WWDC2003 Session 101

Transcript

Kind: captions
Language: en
good afternoon I'm Craig Keithley I'm
the security technology evangelist in
Apple's Worldwide Developer relations
group I'm really pleased by this turnout
security is a really important part of
our architecture and it should be an
important part of your applications and
solutions as well today's session we're
going to give you an overview of our
security architecture we're going to go
into a bit of the structure and what
pieces are there and what they're for
and how you should use that so without
further ado carry the cynic okay oh good
well I'm glad somebody cares about
security never know five in the evening
okay security is different um most
features no you know you wanted it'll
while your users it'll sell lots of
copies that's why you using a technology
and you just want to use it right
security there's a few publications
where security actually is the main
feature you know your typical encryption
utilities and stuff like that but for
most of you it's something you put into
your application so things don't go
disastrously wrong and you get really
bad press you know like security
violation in public disclosure that kind
of stuff so for most of you security is
sort of a defensive kind of thing there
are situations where it'll add to the
value of a feature because you feeling
me you know make it work better than it
could saw you didn't have any way of
determining who soon who'd love guess
what they're supposed to be getting but
I think for most of you the experiences
that security tends to get in the way of
your application and I've certainly seen
a lot of application programmers a lot
of times just make that bad security get
out of the way so they can get their
feature to work one thing that you
probably all noticed at least one and if
you haven't you will security operate on
the weakest link effect there is nothing
that is absolutely
here but if your stuff is the weakest
the thing with the wicked security the
weakest application security wise or the
weakest library security wise the
attackers are going to come after you
because you're the easiest target so
like Neil joke with those are two people
in the forest which we've all heard so I
want repeated your task primarily is not
to be the easiest mark when the bad
hackers come calling so what are we
going to talk about this is security
architecture overview so you're not
going to see any lines of API scrolling
over the screen that's not the level of
detail I am going to tell you what we've
got in big brush stroke I'm going to
tell you what to look out for how these
things are supposed to be used and
basically if you have a problem which
documents you go to first which API
header you don't you first see maybe you
can solve your problem there well I
technology where we got a lot of what we
got is industry standard it's unix we
all making a big deal out of how this is
really unique so well you'll find unique
security technology all the kind of
stuff there is mach 3 under there most
of the time you won't notice most of the
time you don't have to know but if you
know something about mark or if you run
into something having to do with my
sport so that's a part of the security
here we can certainly break and our temp
system really wide open by doing stupid
things with my sport we use the common
data security architecture API
infrastructure that's an open group
standards it's in there that's how you
do crypto we have a pretty darn good
support for kerberos 5 this time around
some answers as a matter of fact we have
strategy to cover us cover eyes just
about every client-server application
and you'll find a lot of you know the
open source stuff in there SSH openssl
all that good stuff if you can't find it
in the system out of the box you can
probably just compile it there you may
have heard of unique sport which makes
it pretty easy to get stuff on
and if it's no reasonably portable yeah
okay well of course we can't just you
know do the open source stuff we want
you to pay extra money want everybody to
pay extra money so we have microwaves 10
specific stuff we have keychain um
everybody here know what the key trainer
I hope so this is where you put your
secret so they don't leak out we have
something called the authorization API
which you may not have heard of what you
should because it's pretty darn useful
particularly if you make a local client
server arrangement basically your way to
work well deal with authorizations in
the system we have x509certificate
support and associated trust management
that's our we think heck of a lot better
than what you get out of open SSL and I
put directory services on here not
because it's something that's a security
group does although we talk to those
folks once in a while but if your
problem if your security problem is how
to look up users and find them and
enumerate them and figure out what
they're supposed to be allowed to do
directory services is probably the API
that you want to go through all right
next level of detail and I shall I start
at the beginning as usual you know keep
your questions write them down you can
ask them at the end we'll stick around
for as long as it takes to answer all of
your questions which one of you is not
comfortable just dealing in UNIX terms
admit it raise your hand if this unique
thing just freaked you out and you you
know your sort of used to the OS 9 way
of doing things tell me all right that's
so thank you so very briefly for you
unlike oh it's mine on unix processes
are hard separated with address spaces
each process has its own address space
and that's really the main point of
security in unit within an address space
you have the OS 9 game back you know
everybody can look at each other state
or if they
only figure out where it is and you
can't really separate the or keep
secrets within one process so the UNIX
trick to the extended it either the
trick is if you want to protect data
stick it in its own process or stick it
in its own file managed by John process
and then that process can be send the
data against everybody else who's
sitting a different process what you
have is user identities user IDs numbers
names and groups you have the UNIX file
system just basically your primary way
of labeling the data with who owns it to
get access to it and so you have the
magic user user number 0 will get to do
everything to the system as you want now
see at that point my presentation
settles the nuclear weapon of UNIX and
they told me don't do that it fast and
I'm supposed to use scary words anymore
and we have the set uyd facility which
is essentially the one and only way that
you can get access to a user ID if you
don't already have access to a user ID
that's basically be one unix mechanism
for elevating privileges or getting
access and stuff that you don't already
