Re: [cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)

2013-03-25 Thread Peter Gutmann
Paul Walker p...@blacksun.org.uk writes:

> I'm curious which bits you feel Apple got right with the Keychain - not
> because I disbelieve you, but because I don't know.  :-) Have you got any
> links or documents, either for what they did right or for what the others do
> wrong?

Link sent off-list.  Another nice thing Apple have done, which no-one else has
managed so far, is to get people to actively use the Keychain API and
capabilities.  When was the last time you saw an app (not produced by
Microsoft or part of the Gnome desktop) that used DPAPI or the Gnome Keyring?

Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)

2013-03-25 Thread Jeffrey Goldberg
[Posted to list only]

On 2013-03-25, at 8:02 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

> Another nice thing Apple have done, which no-one else has
> managed so far, is to get people to actively use the Keychain API and
> capabilities.

I just looked in my login (default) OS X Keychain for Application Passwords
that aren't from Apple supplied applications. I found 27 distinct applications
used. (I suspect that I also have a bunch of Login Passwords that are tied
to non-Apple applications as well, but don't have a convenient way to count
these).

The first versions of 1Password (the password management software
I'm involved with) used the OS X Keychain for the site passwords we stored.
(There were reasons why we moved away from the OS X keychain, most notably
because MobileMe syncing of keychains wasn't reliable). It used a distinct
Keychain from the user's login Keychain.

In later versions of 1Password we used the OS X keychain only for
the purposes that Keyspace seems designed for. We had different components
that needed to talk to each other securely (the stuff that ran the browser
plug-ins and the main application). So using the OS X Keychain to restrict
some data to specific applications was a good solution for us.

Now, with browser sandboxing and extension requirements, we can't use that
same technique (we can't write pure JavaScript extensions that make use of
the OS X Keychain, and so now use a websocket daemon running on localhost)
and we want a solution that works across platforms. So something like Keyspace
may be the sort of thing we will have to rely on. We are also looking at
whitebox cryptography so that at least we will have some theory behind how
good (or bad) our obfuscation is.

Basically, we'd love to have access to something like the OS X Keychain
everywhere. It worked, and we didn't have to develop our own techniques
for managing secrets needed by multiple related applications.

Cheers,

-j

-- 
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com


[cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)

2013-03-22 Thread Paul Walker
Hi Peter,

> In a perfect world, yes.  However having an OS-provided, standardised
> mechanism that gets things mostly right (Apple Keyring) is far, far better
> than forcing every developer to invent their own one (Unix and to a lesser
> extent Windows), which 90% will get wrong.

I'm curious which bits you feel Apple got right with the Keychain - not
because I disbelieve you, but because I don't know.  :-) Have you got any
links or documents, either for what they did right or for what the others do
wrong?

(I use OS X, so I'm happy to hear they got it mostly right...)

Thanks,

-- 
Paul