--- title: WWDC2003 Session 101 framework: wwdc role: article path: wwdc/wwdc2003-101 --- # WWDC2003 Session 101 ## Transcript Kind: captions Language: en good afternoon I'm Craig Keithley I'm the security technology evangelist in Apple's Worldwide Developer relations group I'm really pleased by this turnout security is a really important part of our architecture and it should be an important part of your applications and solutions as well today's session we're going to give you an overview of our security architecture we're going to go into a bit of the structure and what pieces are there and what they're for and how you should use that so without further ado carry the cynic okay oh good well I'm glad somebody cares about security never know five in the evening okay security is different um most features no you know you wanted it'll while your users it'll sell lots of copies that's why you using a technology and you just want to use it right security there's a few publications where security actually is the main feature you know your typical encryption utilities and stuff like that but for most of you it's something you put into your application so things don't go disastrously wrong and you get really bad press you know like security violation in public disclosure that kind of stuff so for most of you security is sort of a defensive kind of thing there are situations where it'll add to the value of a feature because you feeling me you know make it work better than it could saw you didn't have any way of determining who soon who'd love guess what they're supposed to be getting but I think for most of you the experiences that security tends to get in the way of your application and I've certainly seen a lot of application programmers a lot of times just make that bad security get out of the way so they can get their feature to work one thing that you probably all noticed at least one and if you haven't you will security operate on the weakest link effect there is nothing that is absolutely here but if your stuff is the weakest the thing with the wicked security the weakest application security wise or the weakest library security wise the attackers are going to come after you because you're the easiest target so like Neil joke with those are two people in the forest which we've all heard so I want repeated your task primarily is not to be the easiest mark when the bad hackers come calling so what are we going to talk about this is security architecture overview so you're not going to see any lines of API scrolling over the screen that's not the level of detail I am going to tell you what we've got in big brush stroke I'm going to tell you what to look out for how these things are supposed to be used and basically if you have a problem which documents you go to first which API header you don't you first see maybe you can solve your problem there well I technology where we got a lot of what we got is industry standard it's unix we all making a big deal out of how this is really unique so well you'll find unique security technology all the kind of stuff there is mach 3 under there most of the time you won't notice most of the time you don't have to know but if you know something about mark or if you run into something having to do with my sport so that's a part of the security here we can certainly break and our temp system really wide open by doing stupid things with my sport we use the common data security architecture API infrastructure that's an open group standards it's in there that's how you do crypto we have a pretty darn good support for kerberos 5 this time around some answers as a matter of fact we have strategy to cover us cover eyes just about every client-server application and you'll find a lot of you know the open source stuff in there SSH openssl all that good stuff if you can't find it in the system out of the box you can probably just compile it there you may have heard of unique sport which makes it pretty easy to get stuff on and if it's no reasonably portable yeah okay well of course we can't just you know do the open source stuff we want you to pay extra money want everybody to pay extra money so we have microwaves 10 specific stuff we have keychain um everybody here know what the key trainer I hope so this is where you put your secret so they don't leak out we have something called the authorization API which you may not have heard of what you should because it's pretty darn useful particularly if you make a local client server arrangement basically your way to work well deal with authorizations in the system we have x509certificate support and associated trust management that's our we think heck of a lot better than what you get out of open SSL and I put directory services on here not because it's something that's a security group does although we talk to those folks once in a while but if your problem if your security problem is how to look up users and find them and enumerate them and figure out what they're supposed to be allowed to do directory services is probably the API that you want to go through all right next level of detail and I shall I start at the beginning as usual you know keep your questions write them down you can ask them at the end we'll stick around for as long as it takes to answer all of your questions which one of you is not comfortable just dealing in UNIX terms admit it raise your hand if this unique thing just freaked you out and you you know your sort of used to the OS 9 way of doing things tell me all right that's so thank you so very briefly for you unlike oh it's mine on unix processes are hard separated with address spaces each process has its own address space and that's really the main point of security in unit within an address space you have the OS 9 game back you know everybody can look at each other state or if they only figure out where it is and you can't really separate the or keep secrets within one process so the UNIX trick to the extended it either the trick is if you want to protect data stick it in its own process or stick it in its own file managed by John process and then that process can be send the data against everybody else who's sitting a different process what you have is user identities user IDs numbers names and groups you have the UNIX file system just basically your primary way of labeling the data with who owns it to get access to it and so you have the magic user user number 0 will get to do everything to the system as you want now see at that point my presentation settles the nuclear weapon of UNIX and they told me don't do that it fast and I'm supposed to use scary words anymore and we have the set uyd facility which is essentially the one and only way that you can get access to a user ID if you don't already have access to a user ID that's basically be one unix mechanism for elevating