Introduction to Security Overview
Contents:
Organization of This Document
See Also
Computer security has been much in the news in recent years, whether it’s the latest computer virus spread via email, questions about the safety of secrets on the computers of our national weapons laboratories, or stories about hackers stealing thousands of credit card numbers from an online vendor. Whatever the source of attack, the problem is the same: how to protect information and software from being accessed by unauthorized people. In response to this need, Apple has built a number of security features into the Mac OS X operating system and provides a variety of APIs that developers can use to make their applications more secure.
This document describes the security features of Mac OS X, explains concepts that you must understand in order to use the security APIs, and describes the security APIs. This document is intended for anyone who is interested in computer security, but especially for developers new to the security APIs in Mac OS X. No programming knowledge is assumed, though it will be helpful if you have some familiarity with Macintosh computers. If you are a software developer, this book will help you understand the security architecture of Mac OS X and will help you determine which of the available security features and APIs will be of most use to you. It will also direct you to further documentation and sample code, so you can get started writing secure code more quickly.
This book does not discuss how to write secure software. While the Mac OS X security APIs can help you write programs that are resistant to unauthorized access, malicious attacks often exploit vulnerabilities caused by avoidable coding errors. These coding issues are not particular to the Macintosh and are well covered in existing literature, such as the books listed in the section “Books on Computer Security.” See especially Viega and McGraw, Building Secure Software.
Organization of This Document
This document describes the security architecture of Mac OS X, explains some concepts common to computer security on all platforms, describes some features specific to security in Mac OS X, and describes the Mac OS X APIs that are useful in computer security. This document contains the following chapters:
“Mac OS X Security Architecture” describes and diagrams the components of Mac OS X that contribute to the security of data both on an individual computer and across networks. It shows where each of the major security APIs fits into the architecture of the operating system.
“Security Concepts” introduces and explains concepts and technologies important to keeping data secure on a computer and to preventing unauthorized access of files over a network. The section “Mac OS X” describes the differences in access permissions between Mac OS X and other UNIX systems, and the section “Network File Systems” describes the extent to which various networking protocols, including Apple Filing Protocol (AFP), implement Mac OS X access permissions.
“Mac OS X Security Services” describes all of the Mac OS X APIs that you can use to create secure applications or to ensure security over a network. It also has brief descriptions of some user-level security features, such as the Keychain Access application and FileVault.
“Glossary” defines security-related terms used in this document.
See Also
For a general background on Mac OS X and Mac OS X security, use the following resources:
To get the latest updates on Apple’s security services and for pointers to other Apple security resources, go to the ADC technology page for security at http://developer.apple.com/security/.
Reference and conceptual documentation, technical notes, Q&As, and sample code for security APIs are available from Reference Library > Security on the ADC website.
For an introduction to Mac OS X system architecture and system technologies, see Mac OS X Technology Overview.
To see which security protocols and algorithms are supported by Apple’s security implementation, see the documentation provided with the Open Source security code, which you can download at http://developer.apple.com/darwin/projects/security/, and the Security Release Notes in the latest Xcode Tools from Apple.
Mac OS X Security API Documentation
For documentation on the Mac OS X security APIs, see the following documents:
For information on Authorization Services, see Authorization Services C Reference and Performing Privileged Operations With Authorization Services.
Technical Note TN2095, Authorization for Everyone, also discusses the use of Authorization Services.
To learn how to store and retrieve secrets and certificates using the keychain, see Keychain Services Programming Guide and Keychain Services Reference.
To learn how to read and validate certificates, see Certificate, Key, and Trust Services Reference.
See Security Interface Framework Reference in Reference Library > Security for an objective-C interface to Authorization Services and for a variety of security-related user interface elements.
For information about the Secure Transport API, see Secure Transport Reference.
If you are want to set up a secure data stream, see CFNetwork Programming Guide.
To add passwords to QuickTime movies, see Movie Toolbox Access Keys.
Standards and Protocol References
For information on standards, protocols, and algorithms used by Apple, see the following sources:
The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, which you can find at http://www.ietf.org/rfc/rfc2617.txt.
For information on the SSL protocol for secure networking, see http://wp.netscape.com/eng/ssl3/. For the TLS protocol, see http://www.ietf.org/html.charters/tls-charter.html.
CDSA, implemented as part of the Mac OS X security architecture, is an Open Source standard by the Open Group (http://www.opengroup.org/security/cdsa.htm). For an introduction to CDSA, see CDSA Explained, second edition, from the Open Group. The CDSA/CSSM technical standard is Common Security: CDSA and CSSM, version 2 (with corrigenda), also from the Open Group.
Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website at http://csrc.nist.gov/CryptoToolkit/aes/rijndael/.
For information on Kerberos authentication, see http://web.mit.edu/kerberos/. For information on MIT’s Kerberos for Macintosh, see http://web.mit.edu/macdev/Development/MITKerberos/MITKerberosLib/Common/Documentation/KerberosFramework.html
See Mac OS X Server Open Directory Administration available at http://www.apple.com/server/documentation/ for details on the services that support Kerberos and on how to implement a Kerberos KDC on your Mac OS X server.
The PC/SC Workgroup has established a standard for accessing smart cards and writing card reader drivers. Their website is at http://www.pcscworkgroup.com/.
Apple’s smart card support is based on the Movement for the Use of Smart Cards in a Linux Environment (MUSCLE) Open Source implementation of the PC/SC standard. The MUSCLE home page is http://www.linuxnet.com/index.html.
Books on Computer Security
You may find the following books useful in learning more about security, cryptography, and networking.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security. 3d ed. O’Reilly & Associates, Inc. 2003.
Brands, S. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.
Gray, John Shapley. Interprocess Communications in UNIX. 2d ed. Prentice Hall Professional. 1997.
McKusick, M. K., K. Bostic, M. J. Karels, and J. S. Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley. 1996.
Schneier, Bruce. Applied Cryptography. 2d ed. Wiley. 1996.
Stevens, Richard W. UNIX Network Programming: Interprocess Communications. Vol. 2, 2d ed. Prentice Hall Professional. 1998.
Stevens, Richard W. UNIX Network Programming: Networking APIs: Sockets and XTI. Vol. 1. Prentice Hall Professional. 1997.
Viega, John, and Gary McGraw. Building Secure Software. Addison-Wesley. 2002.
Last updated: 2008-02-05
  |
||
|
|
|
|
| ||
Get information on Apple products.
Visit the Apple Store online or at retail locations. 1-800-MY-APPLE Copyright © 2007 Apple Inc. All rights reserved. | Terms of use | Privacy Notice |