Apple Data Security Framework 77
rschroeder writes: "Apple has opened their Common Data Security Architecture framework, which "contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys." Lots of good info in addition to the code."
Re:OpenSSL? (Score:1)
Re:Is this even a valid observation? (Score:1)
Re:Thanks Apple (Score:1)
Now imagine the heat they would get with a GUI to run on other OSs. You'd have the Linux camp crying bloody hell because it's not free and how superior KDE and Gnome are. You'd hear people blame about how insecure it was because it was closed, even if it wasn't insecure. You'd hear people complain about how the GUI contributed to a security hole, even theough the underlying security hole was due to that other OS.
Apple would hear about all the "incompatibilities" the GUI introduced. About how they couldn't "win in their own market on their own hardware" and had to "adopt" another market to survive.
If Apple went to try some quality control and made an agreement with an x86 hardware manufacturer, say AMD, Athlon, and Micron Memory, you'd get folks schreaking about how Apple "tied" products together, where limiting their hardware "choices".
And if they didn't "bundle" with hardware, the tech support issues they would have to deal with would be tremendous.
There is NO WAY IN HELL Apple is releasing this GUI for general mass consumption on other generic hardware unless they have a direct tie into the underlying OS and hardware, or with huge disclaimers--someone gets it to work, Apple doesn't support it. So yes, they could port it to x86, but they'll do it on their terms, not on the consumers. I don't like that decision, but I certainly understand it, given what I've read on /. and in the media since MacOS X's release.
The negative talk would hurt their bottom line on sales on their own proprietary hardware. Meanwhile, they would be losing money from the increased support. They'd have to charge upwards of $200 to cover this, and then the "bloody hell" cries would start and the cycle would begin again.
Not going to happen.
Re:Intel CDSA (Score:1)
Yes, Intel has its own implementation but, if you've looked at it, you'll know that it has various issues and does not fully implement the spec. Apple's implementation was developed completely in-house and is not a port.
Also, from what I hear, the Apple people are quite highly regarded by their peers at CDSA meetings...in fact, the Intel folk often go to them to get questions answered about the spec and the best way to implement it.
Re:No, Darwin isn't MacOS X lite (Score:1)
Remember, NEXTSTEP runs on SPARC, HP PA-RISC, x86, PPC, 680x0, etc., so the core OS is already proven to be highly portable.
Apple and CDSA (Score:2)
CDSA is a standard that was established by the open groups, a number of corporations are working on CDSA products, it does provide a large range of services other than providing a common API for cryptographic services, trust policy, certificate library and so on.
While it offers a standard way of securely communicating data, it also offers a common way to establish policies and the many things. it was meant to be a complete solution for security, especially for e-commerce.
It's nice to see an implementation openly available, if no one uses it it will still be easier to ensure interoperability with MacOS X...
Also it brings some publicity to CDSA, which is not bad.
In my opinion, it's a good thing.
Re:Good first step (Score:2)
The reality is, the Apple is not secure concerns are media spins by folks who are looking for a problem to write about. Not finding it, they write about "concerns" and play on the ignorant OS advocates and trollers, who respond and draw everyone else into the mix.
It's been like this for ages. Look at the /. articles. There's one that Apple is not being security conscious. Then there's an Ask Slashdot which accuses Apple of too many upgrades. Now this, where Apple has simply adapted technology to fit their machines--it's doubly played as if Apple invented it (they make no such claim) and is trying to take credit for it, and that Apple is upping security, as if Apple wasn't secure in the first place.
Sorry, but there have been MORE exploits for Linux than MacOS X from the time MacOS X has been released. Worse, Linux has been around awhile, while MacOS X, being the new, unproven OS, should have been littered with holes. The opposite proves true, but you won't have people in the media or other OS advocates pointing that out.
Intel CDSA (Score:3)
Re:Is this even a valid observation? (Score:1)
Re:Wow... more more more... (Score:2)
Of course, you're probably still right but about some other bit of hardware. Macs still have NVRAM, after all.
Re:Wow... more more more... (Score:1)
In order for clones to pop up, Apple would have to license the use of this ROM file, which as mentioned in other comments, they will not do!
