---
title: WWDC2000 Session 168
framework: wwdc
role: article
path: wwdc/wwdc2000-168
---

# WWDC2000 Session 168

## Transcript

Kind: captions Language: en so as bill said i'm kevin macleod and i work on this thing called keychain which we're going to go through today so hopefully we have some exciting stuff to tell you about much more exciting than what's going on next door we'll give you a quick overview of what the keychain is and then we'll update you since we talked to you last year about what's been going on with the keychain will tell you about the key chain manager api's and answer your questions about where they fit with carbon and where they are on OS 10 and then at the end we'll tell you where we're going with the api's and finally we'll have a demo of course and QA hopefully what so you'll take away from the session is a knowledge of what the keychain provides for you and especially what api's would be in carbon so you can go out and add keychain support to your application so what is the key chain the keychain is a repository that's secure analogy I use is a bank vault the bank's vault door closes and things you put in there secure the things we put in there are passwords cryptographic keys digital certificates the bits of information that sort of authenticate you or private bits of data that unlock other things or you know decrypt pieces of data the keychain is built on top of this framework called cdsa which is the common data security architecture that originated at Intel and that's an open group standard I believe they've announced plans to open source their implementation the key chain has a really neat feature and that it enables its clients to provide something called transparent authentication that's the ability to log in one and then any servers and things that you have passwords stored in your keychain for you'll just be able to connect to them transfer currently through clients that use the key chain the key chain is first introduced and shipped with mac OS 9 and it's available there and going forward of course on 10 and later so let's define some terms that are important when talking about key chains key chain is always in one of two states it's either locked or it's unlocked and when it's locked you can't retrieve data from the keychain you need to unlock it in order to do that every stored password or key or certificate things that are in the keychain we call keychain items and go into a little bit these things which all keychain items have in common then we have this notion of the default key chain that's the one if you have multiple key chains that's the one where new items are added so a system can have more than one key chain you can have some locks some unlocked put some types of keys or server passwords in one and and copy one to the server you know and use it over the network if you want typically we see the two there's one key chain per user that's certainly the ability to have more than one that's their key chains can be set to lock automatically so you don't have to go off for example leave your desk and worry about whether or not someone can come up and access things that are in your keychain and the key chain is scriptable so everything that you can access through the keychain API you can get out through applescript keychain files can be moved around from one machine to the other which makes them very useful you can take your keychain from work to home and and have it available there you can have it on the network at this point I have to tell you that key chains will not be portable between nine and ten now that was a decision that we do not make lightly and part of the reason is that the key chains on OS and I'm use encryption algorithm which is patented and we're trying to move away from we're trying to get rid of any things that prevent us from open sourcing that's at some point in the future but when you go from nine base keychains to 10 base keychains we hope to provide some kind of updater that will just convert them so you can go easily but if that's going to be a problem please let us know about it like I said keychain files can be on servers you can use them over the network and you can hit use them unlock media so you can open a keychain read-only most important for where we're going in the future the cdsa architecture on which the keychain is built allows you to have key chains on smart cards and removable tokens these things just appear as keychains to clients with the keychain API and when there are modules to plug in to the underlying PDSA architecture to support these types of things we actually have one working but as there are other ones that are provided these things just show up and you can use them in the keychain so lots actually happened since last year we're in OS 9 and not just shipping but we're actually an integral part of it there are a lot of system components that use the key chain and are tied to it if you use the Apple share client you'll know that it can store passwords in the keychain and the other components like network browser and even airport and Apple file security AFF all use the key chain for password storage we ship the security SDK which includes the keychain and URL access and Macintosh file signing and the CMS technology cryptographic message syntax and all those things are available now hopefully some of you have had a chance to look at and use them play with it copy that URL down because a lot of good stuff there the keychain is now in BP for if you've had a chance to install that the api's are in there still kind of a development release still working on it and it requires you to link to the security a chai framework in order to actually get at the keychain api that wont to stay the case we're very close to actually having this fully in carbon on both 9 and 10 just missed the BP for train but so you can still use CP for again if you link with security HRM work so this