privileges or getting access and stuff that you don't already have actually cautionary worth about roots always good idea Brutus dangerous route is omnipotent which can do anything which can mess you up can now delete your data completely corrupt system so be very afraid if you write code that runs with root privilege the primary advisors don't do it if you don't have to if you have to then know that you are dancing in a minefield and either be an expert in how to do this right or hire yourself an expert writing root level code if you just sort of kind of understanding unix it's just not a good idea and it's worthwhile getting yourself at least a consultant to understand some stuff if you're not comfortable with one principle about root code don't make it big make it really really simple make it really really small and make it really easy to understand ideally you're the coach that you're right that runs the food privilege is about the page or two of source code gosh yeah okay so your application we have two hundred thousand lines of code so what do you do remember prospect separations this is how you do security UNIX take your would coach make it as small as possible to get in a separate process easily to run as a process separate from your big application and then let that you talk to each other in a secure way i'll tell you how later we call this factoring it's a little bit like the factoring you've got the OS nine folks if you went through when you did Apple script and you pack expected your application anybody remember that it's about the same idea well that'd UNIX why marvelous UNIX not quite totally normal eunuch there is a mouth like a colonel in there if they said most of the time you don't notice but it is in there and it is not separated from the UNIX kernel but you are sort of sitting there like Siamese twins so you have to understand it sometimes it's possible to get things out of UNIX going the mach route that on a normal unique system you wouldn't be able to get for example there are ways to get root privilege by going through the mouth passport facility so when you're doing security analysis if this is the kind of thing you do keep that in mind otherwise for the most part don't worry about it the root user doesn't actually exist by default well ok it exists but don't have a password so you can't login as the root user an administrator can go in turn it on give it a password it'll be a perfectly nice user but by default it doesn't exist and that's by design we have invented a class of huge is called administrators which technically is just those users that are in the admin group and administrators can actually do a lot of things to your system if you look around your Mac os10 system Jaguar Panther earlier doesn't matter there's a lot of directories that are writable by good as new so admin users are almost rude frankly an admin user if he knows what he's doing can get the roots pretty easily so look out for that group make sure you don't accidentally create directories so that belongs to a cenar right able to admin unless you mean them to be basically system opening just a few words about math it's in there you probably don't care about it if for some reason you actually want to use a mock interface it's a different world it's not like sort of UNIX so get yourself a book you know nutshell book oh whatever your preference is learn how to do this right basically masport mass message courts are the big thing in mass security a mock message port if an access right you can pass it around between processes and the whole digital you do security one warning word if you know about Mark and you want to play around with it in oh it's 10 we're actually using the bootstrap storage facility quite extensively we're using mass bootstrap subsets again if you don't know what this means never mind but if you do we are using this don't expect that every process in the system has the same mass footsteps common data security architecture yang cute it's an open group standard you can tell by the word we implemented that for mac OS 10 it's a pretty complete implementation this is not a port of the until referent platform this is a completely new implementation we've open sourced it you can get it out of the CVS repository look at it play around with it be impressed with how great it is it's c++ in case anybody cares basically anything in the system well almost anything in the system excuse me in the system that does cryptography is actually doing it with the CD SI api so whenever you see something doing encryption whether it's disk images or SSL or anything else chances are ultimately it's calling down into the tds a layer so what you see is that many times you're going to end up using the CD SI layer implicitly by calling hire a p.i so it's really great i mean the open group standard is like 600 pages when you can spend many many weekends just reading the standards and it's a very very powerful set of API it's very flexible it's all pluggable with plugins it's also very verbose I mean it basically takes about 50 lines of C code it should start the thing up you know calling initialization and loading modules so unless this is something that you really need to learn because your job is doing good poverty on our stem my advice would be that you should try to use higher level api's for example if you want to do with ssl call the ssl api's they'll do all of this now steep stuff under the hood there are situations where you know there isn't a higher level API or it doesn't quite do what you want one of the features of our API is the Apple API is that in almost all places if you look there is an API function that gets you CDFA data structures out from underneath so if high level API gets you ninety percent to where you want to go you can get the CD s a module handles and attachment handles make a couple of calls get that special extra option you need it and then go back up and continue on the higher level API so that's really how you should look at this alright big building block number one keychains so you all have one well at least if you have an OS 10 system that you've ever logged into you all have a keychain at least one because the system makes one for you when you log in for the first time the keychain is a file in your home directory where you can stick secrets no password he's all that stuff that you don't want just everybody to know you could put it on a sticky note or write it on a piece of paper when I think about keychain is that they actually encrypt the data so if you then you walk away and somebody carries your system away on in his car they can't get your secrets because of the why 19 here says they're offline save that literally means that short of calculating for a couple of probably hundreds of thousands of years on the fastest known platform there was