WWDC2001 Session 307

Transcript

Kind: captions
Language: en
it's something that's present in nine
and certainly something we brought
forward into ten and in bringing it
forward into ten we we we really made it
a core part of the OS the keychains
available now every user has a keychain
and it's the place that we really want
passwords to be stored so I'm assuming
that because you're here
you already have that that sense of what
we want keychain to be used with that
application should store passwords there
the message we want to get out the
message that we need to get out and I
encourage you to share this with other
developers is that keychain is the place
to store passwords if they're storing
passwords any other place if they're
hashing them themselves if they're
encrypting themselves if they're porting
them and preferences or any other sort
of file they really shouldn't do that
they should use the keychain for that so
without further ado I will bring up Ken
MacLeod and he will go into greater
detail on keychain thank you very much
[Applause]
good afternoon everybody I'm kinda
MacLeod I am an engineer in the data
security group where we work on keychain
and I'm talking about the keychain today
so the session basically we'll start off
with an overview of what the keychain is
and what it does and we'll talk to you
about the new features that are in town
with the keychain I'll go over the key
chain manager API is that are available
for your application to use and the last
thing I'll talk about is the whole area
of managing user interaction with the
keychain and at the end we'll have a
demo of the keychain with Mac OS 10 and
time for Q&A so the three main questions
that this session is designed to to
answer that the questions are what does
the keychain give me and how can I add
support for it to my application and of
course where can I get more information
about it feel free as the session goes
on to sort of add your own
list of questions that you can ask at
the end if you have more that the
session doesn't cover so I've got here a
keychain this is a keychain in the real
world and apologize for you know right
off drawing a distinction between
computers of the real world but I'll try
not to do that too often but the real
convenience and usefulness of this thing
in the real world is that I don't have
to remember these things individually I
don't have to remember to bring you know
my car key with me my office key all
these things I just have to remember one
object I have to remember to bring my
keys and then I have access to all of
the the services or the things that
these keys on the lock and the same idea
is true of the keychain on OS 10 at an
OS 9 the idea is to provide something
that is a convenience but much more than
a convenience it needs to be secure
because when you're letting your
computer manage your keys for you you
need some level of security so that
leads me into the definition of what the
keychain is the keychain is a secure
repository for your passwords your
digital keys sort of analog on the
computer of what the keys are in reality
a much more appropriate metaphor perhaps
that even a keychain is a sort of bank
vault the bank vault has a door and when
that bank vault is locked the things
that are in it are locked down you can't
get out them they're protected when the
door is unlocked there's a security
guard sitting there and he's monitoring
all access he's checking the credentials
of everybody who takes a key out of the
vault
the keychain has built on something
we've been talking about called CDSA the
common data security architecture which
as of this week is all open sourced and
all of the really all the work that the
keychain does happens down in that layer
CDSA has a whole series of plug-ins for
doing things like a data storage and
cryptography and those pieces are all
part of that framework that you can take
look at the keychain has a convenience
feature as I said we're clients of the
keychain can provide something called
transparent authentication in other
words the user experience of typing in
your password wants to unlock your
keychain and then not having to type in
all the passwords that are actually
stored in the keychain so you have a
single sign-on user experience as Craig
mentioned to start off with the keychain
is available on both OS 9 and OS 10 but
on OS 10 every user has a keychain every
user logs in they have a user account
and a keychain is automatically created
for them so I like to define the terms
when talking about the keychain because
it can get a little confusing what do we
mean when we use the word keychain and
there's a grammatical difference here
between keychain with a capital K and
keychain with a small K when we use
keychain or the capital K we're talking
about the technology we're talking about
the software that's built into the
operating system we talked about
keychain with a little K we're talking
about the data store the thing that the
user has that they put their passwords
and keys into the keychain can be in one
of two states
kechi is either locked or unlocked and
the definition of an unlocked keychain
is one that has a key which is available
to decrypt items in the keychain without
that key nothing can be decrypted
nothing can be retrieved from the
keychain and the keychain is locked
everything that you put in the keychain
whether it's a key an actual
cryptographic key a password a
certificate
we use the term keychain item to refer
to all of these things collectively and
the other term the last term that we use
a lot is default keychain the default
keychain is if you have more than one
keychain this is the one where items are
added to
so typically a user logs in they have a
keychain created but you're not limited
to that
as a user or as a developer now you can
create as many key chains as you want
have as many unlocked as you want to be
