Keychain - Secure Data Storage


Question



I am developing an application with a keychain implementation. I am able to create & save data into the keychain. I am using the Keychain Wrapper classes provided by Apple.

According to requirements, I have to implement the best possible security in the Keychain (the security team pointed out lapses, such as its accessibility on jail-broken devices).

Could Someone give me direction?

Solution

I had also implemented the keychain in an application long back using the same wrapper you cited, but, of course, with a lot of modifications.

Basically the Keychain is quite secure. According to Apple, it's an encrypted container that holds secure information for multiple applications, which means that when the keychain is locked, no one can access its protected contents.

In iOS, only the application creating the keychain can access it. According to Apple's documentation, iOS can choose to memory-cache or disk-cache it.

But from iOS 4.xx++, it's only disk-cached (dunno why), thus always creating a SQLite DB where all the data in the keychain are stored corresponding to a particular identifier.

The SQLite DB can be hacked on rooted or jail-broken devices.

To secure the Keychain:

1. Add the security keyword "kSecAttrAccessibleWhenUnlockedThisDeviceOnly" while adding or
updating the data in the keychain in the methods "SecItemUpdate" & "SecItemAdd".

Something like:

- (void)writeToKeychain
{
    NSDictionary *attributes = NULL;
    NSMutableDictionary *updateItem = NULL;
    OSStatus result;

    // Look for an existing item matching the query; update it in place if found, else add a new one.
    if (SecItemCopyMatching((CFDictionaryRef)genericPasswordQuery, (CFTypeRef *)&attributes) == noErr)
    {
        updateItem = [NSMutableDictionary dictionaryWithDictionary:attributes];

        [updateItem setObject:[genericPasswordQuery objectForKey:(id)kSecClass] forKey:(id)kSecClass];

        NSMutableDictionary *tempCheck = [self dictionaryToSecItemFormat:keychainItemData];
        [tempCheck removeObjectForKey:(id)kSecClass];

#if TARGET_IPHONE_SIMULATOR
        [tempCheck removeObjectForKey:(id)kSecAttrAccessGroup];
#endif

        // Restrict the item to this device and to times when it is unlocked (never migrated via backup).
        [updateItem setObject:(id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly forKey:(id)kSecAttrAccessible];
        result = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)tempCheck);
        NSAssert( result == noErr, @"Couldn't update the Keychain Item." );
        CFRelease(attributes);
    }
    else
    {
        // Same accessibility class on the add path so a new item is never created with a weaker default.
        [keychainItemData setObject:(id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly forKey:(id)kSecAttrAccessible];
        result = SecItemAdd((CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL);
        NSAssert( result == noErr, @"Couldn't add the Keychain Item." );
    }
}

2. Encrypt the data before adding it to the Keychain. I used AES-128 encryption. Also ensure that the key used for encryption is an RSA key (sent by an SSL web service).

NOTE: The Keychain data is stored in the /private/var/Keychains/keychain-2.db file on the iPhone.

Hope it helps you.
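An added example, not code from the answer above or from Apple's KeychainItemWrapper: a self-contained ARC-era helper for step 1 that sets kSecAttrAccessibleWhenUnlockedThisDeviceOnly on both the add and the update path, plus the check a reviewer would ask for, reading the item's attributes back to confirm the accessibility class actually took (an item created earlier with a weaker class keeps it until it is explicitly updated). The function names and the service/account strings are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper names; the service/account values are chosen by the caller.
// Base query identifying one generic-password item by service and account.
static NSMutableDictionary *BaseQuery(NSString *service, NSString *account) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: service,
               (__bridge id)kSecAttrAccount: account } mutableCopy];
}

// Store a secret readable only while this device is unlocked and never migrated
// to another device through a backup. Falls back to SecItemUpdate when the item
// already exists, and re-applies the accessibility class on that path too.
OSStatus StoreSecret(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *attrs = @{ (__bridge id)kSecValueData: secret,
                             (__bridge id)kSecAttrAccessible:
                                 (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly };
    NSMutableDictionary *addQuery = BaseQuery(service, account);
    [addQuery addEntriesFromDictionary:attrs];

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);
    if (status == errSecDuplicateItem) {
        // Existing item: update value AND accessibility, because an older item
        // may have been created with a weaker class that SecItemAdd never touches.
        status = SecItemUpdate((__bridge CFDictionaryRef)BaseQuery(service, account),
                               (__bridge CFDictionaryRef)attrs);
    }
    return status;
}

// Check: read the stored attributes back and confirm the accessibility class.
BOOL IsDeviceOnlyWhenUnlocked(NSString *service, NSString *account) {
    NSMutableDictionary *query = BaseQuery(service, account);
    query[(__bridge id)kSecReturnAttributes] = @YES;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return NO;
    }
    NSDictionary *found = CFBridgingRelease(result);
    NSString *accessible = found[(__bridge id)kSecAttrAccessible];
    return [accessible isEqualToString:
            (__bridge NSString *)kSecAttrAccessibleWhenUnlockedThisDeviceOnly];
}
```

Run StoreSecret(...) followed by IsDeviceOnlyWhenUnlocked(...) on an item that predates the change to see the update path repair its class; the check fails on an item that still carries the old class.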
