There are many security features built into Mac OS X, including industry-standard digital signatures and encryption for Apple’s Mail application and authentication for the Safari web browser. The four features most visible to users are:
Security system preferences
FileVault, which users can configure through Security system preferences
Accounts system preferences
the Keychain Access application
Security system preferences let the user configure FileVault (discussed next) and control some aspects of authorization on the computer (Figure 3-5).
The Security system preferences dialog lets the user specify whether authorization should be required:
To wake the computer from sleep or a screen saver
For every account on login
To unlock each lockable system preference
At the bottom of the dialog is the lock icon provided by the authorization view (see “Security Objective-C API”). When this icon shows a closed lock, authorization is required before the user can change the settings in this system preferences dialog.
When the user turns on FileVault (see Figure 3-5), Mac OS X uses 128-bit AES encryption to encrypt everything in the user’s home folder. As long as the user is authenticated and logged in, the system automatically decrypts any file the user opens. However, no other user can gain access to these files.
AES (Advanced Encryption Standard) is a symmetric-key algorithm adopted by the National Institute of Standards and Technology (NIST) as a standard for government and private use to protect sensitive, nonclassified data. It enables very fast and highly secure encryption and decryption of data. Because it is a symmetric-key algorithm, the same key both encrypts and decrypts the data, so the keys are stored securely on the user’s computer.
Full documentation of the AES algorithm is available on the NIST website at http://csrc.nist.gov/CryptoToolkit/aes/rijndael/.
When a user installs Mac OS X on a computer, that user automatically becomes a member of the admin group (“The Admin Group”). Subsequently, the user or any other member of the admin group can use Accounts system preferences to add new users to the system.
For each new user, the administrator can specify whether that user is a member of the admin group (Figure 3-6). If a FileVault master password has been set, the administrator can also turn on FileVault for the new account.
If the new user is not a member of the admin group, the administrator can limit the system features and applications to which that user has access (Figure 3-7).
Keychain Access is a utility that gives users access to Keychain Services (“Keychain Manager and Keychain Services”). A user can see the passwords, certificates, and other data that are stored in their keychain. They can create new keychains, add and delete keychain items, lock and unlock keychains, and select one keychain to be the default.
Keychain Access lets the user see what certificates are available for use by email and web applications, who owns each certificate, and who issued each certificate. Certificates are described in “Digital Certificates.”
The user can see and change passwords stored for various applications and can securely store other secrets such as passwords, credit card numbers, and notes. When a keychain is locked and an application needs to gain access to a keychain item, Keychain Services prompts the user for a password.
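The lock and unlock behavior described above can be observed from Terminal with the macOS `security` command-line tool. This is an added example, not part of the original Apple document; the keychain name, service, account and secrets are constructed throwaway values, and the script name in the final comment is hypothetical.

```shell
#!/bin/sh
# Added example (not Apple's code): keychain lifecycle with the macOS `security` tool.
# All names and secrets below are constructed throwaway values for the demo.
# Note: -p and -w values passed on the command line are visible in the process
# list, so use this pattern only with disposable test secrets.
KC="editor-demo.keychain"
KC_PASS="constructed-keychain-password"
SERVICE="example-service"
ACCOUNT="example-user"
SECRET="constructed-secret"

# Print the stored secret; non-zero exit if the keychain cannot be read.
read_item() {
    security find-generic-password -s "$SERVICE" -a "$ACCOUNT" -w "$KC" 2>/dev/null
}

# Report "ok" if the item reads back as $SECRET, otherwise "denied".
probe() {
    if [ "$(read_item)" = "$SECRET" ]; then echo ok; else echo denied; fi
}

# Create a keychain, add one item, then read it unlocked, locked and
# unlocked again. Prints the three results; returns 0 only for the
# expected sequence "ok denied ok".
keychain_lifecycle() {
    security create-keychain -p "$KC_PASS" "$KC" || return 2
    security unlock-keychain -p "$KC_PASS" "$KC"
    security add-generic-password -s "$SERVICE" -a "$ACCOUNT" -w "$SECRET" "$KC"
    r1=$(probe)
    security lock-keychain "$KC"
    r2=$(probe)      # GUI session: this is where the password prompt appears
    security unlock-keychain -p "$KC_PASS" "$KC"
    r3=$(probe)
    security delete-keychain "$KC"   # remove the demo keychain file
    echo "$r1 $r2 $r3"
    [ "$r1 $r2 $r3" = "ok denied ok" ]
}

# Run only when asked, e.g. `sh keychain_demo.sh run` on a Mac.
if [ "${1:-}" = "run" ]; then
    keychain_lifecycle
fi
```

In a logged-in graphical session the read against the locked keychain raises the keychain password dialog; cancelling it produces the `denied` result.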
Last updated: 2008-02-08