have actually cautionary worth about
roots always good idea Brutus dangerous
route is omnipotent which can do
anything which can mess you up can now
delete your data completely corrupt
system so be very afraid if you write
code that runs with root privilege the
primary advisors don't do it if you
don't have to if you have to then know
that you are dancing in a minefield and
either be an expert in how to do this
right or hire yourself an expert writing
root level code if you just sort of kind
of understanding unix it's just not a
good idea and it's worthwhile getting
yourself at least a consultant to
understand some stuff if you're not
comfortable with one principle about
root code
don't make it big make it really really
simple make it really really small and
make it really easy to understand
ideally you're the coach that you're
right that runs the food privilege is
about the page or two of source code
gosh yeah okay so your application we
have two hundred thousand lines of code
so what do you do remember prospect
separations this is how you do security
UNIX take your would coach make it as
small as possible to get in a separate
process easily to run as a process
separate from your big application and
then let that you talk to each other in
a secure way i'll tell you how later we
call this factoring it's a little bit
like the factoring you've got the OS
nine folks if you went through when you
did Apple script and you pack expected
your application anybody remember that
it's about the same idea well that'd
UNIX why marvelous UNIX not quite
totally normal eunuch there is a mouth
like a colonel in there if they said
most of the time you don't notice but it
is in there and it is not separated from
the UNIX kernel but you are sort of
sitting there like Siamese twins so you
have to understand it sometimes it's
possible to get things out of UNIX going
the mach route that on a normal unique
system you wouldn't be able to get for
example there are ways to get root
privilege by going through the mouth
passport facility so when you're doing
security analysis if this is the kind of
thing you do keep that in mind otherwise
for the most part don't worry about it
the root user doesn't actually exist by
default well ok it exists but don't have
a password so you can't login as the
root user an administrator can go in
turn it on give it a password it'll be a
perfectly nice user but by default it
doesn't exist and that's by design we
have invented a class of huge is called
administrators which technically is just
those users that are in the admin group
and administrators can actually do a lot
of things to your system if you look
around your Mac os10 system Jaguar
Panther earlier doesn't matter there's a
lot of directories that are writable by
good as new
so admin users are almost rude frankly
an admin user if he knows what he's
doing can get the roots pretty easily so
look out for that group make sure you
don't accidentally create directories so
that belongs to a cenar right able to
admin unless you mean them to be
basically system opening just a few
words about math it's in there you
probably don't care about it if for some
reason you actually want to use a mock
interface it's a different world it's
not like sort of UNIX so get yourself a
book you know nutshell book oh whatever
your preference is learn how to do this
right basically masport mass message
courts are the big thing in mass
security a mock message port if an
access right you can pass it around
between processes and the whole digital
you do security one warning word if you
know about Mark and you want to play
around with it in oh it's 10 we're
actually using the bootstrap storage
facility quite extensively we're using
mass bootstrap subsets again if you
don't know what this means never mind
but if you do we are using this don't
expect that every process in the system
has the same mass footsteps common data
security architecture yang cute it's an
open group standard you can tell by the
word we implemented that for mac OS 10
it's a pretty complete implementation
this is not a port of the until referent
platform this is a completely new
implementation we've open sourced it you
can get it out of the CVS repository
look at it play around with it be
impressed with how great it is it's c++
in case anybody cares basically anything
in the system well almost anything in
the system excuse me in the system that
does cryptography is actually doing it
with the CD SI api so whenever you see
something doing encryption whether it's
disk images or SSL or anything else
chances are ultimately it's calling down
into the tds a layer so what you see is
that
many times you're going to end up using
the CD SI layer implicitly by calling
hire a p.i so it's really great i mean
the open group standard is like 600
pages when you can spend many many
weekends just reading the standards and
it's a very very powerful set of API
it's very flexible it's all pluggable
with plugins it's also very verbose I
mean it basically takes about 50 lines
of C code it should start the thing up
you know calling initialization and
loading modules so unless this is
something that you really need to learn
because your job is doing good poverty
on our stem my advice would be that you
should try to use higher level api's for
example if you want to do with ssl call
the ssl api's they'll do all of this now
steep stuff under the hood there are
situations where you know there isn't a
higher level API or it doesn't quite do
what you want one of the features of our
API is the Apple API is that in almost
all places if you look there is an API
function that gets you CDFA data
structures out from underneath so if
high level API gets you ninety percent
to where you want to go you can get the
CD s a module handles and attachment
handles make a couple of calls get that
special extra option you need it and
then go back up and continue on the
higher level API so that's really how
you should look at this alright big
building block number one keychains so
you all have one well at least if you
have an OS 10 system that you've ever
logged into you all have a keychain at
least one because the system makes one
for you when you log in for the first
time the keychain is a file in your home
directory where you can stick secrets no
password he's all that stuff that you
don't want just everybody to know you
could put it on a sticky note or write
it on a piece of paper when I think
about keychain is that they actually
encrypt the data so if you
then you walk away and somebody carries
your system away on in his car they
can't get your secrets because of the
why 19 here says they're offline save
that literally means that short of
calculating for a couple of probably
hundreds of thousands of years on the
fastest known platform there was really
no way to get those secrets out of a
keychain if you're not around that's