really no way to get those secrets out of a keychain if you're not around that's assuming you picked a good password but I hope you all know about the importance of not picking your mother's maiden name as your password the items in a keychain are protected by access control pacifically by EDSA access control list I'll talk about that in a couple of slides later but keep that in mind it's really powerful if you look at it at the CD SI layer these things are databases they're really actually database is complete with schemas you have different item types each item type has a different schema you have a set of typed attributes assigned to items of a particular type and behind your back this stuff is actually done by a system demon remember again unique separation of address spaces all the good stuff all of the secrets are not actually sitting in your own address space they're handled by the security server demon so even if some bad virus actually manages to grab a hold of your application all is not lost some is lost but not all scalable API hmm well there's a single API function for store this secret in my keychain somewhere please if all you want is you know some back to stick you a secret password into you and then get it back out later that's the only call you need to store that for me you know you give an account name and its service names but just so we can tell them apart but that's all there is to it and there's one other call which is you know get stuff out from my keychain and give it back to me cool not very much detailed to this of course so what if you actually have to deal in this little situation with its multiple keychain yes you can have multiple keychain you can drop down to a somewhat more interesting API with a lot more arguments where you can say you know which keychain and under what circumstances so you can search through them and do all kinds of interesting stuff with it is that's still too too simple for you if you really really need to do the nitty-gritty details you can actually drop down all the way to the cbsa API level and manipulate keychains from there and that's probably hundreds of lines of code but it lets you do anything that is physically possible to do with key chains so this is your choice here of course you know the higher the API is simple to call the lower the API the more work but at least you got a choice so how is access to a key chain and the items in the key chain control these things a unique files at least right now so if you don't have unique file access permission you can't get it done well if you want to make a keychain that's just yours you can use the usual you know you need to Mansoor the finder get info to make it just readable by you and not anybody else in fine let's security the next thing is a passphrase or some other secrets that locks the whole thing this is basically the key that encrypts the data in your keychain if that pass phrase that secret isn't around nobody can really get at the content as long as you pick a good pass phrase that makes it as I said offline safe I mean you can feel pretty confident we're like ninety-nine point nine nine percent sure that we didn't make a mistake there and that in particular means that somebody walks away with your powerbook which has a key chain on it which has you know your brokerage account password in it that's okay as long as you didn't let your keychain to stay open forever you think good feeling so we have the master unlock what we call the passphrase for a keychain and then the next step for each particular item there's an access control list now these access control lists can be as simple as so I don't care anybody or it can be put up a dialog and confirm with me before you allow access to this item or it can be a list of applications like let me let app use this but ask me of anybody else tries that's actually more or less the default the creating application gets free access and everybody else puts up a dialogue the dialogues they're mostly so if you end up with a virus that tries to roam through your keychain while it's open you get a chance to figure out that somebody is doing something weird here in particular you don't need to trust the file system a keychain is on because the keychain as I said is encrypted the secrets on it are encrypted that means that the only thing the file system ever sees this gobbledygook as far as the real secret to our concern when the structure of the keychain is understandable you can see the item but you can see the secret now this means that it's actually from a cryptographic point of view completely safe to put your key chain on your idisk evenings you don't trust Apple even if you think that you know mac.com is run by evil alien integral traders who read all the data that's going through a mac com you can still put your keychain there because all that sodding getting on there is encrypted data and the only one who gets to actually see the clear text data it's a security server demon on your system same thing of course with a feed servers and NFS servers or removable volumes it doesn't matter you don't have to trust the file system Lulu yeah well advanced stuff sold off you can have any number of key chains you start with one you can make new one in a double utility application called keychain access we can make as many of them as you want why would you want to do that um well perhaps you want to make one with some secrets in it that you carry around with you you know one of those little USB dongle things or disk or whatever strikes your fancy maybe you're comfortable with carrying around some of them but not all of them generally if you have more than one key chain things are arranged for you so when you search for an item you actually end up searching them all there's a search list that is part of your preferences you don't have to put all of your key channel on that search list but that's what you get by default because that's what normally users want portable does not mean that you can take it to your windows box and it'll do anything useful there but it doesn't mean that if you take a keychain put it on your USB dongle or zip disk or wherever you go to another OS 10 system and you stick it in there it'll work it will you know require your passphrase to actually access it but there's nothing particularly specific to the system where you've made the keychain it'll work on any other 10 system if you want to store things in a keychain and find that none of the defined item types really do it for you because you need very special attributes for example you can extend the schemas on a keychain to add your own item type that's definitely advanced stuff um I don't generally advise it because it's much easier to just shoehorn it into one of the existing data type but if you really feel that's what you need you know call