is a map of where the api's are and where you can call them from it's actually a pretty important slide on the left hand side our legacy apps which are your pre carbon mac OS and I on applications and the AP is that are there are those that we shipped with mac OS 9 the key chain you will access i sign which is Macintosh file signing and the CMS api's all those are still there in classic and they're built on top of cdsa 1.2 so those apps will just work in classic OS 10 and they'll continue to work on Mac OS 9 of course the middle block carbon applications sort of straddle this line between mac OS 9 and mac OS 10 the api is that are in carbon will be key chain and URL access so carbonized application that can run on nine or on 10 can make use of those ap is one thing that we did after Mac OS 9 when we sort of look toward the future and integrating with those 10 is how to factor the pieces functionality that we had in keychain API and make it available for you know not just carbon applications but you know bsd unix applications coco app across the board and when weari architected this we realized that a number of things had to be separated out especially key in certificate management and things that required keys and certificates so Mac OS 10 apps as a category or those applications that will only run on mac OS 10 that could include your cocoa apps your bsd unix abs and also carbon applications that make use of those api's such as file signing and the piece there that we're calling security Corps which includes keychain api's and some newer versions of those AP is that you can use from lower levels and that don't require UI which I'll get into a little bit again those applications 10 applications and carbon applications that you're running on 10 sit on top of the CD s a 2.0 API and that's a big step forward from 1.2 in the amount of things that lets us do it lets us have for example something called access control lists so that each individual item in your keychain can be protected separately and you can allow certain applications to access certain items and not access other items and all those things are sort of enabled by CBS a two point oh so your application you want to use the keychain API what can you store in the keychain there are three basic classes of items that go into the keychain keys passwords and certificates and each of those classes has subclasses of items that we support the middle column their passwords is what the keychain API is primarily focused on in this release and in carbon every keychain item has two components they have attributes and they have data the data in this case in this example is just a password but there are additional attributes that sort of hang on to that password and allow you to find it again in this example I have my account name can and a server and a pass on that server these are all this bits of data that you can attach to the password and that help you find it so all these items that are in the keychain have these common attributes the collapse of the item the date created the date modified every item has a label the thing that shows up when you view it in keychain access as a description and a comment which is all optional within those subclasses of course every item has additional attributes that you can look at internet password items for example have a server name associated with them and things like the protocol that's used for that particular password attributes as I said are used just to find the item the actual thing that you're storing in the keychain which are keeping secure is the data the items data can't be searched you can't look for all items that have a particular password because wouldn't be too secure you can't get the data out unless the keychain is unlock and you can't retrieve the data of an item without the user's explicit permission now what's that cement in the past if you've had a chance to play with a key chain on OS 9 is that every time you go to get something out of the keychain a dialog pops up and asks you do you want to allow access to this item that's been a problem if for no other reason than users just get conditioned to hit the enter key every time so we're moving away from that dialogue it would come up and go more than once and we're going toward the ability to let you pre-configure access for your items in particular very important cryptographic keys private keys and symmetric keys the data of those items can never be retrieved from a keychain so how secure is the key chain well for one and I think this is pretty important it doesn't actually depend on the machines physical security it's stored in an encrypted format so you don't have to write down your passwords or store them in a preference this file or store them you know on a sticky note somewhere on your disk the keychain file itself is encrypted and the password that unlocks your keychain is never stored anywhere on disk what we do is run it through an algorithm called PK or PB kdf to which is specified in our essays p kc f 5 standard and what that does is it derives a key every time from your keychain password a little bit about the encryption that's used and again I said that we were trying to move away from what we were using a mac OS 9 to something a little better on OS 10 that did not prevent us from at some point in the future doing what Darwin has done the current plan is to use triple deaths although I've talked to some of you and some of you brought this up in another session that there are perhaps other algorithms that we can use so we were certainly looking forward to any feedback that you have about to about that now normally a keychain is unlocked with a password the dialog box comes up and it asks me to unlock the key chain you type in the password and then the keychain is unlocked and items can be retrieved if you type the wrong password in every time you do that the delay grows between the amount of the