assuming you picked a good password but
I hope you all know about the importance
of not picking your mother's maiden name
as your password the items in a keychain
are protected by access control
pacifically by EDSA access control list
I'll talk about that in a couple of
slides later but keep that in mind it's
really powerful if you look at it at the
CD SI layer these things are databases
they're really actually database is
complete with schemas you have different
item types each item type has a
different schema you have a set of typed
attributes assigned to items of a
particular type and behind your back
this stuff is actually done by a system
demon remember again unique separation
of address spaces all the good stuff all
of the secrets are not actually sitting
in your own address space they're
handled by the security server demon so
even if some bad virus actually manages
to grab a hold of your application all
is not lost some is lost but not all
scalable API hmm well there's a single
API function for store this secret in my
keychain somewhere please if all you
want is you know some back to stick you
a secret password into you and then get
it back out later that's the only call
you need to store that for me you know
you give an account name and its service
names but just so we can tell them apart
but that's all there is to it and
there's one other call which is you know
get stuff out from my keychain and give
it back to me cool
not very much detailed to this of course
so what if you actually have to deal in
this little situation with its multiple
keychain yes you can have multiple
keychain you can drop down to a somewhat
more interesting API with a lot more
arguments where you can say you know
which keychain and under what
circumstances so you can search through
them and do all kinds of interesting
stuff with it is that's still too too
simple for you if you really really need
to do the nitty-gritty details you can
actually drop down all the way to the
cbsa API level and manipulate keychains
from there and that's probably hundreds
of lines of code but it lets you do
anything that is physically possible to
do with key chains so this is your
choice here of course you know the
higher the API is simple to call the
lower the API the more work but at least
you got a choice so how is access to a
key chain and the items in the key chain
control these things a unique files at
least right now so if you don't have
unique file access permission you can't
get it done well if you want to make a
keychain that's just yours you can use
the usual you know you need to Mansoor
the finder get info to make it just
readable by you and not anybody else in
fine let's security the next thing is a
passphrase or some other secrets that
locks the whole thing this is basically
the key that encrypts the data in your
keychain if that pass phrase that secret
isn't around nobody can really get at
the content as long as you pick a good
pass phrase that makes it as I said
offline safe I mean you can feel pretty
confident we're like ninety-nine point
nine nine percent sure that we didn't
make a mistake there and that in
particular means that somebody walks
away with your powerbook which has a key
chain on it which has you know your
brokerage account password in it that's
okay as long as you didn't let your
keychain to stay open forever you think
good feeling
so we have the master unlock what we
call the passphrase for a keychain and
then the next step for each particular
item there's an access control list now
these access control lists can be as
simple as so I don't care anybody or it
can be put up a dialog and confirm with
me before you allow access to this item
or it can be a list of applications like
let me let app use this but ask me of
anybody else tries that's actually more
or less the default the creating
application gets free access and
everybody else puts up a dialogue the
dialogues they're mostly so if you end
up with a virus that tries to roam
through your keychain while it's open
you get a chance to figure out that
somebody is doing something weird here
in particular you don't need to trust
the file system a keychain is on because
the keychain as I said is encrypted the
secrets on it are encrypted that means
that the only thing the file system ever
sees this gobbledygook as far as the
real secret to our concern when the
structure of the keychain is
understandable you can see the item but
you can see the secret now this means
that it's actually from a cryptographic
point of view completely safe to put
your key chain on your idisk evenings
you don't trust Apple even if you think
that you know mac.com is run by evil
alien integral traders who read all the
data that's going through a mac com you
can still put your keychain there
because all that sodding getting on
there is encrypted data and the only one
who gets to actually see the clear text
data it's a security server demon on
your system same thing of course with a
feed servers and NFS servers or
removable volumes it doesn't matter you
don't have to trust the file system Lulu
yeah well advanced stuff sold off you
can have any number of key chains you
start with one you can make new one in a
double utility application called
keychain access we can make as many of
them as you want why would you want to
do that um well perhaps you want to make
one with some secrets in it that you
carry around with you you know one of
those little USB dongle things or
disk or whatever strikes your fancy
maybe you're comfortable with carrying
around some of them but not all of them
generally if you have more than one key
chain things are arranged for you so
when you search for an item you actually
end up searching them all there's a
search list that is part of your
preferences you don't have to put all of
your key channel on that search list but
that's what you get by default because
that's what normally users want portable
does not mean that you can take it to
your windows box and it'll do anything
useful there but it doesn't mean that if
you take a keychain put it on your USB
dongle or zip disk or wherever you go to
another OS 10 system and you stick it in
there it'll work it will you know
require your passphrase to actually
access it but there's nothing
particularly specific to the system
where you've made the keychain it'll
work on any other 10 system if you want
to store things in a keychain and find
that none of the defined item types
really do it for you because you need
very special attributes for example you
can extend the schemas on a keychain to
add your own item type that's definitely
advanced stuff um I don't generally
advise it because it's much easier to
just shoehorn it into one of the
existing data type but if you really
feel that's what you need you know call
developer support we can work with you
we can either tell you that that's not
