---
title: WWDC2001 Session 307
framework: wwdc
role: article
path: wwdc/wwdc2001-307
---

# WWDC2001 Session 307

## Transcript

Kind: captions Language: en it's something that's present in nine and certainly something we brought forward into ten and in bringing it forward into ten we we we really made it a core part of the OS the keychains available now every user has a keychain and it's the place that we really want passwords to be stored so I'm assuming that because you're here you already have that that sense of what we want keychain to be used with that application should store passwords there the message we want to get out the message that we need to get out and I encourage you to share this with other developers is that keychain is the place to store passwords if they're storing passwords any other place if they're hashing them themselves if they're encrypting themselves if they're porting them and preferences or any other sort of file they really shouldn't do that they should use the keychain for that so without further ado I will bring up Ken MacLeod and he will go into greater detail on keychain thank you very much [Applause] good afternoon everybody I'm kinda MacLeod I am an engineer in the data security group where we work on keychain and I'm talking about the keychain today so the session basically we'll start off with an overview of what the keychain is and what it does and we'll talk to you about the new features that are in town with the keychain I'll go over the key chain manager API is that are available for your application to use and the last thing I'll talk about is the whole area of managing user interaction with the keychain and at the end we'll have a demo of the keychain with Mac OS 10 and time for Q&A so the three main questions that this session is designed to to answer that the questions are what does the keychain give me and how can I add support for it to my application and of course where can I get more information about it feel free as the session goes on to sort of add your own list of questions that you can ask at the end if you have more that the session doesn't cover so I've got here a keychain this is a keychain in the real world and apologize for you know right off drawing a distinction between computers of the real world but I'll try not to do that too often but the real convenience and usefulness of this thing in the real world is that I don't have to remember these things individually I don't have to remember to bring you know my car key with me my office key all these things I just have to remember one object I have to remember to bring my keys and then I have access to all of the the services or the things that these keys on the lock and the same idea is true of the keychain on OS 10 at an OS 9 the idea is to provide something that is a convenience but much more than a convenience it needs to be secure because when you're letting your computer manage your keys for you you need some level of security so that leads me into the definition of what the keychain is the keychain is a secure repository for your passwords your digital keys sort of analog on the computer of what the keys are in reality a much more appropriate metaphor perhaps that even a keychain is a sort of bank vault the bank vault has a door and when that bank vault is locked the things that are in it are locked down you can't get out them they're protected when the door is unlocked there's a security guard sitting there and he's monitoring all access he's checking the credentials of everybody who takes a key out of the vault the keychain has built on something we've been talking about called CDSA the common data security architecture which as of this week is all open sourced and all of the really all the work that the keychain does happens down in that layer CDSA has a whole series of plug-ins for doing things like a data storage and cryptography and those pieces are all part of that framework that you can take look at the keychain has a convenience feature as I said we're clients of the keychain can provide something called transparent authentication in other words the user experience of typing in your password wants to unlock your keychain and then not having to type in all the passwords that are actually stored in the keychain so you have a single sign-on user experience as Craig mentioned to start off with the keychain is available on both OS 9 and OS 10 but on OS 10 every user has a keychain every user logs in they have a user account and a keychain is automatically created for them so I like to define the terms when talking about the keychain because it can get a little confusing what do we mean when we use the word keychain and there's a grammatical difference here between keychain with a capital K and keychain with a small K when we use keychain or the capital K we're talking about the technology we're talking about the software that's built into the operating system we talked about keychain with a little K we're talking about the data store the thing that the user has that they put their passwords and keys into the keychain can be in one of two states kechi is either locked or unlocked and the definition of an unlocked keychain is one that has a key which is available to decrypt items in the keychain without that key nothing can be decrypted nothing can be retrieved from the keychain and the keychain is locked everything that you put in the keychain whether it's a key an actual cryptographic key a password a certificate we use the term keychain item to refer to all of these things collectively and the other term the last term that we use a lot is default keychain the default keychain is if you have more than one keychain this is the one where items are added to so typically a user logs in they have a keychain created but you're not limited to that as a user or as a