Getting Started with Security

Technology Overview

Security is about restricting access, whether to a physical object, a location, information, an application, or a particular feature of an application. Depending on what you need to protect, you may want to:

  • Verify someone’s identity (authenticate the user) with digital certificates, password verification, or some other method

  • Determine what information a user has permission to see or what software a user has permission to use (that is, determine their access permissions)

  • Set policies controlling who can see particular information or use particular software (perform authorization or set trust policy)

  • Store information securely in the keychain or retrieve the information when needed

  • Issue credentials someone can use to certify their identity (issue digital certificates)

  • Ensure the integrity of documents and emails by adding digital signatures

  • Encrypt or decrypt data

  • Encrypt data while it is in transit (set up a secure transport channel)

If your software needs to protect information or if you need to control access to your software, then you need to be familiar with the security features and APIs of Mac OS X.

In addition to the documentation pointed to in this overview, read the Security topic page.

Start Here

Start with Security Overview to get a high-level view of Mac OS X security features:

  • Chapter 1 introduces the book and includes a list of references for further reading.

  • Chapter 2 describes the Mac OS X security architecture.

  • Chapter 3 introduces security concepts such as authentication, authorization, permissions, access control lists (ACLs), and digital certificates. Even if you’re already an expert, look at the sections titled “Mac OS X” and “Network”, which describe how Mac OS X access controls differ from BSD, AppleShare, and other common systems.

  • Chapter 4 introduces the security APIs provided by Mac OS X.

Choose a Learning Path

If you want to verify the identity of a user before granting access to your program or data, you need to learn about the authentication methods available. To control users’ access to programs and data, you need to know how to get and set access rights. To create a secure mail, web, or network application or server, you need to learn how to transport data securely over a network. To protect data and ensure data integrity, you can use digital signatures and encryption.

Authenticating a User

Before you determine whether to grant a user access to your software or data, you must verify their identity. Authorization Services can prompt the user for their password or other authentication information. You can also use certificates to authenticate a user or server.

In addition, you can store passwords in the keychain and retrieve them when needed, and you can validate a user’s digital certificate stored in the keychain.

Controlling Access

You can control who has access to your data, to your application, or to particular features of your application by using the Authorization Services APIs to set and get access rights for users and to verify a user’s identity. There are procedural-C and Objective-C interfaces to Authorization Services.

Transporting Data Securely Over a Network

You can download data from a secure URL using the HTTPS protocol, or you can send data securely over a network using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) data stream:

  • If you are using Cocoa and want to download data from a URL, see URL Loading System.

  • If you are using Cocoa and want to set up a secure data stream, see CFNetwork Programming Guide.

  • If you are using Carbon and prefer to start with textual documentation, read Secure Transport Reference.

  • If you are using Carbon and prefer to start with sample code, look at SSLSample, which illustrates the use of Secure Transport.

Protecting Data

To ensure the integrity of data in a file or email, you can use digital signatures. For functions to create and evaluate digital signatures and to encrypt and decrypt data, use Apple’s implementation of the Common Data Security Architecture (CDSA). For pointers to CDSA, see the Security topic page. The sample code CryptoSample contains source code and example programs for encryption and for message digest creation. Message digests are used in digital signatures.

Next Steps

The Security Reference Library includes the following high-level resource pages, which can be bookmarked for easy access:

  • Guides

    Conceptual and how-to information for security technologies.

  • Reference

    Focused, detailed descriptions in reference format for security technologies.

  • Release Notes

    Late-breaking news and highlights of new or changed features in the latest release.

  • Sample Code

    Samples demonstrating the use of Security APIs.

  • Technical Notes

    Late-breaking documents on security issues.

  • Technical Q&As

    Programming tips, code snippets, and FAQs by Apple’s support engineers.

  • Mailing Lists

    The Apple CDSA mailing list (apple-cdsa) is an excellent place to discuss issues people have encountered using the security features of Mac OS X.



© 2003, 2006 Apple Computer, Inc. All Rights Reserved. (Last updated: 2006-05-23)