what you should be doing or we can show
you how to do it there is in addition to
these user keychains you know the one
that each of you has automatically
there's also key chains in the system
that's new for Panther called system
keychain there normal keychain files
except they don't belong to a user they
belong to the system and since there
isn't any user around they're not
actually unlocked with a secret that I
user types in there unlocked in other
ways the only time when you actually
care about this is if you're writing
system demons you know things like PPP
demons or message servers or generally
if you're thinking of writing something
for always ten server
maybe you're a candidate for system
keychain look it up under that term the
same API its work for system keychain if
you're writing a system demon you will
automatically work with them by default
because the rules are a little bit
different authorization another big
building block of security a lot of code
that went in there our catchphrase is
the authorization API is about
authorization not authentication ya see
what does that mean it means that this
is about whether to allow a privilege
operation to proceed it's not about who
the requester is if that's sort of too
subtle I'll try to work out the
difference a little bit as we're going
along there is in your OS 10 system and
has been for quite a while a
configuration database it's currently in
flashy TC / authorization although
eventually we may move it elsewhere so
forget I told you about that and that's
the place where an administrator can set
authorization rules basically rules that
determine under what circumstances the
system lets you do certain things
authorization has the built-in
capability to do what people usually
call single sign-on basically what that
means is that once you've typed in
whatever it is needed or otherwise
proven that you're allowed access it can
remember that you did that and carry
that credential over to other operations
you may have noticed for example if
you're not an admin user you open up
preferences you know there's this little
lock item lock icon you have to click
site at a fancy you now what show me
your admin password if you n go up to
over to a different preferences panel it
doesn't ask you again because even
though that other panels you know does a
separate authorization it remembers that
you just proved your admin holy probably
still mad men
this is a pluggable architecture you can
if you need to write plugins to add off
authorization methods and if you're a
unique kind of person and you're
wondering why we're not just using Pam
for this stuff since Pam is you know
pluggable authorization because we think
that ours is a heck of a lot more
flexible but if you have your heart
Soulja Pam we're actually gateway in
both ways on to and from ham meaning you
there is a pan plug-in that can trigger
an authorization check and there is an
authorization rules that can run at am
chained all very theoretical I know and
this is keynote so I tried my hand and
graphics this is your program this is
some server your program would really
really very much like that sir but you
do something for it you know unmounted
cd-rom reboot the system you know unlock
the secrets of the universe whatever but
how can I serve a trust you I mean who
are you why do you want this why should
you be allowed to do this ok so your
program called the authorization API and
makes an authorization create call
there's a name in there that's just the
character strings and each of these
first rings we call them right strings
means something different they're just
suits by convention and of course we're
using a dotted hierarchical notation
here the authorization API hands you
back what we call an authorization ref
this is one of those opaque you don't
have to worry what's in them don't ever
look at them kind of abstract handle you
take this authorization ref and you hand
it together with your actual request to
the server the server looks at your
request and handset authorization rest
with a call called authorization
copyright back to the authorization API
in basically ask this guy over there
that sent me this handle is he supposed
to be allowed to do this and the
optimization API does something
magical and decides whether you're
supposed to you know be allowed to do
this and either sense back sure go ahead
or and the server basically does it or
doesn't do it and since its response
back to your program simple now
depending on which side you're on that
sort of means different things if you're
on the program side what you're doing is
you're creating an authorization and
handing it over to a server while you're
doing your writing a server then what
you're doing is you're taking
authorization reps in request from your
client and then you're checking them if
you're doing what I told you about
dealing with root privilege then we
factor in your application into a little
part that has root privilege and a large
part that doesn't you're actually going
to do both things because that server
will be you a little factored program
and well your program is the rest of
your program I don't know if you
actually care what's happening there but
I'll tell you anyway when you are making
these authorization calls you're
actually talking to the security server
demon in the system and what it does
behind your back is I should have
checked those slides one more time
anyway it is talking to a UI demon that
talks to the user behind your back so
the prototypical application of the
authorization API and remember the
little lock icons in the preferences is
that the dialog comes up and it says you
know proof that you're an administrator
type in the administrative password for
you know some administrator account this
dialogue does not actually come from the
application that you are working with it
doesn't come from preferences so that
doesn't come from any kind of background
server this actually comes in directly
from security server that's important
because you know the application
actually never sees that admin password
you're talking when you are typing in
your admin password you're talking to a
system demon that you better trust
because it's part of the system
um the result will be passed to some
server but not the secret that you are
is actually being checked here so again
unique different processes keep things
apart good for security so what
ingredients have we got here you have
right these are these strings they're
actually just ask these strings you know
no fancy unicode or anything we're
recommending that if you make these
strings for your own use you use the
Java convention of basically taking your
company dns name and reversing it so if
your company happens to be frost comes
then you're right strings would be
called comprobar dot and whatever's
after that is up to you we are also
