在iOS中使用SecRandomCopyBytes()随机256位密钥 [英] Random 256bit key using SecRandomCopyBytes( ) in iOS
问题描述
我一直在使用UUIDString作为存储在我的iPAD上的文件的加密密钥,但第三方在我的应用程序上进行的安全性审查建议如下。
I have been using UUIDString as an encrption key for the files stored on my iPAD, but the security review done on my app by a third party suggested the following.
随着应用程序的启动,生成一个全局数据库密钥并存储在钥匙串中。在生成期间,使用由iOS提供的类NSUUID的方法UUIDString。该函数生成由字母A至F,数字和连字符组成的随机字符串,并且不必要地限制关键字空间,导致熵的削弱。
由于密钥仅由应用程序逻辑使用,并且不必由个人读取,理解或处理,因此不需要将密钥空间限制为可读字符。因此,应使用 SecRandomCopyBytes ()生成的随机256位密钥作为主密钥。
With the launch of the application, a global database key is generated and stored in the keychain. During generation, the method UUIDString of the class NSUUID provided by the iOS is used. This function generates a random string composed of letters A to F, numbers and hyphens and unnecessarily restricts the key space, resulting in a weakening of the entropy.
Since the key is used only by application logic and does not have to be read, understood or processed by an individual, there is no need to restrict the key space to readable characters. Therefore, a random 256-bit key generated via SecRandomCopyBytes () should be used as the master key.
现在我已经搜索了很多,并尝试一些代码实现,但havent发现了确切的事情。
我试过的:
Now I have searched a lot and tried some code implementation but havent found the exact thing. What I have tried:
NSMutableData* data = [NSMutableData dataWithLength:32];
int result = SecRandomCopyBytes(kSecRandomDefault, 32, data.mutableBytes);
NSLog(@"Description %d",result);
我的理解是这应该给我一个整数,我应该将其转换为NSString,作为我的关键,但我很确定这不是这里需要的,也是上述方法总是给出结果为0.我完全失去了这里,任何帮助是赞赏。
My understanding is that this should give me an integer and I should convert it to an NSString and use this as my key, but I am pretty sure that this is not what is required here and also the above method always gives the result as 0. I am completely lost here and any help is appreciated.
感谢。
推荐答案
SecRandomCopyBytes应始终为0 ,除非有一些错误(我不能想象为什么会发生),然后结果将是-1。您不会将 转换为NSString。
The result of SecRandomCopyBytes should always be 0, unless there is some error (which I can't imagine why that might happen) and then the result would be -1. You're not going to convert that into a NSString.
您尝试获取的是正在写入的随机字节到可变字节部分,这就是你将用作主键而不是UUID字符串。
The thing you're trying to get are the random bytes which are being written into the mutable bytes section, and that's what you'll be using as your "master key" instead of the UUID string.
我的方法是:
uint8_t randomBytes[16];
int result = SecRandomCopyBytes(kSecRandomDefault, 16, randomBytes);
if(result == 0) {
NSMutableString *uuidStringReplacement = [[NSMutableString alloc] initWithCapacity:16*2];
for(NSInteger index = 0; index < 16; index++)
{
[uuidStringReplacement appendFormat: @"%02x", randomBytes[index]];
}
NSLog(@"uuidStringReplacement is %@", uuidStringReplacement);
} else {
NSLog(@"SecRandomCopyBytes failed for some reason");
}
使用UUIDString对我来说足够安全,但它听起来像你的第三方安全审计公司正在努力证明他们的费用是合理的。
Using a UUIDString feels secure enough to me, but it sounds like your third party security audit firm is trying really hard to justify their fees.
EDITED:因为我现在开始收集downvote,因为弗拉德的替代答案,我不能删除我的(因为它仍然有接受的复选标记),这里是另一个我的代码的版本。我用16个随机字节(在转换为十六进制时,翻倍)。
EDITED: since I'm now starting to collect downvotes because of Vlad's alternative answer and I can't delete mine (as it still has the accepted checkmark), here's another version of my code. I'm doing it with 16 random bytes (which gets doubled in converting to Hex).
这篇关于在iOS中使用SecRandomCopyBytes()随机256位密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
