---
title: WWDC2001 Session 305
framework: wwdc
role: article
path: wwdc/wwdc2001-305
---

# WWDC2001 Session 305

## Transcript

Kind: captions
Language: en

Craig Keithley: I'm the security and cryptography technology manager. I have another role, which is also USB and FireWire technology manager, so if you've seen me in the USB and FireWire sessions, I do that too. And there's actually a little bit of an overlap: there's a number of security dongles that are USB based, so I take my skills from USB and apply them to those as well. Today we're going to be talking about security in Mac OS X from the high-level point of view. I'll be talking about the new features that have been added. One of the things I'm really pleased to be able to say is that starting with 10.0.3 we now have PC/SC, or smart card, support built into the operating system. So without much further ado, I'll bring up John Hurley, who will give you the presentation on the security overview. Thanks.

[Applause]

John Hurley: Okay, good morning everyone. Good to have you all here. I'm going to try and give you an overview of the new security features that we put into OS X. We've been really excited to be able to work with X; it's given us a lot of new possibilities, I mean really the chance to actually start working towards a secure OS, so that's been great for us to work on. We have a lot of developer-related features as well, so I'll try and indicate some of those, and we have sessions going on the rest of today as well on some of these things.

I guess one of our biggest messages, or design goals really, is that we're trying to make the security in OS X configurable. So the default out-of-the-box thing that goes to the home user or whatever is going to have one configuration, and ideally they won't even really think for two seconds of that security; it'll just kind of be in the background. But we want to be able to enable all these other markets that really are interested in security and see Mac OS X as a great platform to implement that on.

Okay, so I'll talk about our architecture for data security, kind of how we see this all fitting into OS X, and I'm going to give you a pretty quick overview of the basis, the foundation, for our security architecture, which is CDSA. As I'll explain in a later slide, it's the Common Data Security Architecture. I'll give you a quick overview of the keychain API; Ken MacLeod is presenting a session later on today on that. And the authorization API, I'll give you a quick overview of that, and talk for just a very, very brief time about core OS type security.

Okay, so some of the opportunities that we've been able to really leverage with OS X that we never had available to us before. Probably the biggest thing maybe is protected memory. We can have memory that's in a particular process, and unless you have root access you can't actually see that memory, you can't really get to it. So, for example, we have a process called the Security Server which contains the keys as they're being used. Being able to leverage that is really great, and it gives us a good chance to make things more secure. Being able to take advantage of the multitasking stuff means we can do things without worrying about being preempted or worrying about other processes that need to run. One really big advantage is that we have this whole BSD infrastructure that we can build on, so there's a lot of security work that's been done on the standard UNIX-level security, and wherever appropriate we've taken advantage of that. Maybe one of the biggest things is that we've been able to have a fresh start. Of course Classic still supports the OS 9 environment, but being able to move to this completely different operating system meant that we could kind of shake things up a little bit, and some of the things that had kind of gelled over the years, we were able to get in at the beginning and start really implementing security from the beginning.

Okay, now the last bullet here is the announcement, and this is really something we've been wanting to do for a really long time and we finally pulled it all together. So the announcement is that we're making most of our data security components open source, so they will be available. We're really happy about it because it just gives us so many advantages. One of the things with security is peer review; you can't do security through obscurity. You have to have people being able to look at the code and try and find holes, and so it's great that we're able to do this. We've open-sourced pretty much everything that makes sense from a Darwin perspective, so the idea is that if you have your Darwin system, you can compile these. These are all the components that you could compile in and get working. It doesn't have, say, the high-level UI components, but all the low-level stuff: all the cryptography, the CDSA plug-in modules. Actually the next slide sort of talks about that. It makes it a little bit easier for us to do export compliance, and the last point is really important: we really value your contributions. I mean, the open source community has been great in looking over things and providing suggestions and code, whatever, so we're really looking forward to getting that input from all of you out there.

So in more detail, the things that we're making open source: the Security.framework, all the sub-projects of that, so the authorization sub-framework; Secure Transport, which is our SSL implementation that ties into CDSA and all that, so that's in there; keychain, not the highest-level APIs because those are actually in Carbon and so that's not open source, but you can do all the keychain functionality with these lower-level APIs; and the code for Security Server; all of the plug-in modules for CDSA, so the data library and cryptographic service provider. There's some ASN.1 code, there's a lot of good utility code, there's a lot of really, really good stuff in there, so we're really excited to be able to make that available. Oh, I'll just have to mention what the web page is, because this just went live last night, so of course it didn't make it onto the slides. But if you go to www.opensource.apple.com you can find the little blurb on security, and that tells you where you can get the source from and all that.

Okay, so talking just briefly about the keychain. This is a feature that a lot of you will be familiar with from OS 9. A lot of the look and feel of it is very much the same as it was on 9. I think the biggest thing to realize is that on OS X every single user has a keychain, so you can pretty much count on that. I mean, even on 9, if they didn't have one and used it, it would come up and give them the dialog to create one, but on X when they log in they have a default keychain that's created with their login password, and all the system services use that to store their passwords. So, for example, Mail, or, I can't think of the other ones now, but anyway with iTools and whatever, all those passwords are stored in the user's keychain. And we've actually done a really good job of making that transparent, so you log in and by default it's unlocked throughout the whole time that you are logged in. But of course you can change that setting so that it automatically locks or whatever. The idea is to make it as simple as possible for the average user, but if you're more security conscious you can do things like make it lock more frequently.

The biggest message that I have to say about that, and of course Ken will go into real detail about how to use it, the biggest message I have is: if you need to save a password, use the keychain to do it. It's really, really easy. You only need basically two calls: you find it to see if it's there, and if it's not there already, you can add it. That's it. It's a very, very small amount of code, and it will save you perhaps some embarrassment if you didn't quite implement it right. I mean, we've gone to a lot of trouble to make sure that the keychain file is protected, and applications that are not allowed to use a particular password, we will either warn the user or prevent them from doing so. So we put in a lot of work; it's easy for you to use it. So that's my big message to you: just use it. If you have passwords, store them there. As I said, it's mostly transparent to the users. We've really changed a lot since OS 9. Probably a lot of you are familiar with the old rogue app alert that would pop up a lot, but because of the capabilities of OS X we've finally been able to do that the right way, and so the rogue app alert just doesn't show up; it really only shows up when it's supposed to. And it's an API that's available through Carbon, or you can now also call these lower-level APIs that are part of the open source.

Okay, a completely new API that we've introduced on X is the authorization API. I think right after this session Michael Brouwer is doing a complete walkthrough of all the API calls and all that, but I did want to spend some time here just so that people at least understand why we did that and why it might be worth your while to go to the next session to hear more about it. One thing we realized, looking at, well, even on 9 but particularly on X, there are a lot of places where the user needs to, say, enter their admin password to do something. So we've kind of locked it down a little bit so that you can't accidentally make a mistake or whatever. But initially different groups at Apple were kind of doing it a different way; they would check it here and there, and there was no real central way. So one thing we did was we kind of went around to all the groups and said, okay, let's funnel through this one bottleneck, with the idea that for any given operation that you're doing, you can basically find out from the user, or find out from some settings that maybe the administrator of the machine has configured, whether they are allowed to do that operation at that time. And bottlenecking it through one spot allows us to do a lot of great things, like being able to, say, cache the password for five minutes or something like that, that just kind of streamlines it a little bit for the user so they're not typing this password in all the time.

So from a really high level, the authorization API is basically trying to answer a yes/no question: given an operation, am I allowed to do it right now? And I guess the really interesting part comes through maybe the side effects, which is, okay, how do you figure out whether they are allowed to do that or not? And one of the basic side effects that can happen there is it may call off to these plug-in modules that we have to do different types of authentication. So let's take the really, really simple example: if you have the prefs panel, you have the little lock, you just want to know whether you are allowed to turn on your screensaver or something. So if you click on that lock, it might do a very simple authentication thing. It might say, oh, is this user the administrator of that machine, and does the password match? Okay, you're allowed to do it. But through this API we've set it up so that you can plug in different modules, and those could get evaluated and ask for different types of authentication from the user. For example, as Craig mentioned, with the PC/SC stuff now we can do smart card stuff, so you could be getting information off a smart card, or voiceprint, or fingerprint, whatever. There are a lot of different things that you can do, and it's set up so that you can chain a whole bunch of these together and get answers from each one of them.

I guess one other thing that I want to point out is that this does not give you the ability to do a particular operation. It's kind of assumed that it's being called from a trusted app that could do it anyway. So in a way it's really a convenience, or a service to the user, that you are asking the user whether or not you're allowed to do this operation, because of course if it wasn't a trusted process, they could just, well, not call the API and bypass all that authentication stuff. So that's something to keep in mind: it's not really providing the capability, and as Michael will say later on, you'll end up needing to have probably a setuid-root tool or something like that that can do it, if that's what would be required for the operation.

The authentication modules could do a couple of different things. They might figure out who you are, so, for example, look you up in some Directory Services database or NetInfo or whatever, or it could be looking at, say, a fingerprint reader. The three things I list there are kind of the security questions that you want to find out about. Authentication could be who you are, so that's actually something like a fingerprint; what you know would be like a password; and what you have might be something like a smart card. So if you have all three of those together then you've really added some security to the system. One other thing with these authentication modules is that they may generate some sideband information that's needed either for the next module down the line or for the ultimate service that may need something. For example, let's say you're logging in with Kerberos: you need to know not only username and password, but you also need to know the realm, so that would be one of the things that would get passed along, so that at the end of the operation you would know what you need to know to move forward. And then the last point is, in a lot of cases this operation might just succeed. Like, the answer to the question "can I do this operation" is always yes; it never does anything, never throws a dialog, never asks the user at all. The point is that you can configure it for these different operations, so if you're in a more secure setup you could lock that down more. So we're moving towards getting all that stuff working nicely.

Okay, so just an example of probably maybe a typical operation you might think of for authorization. Let's say you're logging into the console. You could have several different steps that you might have to go through. So you might have to type in your username and password. The username, for example, can go look off in a directory somewhere and figure out where your home directory is and all that. The password, ideally you want to ask the user for that, because then they can unlock the keychain. You might have to insert a smart card, or a fingerprint reader, or voice recognition. Some of the operations that you might be able to do: I mean, logging in is an obvious one, but unlocking the screen saver, it would be nice to be able to step up to your machine as you walk back to your office, say "hey, I'm back," and have the screen saver just unlock without having to type a password. Playing a CD is something that comes up a lot in the K through 12 market; the teachers want to restrict what CDs the kids can play, so that's an operation that, by calling the authorization API, you could set it up and configure it so it could go off and look up in a playlist whether or not it's actually allowed to play that CD. And format a disk, that's kind of a good one too, to turn on for your kindergarten kids so that they don't format your stuff. Okay, so anyway, there's a more detailed session on that next, after this.

CDSA is the foundation for this security architecture that I've been talking about. The keychain is based on it, the Secure Transport stuff uses all that, all the cryptography stuff that we do goes through this. It stands for Common Data Security Architecture. Originally it came from Intel, but now it's an Open Group standard. On OS 9 we implemented the 1.2 version of the standard, and we learned a lot from doing that and contributed a lot to the next version of the standard, which is 2.0. So what is in OS X is the 2.0 standard. I guess one of the biggest features that stands out about CDSA is that it uses plug-in modules to do a lot of the work. So, for example, the data library module, or CSP, cryptographic service provider, you can write a module to do different types of crypto; certificate library; and trust policy module. There we go, here's kind of a really rough block diagram of how these things are laid out. The pieces in purple at the bottom are the plug-in modules, and the CSSM layer is kind of the guts of it that loads the different modules and helps them interact with each other. The layers in red are just some of the sort of middle layers that we've written on top of the CDSA APIs. CDSA is a pretty extensive standard; I mean, the manual's about that thick and, like, 1300 pages, so there are tons and tons of APIs. But we found that when we were using them we kind of tended to group them together and maybe use them in a particular way, so a lot of the stuff that you would see in Security Core, for example, which you can see in the open source archive, those are collecting together these CDSA functions. SecurityHI is the user interface stuff that you might see, like the dialog that pops up to enter your password. Secure Transport is our SSL implementation that uses our certificate libraries and things like that. And then you can write apps on top of that. I guess the biggest point is that if you're writing to the APIs on top, even if the plug-in stuff changes below, your application isn't going to have to change. So you can really leverage, as people develop more stuff below, your app can just, if there's suddenly a hardware crypto module, then you could take advantage of that.

Data library modules are basically the storage module for CDSA, and they store things that other modules might need. The keychain is basically the Apple file CSP/DL, so it's a combination cryptographic service provider and data library module, and that way when we write the keys out to the file we can do the encryption at the same time. We could have done it as maybe separate ones, but it just turned out to be convenient to put it in one module. Another example of a DL that we don't have now, that would be not too hard to write, would be an LDAP DL, so you could store things, particularly, say, certificates or something like that; you could store them in a public LDAP directory. Certificate library modules, roughly, just know how to parse a public key certificate. So the one that we ship by default does X.509 version 3 certificates, and for a particular field in the certificate, the layers up above can ask, okay, what's the modification date on this, or who signed it, or whatever, and the certificate library knows where in the certificate to grab that value. It would be possible to write one that would know how to deal with a PGP certificate, or attribute certificates, which are basically a way to take a bunch of attributes about something and then sign it so that it's a little bit more certified, maybe. Trust policy modules, this is an interesting one, because I think this is one that a lot of corporations or universities might be interested in writing, because the standard one that we ship basically says, okay, given a chain, or given a certificate, how do you know whether or not the user trusts that? And so the standard one that we ship for X.509, given a certificate, we see who signed it, and then we see who signed that, and finally we get down to a list of trusted root certificates, and if it matches one of those root certificates then we say okay, it's trusted. But it could be that you don't necessarily want to do it that way. One example there is you could do a web of trust, so you could say, okay, I'm only going to trust it if my pal trusted it, and so that would be a different way to implement a TP. Or you could go look it up in a corporate database. So there are a lot of different ways that you can change how certificates are trusted on the system by writing a trust policy module.

Okay, as Craig mentioned before, in the software update to 10.0.2 the binary for PC/SC is available, so people can write drivers for smart cards. I think the SDK is posted on the security page, so for actually developing it, that's available there. We wanted to make sure that it was easy, using this API, to get to the CDSA APIs, and try and make it pretty easy if you had an application that was already using PC/SC on another platform; you'd at least be able to bring over that portion of the code pretty easily onto X. We tried really, really hard to make it very easy to write a driver for the different readers, and there are several manufacturers that have already completed, they haven't shipped them yet, they've completed drivers for different smart card readers and for different types of smart cards. You can actually write a different CSP to use the cryptography that might be on the card. Here's kind of a complicated diagram of how this all fits together. You can see down at the bottom that the readers and the cards are down there. The idea is basically that you have the applications at the top, and if they're calling through these APIs they don't really need to know any of the details. I mean, PC/SC deals with all the resource management, so, for example, if you're in a situation where you have like ten different readers plugged in and they all have different kinds of cards and whatever, this sorts it all out. It knows whether several applications can talk to a particular reader at once or whatever, so all those details are basically taken care of for you.

Okay, so as I said, I just wanted to talk briefly about core-level security. This is an area, of course, where a lot of you, if you're familiar with UNIX, then you know a lot of these security features that you can use. Basically OS X ships with most of the services turned off, so FTP and telnet, things like that. The average user, the average Macintosh customer, if they're not familiar with that, it's safer to just leave it off. If they find out, or if they're interested, they can go and re-enable that. We turn off the root password by default, but that can be re-enabled, and I think that was one of the very common questions. People weren't complaining that we had turned off root; they just wanted to know how to turn it back on again. So there's a Tech Info Library note on that; if you search the TIL database you can find that. File permissions has been one of the areas that's been pretty tricky to figure out, and I think roughly the basic goal is we're trying to make sure that it works the right way with OS 9, and so a lot of those things are maybe not set the way that you're used to, say, from another UNIX system, but they're set up to interoperate with Classic and things like that. I guess the biggest thing is, there are a lot of different books on UNIX security and most of those things apply on Mac OS X, so I would say look to the resources that you know from that area. We try and keep things pretty much standard if we can at that level, and as we hook it up more into the upper levels we try and keep the behavior pretty much the same as you're used to. Let's see how much else I have to say about that. I think they talked a little bit more about this in the BSD session too.

So here are some of the resources for these things that are available. The security web page at developer.apple.com has some good links off to our software and to some other links that are interesting. You can find the specifications for CDSA at the Open Group; we also have a pointer to them on the security web page. And as I mentioned, www.opensource.apple.com has our source. Oh, sorry, again here's another thing that just came up, so it's not on the slides; I'm glad I remembered to talk about it. We have posted a security web page. A lot of people had kind of been wondering how we would deal with things like security advisories and just security holes that might pop up in OS X. So sorry that this isn't on the slide, but again this page went live yesterday, so if you go to www [inaudible], where they may need some security assistance, that page contains the resources that kind of tell you how to deal with that incident. So it's a central point for reporting problems. We have a team within Apple so that stuff gets distributed really immediately, and it gets routed to a lot of different groups; each group will kind of look at it and determine if it's something that is in their area of responsibility, and we will try and fix it as quickly as possible. We of course have the Software Update mechanism, so we have been able to actually already release some fixes in each of the software updates that has gone out so far. I think we've pretty much shipped once per month since we released OS X, so we can deal with those pretty quickly. So that's a good resource to go to.

Here are some of the related sessions that I mentioned. Right after this is the authorization API session. At 2:00 o'clock is the session on the keychain, learning how to use that. Tomorrow afternoon there's a session on Kerberos, to talk about what we're doing with Kerberos, and on Friday there's the feedback forum. Here's the person to contact: Craig Keithley started out here, so that's his email. I think you can also find that on the web page. If you have any questions, particularly if you're interested in developing security-related products, he can find all the right resources for you.
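The find-then-add keychain pattern the speaker describes, as an added example that is not part of the session or of Apple's code. It uses the Security framework's C keychain functions as they exist in later Mac OS X releases (SecKeychainFindGenericPassword, SecKeychainAddGenericPassword, SecKeychainItemFreeContent); the 2001-era names are assumed to differ, since the speaker notes the high-level keychain API of the day lives in Carbon. The service name, account name and password are constructed for the example. It is plain C against a Mac OS X framework, so it builds only on Mac OS X, for instance with `cc -o kcdemo kcdemo.m -framework Security`.

```objective-c
/* Added example, not from the session: look a password up in the user's
 * default keychain and add it only if it is not already there.
 * Assumption: the SecKeychain* C functions of later Mac OS X releases. */
#include <Security/Security.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look up a generic password by service and account. On success the caller
 * owns *outPassword (a NUL-terminated copy) and must free() it. Returns
 * errSecSuccess, errSecItemNotFound, or another OSStatus. */
static OSStatus lookupPassword(const char *service, const char *account,
                               char **outPassword)
{
    UInt32 length = 0;
    void *data = NULL;
    OSStatus status = SecKeychainFindGenericPassword(
        NULL,                     /* NULL = the user's default keychain search list */
        (UInt32)strlen(service), service,
        (UInt32)strlen(account), account,
        &length, &data, NULL);
    if (status != errSecSuccess)
        return status;
    *outPassword = malloc(length + 1);
    if (*outPassword == NULL) {
        SecKeychainItemFreeContent(NULL, data);
        return errSecAllocate;
    }
    memcpy(*outPassword, data, length);
    (*outPassword)[length] = '\0';
    /* The secret buffer is owned by the framework; release it promptly. */
    SecKeychainItemFreeContent(NULL, data);
    return errSecSuccess;
}

/* The two-call pattern: find, and add only on errSecItemNotFound.
 * Returns 1 if the password was already stored (copied to *outPassword),
 * 0 if it was added now, -1 on any other keychain error. */
static int findOrAddPassword(const char *service, const char *account,
                             const char *newPassword, char **outPassword)
{
    OSStatus status = lookupPassword(service, account, outPassword);
    if (status == errSecSuccess)
        return 1;
    if (status != errSecItemNotFound) {
        /* Anything but "not found" (locked keychain, access denied by the
         * item's ACL, ...) is an error, not a reason to add a duplicate. */
        fprintf(stderr, "keychain lookup failed: %d\n", (int)status);
        return -1;
    }
    status = SecKeychainAddGenericPassword(
        NULL,                     /* NULL = the default keychain */
        (UInt32)strlen(service), service,
        (UInt32)strlen(account), account,
        (UInt32)strlen(newPassword), newPassword,
        NULL);
    if (status != errSecSuccess) {
        fprintf(stderr, "keychain add failed: %d\n", (int)status);
        return -1;
    }
    *outPassword = strdup(newPassword);
    return *outPassword ? 0 : -1;
}

int main(void)
{
    /* Constructed sample identifiers for the example. */
    const char *service = "com.example.kcdemo-mail";
    const char *account = "alice";
    char *pw = NULL;

    int rc = findOrAddPassword(service, account, "s3cret-example", &pw);
    if (rc < 0)
        return 1;
    printf("%s password for %s (%zu bytes)\n",
           rc ? "found existing" : "added new", account, strlen(pw));

    /* Zero the secret before freeing; the keychain keeps the durable copy. */
    memset(pw, 0, strlen(pw));
    free(pw);
    return 0;
}
```

Run twice: the first run adds the item, the second finds it. The item created this way carries an access control list that lets the creating application read it silently; when a different application asks for the same item, the user gets the confirmation dialog the speaker describes as the successor to the OS 9 rogue app alert, so the lookup can legitimately fail with a status other than errSecItemNotFound, which is why the code treats only that one status as "go ahead and add".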