defining a bunch of these things for the
system they typically start with system
dot when we define them there's a couple
of other ones here let's do the most
part this is how we name them each of
these right strings have a different
meaning and these are these meanings are
there by convention there's nothing
magical about the characters in the
string there's no automatic mapping to
system services or anything it's just
that eventually when you make
authorizations based on these rights
they'll go to its server and the server
will check for a particular right in
order to determine whether it's supposed
to do something for you or not so if
you're wondering what rights things to
use there as a client look up the
documentation of the server or the
system service that you're calling if
you are writing a server you're going to
make up your own and as I said our
recommendation is that you use your
reversed dot-com name and then just use
something that's unique within your
company next credentials um credentials
are things that you are or that you have
or that you can prove again for the
typical credential is show me that you
have an admin password that happens
through that dialogue that we've already
talked about the
is other types of credentials this is
pluggable if you have a particular kind
of credential in mind that you thought
would be really cool in the system you
can write a plug-in and you know shove
it in and it will become available for
authorization rules credentials are
shareable as I said we have the single
sign-on capability in there if you share
a credential between authorizations then
you only have to enter it once and it
automatically carries over to other
authorization rules that use the same
credential that's cool because you don't
have to type in that administrator
password over and over again it's also
potentially dangerous because if you're
not really sure about who you're sharing
it with you may accidentally the user
may accidentally authorize more than you
think he thinks he does so women with a
little bit lose a little bit be careful
they're persistent in that you can
configure them to be remembered forever
which essentially means until the user
logs out or for a certain amount of time
there's another way of controlling the
single sign-on thing if you give it a
five minute lifetimes that means that it
becomes available for satisfying other
authorization requests for five minutes
after you type in that password and then
you have to do it again and then that's
rules on the administrative
authorization configuration database /
ET c / authorization and now you all
forget about this again basically maps
rights to credentials so it says things
like in order to make a change to the
network preferences you have to prove
you're an administrator or in order to
reboot the system it's okay anybody can
do that or no stuff like that if you are
wondering flashes a DC / authorization
is a normal plist file you can open it
in the papers editor with a bunch of
comments in there you can you know play
around with it
new for Panther there's actually an API
for adding entries to this that's really
cool particularly if you make up a new
right for yourself for example the talk
between your route factors part and the
rest of your application because again
we don't really want you to know that
the configuration is in this particular
file in flashy t see what you can do now
starting with pants are not in Jaguar is
you can call this new API say you know I
want to create this new authorization
right you also get to add some
descriptive strings and it can be
localized and you can do that in your
first install script or the first time
you run your application they will
simply add a right to the system that
you can then use for yourself and offer
as a service to others so where is this
stuff being you well your application
soon I know but pretty much all of these
little lock round button things you
click on that ask you for your admin
password or not because you've already
typed it before those are all based on
authorization there is a service called
authorization execute with privileges
very ugly name intentionally that
effectively is a way of getting root
access and as we recommend under very
specific circumstances rather than as a
generic facility to get root access now
let me say that one more time this is
for very specific circumstances like for
example third-party installers if you
write an application that for some
reason or other needs root access then
calling this is not the best way to deal
with it you actually are better off
writing a little factored very small set
uid roots application wealth tool
factoring your application remember and
then using authorization to make sure
that it's actually the rest of your
application is calling it new for
Panther authorization bind privilege
port
problem those of you who do networking I
probably figured out by now that in UNIX
you need to be rude to bind to a tcp/ip
port whose number is less than 1024
which at some point what's considered to
be a security feature by certain
students in Berkeley but because of
legacy and tradition and backward
compatibility it's still that like that
to this day if one thing to bind to a
low number port is the only reason why
you're considering gaining root
privilege starting with panther this
call can save you the trouble is
authorization bates which means that
again behind your back not in your
application there might be a dialog
popping up asking the user to confirm
that it's really ok or if the
administrator configured it differently
it'll just work or if the administrators
paranoid it just won't work like it can
under and cannot under any circumstances
be any worse than the current situation
which is if you're not root you can do
it so look at that one if you need low
number port x509certificate and I have a
show of hands on which wich one here
actually knows what that is that's not
that bad the rest of you are asleep
right ok well I'm not going to explain
certificates to you because I've got it
says here 21 minutes left but for those
of you who know what certificates x.509
certificates are we have full support
for them pretty much in the Panther
system some of it is preliminary but
it's there that's a pleasant change from
Jaguar where there was a lot of promise
in the system at that point at a CD of a
level we support you know things like
building certificate chains and
evaluating them to make sure that
they're cryptographically ok that's part
of the PDSA standards and that's where
it's implemented
we have higher level API for the stuff
that you really care about in particular
SSL it's supported by an int a pee i
called the secure transport which is our
own implementation of ssl that's using
cdsa for cryptography and doing a lot of
useful good stuff for you in addition to