developer support we can work with you we can either tell you that that's not what you should be doing or we can show you how to do it there is in addition to these user keychains you know the one that each of you has automatically there's also key chains in the system that's new for Panther called system keychain there normal keychain files except they don't belong to a user they belong to the system and since there isn't any user around they're not actually unlocked with a secret that I user types in there unlocked in other ways the only time when you actually care about this is if you're writing system demons you know things like PPP demons or message servers or generally if you're thinking of writing something for always ten server maybe you're a candidate for system keychain look it up under that term the same API its work for system keychain if you're writing a system demon you will automatically work with them by default because the rules are a little bit different authorization another big building block of security a lot of code that went in there our catchphrase is the authorization API is about authorization not authentication ya see what does that mean it means that this is about whether to allow a privilege operation to proceed it's not about who the requester is if that's sort of too subtle I'll try to work out the difference a little bit as we're going along there is in your OS 10 system and has been for quite a while a configuration database it's currently in flashy TC / authorization although eventually we may move it elsewhere so forget I told you about that and that's the place where an administrator can set authorization rules basically rules that determine under what circumstances the system lets you do certain things authorization has the built-in capability to do what people usually call single sign-on basically what that means is that once you've typed in whatever it is needed or otherwise proven that you're allowed access it can remember that you did that and carry that credential over to other operations you may have noticed for example if you're not an admin user you open up preferences you know there's this little lock item lock icon you have to click site at a fancy you now what show me your admin password if you n go up to over to a different preferences panel it doesn't ask you again because even though that other panels you know does a separate authorization it remembers that you just proved your admin holy probably still mad men this is a pluggable architecture you can if you need to write plugins to add off authorization methods and if you're a unique kind of person and you're wondering why we're not just using Pam for this stuff since Pam is you know pluggable authorization because we think that ours is a heck of a lot more flexible but if you have your heart Soulja Pam we're actually gateway in both ways on to and from ham meaning you there is a pan plug-in that can trigger an authorization check and there is an authorization rules that can run at am chained all very theoretical I know and this is keynote so I tried my hand and graphics this is your program this is some server your program would really really very much like that sir but you do something for it you know unmounted cd-rom reboot the system you know unlock the secrets of the universe whatever but how can I serve a trust you I mean who are you why do you want this why should you be allowed to do this ok so your program called the authorization API and makes an authorization create call there's a name in there that's just the character strings and each of these first rings we call them right strings means something different they're just suits by convention and of course we're using a dotted hierarchical notation here the authorization API hands you back what we call an authorization ref this is one of those opaque you don't have to worry what's in them don't ever look at them kind of abstract handle you take this authorization ref and you hand it together with your actual request to the server the server looks at your request and handset authorization rest with a call called authorization copyright back to the authorization API in basically ask this guy over there that sent me this handle is he supposed to be allowed to do this and the optimization API does something magical and decides whether you're supposed to you know be allowed to do this and either sense back sure go ahead or and the server basically does it or doesn't do it and since its response back to your program simple now depending on which side you're on that sort of means different things if you're on the program side what you're doing is you're creating an authorization and handing it over to a server while you're doing your writing a server then what you're doing is you're taking authorization reps in request from your client and then you're checking them if you're doing what I told you about dealing with root privilege then we factor in your application into a little part that has root privilege and a large part that doesn't you're actually going to do both things because that server will be you a little factored program and well your program is the rest of your program I don't know if you actually care what's happening there but I'll tell you anyway when you are making these authorization calls you're actually talking to the security server demon in the system and what it does behind your back is I should have checked those slides one more time anyway it is talking to a UI demon that talks to the user behind your back so the prototypical application of the authorization API and remember the little lock icons in the preferences is that the dialog comes up and it says you know proof that you're an administrator type in the administrative password for you know some administrator account this dialogue does not actually come from the application that you are working with it doesn't come from preferences so that doesn't come from any kind of background server this actually comes in directly from security server that's important because you know the application actually never sees that admin password you're talking when you are typing in your admin password you're talking to a system demon that you better trust because it's part of the system um the result will be passed to some server but not the secret that you are is actually being checked here so again unique different processes keep things apart good for security so what ingredients have we got here you have right these are these strings they're actually just ask these strings you know no fancy unicode or anything we're recommending that if you make these strings for your own use you use the Java convention of basically taking your company dns name and reversing it so if your company happens to be frost comes then you're right strings would be called