time when that dialogue can come up again and new passwords are accepted so this sort of prevents a systematic attack sort of the virtual user type thing where it just types him the password into the dialogue over and over we allow programmatic unlock in OS 9 it was limited essentially if you use the programmatic API to unlock the key chain and you've got the password wrong the first time that was it you have to restart in order to try that again and but you know effectively shut down that opportunity but it also prevented a lot of people from acting as an intermediary to let the user unlock a keychain that perhaps your applications we've created so no it's 10 we're going to move to a mechanism that allows that same sort of exponential delay between failures to prevent the attack now again data of the items can't be retrieved without some sort of explicit permission that the user has granted this permission can be given on a per item basis a per process basis or entire keychain you can say always allow everything in this keychain to be accessed without without bothering me again in OS 9 we had a problem identifying processes it would be nice to say okay always lets my web browser or my mail client access the password in the keychain don't bother me problem was when that client quit something else could start up and say hey I'm the mail client give me the password and there was actually no mechanism at nine to prevent that so in 10 we can actually do a digest a cryptographic digest of the process store that and securely allow in a pre-configured manner access to key chain items now cryptographic keys in your keychain in 9 optionally required a password in order to use them not just to unlock the key chain itself to get at them but every time you want to use them the CD SI 2 point 0 API and Mac OS 10 is going to allow us to provide that sort of per item protection optionally for every item in your keychain so what can you do with the keychain well if your application at any point ask the user for a password and needs to store it somewhere you can store that password in a keychain instead of having to worry about how you're going to encrypt it or where you're going to store it and also you really want to allow the user the opportunity to save off the password that you've asked for so that in the future they can come back and they don't have to type the password over and over as they access whatever it is it needs the password and you can also store keys and certificates this is a piece of functionality that is moving out of the keychain API and carbon to that other box that I showed on the previous slide that's going to be a mac OS 10 oh gee so let's go over the AP is that are in carbon there are high-level calls which are very easy to get started with those high-level calls actually have some underlying low-level routines to do bits and pieces of functionality that you may need the API allows you to search for items that's its primary sort of purpose there to find and then there are API routines to let you manage keychain and finally there's the ability to notify when something has occurred with the keychain whether it's a keychain unlocking or a particular items being accessed you can register and get notifications for those sorts of events so the first thing you need to do is call this routine key chain manager available reason for that is that it may not be there if your application is a carbon application running on say 8.1 the keychain is not going back that far but your application can still be running as a carbon app so you need to test for it to make sure that its present you also don't need to explicitly create a keychain to get started with unless your application needs to for some reasons but the preferred ways to let the user be in charge of that if you need to store something in a keychain you can just store it and all of the sort of housekeeping it's setting up a keychain will be taken care of for you by the API and then finally you'll just use the high-level call to find the password in the keychain so there are three basic API routines to get a password fine Apple share password internet password and generic and all of these take a number of attributes that you're looking for maybe a server name an account name and will return the password to you and conversely we have those actually should say add instead of fine but we have the similar routines for adding a single password to the default key chain so just mentally replace the word find in each of those with ADD and you have the idea so those high level calls are actually made up of a number of sort of individual factored pieces when you're calling add internet password to put something into the keychain it's actually doing the work of all of those items that you see there on the right hand side to set up the item to associate it with a keychain to associate the attributes you passed in and finally to update it and write it out to the keychain storage so the new item call will create a new keychain item and when you do that it's just in memory and it's not associated with any particular key chain you want to add it to a keychain you'll call add item and you'll always access items through a KC item rep that's sort of the common denominator the format's that all items whether their keys passwords or certificates can be manipulated through you'll use get attribute to retrieve a particular attribute from an item and set attribute to change the attribute and the same thing with the data get data will retrieve the data of the item it's that data will change it when you've changed an item whether you've added new attributes to it or change them or change the data you'll want to call update item which actually commits the change it writes it to the keychain and finally when you're done with an item you can release the memories of the item occupies by calling kc release item if you need to define