the pure cryptographic verification
stuff one thing that you get if you call
our certificate and trust support api's
is there's a little database hidden in a
system at per user database that allows
the user to basically tag a certificate
with a level of trust allows the user to
say things like okay this certificates
fine I've looked at it I'll trust it for
our network connections now or alt
rustics for mail use now or that one
there I know it's cryptographically okay
but I hate this guy so never let me use
this we call it the user trust database
it's persistent it's per user and stuff
per policy there is a parent a session
on Thursday that I think talked about
that a little bit actually like a lot so
look it up in your program oh and yes
you can store certificates in your
keychain there's the item type for
certificates that lets them fit right
into your keychain files and as a matter
of fact we recommend that that's how you
store certificate because it works it's
easy and there's pretty good support for
searching for certificates in keychains
secure transport as I said that's our
ssl implementation it's a pretty good
ssl implementation it implements the
whole standard client-side and
server-side it automatically ties into
the user trust stuff that i just talked
about so by just using secure transport
you get that for free I
should give you one practical warning
there are some uses of SSL out there
particularly the openssl based ones that
are very very lenient about how they
interpret the rules of SSL they they
pass a lot of stuff that they really
shouldn't because otherwise the
customers complained some web browsers
come to mind by default if you use
secure transport it will actually
implement the standard which means that
if for example and ssl server has an
expired certificate it will not connect
to that server it will give you an error
back thing you know that expired
certificate this is not working there's
a number of flags and options to secure
transport to basically say it's okay I
know do it anyway but these are not on
by default and we don't recommend that
you just turn them on by default it
those of you transitioning for no
post-prom openssl it's a little bit
tempting you know just set all those
flags and it'll work its fine but it's
not the right answer because these are
actually potentially problems of a
security nature so lethal flags off by
default if you must keep the user
options to override you know with your
favorite checkboxes and like better
answer is to actually use our user trust
api's we have can do i that you can use
to essentially present to the user the
fact that something having to do with
certificates fails and how and why and
that allows the user to then go in and
express his opinion on whether to
proceed or not if you're using CF
network HTTPS protocol through the GF
network you're getting a secure
transport automatically because that's
what it calls so same things apply same
warnings and then congratulations very
good to using the right solution and
this is this is what we provide for ssl
use it preliminary
not an official API may change just to
play around with okay end of disclaimer
this is our preliminary implementation
of CMS and s/mime CMS the cryptographic
message syntax and s mine is secure mime
it's basically the way you do encrypted
email in the exercise 09 universe and
CMS is a sort of a generic way of making
encrypted bags of stuff these api's are
actually imported and somewhat modified
from what you will find in Mozilla so
yeah some of you may be familiar with it
as I said not an official APR yet but
this is what we're planning on making
official next time around so if this is
your area of interest if you interested
in encrypted email or otherwise making
encrypted blobs of stuff take a look at
that play around with it give us
feedback tell us what's not working or
what you think should be different and
again of course this stuff is using our
sex or use a trust implementation and
all of the good stuff automatically so
that's the major building blocks let me
give you an example of you know
something practical that you may have
actually run into and how it's using
those building blocks encrypted disk
image chips when you all know what disc
images are and if you make a disk image
there's actually a little pop-up that
lets you say make that encrypt it come
on actually very cool because our
cryptography is pretty darn good our
implementation we think is secure so you
can actually trust that security unlike
certain third-party utilities I could
think of of course the cryptography
itself the encrypting of the disk blocks
is done through cdsa you'd expect that
and that's what we do the disk images
are encrypted with keys based on a task
phrase that you type in when you create
the image the pass phrases are usually
stored in your keychain because that's
what secrets go
and therefore as long as your keychain
is unlocked and your access controls are
set up appropriately you're actually not
generally being bothered with having to
type in the passphrase for your
encrypted disk image again it'll just
fish it out of your keychain if you are
being paranoid with your keychain and
you have it unlocked you have it lock
itself after a couple of minutes well
maybe you'll get a prompt to unlock your
keychain with an appropriate description
that you know somebody wants to use the
passphrase for the encrypted disk image
another cool thing that we added I think
for Jaguar is if you mounted encrypted
disk image and then you put your system
to sleep and you wake it up again it
will actually yeah reacquire that
passphrase either exciting it out of
your keychain or if you don't have it in
the keychain by just popping up a dialog
and asking you for it why is that cool
because somebody could have stolen your
powerbook whether to sleep so with this
feature on your encrypted disk images
are actually pretty darn safe even
against physical removal because what
happens when the feeds opens the
powerbook I mean obviously if you
reboots it you're safe because the disk
image the mounted part of the disk image
is gone and the thief needs to have your
passphrase to decrypt it again but if
you still get your powerbook while it's
asleep it will still be asked for you
know either the passphrase for your
keychain in order to reopen the keychain
or directly for the passphrase for the
encrypted disk image if either of these
failed the image gets unmounted and your
data safe again and of course when we
actually go and we ask for the
passphrase either for the key chain of
the disk image that's again happening
through security server and the UI demon
that it uses so the application that
actually request the mount or the other
user interaction doesn't get to see your
passphrase so what's of how things get
put together
now having bombarded you with all of
