About Cryptographic Services
OS X and iOS offer a number of technologies that provide cryptographic services: encryption and decryption, hashing, random number generation, secure network communication, and so on. These technologies can be used to secure data at rest (when stored on your hard drive or other media), to secure data in transit, to determine the identity of a third party, and to build additional security technologies.
At a Glance
Some of the cryptographic services provided by iOS and OS X include:
Encryption and decryption (both general-purpose and special-purpose)
Key management using keychains
Cryptographically strong random number generation
Secure communication (SSL and TLS)
Secure storage using FileVault and iOS File Protection
Encryption, Signing and Verifying, and Digital Certificates Can Protect Data from Prying Eyes
There are two main types of encryption: symmetric encryption, in which a single shared key is used for encrypting and decrypting data, and asymmetric encryption, in which you use one key to encrypt data and a separate (but related) key to decrypt the data. You can use a hash to detect modifications to a piece of data, but a hash alone says nothing about who produced the data. You can combine a hash with an asymmetric key pair to create a digital signature: the signer signs the hash with the private key, and anyone holding the public key can verify it. When that public key is bound to an identity by a digital certificate, a valid signature shows that the data came from the holder of the certificate's private key and has not been changed since it was signed. Digital certificates, in turn, are verified by checking the signature of the party that signed the certificate, then verifying that party's certificate, and so on until you reach a certificate that you trust inherently, called an anchor certificate.
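The following added example walks through the chain described above in working code. It is not Apple's code and does not use the Security framework APIs this guide covers; it uses Go's standard library to show the same three steps: a hash to detect modification, an ECDSA signature over that hash, and validation of the signer's certificate back to an anchor. The names ("Example Root CA", "alice@example.com"), serial numbers, and the sample message are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Party is a key pair plus the certificate binding its public key to a name.
type Party struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newParty generates a P-256 key and a certificate for it. With issuer == nil the
// certificate is self-signed and marked as a CA: an anchor a verifier trusts
// inherently. Otherwise it is an end-entity certificate signed by the issuer.
func newParty(name string, serial int64, issuer *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signingKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signingKey = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signingKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Key: key, Cert: cert}, nil
}

// Fingerprint is the SHA-256 digest of data. Comparing it with a digest taken
// earlier detects modification, but cannot tell you who produced the data.
func Fingerprint(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// Sign hashes msg and signs the digest with the party's private key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := Fingerprint(msg)
	return ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
}

// VerifySigned accepts msg only if (1) sig verifies under the public key in the
// signer's certificate and (2) that certificate chains to one of roots. Step 1
// alone proves possession of some private key; step 2 ties that key to a name
// vouched for by an anchor the verifier already trusts.
func VerifySigned(msg, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an ECDSA key")
	}
	digest := Fingerprint(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match message: modified or forged")
	}
	if _, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted anchor: %w", err)
	}
	return nil
}

// Roots builds a trust store containing only the given anchors.
func Roots(anchors ...*Party) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a.Cert)
	}
	return pool
}

func main() {
	anchor, err := newParty("Example Root CA", 1, nil) // the trusted anchor
	if err != nil {
		panic(err)
	}
	alice, err := newParty("alice@example.com", 2, anchor) // issued by the anchor
	if err != nil {
		panic(err)
	}
	msg := []byte("transfer 10 units to bob") // constructed sample message
	sig, err := alice.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:  ", VerifySigned(msg, sig, alice.Cert, Roots(anchor)))
	fmt.Println("tampered: ", VerifySigned([]byte("transfer 99 units to bob"), sig, alice.Cert, Roots(anchor)))
	rogue, _ := newParty("Rogue Root CA", 3, nil) // a CA the verifier never trusted
	fmt.Println("untrusted:", VerifySigned(msg, sig, alice.Cert, Roots(rogue)))
}
```

Both failure cases matter in practice: a tampered message fails at the signature check even though the certificate is fine, and a certificate issued by a CA outside the trust store fails at the chain check even though the signature is mathematically valid. A verifier that skips either step is not verifying what the paragraph above describes.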
OS X and iOS Provide Encryption and Hashing APIs
OS X and iOS provide a number of APIs for encrypting and hashing data, including Keychain Services; Cryptographic Message Syntax Services; Certificate, Key, and Trust Services; Common Crypto; and Security Transforms.
Keychains Help You Store Secret Information
If your app must store encryption keys, passwords, certificates, and other security-related information, it should use a keychain. Keychains provide secure storage for small pieces of information so that it is not accessible by other apps running on the system, and so that it is accessible only after the user has logged in or unlocked the device. OS X and iOS provide two APIs for working with the keychain and keys obtained from the keychain: the Certificate, Key, and Trust Services API and the Keychain Services API.
OS X and iOS Provide Cryptographically Secure Random Number Generators
Some cryptographic tasks require you to generate cryptographically strong pseudorandom numbers. OS X can provide these numbers through the /dev/random device node. iOS can provide these numbers through the Randomization Services API.
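The added example below is not Apple's code and does not call Randomization Services; it uses Go's crypto/rand, which reads the operating system's generator, to show the two things a practitioner most often gets wrong when drawing cryptographic random values: falling back to a non-cryptographic generator, and reducing a random value modulo n, which skews the result. BiasedCounts makes the skew visible for a single random byte, and RandomIndex shows the unbiased alternative (rejection sampling, as rand.Int does). Sizes and ranges are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/big"
)

// NewKey returns n bytes from the OS cryptographically secure generator.
// It never falls back to math/rand: a key from a seedable generator is guessable.
func NewKey(n int) ([]byte, error) {
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// RandomToken returns a 256-bit token as hex, e.g. for a session or reset link.
func RandomToken() (string, error) {
	b, err := NewKey(32)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// RandomIndex returns a uniformly distributed integer in [0, n). rand.Int uses
// rejection sampling, so it introduces no modulo bias.
func RandomIndex(n int64) (int64, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(n))
	if err != nil {
		return 0, err
	}
	return v.Int64(), nil
}

// BiasedCounts shows why "random byte % n" is wrong: it counts how many of the
// 256 byte values map to each residue. Unless n divides 256, some residues are
// reachable from one more byte value than others and are therefore more likely.
func BiasedCounts(n int) []int {
	counts := make([]int, n)
	for b := 0; b < 256; b++ {
		counts[b%n]++
	}
	return counts
}

func main() {
	tok, _ := RandomToken()
	fmt.Println("token:", tok)
	i, _ := RandomIndex(100)
	fmt.Println("unbiased index in [0,100):", i)
	c := BiasedCounts(100)
	fmt.Printf("byte %% 100: residue 0 hit by %d byte values, residue 99 by %d\n", c[0], c[99])
}
```

For n = 100 the histogram shows residues 0 through 55 reachable from three byte values and 56 through 99 from only two, a 50% skew that a password or PIN generator built on `% n` would inherit. The same argument applies to 32- or 64-bit draws; the skew is smaller but still present for any n that does not divide the source range.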
OS X and iOS Provide Secure Network Communication APIs
Transmitting data securely requires a secure communications channel. OS X and iOS provide a number of APIs for establishing secure communications channels, including the URL Loading System, socket streams in Core Foundation and Foundation, and Secure Transport.
Although the CDSA and CSSM API is deprecated in OS X v10.7 and later, you may still need to use it in a few situations. For this reason, its documentation is provided as an appendix.
Before reading this document, you should be familiar with the concepts in Security Overview and Secure Coding Guide.
For more information about OS X authentication and authorization (built on top of encryption technologies), read Authentication, Authorization, and Permissions Guide.