developer now you can create as many key chains as you want have as many unlocked as you want to be unlocked at a time if you want you can set a keychain to lock automatically by default the keychain will be unlocked at login and locked when you log out but if you want to restrict that even further that's completely available to you the default keychain again when you log in on OS 10 is unlocked and it's got the same user name or I'm sorry the same name as your user account and it uses the same password as that account by default again you're not limited to that you can change it at any time but this is just sort of to give the user a default keychain you can take a keychain and move it around from machine to machine and what we mean by the word portable here in this context is that you can take it from one machine to another you can take it from home to work vice versa so you have the keys with you on any machine that you use portable in this sense does not mean portable between nine and ten now the reason for that is that as you'll see when you look at the CDSA pieces we have open sourced all of the algorithms that the keychain uses and on OS nine we had some algorithms that were proprietary and could not be open sourced so we moved away from using them and we move toward something that could be open sourced for OS 10 you can put keychain files on a server so that you have them available you can put them on a CD you can just use them wherever they happen to be and the CDSA architecture doesn't limit us to that it supports fully supports keychains being on smart cards or removable tokens so we can actually get back to having a real-world keychain that has a little removable toe that actually holds your digital keys so here's a diagram or a map of all of the api's that are available across the board related to security starting on the left hand side there I know us 9 and still available in classic are the keychain API and an API that we talked about previously Macintosh file signing and some other ones there all of these are built on top of the older version of CDSA 1.2 which had quite a lot of limitations but you know worked well for OS 9 moving forward your applications on OS 10 will either use carbon or they'll use core services now the carbon piece sort of straddles the line between the two implementations of CDSA i'm the two platforms so if you write a application that uses the carbon keychain api's you can run on OS 9 or on OS 10 if you're a CFM binary now the pieces in the core box there or core services are at a lower level than carbon carbon actually uses some of them and the piece there are security core and the authorization api that Michael Brauer talked about this morning are all built on top of CDSA 2.0 and 2.0 allows us to be a lot more flexible with things like access control which I'll get into in a moment so if you are one of those types of applications on the top layer there you'll use the api's that are available for example carbon applications can use carbon cocoa you can mix you can either use carbon or the security core API and if you're a UNIX command-line tool you can take advantage of the keychain as well because we've factored the api's that were formerly exclusively in the carbon layer there in the carbon box and we move some of those into security core where they're available to you without having to depend on carbon so what kind of items can you store in a keychain well there's three basic classes of items that are defined keys passwords and certificates on OS 9 keys and certificates were there for the first release of OS 10 we focused on getting passwords really supported well certainly keys and certificates are something that we are working on but the focus of what I'm going to talk about today will be passwords and within the class of password item there are three sort of categories we have Apple share passwords which allow you to access Apple share servers Internet passwords are a more general case for any type of you know protocol like SMTP FTP what-have-you those sorts of things that require you know access to a server and then the last category of password is sort of a generic password account and service type of item so let's drill down a little bit and look inside a keychain item a keychain items contents are really simple there's two things there's attributes and there's data the data is in this case the password in this example just the data of the password that I'm trying to protect I can add a number of attributes to the item that help me find the item later on so if I'm storing for example here a password for an FTP server I might want to add my account name and the name of the server and some other information that lets me find that password I have and match it back up when I need to log back into that server so every item it's in a keychain has a set of common attributes and all these items can be treated more or less the same they have the class of the item they have things like the date when the item was created or modified they have a label that describes the item there's also a description of the item there's a comment field where with the keychain access application a user can actually add comments to an item that's stored in the keychain within those subcategories though of an item class there are additional attributes that are defined so for example if you have an internet password you have things like the protocol and the server which are additional attributes that are specific to an internet password and the whole purpose of adding attributes to these things is so that you can find the item again when you're looking for it now the data portion of the item is protected as I said unlike attributes you can't search on the data of the item so it can't be revealed to you in that way the data cannot ever be retrieved unless the keychain is