unlocked at a time if you want you can
set a keychain to lock automatically by
default the keychain will be unlocked at
login and locked when you log out but if
you want to restrict that even further
that's completely available to you
the default keychain again when you log
in on OS 10 is unlocked and it's got the
same user name or I'm sorry the same
name as your user account and it uses
the same password as that account by
default again you're not limited to that
you can change it at any time but this
is just sort of to give the user a
default keychain you can take a keychain
and move it around from machine to
machine and what we mean by the word
portable here in this context is that
you can take it from one machine to
another you can take it from home to
work vice versa so you have the keys
with you on any machine that you use
portable in this sense does not mean
portable between nine and ten now the
reason for that is that as you'll see
when you look at the CDSA pieces we have
open sourced all of the algorithms that
the keychain uses and on OS nine we had
some algorithms that were proprietary
and could not be open sourced so we
moved away from using them and we move
toward something that could be open
sourced for OS 10 you can put keychain
files on a server so that you have them
available you can put them on a CD you
can just use them wherever they happen
to be and the CDSA architecture doesn't
limit us to that it supports fully
supports keychains being on smart cards
or removable tokens so we can actually
get back to having a real-world keychain
that has a little removable toe
that actually holds your digital keys so
here's a diagram or a map of all of the
api's that are available across the
board related to security starting on
the left hand side there I know us 9 and
still available in classic are the
keychain API and an API that we talked
about previously Macintosh file signing
and some other ones there all of these
are built on top of the older version of
CDSA 1.2 which had quite a lot of
limitations but you know worked well for
OS 9 moving forward your applications on
OS 10 will either use carbon or they'll
use core services now the carbon piece
sort of straddles the line between the
two implementations of CDSA i'm the two
platforms so if you write a application
that uses the carbon keychain api's you
can run on OS 9 or on OS 10 if you're a
CFM binary now the pieces in the core
box there or core services are at a
lower level than carbon carbon actually
uses some of them and the piece there
are security core and the authorization
api that Michael Brauer talked about
this morning are all built on top of
CDSA 2.0 and 2.0 allows us to be a lot
more flexible with things like access
control which I'll get into in a moment
so if you are one of those types of
applications on the top layer there
you'll use the api's that are available
for example carbon applications can use
carbon cocoa you can mix you can either
use carbon or the security core API and
if you're a UNIX command-line tool you
can take advantage of the keychain as
well because we've factored the api's
that were formerly exclusively in the
carbon layer there in the carbon box and
we move some of those into security core
where they're available to you without
having to depend on carbon
so what kind of items can you store in a
keychain well there's three basic
classes of items that are defined keys
passwords and certificates on OS 9 keys
and certificates were there for the
first release of OS 10 we focused on
getting passwords really supported well
certainly keys and certificates are
something that we are working on but the
focus of what I'm going to talk about
today will be passwords and within the
class of password item there are three
sort of categories we have Apple share
passwords which allow you to access
Apple share servers Internet passwords
are a more general case for any type of
you know protocol like SMTP FTP
what-have-you those sorts of things that
require you know access to a server and
then the last category of password is
sort of a generic password account and
service type of item so let's drill down
a little bit and look inside a keychain
item a keychain items contents are
really simple there's two things there's
attributes and there's data the data is
in this case the password in this
example just the data of the password
that I'm trying to protect I can add a
number of attributes to the item that
help me find the item later on so if I'm
storing for example here a password for
an FTP server I might want to add my
account name and the name of the server
and some other information that lets me
find that password I have and match it
back up when I need to log back into
that server so every item it's in a
keychain has a set of common attributes
and all these items can be treated more
or less the same they have the class of
the item they have things like the date
when the item was created or modified
they have a label that describes the
item there's also a description of the
item there's a comment field where
with the keychain access application a
user can actually add comments to an
item that's stored in the keychain
within those subcategories though of an
item class there are additional
attributes that are defined so for
example if you have an internet password
you have things like the protocol and
the server which are additional
attributes that are specific to an
internet password and the whole purpose
of adding attributes to these things is
so that you can find the item again when
you're looking for it now the data
portion of the item is protected as I
said unlike attributes you can't search
on the data of the item so it can't be
revealed to you in that way the data
cannot ever be retrieved unless the
keychain is unlocked and it can't be
retrieved unless the user gives explicit
