which makes cloning a challenging task."
Edit: You are correct, I've misread it.
I do appreciate the authors that put one on there, though. Saves much Googling. :)
Papers that aren't published at conferences (preprints, technical reports, etc.) don't have any standard format for this. Sometimes (especially for preprints) it's left out in expectation of adding the copyright notice in a future version, sometimes it's left out because the document is in a very preliminary stage and hasn't been officially published, and sometimes it's left out because people just didn't think of it and there's no standard format that includes a date for things that aren't published to a specific venue.