unlocked and it can't be retrieved unless the user gives explicit permission now I'll get into that and a little bit later but in OS 10 and with CDSA 2.0 we were able to let the user or the administrator configure the access control on a keychain item and have that be persistent and in the case of cryptographic keys private and symmetric type keys the data of those items is actually never able to be retrieved from a keychain you'll only be able to use item references to reference the item so the big question that everyone has about the keychain is how secure is it well for one it doesn't depend on your machines physical security unlike a lot of mechanisms or api's it's an encrypted container so even if someone can sit down and have access to the filesystem on your machine your keys your data is sitting in an encrypted container that they can't get at the benefit of that is that you don't have to write down passwords on sticky notes or store them at a preferences file somewhere in clear-text or maybe you just have a you know simple X XOR algorithm that that scrambles them this lets you have a secure encrypted container to store these things now the password that unlocks the keychain itself is never stored anywhere in the keychain on disk you keep that in your head and when you type it in we generate a key from that we use a algorithm called it's a it's actually defined in aspect called pkcs5 which is our essays cryptographic spec for deriving a key from a past password or phrase on OS 9 when we use this we used as I mentioned an algorithm that could not be open sourced we used 128-bit keys on OS 10 we've gone up to 168 bit keys with an algorithm that is available so the data of an item is protected and it can't be retrieved unless the user gives an explicit ok now on on OS 9 some of you have seen what this means it means that a dialog comes up the dialog says this particular process is trying to access this item is that ok and the user at that point has to make an explicit decision do I want to allow this process access to the item on OS 9 there was a problem though because that dialog box kept popping up every time you accessed an item and it got really annoying because there was no way to securely store that setting persistently so that after you rebooted the machiner you came back the same thing wouldn't happen again you wouldn't be asked again for permission on OS 10 CDSA lets us have access control lists that are persistent for an item so you can avoid or give permission once to a particular process what we'll do is store hash of that process and later when that same process tries to access the keychain we'll say ok yes this is the same process you're allowed to access without having that dialogue pop up the application or the process that puts an item into the keychain by default has access to it on the philosophy that well you know they had the data that they're giving us so we'll trust them to access it and that prevents a lot of unnecessary asking of the user for permission so every item in the keychain can have its own access control list and you can configure these individually you can allow any application to access a particular item or you can restrict it to just one application or a whole series of applications you can use the keychain access utility which is available in the utilities folder to pre configure access and I will show you a little demo that later the access control api's are available in the CDSA layer we don't currently have any in the keychain manager API to configure those we assume that the user or the administrator of the machine will setup the permissions as they see fit for a particular keychain item and of course access control lists stick around on OS 10 so you know across reboots it's always it's always going to be there so what can you do as an application developer with the keychain well the first and probably a most important thing is you can store things securely there in the keychain instead of perhaps having to worry about how are you were going to you know hide a particular piece of data whether you're going to you know encrypt it yourself put it in a preferences file whatever we sort of you know provide that now as a system service that you can just take advantage of and not have to worry about it you can also look in the keychain when you need to connect to a particular service so the user doesn't necessarily have to type in their password more than once if that password is available in a keychain and the keychain is unlocked so if you are connecting to let's say you know an FTP server you can look first in the keychain to see if there is a password for that FTP server and use that instead of having to force the user to type in a password every time and another thing you can do with it you're not just limited to passwords in the traditional sense you can use the keychain to store for example cookies or software you know perhaps serial numbers registration numbers maybe a content key for you know an mp3 there's just all sorts of little bits of data that need to be kept private by your application and now there's a central place that you can store them in a secure way so here's the sort of high-level overview of the API there are two sort of divisions there's high-level calls and low-level calls and it's real easy to get started with the high level calls because there's really only two you'll find a password or you'll add a password if there isn't one already there there's a series of low level routines on which those high level routines are built and so they give you the flexibility to do perhaps a piece of what the high level routines do without requiring or pulling in a lot of extra code perhaps to do the UI like the high level routines do these routines lets you for example search for multiple items or manage keychains themselves as