permission now I'll get into that and a
little bit later but in OS 10 and with
CDSA 2.0 we were able to let the user or
the administrator configure the access
control on a keychain item and have that
be persistent and in the case of
cryptographic keys private and symmetric
type keys the data of those items is
actually never able to be retrieved from
a keychain you'll only be able to use
item references to reference the item so
the big question that everyone has about
the keychain is how secure is it well
for one it doesn't depend on your
machines physical security unlike a lot
of mechanisms or api's it's an encrypted
container so even if someone can sit
down and have access to the filesystem
on your machine your keys your data is
sitting in an encrypted container that
they can't get at the benefit of that is
that you don't have to write down
passwords on sticky notes or store them
at a preferences file somewhere in
clear-text or maybe you just have a you
know simple X XOR algorithm that that
scrambles them this lets you have a
secure encrypted container to store
these things
now the password that unlocks the
keychain itself is never stored anywhere
in the keychain on disk you keep that in
your head and when you type it in we
generate a key from that we use a
algorithm called it's a it's actually
defined in aspect called pkcs5 which is
our essays cryptographic spec for
deriving a key from a past password or
phrase on OS 9 when we use this we used
as I mentioned an algorithm that could
not be open sourced
we used 128-bit keys on OS 10 we've gone
up to 168 bit keys with an algorithm
that is available so the data of an item
is protected and it can't be retrieved
unless the user gives an explicit ok now
on on OS 9 some of you have seen what
this means it means that a dialog comes
up the dialog says this particular
process is trying to access this item is
that ok and the user at that point has
to make an explicit decision do I want
to allow this process access to the item
on OS 9 there was a problem though
because that dialog box kept popping up
every time you accessed an item and it
got really annoying because there was no
way to securely store that setting
persistently so that after you rebooted
the machiner you came back the same
thing wouldn't happen again you wouldn't
be asked again for permission on OS 10
CDSA lets us have access control lists
that are persistent for an item so you
can avoid or give permission once to a
particular process what we'll do is
store hash of that process and later
when that same process tries to access
the keychain we'll say ok yes this is
the same process you're allowed to
access without having that dialogue pop
up the application or the process that
puts an item into the keychain by
default has access to it
on the philosophy that well you know
they had the data that they're giving us
so we'll trust them to access it and
that prevents a lot of unnecessary
asking of the user for permission so
every item in the keychain can have its
own access control list and you can
configure these individually you can
allow any application to access a
particular item or you can restrict it
to just one application or a whole
series of applications you can use the
keychain access utility which is
available in the utilities folder to pre
configure access and I will show you a
little demo that later the access
control api's are available in the CDSA
layer we don't currently have any in the
keychain manager API to configure those
we assume that the user or the
administrator of the machine will setup
the permissions as they see fit for a
particular keychain item and of course
access control lists stick around on OS
10 so you know across reboots it's
always it's always going to be there so
what can you do as an application
developer with the keychain
well the first and probably a most
important thing is you can store things
securely there in the keychain instead
of perhaps having to worry about how are
you were going to you know hide a
particular piece of data whether you're
going to you know encrypt it yourself
put it in a preferences file whatever we
sort of you know provide that now as a
system service that you can just take
advantage of and not have to worry about
it you can also look in the keychain
when you need to connect to a particular
service so the user doesn't necessarily
have to type in their password more than
once if that password is available in a
keychain and the keychain is unlocked so
if you are connecting to let's say you
know an FTP server you can look first in
the keychain to see if there is a
password for that FTP server and use
that instead of having to force the user
to type in a password every time
and another thing you can do with it
you're not just limited to passwords in
the traditional sense you can use the
keychain to store for example cookies or
software you know perhaps serial numbers
registration numbers maybe a content key
for you know an mp3 there's just all
sorts of little bits of data that need
to be kept private by your application
and now there's a central place that you
can store them in a secure way so here's
the sort of high-level overview of the
API there are two sort of divisions
there's high-level calls and low-level
calls and it's real easy to get started
with the high level calls because
there's really only two you'll find a
password or you'll add a password if
there isn't one already there there's a
series of low level routines on which
those high level routines are built and
so they give you the flexibility to do
perhaps a piece of what the high level
routines do without requiring or pulling
in a lot of extra code perhaps to do the
UI like the high level routines do these
routines lets you for example search for
multiple items or manage keychains
themselves as opposed to the items on
the keychain and the last area of the