those technologies I'm going to make up
for that a little bit by telling you how
to actually go and use them this is sort
of obvious we find the right api for
your job and don't try to subvert some
api that looks cool but isn't
necessarily made to do what you really
want to whenever you have a choice go
for the API that's simpler we call those
higher-level because they're probably
calling an explorer api with more
parameters and more options not only is
it easier to use but the fewer arguments
you have to explicitly specify the more
default you get and getting default is
actually good because if it turns out
that one of the default is not such a
great idea will change them for you next
time if you explicitly specify every
last option of an api call then you are
actually going to have to roll your
application to make a change so when in
doubt call the higher level API I have
seen a lot of creative use of API
security and otherwise I mean this is
sort of an apple developer tradition you
know look it's an APR how badly can we
mangle it that's sort of fun if it's an
API for drawing boxes on the screen or
maybe for writing files but if you're
doing this to a security API you are
probably hurting the security of your
program because these APRs aren't just
called that you make and something
wonderful happens magically and
everything's cool these api is a part of
a process they're part of a way of
working with your data so when you go
and start using a security api actually
read the parts that doesn't just
describe how what the api's are and what
the parameters look like read the part
on how to use them and then try as well
as you can to actually use them that way
because the further away from the
intended use you get the more likely you
are to get into some weird path that may
not be as well tested as you'd hoped
and even words that may actually break
the security model that you think you're
using so to the extent that you can stay
on the mark path and try to stay simple
in your application of these api and
security is not the kind of thing you
put in the last two weeks of your
development process I hope you all know
that the best thing to do is to design
it in at least you know have your
program once you've scaffold it is it up
if you don't think you know that much
about security find somebody who does
and have them look over it the longer
you wait the heart of the wake up
sometimes is when you realize that
you've done this wrong and there is no
easy way to fix it short of rewriting
major parts of your program so it's this
is not Mac os10 specific but I'll give
it to you because you paid good money
for this put the security in early and
if you don't think you're an expert get
yourself at least the advice of one it's
worth it so find the right APR he says
yeah what does that mean if you need to
store secrets if you don't need to keep
secrets particularly if you need to keep
secrets from other people use keychain
that's what they're for that's where you
stick secrets if you need to provide
some privileged service either to you
know the rest of your own program or to
third parties think authorization
authorization is specifically there to
answer the question am I supposed to do
this now or not if you have a network
connection tcp/ip probably to some other
machine and you're worried about people
snooping on it use the queue transport
that's ssl use it right and you
basically don't have to worry about
snoopers at that point now using right
is a little bit harder than it sounds
it's not as easy as just you know
calling secure transport and saying
we're cool now but
that's one level of detail that I'm not
going to go in here read the
documentation it's actually got some
good stuff in there if you need to
authenticate people over the network's
go to directory services that's good job
he deals with looking up users and
figuring out what their attributes are
if you work with x.509 certificates then
CMS is a good try again not an official
API yet really can change now
preliminary still that's our answer for
it so short of putting some third-party
code this is actually what you want to
call and if you need to do photography
sort of at the base level not for a
particular purpose but because your job
calls for cryptography when cdsa is what
you're going to call so there you are
and as it says here at the bottom of
course life is never that easy so you'll
end up mixing and matching these things
but that is an initial map do's and
don'ts I love to sand down so I get to
tell other people what to do wherever we
recommend a particular API like secure
transport for ssl use that don't try
don't go off and say well I've seen this
cool open source thing over there and
I'm sure it's much better than this
apple stuff okay so maybe there's a 0.1
percent chance that it actually is but
there's a 99 kern point many chance that
our stuff will actually work better on
oh it's 10 then something that you port
yourself in particular when you whatever
you find yourself in a situation where
am I supposed to do this now you know I
mean I'm root and I'm doing something
dangerous am I supposed to be that's
authorization think authorization that's
what that's for if you use that you are
actually slotting into a very
interesting and fairly complicated
machinery that allows the administrator
to configure how permissive the security
in his system is if you do this on your
own
going to end up reimplemented half of
authorization and the other half is
going to be missing so try not to do
that if you deal with x509certificate
and you want to know whether a
certificate chain validates or whether
to trust a certificate for a particular
operation SEC trust the SEC trust api's
are what you really should be using
rather than some generic x509certificate
library like openssl because again
they've stopped in there that is always
tan specific for example the user trust
database which if you call our api's you
get for free if you call they open SSL
or some mozilla library nope just the
raw stuff before you go off and use root
code try to find something in the system
that already does what you need so for
example before you go up and become rude
in order to mount it on Mount file
systems dig around a bit and you'll find
that there's something called the volume
manager that actually does these things
for a living and it has its own
authorization and authentication stuff
built in and actually work to find so
that gets you out of the business of
worrying about whether your route code
is right and back to the business of
making your application look really good
if you have to use root code as I said
factory or replication make the amount
of code that actually runs which would
privilege as small as possible and i
really mean two pages in rare cases
maybe five pages if you find yourself
writing ten pages of root code you'll