opposed to the items on the keychain and the last area of the API is the whole area of notification so when something happens with a keychain when the keychain locks are unlocked or if somebody takes the data out you can get notified when those things occur and then the last thing I'll talk about there is the new factoring of the API between carbon and core services so the very first thing to do to get started is to call this routine keychain manager available now you say why isn't the keychain always there if you are a carbon app that needs to run back to nine or even earlier then you'll definitely want to make sure that you call this because the keychain may not be there prior to nine of course on tan the keychain is always there so it's less important you don't need to explicitly make sure that there's a keychain you don't need to create one first you don't need to make sure it's unlocked because high-level routines will prompt the user just sort of you know transparently to do those sorts of housekeeping things well that's your application having to worry about it again the low-level routines are there if you need to explicitly create one yourself or unlock it but the high-level routines sort of take care of all that for you and when the user logs in on OS 10 their keychain is already unlocked so it's all just sort of happening transparently to them and to your application and then once you've figured out that the keychain manager is available you can either find or add a password the first thing you'll do is try to find the password in the keychain and there are three high level calls in the keychain API and Carbon that lets you do that depending on the type of password you're looking for so for example if you are that FTP application you can call find internet password pass it the attributes you're looking for the name of the server the fact that this is a password for FTP and those sorts of attributes and then it'll return the password if it's in fact found in the keychain and the flip side of that is adding an item if the item wasn't already there perhaps you want to store it in the keychain and there's three calls to do that depending on the type of password that you want to add again all of these are in carbon and because they're high-level calls all of these sort of housekeeping tasks of making sure the keychain is unlocked creating a keychain if necessary is all taken care of for you so as I said the high level API is sort of encompass or capsulate a whole set of low-level calls and just makes it convenient and easy to use for you but the low-level calls are there if you need the flexibility so in this case the add internet password call is really just a wrapper around a whole series of the lower-level calls the first two create a new item and then to add it to a particular keychain and then we make a series of calls to set whatever after we need to set on the item and then finally we need to set the data of the item the thing that's important to protect and the last call ere is update item which writes it out to the keychain so here's that diagram again and here are the two sort of components of the keychain API if you're a carbon application everything is there available to you from carbon if you are not wanting to use carbon or you were for example a UNIX command-line tool you can call directly to the securityq or api's again the the split is sort of along the lines of does this call require UI so the high-level calls in carbon may display user interface for example if the keychain is locked and you make this call to find the password and a password is found the the user may see a dialog box come up asking to unlock the keychain and that's the sort of call where these things happen in line and you I could come up so they remain in carbon when you're a carbon application using those it automatically pulls in all of the lower-level api's that are in core services so everything there is available in carbon if you are going straight to core services if you're going straight to so that level those API calls do not display UI and in order to use them you'll include core services H and again this is something that can be used by any application but especially applications that don't want or need to rely on carbon so the basic API routines at that layer like I said give you a lot of flexibility if you want to just create a new item without adding it to a particular keychain you'll use new item add item of course adds an item to a particular keychain always you're going to access an item through a reference called a KC item ref and no matter what the item is they're all treated the same you'll always use a reference because you don't know exactly what the composition or the backing store or any of that you know needs to be if your application uses item refs it doesn't have to worry about about any of those underlying details you'll use get attribute when you need to get an attribute from an item and set attribute will of course set the attribute on the item and the same thing with data get data will get the data of the item and set data will set it when you're all done sort of you know adding or you know changing the item around you'll use update item which will write it out to the keychain and commit it and when you're all done with an item we want you to call KC release item because that will release the memory that the item occupies again if you need the flexibility of being able to find more than one item in a keychain we provide sort of a lightweight database type API called find first and find next item find first item of course you pass in the same sort of thing that you would to higher-level ones in terms of attributes these are the things I'm looking for find these items and what that will call will do is return a search reference and then you can pass that search reference