comprobar dot and whatever's after that is up to you we are also defining a bunch of these things for the system they typically start with system dot when we define them there's a couple of other ones here let's do the most part this is how we name them each of these right strings have a different meaning and these are these meanings are there by convention there's nothing magical about the characters in the string there's no automatic mapping to system services or anything it's just that eventually when you make authorizations based on these rights they'll go to its server and the server will check for a particular right in order to determine whether it's supposed to do something for you or not so if you're wondering what rights things to use there as a client look up the documentation of the server or the system service that you're calling if you are writing a server you're going to make up your own and as I said our recommendation is that you use your reversed dot-com name and then just use something that's unique within your company next credentials um credentials are things that you are or that you have or that you can prove again for the typical credential is show me that you have an admin password that happens through that dialogue that we've already talked about the is other types of credentials this is pluggable if you have a particular kind of credential in mind that you thought would be really cool in the system you can write a plug-in and you know shove it in and it will become available for authorization rules credentials are shareable as I said we have the single sign-on capability in there if you share a credential between authorizations then you only have to enter it once and it automatically carries over to other authorization rules that use the same credential that's cool because you don't have to type in that administrator password over and over again it's also potentially dangerous because if you're not really sure about who you're sharing it with you may accidentally the user may accidentally authorize more than you think he thinks he does so women with a little bit lose a little bit be careful they're persistent in that you can configure them to be remembered forever which essentially means until the user logs out or for a certain amount of time there's another way of controlling the single sign-on thing if you give it a five minute lifetimes that means that it becomes available for satisfying other authorization requests for five minutes after you type in that password and then you have to do it again and then that's rules on the administrative authorization configuration database / ET c / authorization and now you all forget about this again basically maps rights to credentials so it says things like in order to make a change to the network preferences you have to prove you're an administrator or in order to reboot the system it's okay anybody can do that or no stuff like that if you are wondering flashes a DC / authorization is a normal plist file you can open it in the papers editor with a bunch of comments in there you can you know play around with it new for Panther there's actually an API for adding entries to this that's really cool particularly if you make up a new right for yourself for example the talk between your route factors part and the rest of your application because again we don't really want you to know that the configuration is in this particular file in flashy t see what you can do now starting with pants are not in Jaguar is you can call this new API say you know I want to create this new authorization right you also get to add some descriptive strings and it can be localized and you can do that in your first install script or the first time you run your application they will simply add a right to the system that you can then use for yourself and offer as a service to others so where is this stuff being you well your application soon I know but pretty much all of these little lock round button things you click on that ask you for your admin password or not because you've already typed it before those are all based on authorization there is a service called authorization execute with privileges very ugly name intentionally that effectively is a way of getting root access and as we recommend under very specific circumstances rather than as a generic facility to get root access now let me say that one more time this is for very specific circumstances like for example third-party installers if you write an application that for some reason or other needs root access then calling this is not the best way to deal with it you actually are better off writing a little factored very small set uid roots application wealth tool factoring your application remember and then using authorization to make sure that it's actually the rest of your application is calling it new for Panther authorization bind privilege port problem those of you who do networking I probably figured out by now that in UNIX you need to be rude to bind to a tcp/ip port whose number is less than 1024 which at some point what's considered to be a security feature by certain students in Berkeley but because of legacy and tradition and backward compatibility it's still that like that to this day if one thing to bind to a low number port is the only reason why you're considering gaining root privilege starting with panther this call can save you the trouble is authorization bates which means that again behind your back not in your application there might be a dialog popping up asking the user to confirm that it's really ok or if the administrator configured it differently it'll just work or if the administrators paranoid it just won't work like it can under and cannot under any circumstances be any worse than the current situation which is if you're not root you can do it so look at that one if you need low number port x509certificate and I have a show of hands on which wich one here actually knows what that is that's not that bad the rest of you are asleep right ok well I'm not going to explain certificates to you because I've got it says here 21 minutes left but for those of you who know what certificates x.509 certificates are we have full support for them pretty much in the Panther system some of it is preliminary but it's there that's a pleasant change from Jaguar where there was a lot of promise in the system at that point at a CD of a level we support you know things like building certificate chains and evaluating them to make sure that they're cryptographically ok that's part of the PDSA standards and that's where it's implemented we have higher level API for the stuff that you really care about in particular SSL it's supported by an int a pee i called the secure transport which is our own implementation of ssl that's using cdsa for cryptography and doing a lot