Apple has been granted a patent (number 20160004884) by the U.S. Patent & Trademark Office for its Keychain technology. iCloud Keychain keeps your Safari website usernames and passwords, credit card information, and Wi-Fi network information up to date across all of your approved devices that are using iOS 7.0.3 or later or OS X Mavericks v10.9 or later.
iCloud Keychain can also keep the accounts you use in Mail, Contacts, Calendar, and Messages up to date across all of your Macs. If you sign in to Facebook, Twitter, Linked In, or any other accounts in Internet Accounts on OS X Mavericks, iCloud can push those accounts to your Macs, as well.
iCloud Keychain keeps the passwords and credit card information that you save up to date only on the devices that you approve. When you turn on iCloud Keychain on an additional device, your other devices that use iCloud Keychain receive a notification requesting approval for the additional device. After you approve the additional device, your iCloud Keychain automatically begins updating on that device.
In the patent filing, Apple says that, in order to protect the confidential information in a keychain, the keychain or each item in the keychain is encrypted with a key sometimes referred to as class keys. The class keys are then stored in a data structure referred to as a “keybag.” The keybag can be backed up at a remote storage location such as another computer or on a network such as the Internet. The backup copy can be used to restore the keybag to the device.
To maximize the protection of the keybag, the backed up keybag for each device is also encrypted with a unique device identifier (UID) such as advanced encryption standard (AES) key of the device prior to being backed up in the storage outside the device. This protects the keybag of a device to be stolen and used on another device.
Here’s Apple’s summary of the invention: “A method of restoring confidential information items of a first device to a second device by using a set of servers. The method generates a public and private key pair and ties the private key to the hash of executable code of the servers at the time of generating the public and private keys. The method receives the encrypted confidential information items in a secure object which is encrypted with a user-specific key and the public key.
"The method only provides the confidential information to the second device when the second device provides the same user-specific key as the key that encrypts the secure object and the hash of the executable code of the servers at the time of accessing the private key to decrypt the secure object matches the hash of the executable code running on the servers at the time of generating the private key.”