to find next item and continue searching until no more items match and when you're all done with one of those multiple item searches you can call KC release search and that will release the memory that it occupies now in a similar way to using a KC item ref when you're you know dealing with items you want to use something called a KC ref to refer to keychains themselves most of the time your application won't care about keychains or where a particular item is stored but if you do you'll use a KC ref we provide two routines there to sort of translate between a KC ref and an object in a file system that's specified by an alias record but it's real important to realize that it's not always going to be a file and in fact you really can't assume ever that a keychain is a file on the disk that's a bad thing to do if you were at this talk last year I said the same thing and it's still true now that we have actual smart card support in OS 10 this is going to be coming sooner rather than later so it's real important to remember that Casey gets status is a routine that's your friend it will tell you a lot of information it will tell you whether the keychain is unlocked a particular keychain or the default keychain and it will tell you whether the keychain can be written to or if it's just open read-only and get keychain name is pretty aptly named it will tell you the name of the keychain if you need to explicitly unlock a keychain you have KC unlock keychain again most of the time you won't need to worry about whether the keychain is locked or unlocked because all of that will be taken care of for you and we'll just prompt the user to unlock the keychain if it's necessary if you need to create a new keychain you'll use case you create keychain and if you need to look through all the key chains that are available in the system we have count key chains and get end keychain err or get a keychain out of particular index the notification section of the API is pretty useful every time a event happens with a key chain someone unlocks it someone locks it someone adds something to it someone retrieves data from it this generates a keychain event and your application can register to get these events to sort of see what's going on perhaps you want to write a logging application that logs all accesses to the keychain you can do that by registering for keychain events you'll call add callback and that will register a routine that will call to let you know when these things occur will give you information about you-know-what keychain it was what keychain item it was what the process was that asked and so on you can register only for those events that you care about for example you may not care when the keychain locks are unlocks the only thing you care about is somebody retrieved data so you can just register for example for that event and when you're all done you can call remove callback before your application is is ready to quit here's a little snippet of code that shows how simple this is really to use this routine connect to server takes two arguments we're about to connect to a server and we know something we know the server's name that we're going to connect to and we know an account that we want to connect as so the first thing is to see if there's a password in the keychain before we go and ask the user to type in their password so in this case kc5 internet password takes a series of arguments and the first argument it takes is the name of the server and so I can just pass that in the server in this case that I'm interested in it takes the security domain argument which is a string in this case I'm not concerned about the domain so I pass nil I pass in my account name I can pass in a port since I'm not concerned about a particular port I can pass the constant any port I can pass in a particular protocol type that I'm interested in finding and an authorization type where I'm sorry an authentication type constant there and then I pass in a buffer at a point a pointer to a buffer that I provide and the length of that buffer if this call is successful and it actually does find a password it will fill in the buffer with the password and return no error so after I've made this call a number of things could have happened it could have gone off asked the user to unlock the keychain created a keychain if no keychain existed all that stuff I don't have to worry about in this routine it's all sort of handled for me so now they're at the bottom if there's a error return from this routine then I know that no password in fact was there in the keychain and I'll need to do something to ask the user for the password as I normally would and I call a routine there my get password which actually would go off assuming that it it got the password from the user could go off and call KC add internet password to put it there in the keychain so it's there for next time and then when I get to the very bottom of their chain either way I have a password and then I can connect to the server so the nuts and bolts of what your application needs to do to use the keychain if you are a CFM application that's going to be running on on 10 and 9 you'll want to link against carbon Live 1.1 or greater which has the keychain API in it if you're a carbon application on 10 of course you will link with the carbon framework and if you are a Coco application you can link with either one depending on what your needs are which portions of the API you want to bring in if you are a command-line tool you probably should not like against Carbon you'll only want to link with the core services framework and the things that don't necessarily require UI so the last thing I want to talk about is the whole area of user interaction and what your application can do to manage it the keychain as I said when you make these calls these high-level calls to