of useful good stuff for you in addition to the pure cryptographic verification stuff one thing that you get if you call our certificate and trust support api's is there's a little database hidden in a system at per user database that allows the user to basically tag a certificate with a level of trust allows the user to say things like okay this certificates fine I've looked at it I'll trust it for our network connections now or alt rustics for mail use now or that one there I know it's cryptographically okay but I hate this guy so never let me use this we call it the user trust database it's persistent it's per user and stuff per policy there is a parent a session on Thursday that I think talked about that a little bit actually like a lot so look it up in your program oh and yes you can store certificates in your keychain there's the item type for certificates that lets them fit right into your keychain files and as a matter of fact we recommend that that's how you store certificate because it works it's easy and there's pretty good support for searching for certificates in keychains secure transport as I said that's our ssl implementation it's a pretty good ssl implementation it implements the whole standard client-side and server-side it automatically ties into the user trust stuff that i just talked about so by just using secure transport you get that for free I should give you one practical warning there are some uses of SSL out there particularly the openssl based ones that are very very lenient about how they interpret the rules of SSL they they pass a lot of stuff that they really shouldn't because otherwise the customers complained some web browsers come to mind by default if you use secure transport it will actually implement the standard which means that if for example and ssl server has an expired certificate it will not connect to that server it will give you an error back thing you know that expired certificate this is not working there's a number of flags and options to secure transport to basically say it's okay I know do it anyway but these are not on by default and we don't recommend that you just turn them on by default it those of you transitioning for no post-prom openssl it's a little bit tempting you know just set all those flags and it'll work its fine but it's not the right answer because these are actually potentially problems of a security nature so lethal flags off by default if you must keep the user options to override you know with your favorite checkboxes and like better answer is to actually use our user trust api's we have can do i that you can use to essentially present to the user the fact that something having to do with certificates fails and how and why and that allows the user to then go in and express his opinion on whether to proceed or not if you're using CF network HTTPS protocol through the GF network you're getting a secure transport automatically because that's what it calls so same things apply same warnings and then congratulations very good to using the right solution and this is this is what we provide for ssl use it preliminary not an official API may change just to play around with okay end of disclaimer this is our preliminary implementation of CMS and s/mime CMS the cryptographic message syntax and s mine is secure mime it's basically the way you do encrypted email in the exercise 09 universe and CMS is a sort of a generic way of making encrypted bags of stuff these api's are actually imported and somewhat modified from what you will find in Mozilla so yeah some of you may be familiar with it as I said not an official APR yet but this is what we're planning on making official next time around so if this is your area of interest if you interested in encrypted email or otherwise making encrypted blobs of stuff take a look at that play around with it give us feedback tell us what's not working or what you think should be different and again of course this stuff is using our sex or use a trust implementation and all of the good stuff automatically so that's the major building blocks let me give you an example of you know something practical that you may have actually run into and how it's using those building blocks encrypted disk image chips when you all know what disc images are and if you make a disk image there's actually a little pop-up that lets you say make that encrypt it come on actually very cool because our cryptography is pretty darn good our implementation we think is secure so you can actually trust that security unlike certain third-party utilities I could think of of course the cryptography itself the encrypting of the disk blocks is done through cdsa you'd expect that and that's what we do the disk images are encrypted with keys based on a task phrase that you type in when you create the image the pass phrases are usually stored in your keychain because that's what secrets go and therefore as long as your keychain is unlocked and your access controls are set up appropriately you're actually not generally being bothered with having to type in the passphrase for your encrypted disk image again it'll just fish it out of your keychain if you are being paranoid with your keychain and you have it unlocked you have it lock itself after a couple of minutes well maybe you'll get a prompt to unlock your keychain with an appropriate description that you know somebody wants to use the passphrase for the encrypted disk image another cool thing that we added I think for Jaguar is if you mounted encrypted disk image and then you put your system to sleep and you wake it up again it will actually yeah reacquire that passphrase either exciting it out of your keychain or if you don't have it in the keychain by just popping up a dialog and asking you for it why is that cool because somebody could have stolen your powerbook whether to sleep so with this feature on your encrypted disk images are actually pretty darn safe even against physical removal because what happens when the feeds opens the powerbook I mean obviously if you reboots it you're safe because the disk image the mounted part of the disk image is gone and the thief needs to have your passphrase to decrypt it again but if you still get your powerbook while it's asleep it will still be asked for you know either the passphrase for your keychain in order to reopen the keychain or directly for the passphrase for the encrypted disk image if either of these failed the image gets unmounted and your data safe again and of course when we actually go and we ask for the passphrase either for the key chain of the disk image that's again happening through security server and the UI demon that it uses so the application that actually request the mount or the other user interaction doesn't get to see your passphrase so what's of how things get put together now having