Organization of This Document
See Also
Computer security has been much in the news in recent years, whether it’s the latest computer virus spread via email, questions about the safety of secrets on the computers of our national weapons laboratories, or stories about hackers stealing thousands of credit card numbers from an online vendor. Whatever the source of attack, the problem is the same: how to protect information and software from being accessed by unauthorized people. In response to this need, Apple has built a number of security features into the Mac OS X and iPhone OS operating systems and provides a variety of APIs that developers can use to make their applications more secure.
This document describes the security features of Mac OS X and iPhone OS, explains concepts that you must understand in order to use the security APIs, and describes the security APIs. This document is intended for anyone who is interested in computer security, but especially for developers new to the security APIs in Mac OS X and iPhone OS. No programming knowledge is assumed, though it will be helpful if you have some familiarity with Apple computers or mobile devices. If you are a software developer, this book will help you understand the security architecture of Mac OS X and iPhone OS and will help you determine which of the available security features and APIs will be of most use to you. It will also direct you to further documentation and sample code, so you can get started writing secure code more quickly.
This book does not discuss how to write secure software. While the security APIs can help you write programs that are resistant to unauthorized access, malicious attacks often exploit vulnerabilities caused by avoidable coding errors. For more information on writing secure code, see Secure Coding Guide and the books listed in the section “Books on Computer Security.”
This document describes the security architecture of Mac OS X and iPhone OS, explains some concepts common to computer security on all platforms, describes some features specific to security in Mac OS X and iPhone OS, and describes the APIs that are useful in computer security. Where appropriate, it points out the differences in APIs and security features between Mac OS X and iPhone OS. This document contains the following chapters:
“Security Architecture” describes and diagrams the operating system components that contribute to the security of data both on an individual device and across networks. It shows where each of the major security APIs fits into the architecture of the operating system.
“Security Concepts” introduces and explains concepts and technologies important to keeping data secure and to preventing unauthorized access of files over a network. The section “Mac OS X” describes the differences in access permissions between Mac OS X and other UNIX systems, and the section “Network File Systems” describes the extent to which various networking protocols, including Apple Filing Protocol (AFP), implement Mac OS X access permissions.
“Security Services” describes all of the Mac OS X and iPhone OS APIs that you can use to create secure applications or to ensure security over a network. It also has brief descriptions of some user-level security features, such as the Keychain Access application and FileVault.
“Glossary” defines security-related terms used in this document.
For a general background on Mac OS X and iPhone OS security, use the following resources:
To get the latest updates on Apple’s security services and for pointers to other Apple security resources, go to the ADC technology page for security at http://developer.apple.com/security/.
Reference and conceptual documentation, technical notes, Q&As, and sample code for security APIs are available from Reference Library > Security on the ADC Mac OS X website or Topics > Security on the iPhone Reference Library site.
For an introduction to Mac OS X system architecture and system technologies, see Mac OS X Technology Overview.
For an introduction to iPhone OS system architecture and system technologies, see iPhone OS Technology Overview.
To see which security protocols and algorithms are supported by Apple’s Mac OS X security implementation, see the documentation provided with the Open Source security code, which you can download at http://developer.apple.com/opensource/security/, and the Security Release Notes in the latest Xcode Tools from Apple.
For documentation on the security APIs, see the following documents:
For information on Mac OS X Authorization Services, see Authorization Services C Reference and Authorization Services Programming Guide. The Authorization Services APIs are not available on iPhone OS.
Technical Note TN2095, Authorization for Everyone, also discusses the use of Authorization Services.
To learn how to store and retrieve secrets and certificates using the keychain, see Keychain Services Programming Guide and Keychain Services Reference.
To learn how to read and validate certificates, see Certificate, Key, and Trust Services Reference.
See Security Interface Framework Reference in Reference Library > Security for an Objective-C interface to Authorization Services and for a variety of security-related user interface elements (Mac OS X only).
For information about the Secure Transport API, see Secure Transport Reference (Mac OS X only).
If you want to set up a secure data stream, see CFNetwork Programming Guide.
To add passwords to QuickTime movies, see Movie Toolbox Access Keys.
For information on standards, protocols, and algorithms used by Apple, see the following sources:
The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, which you can find at http://www.ietf.org/rfc/rfc2617.txt.
For information on the SSL protocol for secure networking, see http://wp.netscape.com/eng/ssl3/. For the TLS protocol, see http://www.ietf.org/html.charters/tls-charter.html.
CDSA, implemented as part of the Mac OS X security architecture, is an Open Source standard by the Open Group (http://www.opengroup.org/security/cdsa.htm). For an introduction to CDSA, see CDSA Explained, second edition, from the Open Group. The CDSA/CSSM technical standard is Common Security: CDSA and CSSM, version 2 (with corrigenda), also from the Open Group.
Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website at http://csrc.nist.gov/CryptoToolkit/aes/rijndael/.
For information on Kerberos authentication, see http://web.mit.edu/kerberos/. For information on MIT’s Kerberos for Macintosh, see http://web.mit.edu/macdev/Development/MITKerberos/MITKerberosLib/Common/Documentation/KerberosFramework.html.
See Mac OS X Server Open Directory Administration available at http://www.apple.com/server/documentation/ for details on the services that support Kerberos and on how to implement a Kerberos KDC on your Mac OS X server.
The PC/SC Workgroup has established a standard for accessing smart cards and writing card reader drivers. Their website is at http://www.pcscworkgroup.com/.
Apple’s smart card support is based on the Movement for the Use of Smart Cards in a Linux Environment (MUSCLE) Open Source implementation of the PC/SC standard. The MUSCLE home page is http://www.linuxnet.com/.
You may find the following books useful in learning more about security, cryptography, and networking.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security. 3d ed. O’Reilly & Associates, Inc. 2003.
Brands, S. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.
Gray, John Shapley. Interprocess Communications in UNIX. 2d ed. Prentice Hall Professional. 1997.
McKusick, M. K., K. Bostic, M. J. Karels, and J. S. Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley. 1996.
Schneier, Bruce. Applied Cryptography. 2d ed. Wiley. 1996.
Stevens, Richard W. UNIX Network Programming: Interprocess Communications. Vol. 2, 2d ed. Prentice Hall Professional. 1998.
Stevens, Richard W. UNIX Network Programming: Networking APIs: Sockets and XTI. Vol. 1. Prentice Hall Professional. 1997.
Viega, John, and Gary McGraw. Building Secure Software. Addison-Wesley. 2002.
© 2003, 2008 Apple Inc. All Rights Reserved. (Last updated: 2008-10-15)