find or add a password can't put up UI it can ask to unlock the keychain it can ask for permission to access an item if it doesn't already have that permission of pre-configured and in some cases this is not going to be appropriate for you obviously there's there's an example where you have an application that it's a server application that's running on a machine that's in a locked closet and if you go off and try to find a password in the keychain and a dialog pops up on the screen there's not a user there to do anything about it so you want to be aware if you're writing an application that is not going to be user driven in that way that you call something called set interaction allowed to essentially turn off the displaying of UI elements and what that will do is if the keychain is already unlocked there will be no UI required and you can proceed if the keychain happens to be locked then those calls will just generate an error and you can do whatever is appropriate with that error I believe it's you know just an error that says the keychain is locked the second case that you might run into is an application that's perhaps a command-line tool something running over you know you're logged in via SSH let's say and you're running this application and you know you can't put up UI you have a command-line interface so if you have no way of unlocking the keychain via this dialog box we provide the ability to unlock it programmatically with KCM lock but again this is something where UI is not is not the way you want to go there um the second point that I wanted to make is that when you're using the keychain you should always let the user decide to use the keychain and let the user make the decisions about when to interact with it the way a lot of apps handle this is when you have a password dialog box it'll have a little checkbox next to it that says add this to my key chain or maybe remember this password again you're letting the user make the decision at that point whether or not they want to store it and the final item there is a real fundamental principle of UI design often gets lost but it bears repeating and that is all of the things that occur that bring up you I should be the direct result of the user having done something so if I make a call to find internet password and it needs to put up a dialog that's the same as my directly putting up that dialog and if that occurs at some point long after the user has interacted with your application it can be very confusing if I set up for example a mail account and then you know 30 minutes into the future mail is asking me for my keychain password or permission to access it there's no consistent sort of connection in my mind between my act of you know interacting with the mail client or whatever it happens to be and its use of the password so when you call a kc5 internet password or any of these high-level api's that can bring up you I be sure that you do it as a result of something the user has done they've clicked add they've clicked you know connect whatever it happens to be so along those lines it's entirely appropriate to cache items that you retrieve out of a keychain especially on 10 when you have a protected memory model you can hold something in your own processes memory space and other processes running on the system the user happens to start up can't get access to it the caveat there is that well memory is protected you want to protect against that thing getting written out to disk and the way to do that is to lock the memory you always make sure the memory is locked if it contains sensitive data on carbon the calls that you use to do that our hold memory to actually lock it down and unhold memory when you're done with it and the same thing for if you're using bsd at that level you use em lock and m unlock which is essentially the same thing so now I'd like to actually show you a demo of how this works on OS 10 so down here in the applications and utilities folder is your friend keychain access this little utility will show you your keychains and let you manage them it shows you what's in a keychain in this case I have a keychain that's empty so start off with nothing in my keychain and I'll set up a mail account in the mail application I actually have an account set up here I have a particular email address and I have a server name that I'm going to be connecting to to retrieve mail and a user name now it makes logical sense that those are good attributes for a keychain item if I'm storing a password in the keychain those are tags that I can add as attributes so that I can find that particular password when I go to connect to this server I'm not going to type in my password now I will go and actually get mail at this point and when they click that I guess here let's quit and try again I think what what mail did was cache my password from when I when I set this up so when mail actually goes to connect to the server it has looked in the keychain found nothing there and is putting up a dialog asking me to type in my password so I'll go ahead and do that and then I can make the decision to actually remember that or store it in the keychain and then I go off and it goes off to the server and looks for my mail now notice what happened on the keychain an item just got added so that's quick mail and take a look at this item it's got a label here which is the server that I connected to it put an internet password in there with the account name that I logged in as now there's something new for OS 10 with keychain items and we have an access control pain now and keychain access that lets you sort of set up who has access to this particular password so by default the mail application created it and we give mail access by default to this item you can turn off access all together or you can allow access by any application that wants to access