bombarded you with all of those technologies I'm going to make up for that a little bit by telling you how to actually go and use them this is sort of obvious we find the right api for your job and don't try to subvert some api that looks cool but isn't necessarily made to do what you really want to whenever you have a choice go for the API that's simpler we call those higher-level because they're probably calling an explorer api with more parameters and more options not only is it easier to use but the fewer arguments you have to explicitly specify the more default you get and getting default is actually good because if it turns out that one of the default is not such a great idea will change them for you next time if you explicitly specify every last option of an api call then you are actually going to have to roll your application to make a change so when in doubt call the higher level API I have seen a lot of creative use of API security and otherwise I mean this is sort of an apple developer tradition you know look it's an APR how badly can we mangle it that's sort of fun if it's an API for drawing boxes on the screen or maybe for writing files but if you're doing this to a security API you are probably hurting the security of your program because these APRs aren't just called that you make and something wonderful happens magically and everything's cool these api is a part of a process they're part of a way of working with your data so when you go and start using a security api actually read the parts that doesn't just describe how what the api's are and what the parameters look like read the part on how to use them and then try as well as you can to actually use them that way because the further away from the intended use you get the more likely you are to get into some weird path that may not be as well tested as you'd hoped and even words that may actually break the security model that you think you're using so to the extent that you can stay on the mark path and try to stay simple in your application of these api and security is not the kind of thing you put in the last two weeks of your development process I hope you all know that the best thing to do is to design it in at least you know have your program once you've scaffold it is it up if you don't think you know that much about security find somebody who does and have them look over it the longer you wait the heart of the wake up sometimes is when you realize that you've done this wrong and there is no easy way to fix it short of rewriting major parts of your program so it's this is not Mac os10 specific but I'll give it to you because you paid good money for this put the security in early and if you don't think you're an expert get yourself at least the advice of one it's worth it so find the right APR he says yeah what does that mean if you need to store secrets if you don't need to keep secrets particularly if you need to keep secrets from other people use keychain that's what they're for that's where you stick secrets if you need to provide some privileged service either to you know the rest of your own program or to third parties think authorization authorization is specifically there to answer the question am I supposed to do this now or not if you have a network connection tcp/ip probably to some other machine and you're worried about people snooping on it use the queue transport that's ssl use it right and you basically don't have to worry about snoopers at that point now using right is a little bit harder than it sounds it's not as easy as just you know calling secure transport and saying we're cool now but that's one level of detail that I'm not going to go in here read the documentation it's actually got some good stuff in there if you need to authenticate people over the network's go to directory services that's good job he deals with looking up users and figuring out what their attributes are if you work with x.509 certificates then CMS is a good try again not an official API yet really can change now preliminary still that's our answer for it so short of putting some third-party code this is actually what you want to call and if you need to do photography sort of at the base level not for a particular purpose but because your job calls for cryptography when cdsa is what you're going to call so there you are and as it says here at the bottom of course life is never that easy so you'll end up mixing and matching these things but that is an initial map do's and don'ts I love to sand down so I get to tell other people what to do wherever we recommend a particular API like secure transport for ssl use that don't try don't go off and say well I've seen this cool open source thing over there and I'm sure it's much better than this apple stuff okay so maybe there's a 0.1 percent chance that it actually is but there's a 99 kern point many chance that our stuff will actually work better on oh it's 10 then something that you port yourself in particular when you whatever you find yourself in a situation where am I supposed to do this now you know I mean I'm root and I'm doing something dangerous am I supposed to be that's authorization think authorization that's what that's for if you use that you are actually slotting into a very interesting and fairly complicated machinery that allows the administrator to configure how permissive the security in his system is if you do this on your own going to end up reimplemented half of authorization and the other half is going to be missing so try not to do that if you deal with x509certificate and you want to know whether a certificate chain validates or whether to trust a certificate for a particular operation SEC trust the SEC trust api's are what you really should be using rather than some generic x509certificate library like openssl because again they've stopped in there that is always tan specific for example the user trust database which if you call our api's you get for free if you call they open SSL or some mozilla library nope just the raw stuff before you go off and use root code try to find something in the system that already does what you need so for example before you go up and become rude in order to mount it on Mount file systems dig around a bit and you'll find that there's something called the volume manager that actually does these things for a living and it has its own authorization and authentication stuff built in and actually work to find so that gets you out of the business of worrying about whether your route code is right and back to the business of making your application look really good if you have to use root code as I said factory or replication make the amount of code that actually runs which would privilege as small as possible and i really mean two pages in rare cases maybe five pages if you find yourself writing ten pages of