more than one item in the key chain you can use fine first item and find next item fairly straightforward they take a list of attributes things that you're searching for and they'll return a search reference to you so you can continue to call find next item as you need to define items that match your search criteria and then when you're all done you call release search now as I said before most of the time you want to allow the user to create their own key chains but there are calls when you need to create a keychain yourself and when you need to sort of iterate through the key change perhaps you're looking for a particular key chain with a particular set of attributes you'll access those through a Casey rep Casey ref is an opaque structure currently everything on the system is a key chain file but that's changing and it's very important not to assume the casey ref or keychain is actually an FF spec or a file on the system because it could be a smart card it could be any kind of device that's pluggable into the CDF a layer on the bottom they've against status routine you'll probably actually use that when you need to determine whether a keychain is locked unlocked whether it has read only access before you try to store something in it for example and other status flags keychain name returns like it says the name of the keychain you'll use count keychains to figure out how many key chains are available and get in the keychain which is get indexed keychain will return a particular key chain out of that list given an index so this is an interesting part of the API notification when anything happens in the keychain you can be notified and take some sort of action maybe you want to write a logging apps that logs all accesses to the keychain you can do it with this what you do is register a callback procedure with Casey add call back and you can give it a bit mask that specifies the actual events that you're interested in receiving you don't have to deal with all of these but will tell you when a keeps you in unlocks what it locks when something's added when someone does a search and the item is found will certainly tell you when someone retrieves an item that's the get data event will tell you when an item is deleted updated and will tell you when the default key chain has been changed when you're all done and you don't want these events anymore you can call Casey remove call back and then you won't get them so here's a real simplified example of a routine that your application might call I have a connect to server routine and the two parameters there are the server that I'm connecting to and who I want to connect as what my account name is so the first thing I do there actually the first thing I do would be to call key chain manager available but that's just sort of assumed so i can call Casey find internet password and the things that I'm interested in what I want to look up this password are of course the server name so I'll pass that in I don't actually care about the security domain which is a string so i'll leave that mill i could specify a particular constants there i do want to look for a particular account name that matches I really don't care about associating a particular port so I'll pass any port this is an HTTP password so there's a constant that I'll pass him that says I only want an HTTP password use the default authtype authentication type there may be different authentication types that you can associate with the same server and you can distinguish them with that parameter then I'll pass in a buffer that I pre-allocated and the length of that buffer when the call returns assuming that a password is found that buffer will be filled out with the password data and then actual length will contain the length of that data so then if that all went well and i found a password the return the return value status is going to be no error and so i can just connect if it's not i need to look at that do something else ask the user for a password with my own UI whatever I need to do there and then finally at the end I've got a password and I can connect I said that everything you can do from a capi you can also do from applescript with the keychain here's a real simple example I have the first internet key of the current keychain the huge claws at the end there is doing all my searching so i can add attributes like whose account is can and whose server is ftp apple com I can string a list of those together to sort of specify the item I'm looking for and if the item is in the keychain it'll be returned in the item and then i can get particular attributes from the item such as password of the item and then this sample just displays the password which is obviously not something that's a you ever want to do so which keychain AP is are actually in carbon well the good news is the things that we're in universal interface is 3.3 it's legal or up to 33 1 or 2 3 actually all of those calls with two exceptions are part of carbon so those will be there they'll be there in carbon lib and they'll be there in carbon frame work on 10 we had a key chain 1 point 0 API I know some of you in this room actually used it and unfortunately it didn't actually ship until we were at keychain two point oh but you know we we put in some code that actually kept key chain one point O working and everything was supported on OS 9 with some exceptions which were noted at the time and going forward into town that will be removed there is a document in that security SDK that give you the ftp URL for that actually details the changes from one point 0 to 2 point 0 and the things that you need to be careful not to do I think the primary one is not to use a key change specification that you always want to use a kc r f which is that opaque reference and that allows things like smart cards and other other forms of key chain to work so we'll be in carbon with 1.1 on OS 9 i think that we may actually