iPhone Security: Understanding the KeyChain

Nicholis Bufmack and Ryan Thomas, CS 691, Summer 2009. iPhone Security: Understanding the KeyChain. Presentation outline: mobile security issues; the iPhone KeyChain; authentication; certificate storage; code signing and publisher verification; final comments; references.


Presentation Transcript


  1. Nicholis Bufmack and Ryan Thomas, CS 691, Summer 2009. iPhone Security: Understanding the KeyChain

  2. Presentation Outline
     • Mobile security issues
     • The iPhone KeyChain
     • Authentication
     • Certificate storage
     • Code signing and publisher verification
     • Final Comments
     • References

  3. Mobile Security Issues: The Problem
     • Mobile devices can connect to the internet. This brings with it the same problems as more traditional computing.
     • Additionally, more and more mobile devices allow users to download and install custom applications.
     • With both issues in mind, the developer must have a clear security solution in mind while simultaneously considering issues of limited processing power and memory.

  4. Mobile Security Issues: The Problem (continued)
     • The traditional approach includes authentication services, keys, and certificates, as well as traditional shared key encryption.
     • Different developers using custom mechanisms leads to potential security gaps and management problems.
     • The most efficient approach is to have a shared repository for security tokens and an API for interfacing with the token library.

  5. The iPhone Keychain
     • 13.7 million iPhones sold in 2008
     • iPhone OS is based on Mac OS X
     • Security is handled by the Security Framework
     • The storage for passwords, accounts, certificates, and keys is called the Keychain.
     • On the Mac, the Keychain can be easily accessed to add, delete, and modify security tokens.

  6. The iPhone Keychain (continued)

  7. The iPhone Keychain (continued)
     • Security tokens are stored by Keychain
     • Keychains allow security tokens to be stored in logical groupings
     • Everyone has a login, system, and system store Keychain
     • One Keychain must be the default. This is the first place an application usually looks for a security token.
     • Within a Keychain, tokens are categorized.

  8. Authentication
     • The Keychain can act as a simple password/username repository keyed on the application or service.
     • The Keychain can also act as an intermediary agent presenting authentication credentials on behalf of a user, service, or application.
     • Authentication tokens within the Keychain are encrypted.

  9. Certificate Storage
     • The Keychain supports X.509 certificate storage.
     • RSA encryption
     • Key storage and use
     • Many helper functions exist to ease development
     • Root certificates are stored, enabling verification of certificate chains.

  10. Code Signing and Publisher Verification
     • Code signing allows a software publisher to sign code for installation.
     • Users of the software can then validate the identity of the publisher before installation.
     • Useful for controlling proliferation of malware.
     • Signing is based on presentation of a developer's certificate.
     • Extra steps for Apple developers if they want to test on a device!

  11. Final Comments
     • The Keychain API is powerful and robust, but may be daunting to the novice.
     • Those familiar with the OpenSSL library will have an easier time of it.
     • In fact, it's easy to port algorithms from OpenSSL to the Keychain API.
     • Implementations are somewhat different from platform to platform: what works on the Mac may need to be modified slightly for the iPhone.

  12. References
     • Apple Developer Connection. http://apple.developer.com
     • Talukder, Asoke and Roopa Yavagal. 2006. Mobile Computing. New York: McGraw-Hill Professional.
