Keychain (Apple)

The keychain is a system from Apple for managing passwords and digital certificates. It first appeared in Mac OS 8.6 as part of Apple's PowerTalk mail system and has been integrated into the operating system since Mac OS 9.

Users access it through the Keychain Access utility. In addition, the command-line program security is available on Mac OS X.

The keychain is also included in iOS, but there the user cannot access it directly.

Keychains

A keychain is a file in which passwords (e.g. for websites or wireless networks), digital certificates and secure notes can be stored. By default, each user has their own keychain and the system has a shared one. Additional keychains can be added and managed with the Keychain Access program. By default, three keychains are available:

  • The user keychain (called login; located in ~/Library/Keychains/) can be modified by the respective user; it contains, for example, personal certificates or passwords.
  • The system keychain (called System; located in /Library/Keychains/) contains, for example, certificates or Wi-Fi passwords stored for all users.
  • A special keychain is System Roots: it holds all root CAs of the system, i.e. the trusted certificate authorities.

Depending on the configuration, for example in corporate networks, there may be further keychains under /Network/Library/Keychains/.

Security

All keychains are secured with a password. The user keychain is encrypted with the user's login password; it is unlocked at login and locked only at logout.

Additional keychains can be secured with their own passwords, and a keychain can be configured to lock after a few minutes of inactivity.

By default, viewing the contents of an item, for example displaying a password or a secure note, requires entering the keychain password again, even when the keychain is already unlocked.

Functions

Certificates

The Keychain Access application offers very comprehensive management of digital certificates. Among other things, the following is possible:

  • Viewing certificate details and verifying certificates.
  • Marking certificates as trusted or withdrawing trust from them.
  • Creating a certificate authority (CA) with OpenSSL as the backend. Since Mac OS X Lion, creating a root CA is also possible.
  • Creating self-signed certificates.
  • Creating certificate signing requests to be submitted to a CA.
  • Storing public and private keys.

Strictly speaking, the creation and signing of certificates does not take place in Keychain Access itself but in the Certificate Assistant program. Keychain Access is therefore used only for displaying and managing certificates.

Passwords

Users and programs can write passwords to the user keychain. In this way, e.g. e-mail passwords or passwords for websites are stored securely, and users do not have to enter them each time.

By default, access to an entry is only allowed to the program that created it; if another program tries to access it, a warning is shown. The user can change this behavior, however.

Keychain Access also features a password generator for arbitrarily strong passwords.
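The auto-lock setting from the Security section and the per-application access rule described above can both be exercised from the command line with Apple's security tool. The following is an added example, not code from the page; the keychain path, service name, account name and application path are constructed placeholders, and on a system without security (or with DRY_RUN=1) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: drive the keychain behaviours described on the page with
# Apple's `security` tool. KEYCHAIN, SERVICE, ACCOUNT are constructed values.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
SERVICE="example.internal"   # constructed service name
ACCOUNT="demo-user"          # constructed account name

# Run `security` for real on macOS; elsewhere (or when DRY_RUN=1) print the
# command so the composed invocation can still be inspected and tested.
run() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v security >/dev/null 2>&1; then
    echo "security $*"
  else
    security "$@"
  fi
}

# Security section: lock the keychain on sleep (-l) and after $1 seconds of
# inactivity (-u -t), so an unlocked keychain does not stay open indefinitely.
lock_after_idle() {
  run set-keychain-settings -l -u -t "$1" "$KEYCHAIN"
}

# Passwords section: store a password. -T names the only application allowed
# to read the item without a prompt; any other program triggers the warning
# dialog the page describes. $1 is the secret, $2 the trusted application.
# (Passing -w without a value makes `security` prompt for the secret instead
# of exposing it in the process list; done inline here only for testability.)
store_password() {
  run add-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$1" -T "$2" "$KEYCHAIN"
}

# Read the stored secret back; -w prints only the password itself.
read_password() {
  run find-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$KEYCHAIN"
}

# Show the keychain search list (user keychain plus the shared system one).
show_search_list() {
  run list-keychains
}

# Usage (after sourcing this file):
#   lock_after_idle 300
#   store_password 'correct horse battery staple' /Applications/Mail.app
#   read_password
```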

Secure Notes

Users can also create so-called secure notes and store them in a keychain. Like the rest of the keychain, these notes are stored in encrypted form.

Technology

The keychain consists of two parts: the user interface (e.g. Keychain Access or the command-line tool security) and the underlying framework.

Apple has released the source code of the framework, libsecurity_keychain, under the Apple Public Source License.

For developers, Apple has bundled into Security.framework a publicly documented C API for libsecurity_framework; with this API, programs can read and write the keychain.

The keychains themselves are encrypted with Triple DES; for root CAs under Mac OS X Lion, elliptic curve cryptography is used.
