[cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)

Jeffrey Goldberg jeffrey at goldmark.org
Mon Mar 25 11:38:03 EDT 2013

[Posted to list only]

On 2013-03-25, at 8:02 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Another nice thing Apple have done, which no-one else has
> managed so far, is to get people to actively use the Keychain API and
> capabilities.

I just looked in my login (default) OS X Keychain for "Application Passwords"
that aren't from Apple supplied applications. I found 27 distinct applications
used. (I suspect that I also have a bunch of "Login Passwords" that are tied
to non-Apple applications as well, but don't have a convenient way to count

The first versions of 1Password (the password management software
I've been involved with) used the OS X Keychain for the site passwords we stored.
(There were reasons why we moved away from the OS X keychain, most notably
because MobileMe syncing of keychains wasn't reliable). It used a distinct
Keychain from the user's login Keychain.

In later versions of 1Password we used the OS X keychain only for
the purposes that Keyspace seems designed for. We had different components
that needed to talk to each other securely (The stuff that ran the browser
plug-ins and the main application). So using the OS X Keychain to restrict
some data to specific applications was a good solution for us.

Now, with browser sandboxing and extension requirements, we can't use that
same technique (we can't write pure JavaScript extensions that make use of
the OS X Keychain, and so now use a websocket daemon running on localhost)
and we want a solution that works across platforms. So something like Keyspace
may be the sort of thing we will have to rely on. We are also looking at
whitebox cryptography so that at least we will have some theory behind how
good (or bad) our obfuscation is.

Basically, we'd love to have access to something like the OS X Keychain
everywhere. It worked, and we didn't have to develop our own techniques
for managing secrets needed by multiple related applications.



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
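The pattern the post describes, a main application and a helper sharing a secret through the Keychain so that only those specific executables can read it, as an added example. This is not 1Password's code and not code from the post; it uses the current Security framework API (SecItemAdd / SecItemCopyMatching with a keychain access group and the data-protection keychain), which is the modern replacement for the per-application ACLs the 2013 file-based OS X keychain used. The access group `TEAMID.com.example.shared-secrets`, the service name and the account name are constructed placeholders; both executables would need that group in their keychain-access-groups entitlement for the restriction to take effect.

```swift
import Foundation
import Security

// Hypothetical access group shared by the main app and its helper.
// "TEAMID" is a placeholder for the developer team identifier.
let sharedAccessGroup = "TEAMID.com.example.shared-secrets"
let serviceName = "com.example.helper-ipc"   // constructed identifier

enum KeychainError: Error {
    case osStatus(OSStatus, String)
}

private func describe(_ status: OSStatus) -> String {
    return (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

// Attributes that identify the item; every operation starts from these.
private func baseQuery(account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        // Access groups are only enforced on macOS in the data-protection keychain.
        kSecUseDataProtectionKeychain as String: true,
    ]
}

// Store (or overwrite) a secret so that only members of the access group can read it.
func storeSharedSecret(_ secret: Data, account: String) throws {
    var attributes = baseQuery(account: account)
    attributes[kSecValueData as String] = secret
    // Readable only while the device is unlocked, and never restored onto another device.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    var status = SecItemAdd(attributes as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // The item already exists: replace its payload instead of failing.
        let update: [String: Any] = [kSecValueData as String: secret]
        status = SecItemUpdate(baseQuery(account: account) as CFDictionary, update as CFDictionary)
    }
    guard status == errSecSuccess else {
        throw KeychainError.osStatus(status, describe(status))
    }
}

// Read the secret back; nil means no item exists for this account.
func readSharedSecret(account: String) throws -> Data? {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return result as? Data
    case errSecItemNotFound:
        return nil
    default:
        throw KeychainError.osStatus(status, describe(status))
    }
}

func deleteSharedSecret(account: String) throws {
    let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainError.osStatus(status, describe(status))
    }
}

// Round trip: the "main application" side writes a fresh 32-byte key, the
// "helper" side (same access group) reads it, then the item is removed.
do {
    let account = "session-key"   // constructed
    var key = Data(count: 32)
    let rc = key.withUnsafeMutableBytes {
        SecRandomCopyBytes(kSecRandomDefault, 32, $0.baseAddress!)
    }
    precondition(rc == errSecSuccess, "could not generate random key")

    try storeSharedSecret(key, account: account)
    if let fetched = try readSharedSecret(account: account) {
        print("round trip ok:", fetched == key)
    } else {
        print("item not found after store")
    }
    try deleteSharedSecret(account: account)
} catch KeychainError.osStatus(let code, let message) {
    print("keychain error \(code): \(message)")
} catch {
    print("unexpected error: \(error)")
}
```

A process outside the access group that runs the same `readSharedSecret` query receives `errSecItemNotFound` (or `errSecMissingEntitlement` if it has no keychain-access-groups entitlement at all), which is the property the post relied on: the secret is visible to the cooperating executables and to nothing else on the machine. The `errSecDuplicateItem` branch matters in practice, because a helper that re-provisions on every launch would otherwise fail on the second run.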