be in there even as we speak in the current d build of 1.1 the next sort of build cycle will get that in so it's eminently there and on OS 10 will be on the carbon frame work in deep before as i said before you need to currently linked against an additional framework security H I but certainly by the timeless thing is reaches public beta we will be fully integrated so what do you have to do right now to use the key chain well there's a list here first of all the current interfaces define this weird symbol calling keychain but not in carbon which is kind of a mouthful it's a workaround so if you define it to true you'll get all of the keychain calls the caveat there is that as well as defining that you need to link to one of two libraries online you need to link still with keychain lib until that 1.1 build of carbon lip is done and on 10 you need to link against security a chai framework so right now today there's not the ability to have a CFM binary that you can just build online and take over to 10 and that will run using the keychain but certainly that will be possible by by public data I should also point out that DP for does mean developer preview and it is a preview we are not done and one of the things we're not done with is the encryption so you may we will definitely need to know that the script encryption has been disabled in DP for so do not rely on key changes you create in DP for to be secure just a warning so moving forward we actually plan to take those api's that we added teaching on OS 9 and move them into a factor them into a way that they can be called from applications that don't bring a few I that was sort of a problem that we had with the current release you were forced in some cases to bring up you I to unlock a keychain if the key chain was was locked in order to do anything if your app couldn't bring up you I then that was a problem another problem was that there was no way to add items to a specific key chain all items went through the default key chain whatever that happened to be so we needed to correct that going forward on 10 these api's will be part of security Corps and part of the OS 10 frameworks they won't necessarily be in carbon as we move forward the api's that we have there in place now are certainly in carbon but the new key and certificate management based things that will interoperate with the key chain r OS 10 only so the first part of those new API routines solves that problem of what can happen or what needs to happen if you can't bring up any you I can unlock or authenticate and we had a routine and we still have a routine in the SDK called stead interaction allowed which lets you turn on or off any user interface coming up problem of course is that you turn that off and the keychain is locked then we just returned an error and that's not very useful so the new api's will require credentials to be provided and this is something that is again supported by the underlying framework the CD s a framework that will built on top o'the in OS 10 so the AP is will let you provide some sort of credential which can be either a password it can be a token it can be as simple as Cheers you know the process that I am did I have a digest that was pre-approved there will be a call back where you can provide that information with the key chain needs without popping up a dialogue when it needs it ultimately we want to move towards certificates as a way of authenticating that the items can be retrieved and sort of verifying the identity of the process that is trying to retrieve them another problem that we had is how to add an item to a particular key chain what you had to do previously is to save off the default keychain whenever you were going to add something to your own key chain you'd have to set it as the default you'd have to clip the item in and then sort of swap it back to to save the users or restore the users default key change that was pretty messy so the new API is in OS then we'll have an optional keychain parameter so I mentioned the keys and certificates ap is that were part of key chain in OS 9 we really only had two API routines and I'm not aware of any one that actually used them please come up afterwards if you use them and heavily depend on these but to factor out these and be able to as I said look forward to being able to take advantage of the CD s a 2 point 0 features as well as the possibility of open sourcing some of these components we've had to move mr. tific handling out of key chain proper so these two routines will not be there going forward and can they'll still be available online and they'll still be available at classic but to we'd like you to get away from using them and use the ones that will have going forward the new routines will be provided as part of that security core piece which is an OS 10 technology one big reason we want to do this is to avoid dependence on carbon so if you are for example a bsd unix app you don't want to depend on carbon have all this and i don't know in every case whether it's even possible to have that dependent so what this all means is that we're not taking away keys and certificates they'll still be there and they'll still be visible in your keychain they'll just be put in from a different sort of vector you won't call add in a keychain you'll add from the security Corps api's and you'll even add from the lower level cdsa p is if you want to go down that far and use those all the cdsa headers are available there on the open group's website which is open groups or get believe I have a URL for them later on in this talk but you can look at those certainly and items in a keychain are certainly accessible at that layer we are working on higher level interface is obviously to sit on top of those which will to be available by public beta I'm sorry those are actually the ones that we're working on for the release right after public beta so this is the part I've been looking