Generate private key that cannot be exported


Question


I want to generate a key pair on an iPhone such that the private key can only ever be used to sign blocks of data on that particular iPhone.


The SecKeyGeneratePair function looks promising. I can generate a key pair to the keychain (using kSecAttrIsPermanent) and I can disable decryption, derivation and unwrapping with the private key (setting kSecAttrCanDecrypt, kSecAttrCanDerive and kSecAttrCanUnwrap to false).


Two things worry me about key pairs generated with SecKeyGeneratePair:


  1. Is it possible to export the private key outside of the keychain into application memory?


  2. Is it possible to change a key property (e.g. set kSecAttrCanDecrypt to true) after a private key has been created?


Recommended answer


This article provides more details (compared to other answers in this thread):



SecGenerateKeyPair(), which is used to generate RSA and ECDSA key pairs, can now be configured to directly store the generated private key in the device’s Keychain (within the Secure Enclave). This means that the private key can be used without ever leaving the device’s Secure Enclave.

And an important addition:


The kSecAttrTokenIDSecureEnclave attribute needs to be used when generating the key pair.


If you don't specify this attribute the private key will be accessible even on iOS9.
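A worked example in Swift, added here and not part of the question or the quoted article, of the Secure Enclave key generation the answer describes: it sets kSecAttrTokenIDSecureEnclave, keeps the private key permanent in the keychain, restricts it to signing, signs a block of data and then shows that an export attempt on such a key fails, which is the first worry raised in the question. Assumptions: the application tag is made up; SecKeyCreateRandomKey (iOS 10 and later) is used in place of the SecKeyGeneratePair call from the question; the Secure Enclave holds only 256-bit elliptic-curve keys, so the key type is P-256 rather than RSA; the code must run on a real device with a Secure Enclave, not the simulator.

```swift
import Foundation
import Security

// Hypothetical application tag used to look the key up again later (assumption).
let keyTag = "com.example.secure-enclave-signing-key".data(using: .utf8)!

enum SEKeyError: Error { case failed(String) }

func describe(_ e: Unmanaged<CFError>?) -> String {
    e?.takeRetainedValue().localizedDescription ?? "unknown error"
}

/// Generate a P-256 signing key whose private half is created and kept inside
/// the Secure Enclave. The key is permanent in the keychain but the raw private
/// key bytes are never handed to the application.
func makeSecureEnclaveKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    // .privateKeyUsage restricts the key to private-key operations (signing here);
    // ThisDeviceOnly keeps it out of backups migrated to another device.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage, &cfError)
    else { throw SEKeyError.failed("access control: \(describe(cfError))") }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // the attribute the answer names
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,   // stored in the keychain
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError)
    else { throw SEKeyError.failed("key generation: \(describe(cfError))") }
    return key
}

/// Sign a block of data; the signature is computed inside the enclave.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        privateKey, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError)
    else { throw SEKeyError.failed("signing: \(describe(cfError))") }
    return sig as Data
}

let message = "block of data".data(using: .utf8)!
let privateKey = try makeSecureEnclaveKey()
let signature = try sign(message, with: privateKey)
let publicKey = SecKeyCopyPublicKey(privateKey)!
var err: Unmanaged<CFError>?
assert(SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                             message as CFData, signature as CFData, &err))
// Export attempt: for Secure Enclave keys this returns nil and sets err.
assert(SecKeyCopyExternalRepresentation(privateKey, &err) == nil)
```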