root code you'll probably made a mistake so go back and think about what you really need that word privilege for of course they're stones I mean there's never just do if you need to keep the secret don't just stuff it in a file don't just stuff it in a file and make it readable and writable only by yourself put it in the keychain it is safer it's just you can get into so much trouble trying to do your own secret storage so it's not worth it believe me if you have communication between different processes because your client server or because you know you had to factor your program don't try to come up with your own ways of authenticating the two pieces to each other use authorization again let points4 it's very good at that you can basically get the code template stick them in your program and they will for the most part work just fine for you if you try to do this by hand it's very hard to do it right it will definitely take you longer to do it on your own than to do it with authorization if you are writing good code and this is only a partial list of all the horrible things you're never supposed to be doing well your route don't ever load a plug-in doesn't matter where you got it from just don't ever load a plug-in don't blink against any GUI libraries I've got nothing against Joyce codes are wonderful but Joe is a big a lot of code in goo is going to have a nasty habit of loading plugins behind your back don't do that your root code should be a simple tool that the glorious GUI enabled cocoa or carbon apple of yours is going to talk to you using authorization did I mention that good and there's also a laundry list of dangerous system calls and library calls that any unique security textbook can tell you about that you are other note circumstances to call while you are rich things like you know system and P open that's about two dozen others other things you shouldn't be doing don't assume there's a single user on the system this is an old particularly you who come from the OS mind slide I mean there's always a user you know the user after all we're a personal operating system right now there isn't always just one user we've just introduced what's a nicely called fast switching which means that there can be any number of users on your system and they're all logged in up there in the front they typed in the password at some point the programs are still running one of them gets displayed in the front but the other ones are alive too and you have no idea which one of them might be the one that you want to talk to unless you actually belong to a particular user yes and keychains right now our files in the file system single files if you can avoid it don't assume that will always be the case because it won't oki if you actually have a little bit of spare time to think about how to make your code more future proof or less in risk of having to be rewritten every time we release something you standard API we have this fairly strong policy about continuing to maintain support for AP is once we call the api so that's good for you if you call them try to use them in this standard form it's possible you don't copy blindly any code from other applications that just because it seems to be working for them particularly the other other applications are you know large companies just because it works for them doesn't mean that it's the right way to do it don't assume that all access is based on passwords that's already no longer true in the system today there are some smart card interfaces and it'll become less true in the future and you test with different security configuration test with different authorizations learn how to play around with the authorization database and play around with the access controls on keychain items see if suddenly your application throws up dozens of dialogues that would be embarrassing for users who care about security I am running over so I'm going to speed up like a dervish here almost all this stuff is dormant the only stuff that I've talked about that isn't Darvin is the actual doing components if you get Durbin from the open source server and install it this is all in there you got cdsa you've got the security server you've got all this stuff anywhere where there's you I involved you gotta stop that doesn't do anything so if you are really really desperate you could take starving code and you know hack it up to DUI again set of cooked why would you it's only hundred twenty nine dollars to get the real stuff quick list of what's new for Panther a lot of the x.509 certificates support is new the EMS s/mime is new you can now import certificate bundles p kc s if you don't know what that is don't worry about it system key chains on you there is our two new frameworks called security foundation and security interface for cocoa programmers that make nice can't user interface pains and in views authorization got the access to low numbers ports call and the API for programmatically adding authorizations on you and you get more flexibility in controlling how the dialogues works at sometimes get issued keychain access has a lot it's a lot nicer now let's put it this way and somebody struck Sakura racing so you know if you're the kind of guy who wants to erase something 20 times will be NSA can't get at your data you can do it now takes a while okay I am wrapping up now somebody structures in so this is the first time I've seen this these are other things you may want to go to okay yes they all sound really interesting 109 security certificate API if x.509 certificates rings you know your dinner or it's something you need for your program then definitely go there it'll it'll discuss the api's we have and how to use them cover us of course if that's your area of interest oh yeah security feedback in case you didn't like my presentation FF 0 16 security feedback forum that's where you get to complain unless you want to do it now Frank you play who officially is there to serve your every whim and me yes you can send me email I don't mind I don't promise to answer but serious by the way I should mention and mailing list that Apple has it's called Apple dash PDSA at apple com it was originally created as sort of a self support and feedback kind of mailing list with CD as a user's but in the past it's low volume enough that if you have other security questions it's probably okay to just ask them they're using the usual rules for mailing list you know reach the archive first and be patient at night for more information well you know these places of cause this is where our documentation sits and under security you'll find what we've got in particular there's well there's a section on the keychain API than an authorization there's the Apple cdsa mailing list the CDF a is an open group standard so if you really want some 600 pages you can get it from the open group