forward to and mostly because I know that there's no way max phone can pop up so it's a it's going to be good if we could have demo one up on the screen I can actually go to that okay great so the first thing I'll do is look at keychain access this is the new keychain access maybe some of you have actually already have stalled dp4 and it's had a chance to see this then it looks a lot like the keychain access that's an OS 9 except of course it's carbonized and it has the aqua look and feel so i can have columns that resize and all those neat things that you get with the with aqua carbon when we shipped OS 9 we listened to a lot of feedback of us and there was a lot of user feedback and of course number one was why doesn't my web browser support the keychain but number two was how do I get something into the keychain and there was no clear way yes you could drag mounted servers into the keychain you know and you could add passwords there it wasn't real parent how you would you know store something for example you know credit card number or you know the password to your etrade account or you know these bits of data that people have been writing down their palm pilots and sticky notes wasn't real clear how to get that in so we've got an advil and that just allows you to put in your account name and a location maybe this is the password for my wwc demo and i'll type it in add it and then i can get a password in that way and it becomes a little more useful for people to use another feature that we've added to keychain access is the ability to manage your key chains a little better than you could before so for example you may have a list of two or three key chains or you may have a dozen key change and maybe you don't want all of them to be searched when applications call finds and applications are looking for things in your keychain do you have the ability to turn on or off whether these things are included in the search and you'll have the ability to reorder the search order from a dialog so these are things are working on of what I'd like to do now is run the carbonized version of fetch thanks to Jim Matthews this is ftp client for the Mac that's carbonized and I have a shortcut here actually that goes to a server that I have an account on so when I double-click that fetch like most clients needs a password for the server because it's a password-protected account so it pops up a password dialog but in this password dialog is a check box that lets me as the user decide whether or not i want to add my password to the keychain and that's actually very important you don't want to force people to use the keychain you always want to give them the option so I'll add that a log in to my server if I sort of go back to keychain access here I'd say that it's added a password for that server to the keychain so I can look at it see that it's in fact the internet password see the URL the account and this looks an awful lot again like OS 9 what's not there and what we are working on is those access control lists that I mentioned so given that item I want to be able to allow fetch of course and you know perhaps some of my other clients to access that item and you know don't bug me about it again everybody else you know that wants that item bug me but certainly I want those clients to be able have access so we're going to add in this dialog the ability to build up a list pre-approve pre-configure those clients that have access so I'll close the connection to the server and of course the next time fetch needs to access it I can just open it and it doesn't pop any password dialog because he's called find internet password and it was there in the keychain so he was able to use it and I can close the connection again and I can open it again and still no password I can do that all day long of course I can also remove this password from the keychain if I don't want it to be used anymore and then bitch can't use it because it's not there and it has to ask again so that's just a basic demo of keychain land in OS 10 and we could have the slides back we can wrap up so just to wrap up the keychain is a repository it's like a like a bank vault like a safe it's the place that you can put your your secure data anna has provided for you as a system service so your application doesn't have to do all the work associated with making these things secure and hopefully even for asking for the data that you need to authenticate it's very easy to use you really only need two to three calls to get your application using this and you can get started now you can get started with TP for the api's are there again with the one note that you need to link with security a chai framework and certainly the security SDK is out there for nine which you can also look at so unfortunately the problem with this slide is that everything's already happened but you really if you can want to take a look at security directions that gives you more information and i'm not sure what the media the the session will be available in afterwards but if you get a chance to look at a recorded version of that it's very important to see how cdsa 2 point 0 fits in for more information we have the SDK available on the website and we have updated documentation so you should all look at the PDF file it's up on the carbon the tech club's carbon website and the documentation is also available in HTML format on the DP for CD so if you look in that thang system documentation in that path you'll find all of the key chain manager documentation if you're interested in sort of drilling down and getting to the CD sa API layer cdsa is documented at the open group's website I can go there for more info and if you are interested in developing smartcard plugins or the ability to have these things show up as keychains that was talked about of course in the security directions session but for more info take a look at the pc SC workgroup website you