API is the whole area of notification so
when something happens with a keychain
when the keychain locks are unlocked or
if somebody takes the data out you can
get notified when those things occur and
then the last thing I'll talk about
there is the new factoring of the API
between carbon and core services so the
very first thing to do to get started is
to call this routine keychain manager
available now you say why isn't the
keychain always there if you are a
carbon app that needs to run back to
nine or even earlier then you'll
definitely want to make sure that you
call this because the keychain may not
be there prior to nine of course on tan
the keychain is always there so it's
less important
you don't need to explicitly make sure
that there's a keychain you don't need
to create one first you don't need to
make sure it's unlocked because
high-level routines will prompt the user
just sort of you know transparently to
do those sorts of housekeeping things
well that's your application having to
worry about it again the low-level
routines are there if you need to
explicitly create one yourself or unlock
it but the high-level routines sort of
take care of all that for you and when
the user logs in on OS 10 their keychain
is already unlocked so it's all just
sort of happening transparently to them
and to your application and then once
you've figured out that the keychain
manager is available you can either find
or add a password the first thing you'll
do is try to find the password in the
keychain and there are three high level
calls in the keychain API and Carbon
that lets you do that depending on the
type of password you're looking for so
for example if you are that FTP
application you can call find internet
password pass it the attributes you're
looking for the name of the server the
fact that this is a password for FTP and
those sorts of attributes and then it'll
return the password if it's in fact
found in the keychain and the flip side
of that is adding an item if the item
wasn't already there perhaps you want to
store it in the keychain and there's
three calls to do that depending on the
type of password that you want to add
again all of these are in carbon and
because they're high-level calls all of
these sort of housekeeping tasks of
making sure the keychain is unlocked
creating a keychain if necessary is all
taken care of for you
so as I said the high level API is sort
of encompass or capsulate a whole set of
low-level calls and just makes it
convenient and easy to use for you but
the low-level calls are there if you
need the flexibility so in this case the
add internet password call is really
just a wrapper around a whole series of
the lower-level calls the first two
create a new item and then to add it to
a particular keychain and then we make a
series of calls to set whatever after
we need to set on the item and then
finally we need to set the data of the
item the thing that's important to
protect and the last call ere is update
item which writes it out to the keychain
so here's that diagram again and here
are the two sort of components of the
keychain API if you're a carbon
application everything is there
available to you from carbon if you are
not wanting to use carbon or you were
for example a UNIX command-line tool you
can call directly to the securityq or
api's again the the split is sort of
along the lines of does this call
require UI so the high-level calls in
carbon may display user interface for
example if the keychain is locked and
you make this call to find the password
and a password is found the the user may
see a dialog box come up asking to
unlock the keychain and that's the sort
of call where these things happen in
line and you I could come up so they
remain in carbon when you're a carbon
application using those it automatically
pulls in all of the lower-level api's
that are in core services so everything
there is available in carbon if you are
going straight to core services if
you're going straight to so that level
those API calls do not display UI and in
order to use them you'll include core
services H and again this is something
that can be used by any application but
especially applications that don't want
or need to rely on carbon
so the basic API routines at that layer
like I said give you a lot of
flexibility if you want to just create a
new item without adding it to a
particular keychain you'll use new item
add item of course adds an item to a
particular keychain always you're going
to access an item through a reference
called a KC item ref and no matter what
the item is they're all treated the same
you'll always use a reference because
you don't know exactly what the
composition or the backing store or any
of that you know needs to be if your
application uses item refs it doesn't
have to worry about about any of those
underlying details you'll use get
attribute when you need to get an
attribute from an item and set attribute
will of course set the attribute on the
item and the same thing with data get
data will get the data of the item and
set data will set it when you're all
done sort of you know adding or you know
changing the item around you'll use
update item which will write it out to
the keychain and commit it and when
you're all done with an item we want you
to call KC release item because that
will release the memory that the item
occupies again if you need the
flexibility of being able to find more
than one item in a keychain
we provide sort of a lightweight
database type API called find first and
find next item find first item of course
you pass in the same sort of thing that
you would to higher-level ones in terms
of attributes these are the things I'm
looking for find these items and what
that will call will do is return a
search reference and then you can pass
that search reference to find next item
and continue searching until no more
