SecureEnclave - Communication between Node Server and Device

Hi,

I want to use the iOS Secure Enclave to create a "Primary Device" mechanism. It would work like this.

  1. Device Creates Enclave Key Pair and Sends the Public Key to the Server (Preferably Node JS)
  2. The Server encrypts a random message with the Public Key and sends it to the Device. I can be sure the Device is the only one able to decipher that string, because the private key is safe in the Secure Enclave
  3. Now the client would decrypt the message and send the result to the server which can compare it to the original message.

When de- and encrypting data in the iOS ecosystem the process is straightforward. I encrypt data using SecKeyCreateEncryptedData and decrypt using SecKeyCreateDecryptedData, passing Public Key and CipherText objects.

Now my question is: how can I export the public key so that my Node JS backend can encrypt messages which will be decryptable again with the Secure Enclave?

You tagged this post with Apple CryptoKit but the APIs you referenced are from the Security framework. I’m going to assume CryptoKit, ’cause that’s easier (-:

A CryptoKit public key has various properties to export the key in various flavours. For example, the P256.Signing.PublicKey key supports the rawRepresentation, compactRepresentation, derRepresentation, pemRepresentation, and x963Representation properties. You’ll have to find a property that is compatible with your server-side tooling.

For more background on these formats, see On Cryptographic Key Formats.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is there any reason at all to go with the Security Framework?

There are two that I can think of:

  • Some algorithms are only supported by the SecKey API, in which case CryptoKit isn’t an option.

  • The SecKey API is supported on older OS releases.

If you don’t need either of those, use CryptoKit. It’s generally easier. Probably the biggest friction is the round trip to and from the keychain, as discussed in Storing CryptoKit Keys in the Keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
