Keychain (software)

from Wikipedia, the free encyclopedia
Keychain Access
Basic data

Developer: Apple Inc.
Current version: 9.0 (October 2014)
Operating system: macOS, Mac OS Classic
Category: Password management
License: Apple EULA
German-language: Yes
www.apple.com/osx/preview/

The keychain is an Apple system for managing passwords and digital certificates. It first appeared in Mac OS 8.6 (1999) as part of Apple's PowerTalk mail system and has been integrated into the operating system since Mac OS 9.

Users access it through the Keychain Access utility. Under Mac OS X, the command-line program security is also available.

The keychain is also included in iOS .

Keychains

A keychain is a file that can hold passwords (such as those for websites or wireless networks), digital certificates, and secure notes. By default, each user has their own keychain and the system has a shared keychain. Additional keychains can be added and managed through Keychain Access. By default there are three keychains:

  • The user keychain (called login; located under ~/Library/Keychains/) can be modified by the user; it holds, for example, personal certificates or passwords.
  • The system keychain (called System; located under /Library/Keychains/) holds, for example, certificates for all users or Wi-Fi passwords.
  • A special keychain is System Roots: it contains all of the system's root CAs and trusted certification authorities.

In addition, depending on the configuration, there may be further keychains, e.g. under /Network/Library/Keychains/ in corporate networks.

Security

All keychains are secured with a password. The user keychain is encrypted with the user's login password; it is opened at login and only closed at logout.

Additional keychains can be secured with their own passwords, and a keychain can be set to lock after a few minutes of inactivity.

By default, viewing the content of an entry, for example a password or a secure note, requires entering the keychain password again even while the keychain is open.

Vulnerability
In February 2019, security researcher Linus Henze succeeded in reading passwords from the keychain with a manipulated macOS app, without the user having granted permission. The exploit worked for both the login keychain and the System keychain. Apple closed this vulnerability (CVE-2019-8526) in March 2019 as part of macOS 10.14.4.

Functions

Certificates

Keychain Access offers extensive management of digital certificates. Among other things, the following is possible:

  • Viewing certificate details and verifying certificates.
  • Granting or withdrawing trust for certificates.
  • Creating a certification authority (CA), with OpenSSL as the backend. Since Mac OS X Lion it is also possible to create a root CA.
  • Creating self-signed certificates.
  • Creating certificate signing requests for submission to a CA.
  • Storing public and private keys.

Strictly speaking, the creation and signing of certificates does not take place in Keychain Access but in the Certificate Assistant program. Keychain Access is only used to display and manage certificates.

Passwords

Users and programs can write passwords to the user keychain. In this way, for example, e-mail passwords or website passwords are stored securely and the user does not have to re-enter them every time.

By default, access to an entry is only allowed to the program that created it; if another program tries to access it, a warning prompt appears. The user can change this behavior per entry.
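The per-entry access control and the lock-after-inactivity setting described above can be exercised with the security command-line tool. The following script is an added example, not code from the article or from Apple; it assumes macOS with /usr/bin/security, and the keychain path, keychain password, service name, account name and trusted application are made-up demo values. It works on a throwaway keychain so the login keychain is never touched.

```shell
#!/bin/bash
# Added example (not from the article): drive the macOS `security` CLI against
# a scratch keychain. Assumes macOS; all names and secrets below are demo values.
set -euo pipefail

KC="${TMPDIR:-/tmp}/demo-$$.keychain"   # scratch keychain, not the login keychain
KC_PW='demo-keychain-password'          # constructed demo password

# Create an additional keychain protected by its own password and make it lock
# after 300 s of inactivity (-u -t) and when the system sleeps (-l).
kc_create() {
  security create-keychain -p "$KC_PW" "$KC"
  security set-keychain-settings -l -u -t 300 "$KC"
}

# Store a generic password. -T adds the named application to the item's ACL;
# the calling program (here: security itself) is always trusted. -U updates an
# existing item instead of failing on a duplicate.
kc_add() {   # kc_add SERVICE ACCOUNT PASSWORD
  security add-generic-password -s "$1" -a "$2" -w "$3" \
    -T /Applications/Safari.app -U "$KC"
}

# Read the secret back; -w prints only the password. Any program not on the
# item's ACL would trigger the access-warning prompt instead.
kc_find() {   # kc_find SERVICE ACCOUNT
  security find-generic-password -s "$1" -a "$2" -w "$KC"
}

# Dump the keychain with its items' access control lists (-a) for review.
kc_acl() {
  security dump-keychain -a "$KC"
}

kc_destroy() {
  security delete-keychain "$KC"
}

# Only run the demo when the tool is present, i.e. on macOS.
if command -v security >/dev/null 2>&1; then
  kc_create
  kc_add demo.example.org alice 's3cret-demo'
  kc_find demo.example.org alice        # prints the stored password
  kc_acl
  security lock-keychain "$KC"          # explicit lock, as after inactivity
  kc_destroy
fi
```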

Keychain Access also offers a password generator for creating secure passwords.

Secure notes

Users can also create so-called secure notes and store them in a keychain. Like the rest of the keychain, these notes are stored in encrypted form.

Technology

The keychain consists of two parts: the user interface (e.g. Keychain Access or the command-line tool security) and the underlying framework.

Apple has published the source code of the framework, libsecurity_keychain, under the Apple Public Source License.

For developers, Apple offers Security.framework, a publicly documented C API for libsecurity_framework; programs can use this API to read and write the keychain.

The keychains themselves are encrypted with Triple DES; elliptic-curve cryptography is used for root CAs under Mac OS X Lion.

iCloud Keychain

The iCloud Keychain is a keychain stored in Apple's iCloud service and can therefore be used on all devices connected to the same iCloud account. Passwords, addresses or credit card numbers, for example, can be stored securely in this keychain.