items match and when you're all done
with one of those multiple item searches
you can call KC release search and that
will release the memory that it occupies
now in a similar way to using a KC item
ref when you're
you know dealing with items you want to
use something called a KC ref to refer
to keychains themselves most of the time
your application won't care about
keychains or where a particular item is
stored but if you do you'll use a KC ref
we provide two routines there to sort of
translate between a KC ref and an object
in a file system that's specified by an
alias record but it's real important to
realize that it's not always going to be
a file and in fact you really can't
assume ever that a keychain is a file on
the disk that's a bad thing to do if you
were at this talk last year I said the
same thing and it's still true now that
we have actual smart card support in OS
10 this is going to be coming sooner
rather than later so it's real important
to remember that Casey gets status is a
routine that's your friend it will tell
you a lot of information it will tell
you whether the keychain is unlocked a
particular keychain or the default
keychain and it will tell you whether
the keychain can be written to or if
it's just open read-only and get
keychain name is pretty aptly named it
will tell you the name of the keychain
if you need to explicitly unlock a
keychain you have KC unlock keychain
again most of the time you won't need to
worry about whether the keychain is
locked or unlocked because all of that
will be taken care of for you and we'll
just prompt the user to unlock the
keychain if it's necessary if you need
to create a new keychain
you'll use case you create keychain and
if you need to look through all the key
chains that are available in the system
we have count key chains and get end
keychain err or get a keychain out of
particular index
the notification section of the API is
pretty useful every time a event happens
with a key chain someone unlocks it
someone locks it someone adds something
to it
someone retrieves data from it this
generates a keychain event and your
application can register to get these
events to sort of see what's going on
perhaps you want to write a logging
application that logs all accesses to
the keychain you can do that by
registering for keychain events you'll
call add callback and that will register
a routine
that will call to let you know when
these things occur will give you
information about you-know-what keychain
it was what keychain item it was what
the process was that asked and so on you
can register only for those events that
you care about for example you may not
care when the keychain locks are unlocks
the only thing you care about is
somebody retrieved data so you can just
register for example for that event and
when you're all done you can call remove
callback before your application is is
ready to quit here's a little snippet of
code that shows how simple this is
really to use this routine connect to
server takes two arguments we're about
to connect to a server and we know
something we know the server's name that
we're going to connect to and we know an
account that we want to connect as so
the first thing is to see if there's a
password in the keychain before we go
and ask the user to type in their
password so in this case kc5 internet
password takes a series of arguments and
the first argument it takes is the name
of the server and so I can just pass
that in the server in this case that I'm
interested in it takes the security
domain argument which is a string in
this case I'm not concerned about the
domain so I pass nil I pass in my
account name I can pass in a port since
I'm not concerned about a particular
port I can pass the constant any port I
can pass in a particular protocol type
that I'm interested in finding and an
authorization type where I'm sorry an
authentication type constant there and
then I pass in a buffer at a point a
pointer to a buffer that I provide
and the length of that buffer if this
call is successful and it actually does
find a password it will fill in the
buffer with the password and return no
error so after I've made this call a
number of things could have happened it
could have gone off asked the user to
unlock the keychain created a keychain
if no keychain existed all that stuff I
don't have to worry about in this
routine it's all sort of handled for me
so now they're at the bottom if there's
a error return from this routine then I
know that no password in fact was there
in the keychain and I'll need to do
something to ask the user for the
password as I normally would and I call
a routine there my get password which
actually would go off assuming that it
it got the password from the user could
go off and call KC add internet password
to put it there in the keychain so it's
there for next time and then when I get
to the very bottom of their chain either
way I have a password and then I can
connect to the server so the nuts and
bolts of what your application needs to
do to use the keychain if you are a CFM
application that's going to be running
on on 10 and 9 you'll want to link
against carbon Live 1.1 or greater which
has the keychain API in it if you're a
carbon application on 10 of course you
will link with the carbon framework and
if you are a Coco application you can
link with either one depending on what
your needs are which portions of the API
you want to bring in if you are a
command-line tool you probably should
not like against Carbon you'll only want
to link with the core services framework
and the things that don't necessarily
require UI so the last thing I want to
talk about is the whole area of user
interaction and what your application
can do to manage it the keychain as I
said when you make these calls these
high-level calls to find or add a
