Bulk decrypt with SecKeyCreateDecryptedData

I have generated a ECSECPrimeRandom key in the Secure Enclave that I use to encrypt and decrypt data (mainly strings) using the eciesEncryptionCofactorX963SHA256AESGCM algorithm.

I have specified the access control on this key to be
Code Block swift
[.privateKeyUsage, .userPresence]

since I want to authenticate the user before using the private key.

The problem is that I sometimes want to "bulk" decrypt multiple encrypted Data items at once using this key. Under the current implementation, though, if I have n strings to decrypt at once, the user is prompted for authentication n times, which is quite cumbersome.

Is there a method I can use like SecKeyCreateDecryptedData, but for bulk decryption? Or is there a way I could tweak to .userPresence option to add some a few seconds of grace period so that the user is only prompted once for authentication?
Up vote post of thenewpotato Down vote post of thenewpotato
391 views
Posted by
thenewpotato
Reply
Add a Comment

Accepted Reply

I think you can do this using one of the techniques below but, alas, I don’t have the time today to dig up the details. If these don’t work out, I recommend that you open a DTS tech support incident and that’ll give me the time to look into this properly.


One approach is to supply an LAContext (using kSecUseAuthenticationContext) when you get the item from the keychain. This context gets authenticated the first time you use it, and subsequent uses can reuse that authentication.

Another option is to get the key, then gets its access object SecAccessControl, then evaluate that using evaluateAccessControl(_:operation:localizedReason:reply:).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

I think you can do this using one of the techniques below but, alas, I don’t have the time today to dig up the details. If these don’t work out, I recommend that you open a DTS tech support incident and that’ll give me the time to look into this properly.


One approach is to supply an LAContext (using kSecUseAuthenticationContext) when you get the item from the keychain. This context gets authenticated the first time you use it, and subsequent uses can reuse that authentication.

Another option is to get the key, then gets its access object SecAccessControl, then evaluate that using evaluateAccessControl(_:operation:localizedReason:reply:).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment
Hey Quinn,

Thank you so much for your help! I added a LAContext when retrieving the key and it does exactly what I need.

I remember reading about LAContext in the docs, but couldn’t figure out how / where to use it. Thanks for pointing me in the right direction!


Tiger
Posted by
thenewpotato
Up vote reply of thenewpotato Down vote reply of thenewpotato
Add a Comment