Overview

The Keychain Manager allows users to invent long or complicated passwords, enter them once into secure storage and then forget them. Secure storage means that when the keychain is locked, only the keychain owner can access or modify the passwords in the keychain.

The Keychain Manager enables your application to store user passwords in a keychain. A keychain is a secure database for multiple passwords, accessed by a passphrase, that belongs to one owner and allows transparent authentication to multiple services. Transparent authentication, or single sign-on, means that by entering one master passphrase, the user can access all the applications and services that have passwords in the keychain. A passphrase is the password used by the owner of the keychain to unlock the keychain and store passwords to applications and services. The passphrase to the keychain is never stored on disk and is never accessible to applications.

A keychain may contain four different kinds of items: AppleShare passwords, which are passwords to AppleShare servers; Internet passwords, which might be the password to a web site; generic passwords, which might allow the user access to a scheduling database; and keys and certificates. Each of these items has a set of attributes. You can use these attributes to record and track the passwords the user has chosen in your application. Some attributes are common to all items, while others are specific to a particular kind of keychain item. For a description of common and item-specific attributes, see "Keychain Item Attribute Tag Constants".

Certificates are an integral part of many security-related tasks. Because the Mac OS currently does not have an OS-level address book, certificates of people the user knows are stored in the user's keychain along with the user's own personal certificate and the root certificates the user has allowed to be added. The Keychain Manager provides functions that allow your application to display a user interface for the user to select a certificate, as well as to search for a certificate.

Note that keys come in two major flavors: symmetric and asymmetric. Symmetric keys are typically used for session or password-based encryption. This is considered a shared secret key. Asymmetric key pairs are used to do signing and encryption without a shared secret. When an asymmetric key pair is generated, it is typically associated with a certificate. The keychain will eventually provide the ability to create, store, and display symmetric and asymmetric keys. Symmetric keys can only be generated using the API. Asymmetric keys can be generated using the Certificate Assistant or the Signing Application.

In Keychain Manager 2.0, your application can search locked keychains, which allows the search mechanism to be more sophisticated. In prior versions, the user had to unlock a keychain before an application could know whether a given password was in the keychain, which resulted in unnecessary unlocking of the keychain. For example, when AppleShare attempts to log on to a server, it may issue a FindAppleSharePassword call. The Keychain Manager will search all unlocked keychains for the password and, if it is not found, search the locked keychains. If it is found in a locked keychain, the user will be prompted to unlock that keychain so the password can be retrieved. If it is not found in any keychain, the find result will be itemNotFound and no user interaction will have been required.

Since a computer can be shared by more than one user, the Keychain Manager specifies the default keychain. The currently unlocked keychain in which items are added is also known as the default keychain. New items are always added to the default keychain. When an API call is made and the Keychain Manager detects there aren't any keychains available, the user is prompted to create one using the Keychain Manager user interface.

The default keychain is automatically selected for the user by the Keychain Manager when an unspecified keychain is to be unlocked. The default keychain preference is stored in Internet Config and is modified by the user via the Keychain Access control panel. The default keychain is automatically configured by the Keychain Manager when a keychain is created for the first time on the user's machine. If the default keychain isn't configured (i.e. a non-existent Internet Preferences file), the user is prompted to choose among the locked keychains (first one chosen in the list).

Though many passwords, accessing different applications and services, can be stored in a keychain, each keychain has only one passphrase. This master password unlocks the keychain and allows applications to access the user's application and service passwords. When the computer is started up, all keychains are locked. The keychains remain locked until the user establishes authentication. Until the user unlocks the keychain, applications have no access to keychain items.

The user can create or unlock a keychain, or view the items stored in a keychain, via the Keychain Access control panel. Keychain Access is a control panel that allows users to view and manage items in a keychain. After the user has created and unlocked their keychain, applications can begin using it.

When a keychain is unlocked, the user's passwords are available to any application running on their machine. If their computer is left unattended and their keychain is unlocked, anyone who has access to their system can access their passwords. To ensure that this doesn't occur, the user should set their keychain to lock automatically.

The Keychain Manager enables the user to open multiple keychains simultaneously. The user can use drag and drop to manipulate keychain contents. In addition, the user can drag certificates to and from the keychain, effectively importing or exporting them. This allows users to have their secure data spread across multiple keychains and be able to access the information no matter where it resides.

Searching is performed across all open keychains, starting with the default keychain. All keychains are searched. If a match is found in more than one keychain, the user is presented with a dialog asking them to select the item they want to use. Keychain Manager now enables your application to search locked keychains. In prior versions, the user had to unlock a keychain before you could determine whether a password was in the keychain.

Every active keychain has a lock interval timer, which locks the keychain automatically after a period of time that you specify. This feature is useful for security reasons. Without a lock interval timer, a user might forget to lock the keychain before leaving the computer, and anyone else with access to that computer can potentially access the user's passwords.
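The search order and prompting behaviour described above (unlocked keychains first, default keychain first within each pass, then locked keychains without unlocking them, itemNotFound when nothing matches, a user choice when more than one keychain matches) and the lock interval timer are easy to misread from prose alone. The following Python model is an added example written for this page; it is not Apple's Keychain Manager code and does not call the real C/Pascal API. The result names, the `Keychain` class, the sample keychain names and passwords, and the rule that a multiple-match dialog lists only the keychains found in the pass that produced the match are all assumptions made for the illustration.

```python
"""Model of Keychain Manager 2.0 search and auto-lock semantics.

Illustrative simulation only: the real Keychain Manager is a C/Pascal API on
classic Mac OS and is not called here. All keychain names, passwords and
lock intervals below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class SearchResult(Enum):
    FOUND = "found"                  # match in an unlocked keychain; password returned, no prompt
    NEEDS_UNLOCK = "needsUnlock"     # match only in a locked keychain; user is prompted to unlock it
    USER_CHOICE = "userChoice"       # match in more than one keychain; user picks which item to use
    ITEM_NOT_FOUND = "itemNotFound"  # no match anywhere; no user interaction was needed


@dataclass
class Keychain:
    name: str
    locked: bool = True
    lock_interval: Optional[float] = None  # seconds before auto-lock; None means never
    unlocked_at: Optional[float] = None
    # AppleShare items keyed by (server, account) -> password. Sample data only.
    items: dict = field(default_factory=dict)

    def unlock(self, now: float) -> None:
        self.locked = False
        self.unlocked_at = now

    def auto_lock_if_due(self, now: float) -> bool:
        """Lock interval timer: lock once the configured interval has elapsed."""
        if self.locked or self.lock_interval is None or self.unlocked_at is None:
            return False
        if now - self.unlocked_at >= self.lock_interval:
            self.locked = True
            self.unlocked_at = None
            return True
        return False


def find_appleshare_password(keychains, default_name, server, account):
    """Search order from the overview: unlocked keychains (default first), then locked ones.

    Returns (result, password_or_None, names_of_matching_keychains).
    Assumption: when several keychains match, the user chooses among those
    found in the pass that produced the match.
    """
    key = (server, account)
    # Stable sort puts the default keychain first within each pass.
    ordered = sorted(keychains, key=lambda k: k.name != default_name)
    unlocked_hits = [k for k in ordered if not k.locked and key in k.items]
    if unlocked_hits:
        if len(unlocked_hits) > 1:
            return SearchResult.USER_CHOICE, None, [k.name for k in unlocked_hits]
        k = unlocked_hits[0]
        return SearchResult.FOUND, k.items[key], [k.name]
    # Not in any unlocked keychain: search the locked ones without unlocking them.
    locked_hits = [k for k in ordered if k.locked and key in k.items]
    if not locked_hits:
        return SearchResult.ITEM_NOT_FOUND, None, []
    if len(locked_hits) > 1:
        return SearchResult.USER_CHOICE, None, [k.name for k in locked_hits]
    return SearchResult.NEEDS_UNLOCK, None, [locked_hits[0].name]


def build_sample_keychains():
    """Constructed sample data: two keychains on one machine, one unlocked."""
    home = Keychain("Home", locked=False, lock_interval=300, unlocked_at=0.0,
                    items={("fileserver.example", "alice"): "correct-horse-battery"})
    work = Keychain("Work", locked=True,
                    items={("fileserver.example", "alice"): "other-password",
                           ("archive.example", "alice"): "archive-pw"})
    return [home, work]


def demo():
    kcs = build_sample_keychains()
    r1 = find_appleshare_password(kcs, "Home", "fileserver.example", "alice")  # FOUND in Home
    r2 = find_appleshare_password(kcs, "Home", "archive.example", "alice")     # NEEDS_UNLOCK (Work)
    r3 = find_appleshare_password(kcs, "Home", "nowhere.example", "alice")     # ITEM_NOT_FOUND
    kcs[0].auto_lock_if_due(now=299.0)  # interval not yet elapsed, Home stays unlocked
    kcs[0].auto_lock_if_due(now=300.0)  # timer fires, Home locks
    r4 = find_appleshare_password(kcs, "Home", "fileserver.example", "alice")  # both locked: USER_CHOICE
    return r1, r2, r3, r4, kcs[0].locked


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The `ITEM_NOT_FOUND` path is the one Keychain Manager 2.0 added: the locked keychains are consulted without being unlocked, so a password that exists nowhere produces no prompt at all. The `auto_lock_if_due` check stands in for the lock interval timer; an unattended machine with an unlocked keychain is the failure mode the timer is meant to close.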


© 2000 Apple Computer, Inc. (Last Updated 07 April 00)