Apple Data Security Framework

rschroeder writes: "Apple has opened their Common Data Security Architecture framework, which "contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys." Lots of good info in addition to the code."

Some Background

[maggard]

First of all it needs to be pointed out Apple has been supporting encryption in their products for several years now.

One of the features of MacOS 9 has been the ability to encrypt any file via a set of system-level services. A second feature has been the ability to use a "Keychain" service where passwords & other information can be securely stored & automatically retrieved by authorized applications. A third feature has been the ability to use a Voiceprint as a password.

Here are a number of examples of how these features can be used:

1. Macs running MacOS 9 and greater support Multiple Users. Thus folks can (or must) log in in order to access their materials. This login can be accomplished via typed password or Voiceprint. Macs with access to an appropriate server can store individual preferences on the server and these can used applied from client Macs as the user logs in.

2. In order to encrypt or decrypt a file under MacOS 9 and greater on need simply drag-and-drop the file/folder/drive to the encryption application. This service can also be called from within any application utilizing the cryptographic API's.

3. Utilizing the "Keychain" any program can store or retrieve settings, passwords and other secured bits of information. Thus instead of saving one's web-account passwords in an easily read text file they're stored encrypted in a file where explicit authorization must be given for access. The same for the other various servers one might utilize regularly or occasionally - their login information and passwords can be stored under a single master-password and applied at need.

Now, lots of folks are going to start reading this and trying to imagine lots of ways they could break this, the possible downsides, etc. Yes, it's not completely foolproof. On the other hand it's a lot better then many other OS's offer, particularly when you realize it's widely supported throughout the OS and by many (most?) applications. Furthermore it seems fairly well thought out and after being out in the field a bit it seems to be working well.

It's good to see Apple is finally documenting the same hooks in MacOS X. Presumably by completely opening the material a better evaluation of the processes can be made and improvements implemented by third parties. Furthermore since it's a standard promulgated by a number of companies all in the security field this has a good chance of being implemented in a wide range of products.

It would also be great if other OS development folks could take this code and use it to compare/contrast their own efforts in this direction and use them to improve themselves, possibly even work towards adopting some common material where the specs are vague.

Finally, before going and making wild-assed assumptions based on how you assume this stuff is implemented or blue-skying on it's possible flaws howzabout investing the 10 minutes and actually getting the facts first, not wasting all of the rest of ours time? This is all Open Source and it's well documented so it's not up to everyone else to teach you: Go read it for yourself.

No, Darwin isn't MacOS X lite

[maggard]

Darwn is the base of MacOS X. Yes it's OpenSource. Yes it's freely avialable, Apple even hosts the servers & has engineers assigned to porting it to non-Apple platforms (to wit the x86.)

That said there's a long distance between Darwin & MacOS X. Carbon, Quartz, Aqua, QuickTime, Classic - all are critical parts of MacOS X that aren't in Darwin. Without them Darwin is an interesting BSD variant with a Mach-based kernel, reworked IO & some nifty OO & "Frameworks" support and innovative configuration-files-settable-via-XML technology.

That doesn't a clone make. Indeed it's debatable if Apple could themselves easily make a clone-able Mac at this point. So much of MacOS X (not Darwin) is PPC-specific and relies so heavily on Apple hardware implementations it might not be easily possible.

Sure Next was ported many times & MacOS X has inherited much of that flexibility but since then there's been massive rewrites. It's likely that most of everything above Darwin might require a lot of work now move to another architecture or even motherboard design, there appear to be lots of assumptions made in the design.

Sure there are always rumors of MacOS X running on x86/Alpha/etc. chips and there was a Rhapsody release that was cross-platform as well as stories of a beta MacOS 8 runnable on an IBM RS6000 but at this point it seems unlikely that the MacOS X now out there could be easily moved to either an Intel-standard motherboard architecture (BIOS/ Northbridge/Southbridge etc.) or to another workstation architecture using OpenFirmware etc.

Possible: Yes.
Easily Achieved: No
Possible by someone other then Apple? No

Darwin does not MacOS X make.