WWDC2001 Session 305

Transcript

Kind: captions
Language: en
Craig Keithley: I'm the security and cryptography technology manager. I have another role, which is also USB and FireWire technology manager, so if you've seen me in the USB and FireWire sessions, I do that too. And there's actually a little bit of an overlap: there are a number of security dongles that are USB based, so I take my skills from USB and I apply those as well.

Today we're going to be talking about security in Mac OS X from the high-level kind of point of view. I'll be talking about the new features that have been added. One of the things I'm really pleased to be able to say is that starting with 10.0.3 we now have PC/SC, or smart card, support built into the operating system. So without much further ado, I'll bring up John Hurley, who will give you the presentation on security overview. Thanks.
[Applause]
John Hurley: Okay, good morning everyone, good to have you all here. I'm going to try and give you an overview of the new security features that we put into OS X. We've been really excited to be able to work with Ten; it's given us a lot of new possibilities, I mean really the chance to actually start working towards a secure OS, so that's been great for us to work on. We have a lot of developer-related features as well, so I'll try and indicate some of those, and we have sessions going on the rest of today as well with some of these things.

I guess one of our biggest messages, or design goals really, is that we're trying to make the security in OS X configurable. So the default out-of-the-box thing that goes to the home user or whatever is going to have one configuration, and ideally they won't even really think for two seconds about that security; it'll just kind of be in the background. But we want to be able to enable all these other markets that really are interested in security and see Mac OS X as a great platform to implement that on.

Okay, so I'll talk about our architecture for data security, kind of how we see this all fitting into OS X, and I'm going to give you a pretty quick overview of the basis, the foundation, for our security architecture, which is CDSA. As I'll explain in a later slide, it's the Common Data Security Architecture; I'll give you a quick overview.
The keychain API: Ken MacLeod is presenting a session later on today on that. And the authorization API; I'll give you a quick overview on that, and talk for just a very, very brief time about Core OS-type security.

Okay, so some of the opportunities that we've been able to really leverage with OS X we never had available to us before. Probably the biggest thing, maybe, is protected memory. We can have memory that's in a particular process, and unless you have root access you can't actually see that memory, you can't really get to it. So, for example, we have a process called the Security Server which contains the keys as they're used. Being able to leverage that is really great, and it gives us a good chance to make things more secure. Being able to take advantage of the multitasking stuff means we can do things where we don't have to worry about being preempted, or worrying about other processes that need to run. One really big advantage is that we have this whole BSD infrastructure that we can build on, so there's a lot of security work that's been done on the standard UNIX-level security, and wherever appropriate we've taken advantage of that. Maybe one of the biggest things is that we've been able to have a fresh start. Of course, Classic still supports the OS 9 environment, but being able to move to this completely different operating system meant that we could kind of shake things up a little bit, and some of the things that had kind of gelled over the years, we're able to get in at the beginning and start really implementing security from the beginning.
Okay, now the last bullet here is the announcement, and this is really something we've been wanting to do for a really long time, and we finally pulled it all together. The announcement is that we're making most of our data security components open source, so they will be available. Yeah, we're really happy about it, because it just gives us so many advantages. One of the things with security is peer review; you can't do security through obscurity, you have to have people being able to look at the code and try and find holes, and so it's great that we're able to do this. We've open-sourced pretty much everything that makes sense from a Darwin perspective. So the idea is that if you have your Darwin system you can compile that; these are all the components that you could compile in and get working. It doesn't have, say, the high-level UI components, but all the low-level stuff, all the cryptography, the CDSA plug-in modules; actually the next slide sort of talks about that. It makes it a little bit easier for us to do export compliance. And the last point is really important: we really value your contributions. I mean, the open source community has been great in looking over things and providing suggestions and code and whatever, so we're really looking forward to getting that input from all of you out there.

So, in more detail, the things that we're making open source: the Security.framework and all the sub-projects of that, so the authorization sub-framework; Secure Transport, which is our SSL implementation that ties into CDSA and all that, so that's in there; keychain, not the highest-level APIs, because those are actually in Carbon and so that's not open source, but you can do all the keychain functionality with these lower-level APIs; the code for Security Server; and all of the plug-in modules for CDSA, so the data library and cryptographic service provider. There's some ASN.1 code, there's a lot of good utility code, there's a lot of really, really good stuff in there, so we're really excited to be able to make that available. Oh, I'll just have to mention what the web page is, because this just went live last night, so of course it didn't make it on the slides, but if you go to www.opensource.apple.com you can find the little blurb on security, and that tells you where you can get the source from and all that.
Okay, so talking just briefly about the keychain. This is a feature that a lot of you will be familiar with from OS 9; a lot of the look and feel of it is very much the same as it was on 9. I think the biggest thing to realize is that on OS X every single user has a keychain, so you can pretty much count on that. I mean, even on 9, if they didn't have one and used it, it would come up and give them the dialog to create one, but on X, when they log in, they have a default keychain that's created with their login password, and all the system services use that to store their passwords. So, for example, Mail, or, can't think of the other ones now, but anyway with iTools and whatever, so all those passwords are stored in the user's keychain. And we've actually done a really good job of kind of making that transparent, so you log in, by default it's unlocked throughout the whole time that you are logged in, but of course you can change that setting so that it automatically locks or whatever. The idea is to make it as simple as possible for the average user, but if you're more security conscious you can do things like make it lock more frequently.
The biggest message that I have to say about that, and of course Ken will go into real detail about how to use it, the biggest message I have is: if you need to save a password, use the keychain to do it. It's really, really easy; you only need basically two calls. You find it, to see if it's there, and if it's not there already you can add it; that's it. It's a very, very small amount of code, and it will save you perhaps some embarrassment if you didn't quite implement it right. I mean, we've gone to a lot of trouble to make sure that the keychain file is protected, and applications that are not allowed to use a particular password, we will either warn the user or prevent them from doing so. So we've put in a lot of work, and it's easy for you to use it, so that's my big message to you: just use it. If you have passwords, store them there.

As I said, it's mostly transparent to the users. We've really changed a lot since OS 9; probably a lot of you are familiar with the old rogue app alert that would pop up a lot, but because of the capabilities of OS X we've finally been able to do that kind of the right way, and so the rogue app alert just doesn't show up; it really only shows up when it's supposed to. And it's an API that's available through Carbon, or you can now also call these lower-level APIs that are part of the open source.

Okay, a completely new API that we've introduced on X is the authorization API, and I think right after this session Michael Brauer is doing a complete walkthrough of all the API calls and all that, but I did want to spend some time here just so that people at least understand why we did that, and why it might be worth your while to go to the next session to hear more about it.
One thing we realized, looking at, well, even on 9 but particularly on X, there are a lot of places where the user needs to, say, enter their admin password to do something. So we've kind of locked it down a little bit so that you can't accidentally make a mistake or whatever. But initially, different groups at Apple were kind of doing it in a different way; they would check it here and there, and there was no real central way. So one thing we did was we kind of went around to all the groups and said, okay, let's funnel through this one bottleneck, with the idea that for any given operation that you're doing, you can basically find out from the user, or find out from some settings that maybe the administrator of the machine has configured, whether they are allowed to do that operation at that time. And bottlenecking it through one spot allows us to do a lot of great things, like being able to, say, cache the password for five minutes or something like that, that just kind of streamlines it a little bit for the user, so they're not typing this password in all the time.

So from a really high level, the authorization API is basically trying to answer a yes/no question: given an operation, am I allowed to do it right now? And I guess the really interesting part comes through maybe the side effects, which is, okay, how do you figure out whether they are allowed to do that or not? One of the basic side effects that can happen there is it may call off to these plug-in modules that we have, to do different types of authentication. So let's take the really, really simple example: if you have the prefs panel, you have the little lock, you just want to know whether you are allowed to turn on your screensaver or something. So if you click on that lock it might do a very simple authentication thing; it might say, oh, is this user the administrator of that machine, and does the password match? Okay, you're allowed to do it. But through this API we've set it up so that you can plug in different modules, and those could get evaluated and ask for different types of authentication from the user. For example, as Craig mentioned, with the PC/SC stuff now we can do smart card stuff, so you could be getting information off a smart card, or voiceprint, or fingerprint, whatever; there are a lot of different things that you can do, and it's set up so that you can chain a whole bunch of these together and get answers from each one of them.

I guess one other thing that I want to point out is that this does not give you the ability to do a particular operation. It's kind of assumed that it's being called from a trusted app that could do it anyway. So in a way it's really a convenience, or a service to the user, that you are asking the user whether or not you're allowed to do this operation, because of course if it wasn't a trusted process they could just, well, not call the API and bypass all that authentication stuff. So that's something to keep in mind: it's not really providing the capability, and as Michael will say later on, you'll end up needing to have probably a setuid root tool or something like that that can do it, if that's what would be required for the operation.
The authentication modules could do a couple of different things. They might figure out who you are, so for example look you up in some directory services database, or NetInfo, or whatever, or it could be looking at, say, a fingerprint reader. The three things I list there are kind of the security questions that you want to find out about. Authentication could be who you are, so that's actually something like a fingerprint; what you know would be like a password; and what you have might be something like a smart card. So if you have all three of those together then you've really added some security to the system.

One other thing with these authentication modules is that they may generate some sideband information that's needed either for the next module down the line, or for the ultimate service that may need something. For example, let's say you're logging in with Kerberos: you need to know not only username and password, but you also need to know the realm, so those would be the kinds of things that would get passed along, so that at the end of the operation you would know what you need to know to move forward. And then the last point is, in a lot of cases this operation might just succeed, like the answer to the question "can I do this operation?" is always yes.
It never does anything, never throws a dialog, never asks the user at all. The point is that you can configure it for these different operations, so if you're in a more secure setup you could lock that down more. So we're moving towards getting all that stuff working nicely.

Okay, so just an example of probably maybe a typical operation you might think of for authorization. Let's say you're logging into the console; you could have several different steps that you might have to go through. So you might have to type in your username and password. The username, for example, can go look off in a directory somewhere and figure out where your home directory is and all that. The password, ideally you want to ask the user for that, because then they can unlock the keychain. You might have to insert a smart card, or a fingerprint reader, or voice recognition. Some of the operations that you might be able to do: I mean, logging in is an obvious one, but unlocking the screen saver. It would be nice to be able to step up to your machine, and as you walk back to your office say "hey, I'm back" and have the screen saver just unlock without having to type a password. Playing a CD is something that comes up a lot in the K through 12 market; the teachers want to restrict what CDs the kids can play, so that's an operation that, by calling the authorization API, you could set it up to configure it so it could go off and look up in a playlist whether or not it's actually allowed to play that CD. And format a disk, that's kind of a good one too, to turn on for your kindergarten kids so that they don't format your stuff.
Okay, so anyway, there's a more detailed session on that next after this.

CDSA is the foundation for this security architecture that I've been talking about. The keychain is based on it, the Secure Transport stuff uses all that, all the cryptography stuff that we do goes through this. It stands for Common Data Security Architecture. Originally it came from Intel, but now it's an Open Group standard. On OS 9 we implemented the 1.2 version of the standard, and we learned a lot from doing that and contributed a lot to the next version of the standard, which is 2.0, so that's what is in OS X, the 2.0 standard. I guess one of the biggest features that stands out about CDSA is that it uses plug-in modules to do a lot of the work. So for example the data library module, or CSP, cryptographic service provider; you can plug in, you can write a module to do different types of crypto; certificate library; and trust policy module.

There we go, here's kind of a really rough block diagram of how these things are laid out. The pieces in purple at the bottom are the plug-in modules, and the CSSM layer is kind of the guts of it that loads the different modules and helps them interact with each other. The layers in red are just some of the sort of middle layers that we've written on top of the CDSA APIs. CDSA is a pretty extensive standard; I mean, the manual's about that thick, and like 1300 pages, so there's tons and tons of APIs, but we found that when we were using them we kind of tended to group them together and maybe use them in a particular way. So a lot of the stuff that you would see in, say, Security Core, for example, which you can see in the open source archive, those are collecting together these CDSA functions. Security HI is the user interface stuff that you might see, like the dialog that pops up to enter your password. Secure Transport is our SSL implementation that uses our certificate libraries and things like that.
And then you can write apps on top of that. I guess the biggest point is that if you're writing to the APIs on top, even if the plug-in stuff changes below, your application isn't going to have to change. So you can really leverage, as people develop more stuff below, your app can just, if there's suddenly a hardware crypto module, then you could take advantage of that.

Data library modules are basically the storage module for CDSA, and it stores things that other modules might need. The keychain is basically the Apple file CSP/DL, so it's a combination cryptographic service provider and data library module, and that way when we write the keys out to the file we can do the encryption at the same time. We could have done it as maybe separate ones, but it just turned out to be convenient to put it in one module. Another example of a DL that we don't have now, that would be not too hard to write, would be an LDAP DL, so you could store things, particularly, say, certificates or something like that; you could store them in a public LDAP directory.

Certificate library modules: roughly, it just knows how to parse a public key certificate. So the one that we ship by default does X.509 version 3 certificates, and for a particular field in the certificate, the layers up above can ask, okay, what's the modification date on this, or who signed it, or whatever, and the certificate library knows where in the certificate to grab that value. It would be possible to write one that would know how to deal with a PGP certificate, or attribute certificates, which contain, it's basically a way to take a bunch of attributes about something and then sign it, so that it's a little bit more certified, maybe.
Trust policy modules: this is an interesting one, because I think this is one that a lot of corporations or universities might be interested in writing. Because the standard one that we ship basically says, okay, given a chain of, or given a certificate, how do you know whether or not the user trusts that? And so the standard one that we ship for X.509: given a certificate, we see who signed it, and then we see who signed that, and finally we get down to a list of trusted root certificates, and if it matches one of those root certificates then we say, okay, it's trusted. But it could be that you don't necessarily want to do it that way. One example there is you could do a web of trust, so you could say, okay, I'm only going to trust it if my pal trusted it, and so that would be a different way to implement a TP. Or you could go look it up in a corporate database. So there are a lot of different ways that you can change how certificates are trusted on the system by writing a trust policy module.

Okay, as Craig mentioned before, in the software update to 10.0.2 the binary for PC/SC is available, so people can write drivers for smart cards. I think the SDK is posted on the security page, so for actually developing it, that's available there. We wanted to make sure that it was easy, using this API, to get to the CDSA APIs, and try and make it pretty easy, if you had an application that was already using PC/SC on another platform, you'd at least be able to bring over that portion of the code pretty easily onto Ten. We tried really, really hard to make it very easy to write a driver for the different readers, and there are several manufacturers that have already completed, they haven't shipped them yet, they've completed drivers for different smart card readers. And for different types of smart cards you can actually write a different CSP to use the cryptography that might be on the card.

Here's kind of a complicated diagram with how this all fits together. You can see down at the bottom that the readers and the cards are down there. The idea is basically that you have the applications at the top, and if they're calling through these APIs they don't really need to know any of the details; I mean, PC/SC deals with all the resource management. So for example, if you're in a situation where you have like 10 different readers plugged in and they all have different kinds of cards and whatever, this sorts it all out; it knows whether several applications can talk to a particular reader at once, or whatever. So all those details are basically taken care of for you. Okay.
So as I said, I just wanted to talk briefly about core-level security. This is an area where, of course, a lot of you, if you're familiar with UNIX, then you know a lot of these security features that you can use. Basically OS X ships with most of the services turned off, so FTP and Telnet, things like that. The average Macintosh customer, if they're not familiar with that, it's safer to just leave it off; if they find out, or if they're interested, they can go and re-enable that. We turn off the root password by default, but that can be re-enabled, and I think that was one of the very common questions; people weren't complaining that we had turned off root, they just wanted to know how to turn it back on again. So there's a Tech Info Library note on that; if you search the TIL database you can find that.

File permissions has been one of the areas that's been pretty tricky to figure out, and I think roughly the basic goal is we're trying to make sure that it works the right way with OS 9. And so a lot of those things are maybe not set the way that you're used to, say, from another UNIX system, but they're set up to interoperate with Classic and things like that. I guess the biggest thing is, there are a lot of different books on UNIX security, and most of those things apply on Mac OS X, so I would say look to the resources that you know from that area. We try and keep things pretty much standard, if we can, at that level, and as we hook it more up into the upper levels, we try and keep the behavior pretty much the same as you're used to.
Let's see how much else I have to say about that. I think they talked a little bit more about this in the BSD session too. So here are some of the resources for these things that are available. The security web page at developer.apple.com has some good links off to our software and to some other links that are interesting. You can find the specifications for CDSA at the Open Group; we also have a pointer to them on the security web page. And as I mentioned, www.opensource.apple.com has our source.

Oh, sorry, again, here's another thing that just came up, so it's not on the slides; I'm glad I remembered to talk about it. We have posted a security web page. A lot of people had kind of been wondering how we would deal with things like security advisories, and just security holes that might pop up in OS X. So, sorry that this isn't on the slide, but again, this page went live yesterday, so if you go to www.hsn, where they, you know, may need some security assistance, that page contains the resources that kind of tell you how to deal with that incident. So it's a central point for kind of reporting problems. We have a team within Apple so that stuff gets distributed really immediately; it gets routed to a lot of different groups, each group will kind of look at it and determine if it's something that is in their area of responsibility, and we will try and fix it as quickly as possible. We of course have the Software Update mechanism, so we have been able to actually already release some fixes in each of the software updates that's gone out so far. I think we've pretty much shipped once per month since we released OS X, so we can deal with those pretty quickly. So that's a good resource to go to.
Here are some of the related sessions that I mentioned. Right after this is the authorization API session; at 2:00 o'clock is the session on the keychain, learning how to use that. Tomorrow afternoon there's a session on Kerberos, to talk about what we're doing with Kerberos. And on Friday there's the feedback form.

Here's the person to contact: Craig Keithley, who started out here, so that's his email. I think you can also find that on the web page. If you have any questions, particularly if you're interested in developing security-related products, he can find all the right resources for you.
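As an added illustration that is not from the session and not Apple's AuthorizationServices code, here is a small Python simulation of the evaluation model John describes: a rights table maps each operation to a chain of authentication modules, every module answers yes/no and may add sideband information (home directory, Kerberos realm) for later modules and the caller, an empty chain means "always yes", and a typed password is cached for five minutes. All right names, users, cards and playlist entries are constructed for the example.

```python
"""Simulation of the chained-authentication idea behind the authorization API
described in the session. Constructed example, not Apple's AuthorizationServices."""
import time
from typing import Callable, Dict, List, Tuple

Sideband = Dict[str, object]
Request = Dict[str, str]

# Constructed user directory: "what you know" plus what a directory lookup returns.
USERS = {
    "jane": {"password": "correct horse", "admin": True,
             "home": "/Users/jane", "realm": "EXAMPLE.COM"},
    "kid": {"password": "hunter2", "admin": False,
            "home": "/Users/kid", "realm": "EXAMPLE.COM"},
}
TRUSTED_CARDS = {"jane": "card-1234"}   # "what you have": smart card per user
PLAYLIST = {"Classroom Songs"}          # CDs the teacher has allowed

# Each module gets the request and the sideband collected so far, and returns
# (ok, new sideband). Sideband flows to later modules and to the caller.
def directory_module(req: Request, ctx: Sideband) -> Tuple[bool, Sideband]:
    rec = USERS.get(req.get("user", ""))
    return (rec is not None), ({"home": rec["home"], "realm": rec["realm"]} if rec else {})

def password_module(req: Request, ctx: Sideband) -> Tuple[bool, Sideband]:
    rec = USERS.get(req.get("user", ""))
    ok = rec is not None and req.get("password") == rec["password"]
    # Asking the user for the password also lets the login unlock the keychain.
    return ok, ({"keychain_unlocked": True} if ok else {})

def admin_module(req: Request, ctx: Sideband) -> Tuple[bool, Sideband]:
    rec = USERS.get(req.get("user", ""))
    return bool(rec and rec["admin"]), {}

def smartcard_module(req: Request, ctx: Sideband) -> Tuple[bool, Sideband]:
    return TRUSTED_CARDS.get(req.get("user", "")) == req.get("card"), {}

def playlist_module(req: Request, ctx: Sideband) -> Tuple[bool, Sideband]:
    return req.get("cd") in PLAYLIST, {}

MODULES: Dict[str, Callable[[Request, Sideband], Tuple[bool, Sideband]]] = {
    "directory": directory_module, "password": password_module,
    "admin": admin_module, "smartcard": smartcard_module,
    "playlist": playlist_module,
}

# Rights database (hypothetical right names): the module chain per operation.
# "screensaver.unlock" has an empty chain, i.e. the answer is always yes.
RIGHTS: Dict[str, List[str]] = {
    "system.preferences": ["admin", "password"],   # the lock in the prefs panel
    "screensaver.unlock": [],
    "play.cd": ["playlist"],
    "format.disk": ["admin", "password"],
    "login.console": ["directory", "password", "smartcard"],
}

PASSWORD_CACHE_SECONDS = 300   # "cache the password for five minutes"

class Authorizer:
    def __init__(self, rights: Dict[str, List[str]] = RIGHTS,
                 clock: Callable[[], float] = time.time) -> None:
        self.rights = rights
        self.clock = clock
        self._cached_until: Dict[str, float] = {}   # user -> expiry of password credential

    def authorize(self, op: str, req: Request) -> Tuple[bool, Sideband]:
        """Yes/no: may req['user'] do `op` right now? Also returns the sideband.
        The caller is assumed to be a trusted process; a 'yes' grants nothing by
        itself, the privileged work still happens in the caller's own tool."""
        chain = self.rights.get(op)
        if chain is None:
            return False, {}          # unknown operation: deny (this simulation's choice)
        user = req.get("user", "")
        now = self.clock()
        ctx: Sideband = {}
        for name in chain:
            if name == "password" and self._cached_until.get(user, 0.0) > now:
                continue              # typed recently: don't prompt again
            ok, extra = MODULES[name](req, ctx)
            if not ok:
                return False, {}      # any module saying no ends the chain
            ctx.update(extra)
            if name == "password":
                self._cached_until[user] = now + PASSWORD_CACHE_SECONDS
        return True, ctx

if __name__ == "__main__":
    auth = Authorizer()
    print(auth.authorize("login.console",
                         {"user": "jane", "password": "correct horse", "card": "card-1234"}))
```

Note that the cached password credential never substitutes for the other modules in a chain: a login attempt with a wrong card still fails even while the password is cached.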