password can't put up UI it can ask to
unlock the keychain it can ask for
permission to access an item if it
doesn't already have that permission of
pre-configured and in some cases this is
not going to be appropriate for you
obviously there's there's an example
where you have an application that it's
a server application that's running on a
machine that's in a locked closet and if
you go off and try to find a password in
the keychain and a dialog pops up on the
screen there's not a user there to do
anything about it so you want to be
aware if you're writing an application
that is not going to be user driven in
that way that you call something called
set interaction allowed to essentially
turn off the displaying of UI elements
and what that will do is if the keychain
is already unlocked
there will be no UI required and you can
proceed if the keychain happens to be
locked then those calls will just
generate an error and you can do
whatever is appropriate with that error
I believe it's you know just an error
that says the keychain is locked the
second case that you might run into is
an application that's perhaps a
command-line tool something running over
you know you're logged in via SSH let's
say and you're running this application
and you know you can't put up UI you
have a command-line interface so if you
have no way of unlocking the keychain
via this dialog box we provide the
ability to unlock it programmatically
with KCM lock but again this is
something where UI is not is not the way
you want to go there um the second point
that I wanted to make is that when
you're using the keychain
you should always let the user decide to
use the keychain and let the user make
the decisions about when to interact
with it the way a lot of apps handle
this is when you have a password dialog
box it'll have a little checkbox next to
it that says add this to my key chain or
maybe remember this password again
you're letting the user make the
decision at that point whether or not
they want to store it and the final item
there is a real fundamental principle of
UI design
often gets lost but it bears repeating
and that is all of the things that occur
that bring up you I should be the direct
result of the user having done something
so if I make a call to find internet
password and it needs to put up a dialog
that's the same as my directly putting
up that dialog and if that occurs at
some point long after the user has
interacted with your application it can
be very confusing if I set up for
example a mail account and then you know
30 minutes into the future mail is
asking me for my keychain password or
permission to access it there's no
consistent sort of connection in my mind
between my act of you know interacting
with the mail client or whatever it
happens to be and its use of the
password so when you call a kc5 internet
password or any of these high-level
api's that can bring up you I be sure
that you do it as a result of something
the user has done they've clicked add
they've clicked you know connect
whatever it happens to be so along those
lines it's entirely appropriate to cache
items that you retrieve out of a
keychain especially on 10 when you have
a protected memory model you can hold
something in your own processes memory
space and other processes running on the
system the user happens to start up
can't get access to it the caveat there
is that well memory is protected you
want to protect against that thing
getting written out to disk and the way
to do that is to lock the memory you
always make sure the memory is locked if
it contains sensitive data on carbon the
calls that you use to do that our hold
memory to actually lock it down and
unhold memory when you're done with it
and the same thing for if you're using
bsd at that level you use em lock and m
unlock which is essentially the same
thing
so now I'd like to actually show you a
demo of how this works on OS 10 so down
here in the applications and utilities
folder is your friend keychain access
this little utility will show you your
keychains and let you manage them it
shows you what's in a keychain in this
case I have a keychain that's empty so
start off with nothing in my keychain
and I'll set up a mail account in the
mail application I actually have an
account set up here I have a particular
email address and I have a server name
that I'm going to be connecting to to
retrieve mail and a user name now it
makes logical sense that those are good
attributes for a keychain item if I'm
storing a password in the keychain
those are tags that I can add as
attributes so that I can find that
particular password when I go to connect
to this server I'm not going to type in
my password now I will go and actually
get mail at this point and when they
click that I guess here let's quit and
try again I think what what mail did was
cache my password from when I when I set
this up so when mail actually goes to
connect to the server it has looked in
the keychain found nothing there and is
putting up a dialog asking me to type in
my password so I'll go ahead and do that
and then I can make the decision to
actually remember that or store it in
the keychain and then I go off and it
goes off to the server and looks for my
mail now notice what happened on the
keychain an item just got added so
that's quick mail and take a look at
this item it's got a label here which is
the server that I connected to
it put an internet password in there
with the account name that I logged in
as now there's something new for OS 10
with keychain items and we have an
access control pain now and keychain
access that lets you sort of set up who
has access to this particular password
so by default the mail application
created it and we give mail access by
default to this item you can turn off
access all together or you can allow
access by any application that wants to
access it without without putting up
