- access control list (ACL)
A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.
- access object
An opaque data structure containing one or more access control lists. Each keychain item has one access object.
- application programming interface (API)
The set of routines, data structures, constants, and other programming elements that allow developers to use some part of the system software.
- attribute
One data item, such as the name, type, date modified, account number, and so on, for a keychain item, other than the secret. The attributes associated with a keychain item depend on the class of the item.
- authentication
The act of verifying identity with something the user provides. For example, a user can provide information such as a name and password, a physical item such as a smart card, or a physical feature such as a fingerprint or retinal scan.
- authorization tag
A data field in an access control list (ACL) that specifies an operation that can be done with that keychain item, such as decrypting or authenticating.
- certificate
See digital certificate.
- CDSA (Common Data Security Architecture)
An open software standard for a security infrastructure that provides a wide array of security services, including fine-grained access permissions, authentication of users, encryption, and secure data storage. CDSA has a standard application programming interface, called CSSM (Common Security Services Manager). In addition, OS X includes its own security APIs that call the CDSA API for you.
- CSSM (Common Security Services Manager)
A public application programming interface for CDSA (Common Data Security Architecture). CSSM also defines an interface for plug-ins that implement security services for a particular operating system and hardware environment.
- default keychain
The keychain accessed by certain Keychain Services functions when no other keychain is specified in the function call. For example, newly created keychain items are stored in the default keychain unless a different keychain is specified in the function call. A default keychain is created for each new login account, but the user can use the Keychain Access utility to designate another keychain as the default.
- default keychain search list
The list of keychains searched by certain Keychain Services functions when no other keychain or list of keychains is specified in the function call. The default keychain search list contains the same keychains as the keychain list displayed in the Keychain Access utility.
- digital certificate
Digitally signed data that can be used as a component of digital authentication systems. Because certificates might be referred to more than once, Keychain Services allows applications to store them in a keychain.
- encrypt
To secure data so that it cannot be read by unauthorized entities, in such a way that its original state can be restored later (decrypted). In most cryptographic systems, encryption and decryption are performed by manipulating the data with a string of bytes called a key.
- generic password
A password other than an Internet password.
- Internet password
A password for an Internet server, such as a Web or FTP server. Internet password items on the keychain include attributes such as the security domain and IP address.
- key
A string of bytes used by an encryption algorithm to encrypt or decrypt data.
- keychain
A container that holds encrypted secrets for multiple applications and secure services. See also keychain item.
- Keychain Access
A utility that allows users to create, delete, and modify keychains and keychain items.
- keychain item
A secret that is encrypted and protected by the keychain, plus its associated attributes and access object. Each keychain item has a class that determines what attributes it has; for example, Internet password items include an IP address attribute. The password or other secret stored as a keychain item is encrypted and is inaccessible when the keychain is locked. When the keychain is unlocked, the secret can be read by the trusted applications listed in the item’s access object and by the user (with the Keychain Access utility). The attributes are not currently encrypted.
- Keychain Manager
A legacy API used to create, delete, and modify keychains and keychain items prior to OS X v10.2. Keychain Services is preferred for use with OS X v10.2 and later.
- Keychain Services
The API used to create, delete, and modify keychains and keychain items starting with OS X v10.2.
- locked
A keychain state in which no key is available in memory to decrypt the passwords and other secrets protected by the keychain. When an application attempts to retrieve a secret from a locked keychain, the user is prompted for a password. The login keychain is unlocked automatically at login if its password matches that of the user’s login account.
There is no way to extract secrets from a locked keychain without providing the keychain’s password. All of a user’s keychains lock automatically when the user logs out.
- login keychain
A keychain automatically created for a new login account. The login keychain is automatically unlocked at login if its password matches that of the user’s login account. For OS X v10.2, the login keychain had the same name as the login account. For OS X v10.3, the login keychain is named login.keychain. OS X v10.3 also recognizes login keychains created under OS X v10.2.
- password
Data, usually a character string, used to authenticate a user for a service or application.
- secret
The encrypted data in a keychain item, such as a password. Only a trusted application can read the secret of a keychain item. Compare with attribute.
- secure storage
Encrypted storage of data that requires a user or process to authenticate itself before the data is decrypted.
- system keychain
A keychain that belongs to the system as a whole, rather than to a particular user. System keychains are usually used by system daemons and services, but can also be accessed by applications on behalf of users. One system keychain, named System.keychain, is created by the system and added by default to every user’s keychain list.
- transparent authentication
Authentication without intervention by the user. After unlocking the keychain, the user does not have to log in separately to any services whose passwords are stored in the keychain.
- trusted application
An application that can read a keychain item’s secret when the keychain is unlocked. See also access control list (ACL).
- unlocked
A state in which the keychain has a key in memory that can be used to encrypt or decrypt items in that particular keychain. A keychain is considered unlocked after its password has been entered (by the user or programmatically). An unlocked keychain can provide access to its secrets, subject to ACL checks, until it is locked again.
- user ID
Data, usually a character string, used to identify a user for a service or application.