About Cryptographic Services
macOS and iOS contain a number of technologies that provide cryptographic services—encryption and decryption, hashing, random number generation, secure network communication, and so on. These technologies can be used to secure data at rest (when stored on your hard drive or other media), secure data in transit, determine the identity of a third party, and build additional security technologies.
At a Glance
Some of the cryptographic services provided by iOS and macOS include:
Encryption and decryption (both general-purpose and special-purpose)
Key management using keychains
Cryptographically strong random number generation
Secure communication (SSL and TLS)
Secure storage using FileVault and iOS File Protection
Encryption, Signing and Verifying, and Digital Certificates Can Protect Data from Prying Eyes
There are two main types of encryption: symmetric encryption, in which a single shared key is used for encrypting and decrypting data, and asymmetric encryption, in which you use one key to encrypt data and a separate (but related) key to decrypt the data. You can use a hash to detect modifications to a piece of data. You can combine hashes with asymmetric keys to create a digital signature that, when verified against a digital certificate, proves the source of a piece of data. Digital certificates, in turn, are verified by verifying the signature of the party that signed the certificate, then verifying that party’s certificate, and so on until you reach a certificate that you trust inherently, called an anchor certificate.
macOS and iOS Provide Encryption and Hashing APIs
macOS and iOS provide a number of APIs for encrypting and hashing data, including Keychain Services; Cryptographic Message Syntax Services; Certificate, Key, and Trust Services; and Security Transforms.
Keychains Help You Store Secret Information
If your app stores encryption keys, passwords, certificates, and other security-related information, use a keychain. Keychains provide secure storage for small pieces of information so that is not accessible by other apps running on the system, and so that it is accessible only after the user has logged in or unlocked the device. macOS and iOS provide two APIs for working with the keychain and keys obtained from the keychain: Certificate, Key, and Trust Services and Keychain Services.
macOS and iOS Provide Cryptographically Secure Random Number Generation
Some cryptographic tasks require you to generate cryptographically strong pseudorandom numbers. Use the Randomization Services API to generate these numbers.
macOS and iOS Provide Secure Network Communication APIs
Transmitting data securely requires a secure communications channel. macOS and iOS provide a number of APIs for establishing secure communications channels, including the URL Loading System, socket streams in Core Foundation and Foundation, and Secure Transport.
Although the CDSA and CSSM API is deprecated in macOS 10.7 and later, its documentation is provided as an appendix.
Before reading this document, you should be familiar with the concepts in Security Overview and Secure Coding Guide.
For more information about macOS authentication and authorization (built on top of encryption technologies), read Authentication, Authorization, and Permissions Guide.