that warning dialog so to show you what
that looks like I'm going to actually
remove mail from that access control
list and now mail no longer has
pre-approved access to this item so when
I go to save this list I get asked
permission to actually change the access
control list here which I will do and
I'll go back and run mail mail goes off
tries to look the password up in the
keychain finds the password but it
doesn't have access to just get the
password without the users knowledge so
I get this confirmation dialog and I can
look at in fact the details of this this
is the keychain that is being accessed
and this is the particular process that
is wanting access to this item and my
choices are I can allow this to occur
just once or I can permanently allow it
to occur by clicking always allow and
when I do that if we go back to the
access control paint of this item you'll
see that mail has been then re added to
the list
so maelys is one client of the keychain
in OS 10
but it's integrated pretty well
throughout the Finder has a connect to
server to connect to a particular Apple
shrilled appers I can speak Apple share
server in this case I can connect to
iDisk mac.com
which is really just an AFP server so
when I go to connect to it it asked me
for a name and password and again Apple
share has provided some human interface
to let me decide whether or not I want
to store it in the keychain
so I'll click yes I'll go ahead and log
in those the account that I set up
and I can mount that volume now I talked
a little bit earlier on about providing
a transparent authentication experience
so one thing I can do in the Apple sure
case is to make an alias of the server
or I'm sorry of the volume and then I'll
go ahead and unmount this volume and
let's first examine this item and see
who has access to it so we see that the
finder has access to it so now if I go
back to the finder and I double click on
this alias because the finder has access
you get the spinning cursor and the
volume just mounts without having to
type in a password the other thing
that's new in OS town with keychain
access is the ability for users to add
their own types of passwords for example
software registration numbers credit
card numbers pin numbers whatever it may
be all they have to do is click Add and
I can add something like you know my
software serial number for me and I'll
type in whatever that happens to be I
can look at it and clear text if I want
to that's not what it defaults to I'll
go ahead and add it and now I have an
item that I stored without you know a
whole lot of muss or fuss I can give
applications pre-approval to access this
item if I know that a particular
application is going to need this
password or the serial number I can go
ahead from this interface and change the
access control list I can go to for
example applications and you know maybe
it's a serial number for the chess game
so I can add that and now whenever chess
looks for a serial number that's stored
in the keychain the user won't be
bothered with a dialog asking for
permission because chess is pre-approved
now I mentioned that by default the
keychain is unlocked when you log in and
it's locked when you log out you can
change those settings at any time you
can have it lock after a period of
inactivity or when the system sleeps and
of course at any time you can manually
lock the keychain so if I manually lock
the keychain then those things that need
to access it will require the keychain
to be unlocked first so when I double
clicked on that alias and the finder or
in this case Apple share did a find to
look for its password in the keychain
the keychain was locked and so we take
care of putting up this unlock dialog
for you and your application just
doesn't have to to handle all of that so
I'll unlock the keychain I did enter the
wrong password and capslock arm anyway
and then when the keychain unlocks the
volume will mount so that's pretty much
it for the demo go back to the last
slide if it good so just to sum up the
keychain is like a bank vault for all of
your sensitive passwords keys things
that you need to store securely and it's
provided for you as a system of service
so it's always there and you don't have
to roll your own code to do the
encryption it's very simple to use most
applications just need to do find an ad
and all of this is there now in OS 10 as
shipped out of the box so go ahead get
started with it and thank you what I'd
like
I did want to mention that there are a
number of resources for getting more
information about the keychain on your
Mac os10 disk you can look in the
developer folder and there's
documentation under the carbon directory
there in the documentation folder on the
web we have a security page there is a
new page that I don't have the URL for
that just went up this week and then of
course the source code itself is open
source and you can go to WWF and source
apple.com and all the links are there
for getting access to that and looking
at it if you're interested in sort of
drilling down to the CDSA layer and the
API is that are available there under
the keychain those are all described at
the open group's website which is open
group org we have a number of security
sessions here of course now three of
them are already over but encourage you
to look at the session on Kerberos and
if you can if you happen to miss any of
the other two try to take a look at
those when the sessions become available
in whatever format they become available
in and then please come on Friday and
talk to us tell us what you want to see
or what if you have concerns about this
or suggestions for how we can approve it
please let us know here's the email
address for all of your questions talk
to Craig Craig make sure that we there
or the appropriate team gets notified so
that we can handle whatever issues come
up
you