it without without putting up that warning dialog so to show you what that looks like I'm going to actually remove mail from that access control list and now mail no longer has pre-approved access to this item so when I go to save this list I get asked permission to actually change the access control list here which I will do and I'll go back and run mail mail goes off tries to look the password up in the keychain finds the password but it doesn't have access to just get the password without the users knowledge so I get this confirmation dialog and I can look at in fact the details of this this is the keychain that is being accessed and this is the particular process that is wanting access to this item and my choices are I can allow this to occur just once or I can permanently allow it to occur by clicking always allow and when I do that if we go back to the access control paint of this item you'll see that mail has been then re added to the list so maelys is one client of the keychain in OS 10 but it's integrated pretty well throughout the Finder has a connect to server to connect to a particular Apple shrilled appers I can speak Apple share server in this case I can connect to iDisk mac.com which is really just an AFP server so when I go to connect to it it asked me for a name and password and again Apple share has provided some human interface to let me decide whether or not I want to store it in the keychain so I'll click yes I'll go ahead and log in those the account that I set up and I can mount that volume now I talked a little bit earlier on about providing a transparent authentication experience so one thing I can do in the Apple sure case is to make an alias of the server or I'm sorry of the volume and then I'll go ahead and unmount this volume and let's first examine this item and see who has access to it so we see that the finder has access to it so now if I go back to the finder and I double click on this alias because the finder has access you get the spinning cursor and the volume just mounts without having to type in a password the other thing that's new in OS town with keychain access is the ability for users to add their own types of passwords for example software registration numbers credit card numbers pin numbers whatever it may be all they have to do is click Add and I can add something like you know my software serial number for me and I'll type in whatever that happens to be I can look at it and clear text if I want to that's not what it defaults to I'll go ahead and add it and now I have an item that I stored without you know a whole lot of muss or fuss I can give applications pre-approval to access this item if I know that a particular application is going to need this password or the serial number I can go ahead from this interface and change the access control list I can go to for example applications and you know maybe it's a serial number for the chess game so I can add that and now whenever chess looks for a serial number that's stored in the keychain the user won't be bothered with a dialog asking for permission because chess is pre-approved now I mentioned that by default the keychain is unlocked when you log in and it's locked when you log out you can change those settings at any time you can have it lock after a period of inactivity or when the system sleeps and of course at any time you can manually lock the keychain so if I manually lock the keychain then those things that need to access it will require the keychain to be unlocked first so when I double clicked on that alias and the finder or in this case Apple share did a find to look for its password in the keychain the keychain was locked and so we take care of putting up this unlock dialog for you and your application just doesn't have to to handle all of that so I'll unlock the keychain I did enter the wrong password and capslock arm anyway and then when the keychain unlocks the volume will mount so that's pretty much it for the demo go back to the last slide if it good so just to sum up the keychain is like a bank vault for all of your sensitive passwords keys things that you need to store securely and it's provided for you as a system of service so it's always there and you don't have to roll your own code to do the encryption it's very simple to use most applications just need to do find an ad and all of this is there now in OS 10 as shipped out of the box so go ahead get started with it and thank you what I'd like I did want to mention that there are a number of resources for getting more information about the keychain on your Mac os10 disk you can look in the developer folder and there's documentation under the carbon directory there in the documentation folder on the web we have a security page there is a new page that I don't have the URL for that just went up this week and then of course the source code itself is open source and you can go to WWF and source apple.com and all the links are there for getting access to that and looking at it if you're interested in sort of drilling down to the CDSA layer and the API is that are available there under the keychain those are all described at the open group's website which is open group org we have a number of security sessions here of course now three of them are already over but encourage you to look at the session on Kerberos and if you can if you happen to miss any of the other two try to take a look at those when the sessions become available in whatever format they become available in and then please come on Friday and talk to us tell us what you want to see or what if you have concerns about this or suggestions for how we can approve it please let us know here's the email address for all of your questions talk to Craig Craig make sure that we there or the appropriate team gets notified so that we can handle whatever issues come up you