probably made a mistake so go back and
think about what you really need that
word privilege for of course they're
stones I mean there's never just do
if you need to keep the secret don't
just stuff it in a file don't just stuff
it in a file and make it readable and
writable only by yourself put it in the
keychain it is safer it's just you can
get into so much trouble trying to do
your own secret storage so it's not
worth it believe me if you have
communication between different
processes because your client server or
because you know you had to factor your
program don't try to come up with your
own ways of authenticating the two
pieces to each other use authorization
again let points4 it's very good at that
you can basically get the code template
stick them in your program and they will
for the most part work just fine for you
if you try to do this by hand it's very
hard to do it right it will definitely
take you longer to do it on your own
than to do it with authorization if you
are writing good code and this is only a
partial list of all the horrible things
you're never supposed to be doing well
your route don't ever load a plug-in
doesn't matter where you got it from
just don't ever load a plug-in don't
blink against any GUI libraries I've got
nothing against Joyce codes are
wonderful but Joe is a big a lot of code
in goo is going to have a nasty habit of
loading plugins behind your back don't
do that your root code should be a
simple tool that the glorious GUI
enabled cocoa or carbon apple of yours
is going to talk to you using
authorization did I mention that good
and there's also a laundry list of
dangerous system calls and library calls
that any unique security textbook can
tell you about that you are other note
circumstances to call while you are rich
things like you know system and P open
that's about two dozen others other
things you shouldn't be doing don't
assume there's a single user on the
system this is an old particularly you
who come from the OS mind slide I mean
there's always a user you know the user
after all we're a personal operating
system right now there isn't always just
one user
we've just introduced what's a nicely
called fast switching which means that
there can be any number of users on your
system and they're all logged in up
there in the front they typed in the
password at some point the programs are
still running one of them gets displayed
in the front but the other ones are
alive too and you have no idea which one
of them might be the one that you want
to talk to unless you actually belong to
a particular user yes and keychains
right now our files in the file system
single files if you can avoid it don't
assume that will always be the case
because it won't oki if you actually
have a little bit of spare time to think
about how to make your code more future
proof or less in risk of having to be
rewritten every time we release
something you standard API we have this
fairly strong policy about continuing to
maintain support for AP is once we call
the api so that's good for you if you
call them try to use them in this
standard form it's possible you don't
copy blindly any code from other
applications that just because it seems
to be working for them particularly the
other other applications are you know
large companies just because it works
for them doesn't mean that it's the
right way to do it don't assume that all
access is based on passwords that's
already no longer true in the system
today there are some smart card
interfaces and it'll become less true in
the future and you test with different
security configuration test with
different authorizations learn how to
play around with the authorization
database and play around with the access
controls on keychain items see if
suddenly your application throws up
dozens of dialogues that would be
embarrassing for users who care about
security I am running over so I'm going
to speed up like a dervish here almost
all this stuff is dormant the only stuff
that I've talked about that isn't Darvin
is the actual doing components
if you get Durbin from the open source
server and install it this is all in
there you got cdsa you've got the
security server you've got all this
stuff anywhere where there's you I
involved you gotta stop that doesn't do
anything so if you are really really
desperate you could take starving code
and you know hack it up to DUI again set
of cooked why would you it's only
hundred twenty nine dollars to get the
real stuff quick list of what's new for
Panther a lot of the x.509 certificates
support is new the EMS s/mime is new you
can now import certificate bundles p kc
s if you don't know what that is don't
worry about it system key chains on you
there is our two new frameworks called
security foundation and security
interface for cocoa programmers that
make nice can't user interface pains and
in views authorization got the access to
low numbers ports call and the API for
programmatically adding authorizations
on you and you get more flexibility in
controlling how the dialogues works at
sometimes get issued keychain access has
a lot it's a lot nicer now let's put it
this way and somebody struck Sakura
racing so you know if you're the kind of
guy who wants to erase something 20
times will be NSA can't get at your data
you can do it now takes a while okay I
am wrapping up now
somebody structures in so this is the
first time I've seen this these are
other things you may want to go to okay
yes they all sound really interesting
109 security certificate API if x.509
certificates rings you know your dinner
or it's something you need for your
program then definitely go there it'll
it'll discuss the api's we have and how
to use them cover us of course if that's
your area of interest oh yeah security
feedback in case you didn't like my
presentation FF 0 16 security feedback
forum that's where you get to complain
unless you want to do it now Frank you
play who officially is there to serve
your every whim and me yes you can send
me email I don't mind I don't promise to
answer but serious by the way I should
mention and mailing list that Apple has
it's called Apple dash PDSA at apple com
it was originally created as sort of a
self support and feedback kind of
mailing list with CD as a user's but in
the past it's low volume enough that if
you have other security questions it's
probably okay to just ask them they're
using the usual rules for mailing list
you know reach the archive first and be
patient at night for more information
well you know these places of cause this
is where our documentation sits and
under security you'll find what we've
got in particular there's well there's a
section on the keychain API than an
authorization there's the Apple cdsa
mailing list the CDF a is an open group
standard so if you really want some 600
pages you can get it from the open group