Re:OpenSSL? (Score:3)
Longer answer: It's a security framework with hooks to a lot of things. If you'd read at least the introduction you'd have seen that it does, indeed, contain support for SSL, PGP and many other standard security/encryption/ham-and-cheese-sandwich technologies. Actually it's the MacOS X implementation of the OpenGroup standard. I do not know (did not find information more like it), however, if they _did_ implement the whole schmiel.
Longer longer answer: read the OpenGroup documentation. Download the code. Read the code. Come back and tell us about it.
Re:Secure except for... (Score:2)
-Dave
Re:Microsoft Response (Score:1)
That would make a change.
http://lwn.net/1999/1202/security.php3
http://www.cs.auckland.ac.nz/~pgut001/pubs/pwl.
http://www.cs.auckland.ac.nz/~pgut001/pubs/brea
http://www.cs.auckland.ac.nz/~pgut001/pubs/brea
http://www.cs.auckland.ac.nz/~pgut001/pubs/brea
--
Re:Some Background (Score:2)
Secondly I don't see any references as to the encryption used - it's a MS-specific blackbox as far as I can tell. Considering MS's shaky history of security implementations & the general problem of closed-source encryption this isn't particularly comperable to Apple's Open Source implementation of an outside published standard written by broad coalition of interested users.
Finally what uses this? Win2k has literally thousands of API's, some excellent, some half-baked, some simply broken or braindead, many overlapping or redundant. Having an API is one thing, using it or getting it used is another, particularly in the archeology that is Win2k.
Under MacOS 9 & 10 the Keychain is availiable from within the Finder, the Chooser, it's more modern implementation the Network Browser, the en/de-cryption applets, MS's Internet Explorer, most FTP clients including Interarchie & Fetch plus numerous other applications.
Some Background (Score:5)
One of the features of MacOS 9 [apple.com] has been the ability to encrypt [apple.com] any file via a set of system-level services. A second feature has been the ability to use a "Keychain [apple.com]" service where passwords & other information can be securely stored & automatically retrieved by authorized applications. A third feature has been the ability to use a Voiceprint [apple.com] as a password.
Here are a number of examples of how these features can be used:
- Macs running MacOS 9 and greater support Multiple Users [apple.com]. Thus folks can (or must) log in in order to access their materials. This login can be accomplished via typed password or Voiceprint [apple.com]. Macs with access to an appropriate server can store individual preferences on the server and these can used applied from client Macs as the user logs in.
- In order to encrypt or decrypt a file under MacOS 9 and greater on need simply drag-and-drop the file/folder/drive to the encryption application [apple.com]. This service can also be called from within any application utilizing the cryptographic API's.
- Utilizing the "Keychain [apple.com]" any program can store or retrieve settings, passwords and other secured bits of information. Thus instead of saving one's web-account passwords in an easily read text file they're stored encrypted in a file where explicit authorization must be given for access. The same for the other various servers one might utilize regularly or occasionally - their login information and passwords can be stored under a single master-password and applied at need.
Now, lots of folks are going to start reading this and trying to imagine lots of ways they could break this, the possible downsides, etc. Yes, it's not completely foolproof. On the other hand it's a lot better then many other OS's offer, particularly when you realize it's widely supported throughout the OS and by many (most?) applications. Furthermore it seems fairly well thought out and after being out in the field a bit it seems to be working well.It's good to see Apple is finally documenting the same hooks in MacOS X. Presumably by completely opening the material a better evaluation of the processes can be made and improvements implemented by third parties. Furthermore since it's a standard promulgated by a number of companies all in the security field this has a good chance of being implemented in a wide range of products.
It would also be great if other OS development folks could take this code and use it to compare/contrast their own efforts in this direction and use them to improve themselves, possibly even work towards adopting some common material where the specs are vague.
Finally, before going and making wild-assed assumptions based on how you assume this stuff is implemented or blue-skying on it's possible flaws howzabout investing the 10 minutes and actually getting the facts first, not wasting all of the rest of ours time? This is all Open Source and it's well documented so it's not up to everyone else to teach you: Go read it for yourself.
No, Darwin isn't MacOS X lite (Score:5)
That said there's a long distance between Darwin & MacOS X. Carbon, Quartz, Aqua, QuickTime, Classic - all are critical parts of MacOS X that aren't in Darwin. Without them Darwin is an interesting BSD variant with a Mach-based kernel, reworked IO & some nifty OO & "Frameworks" support and innovative configuration-files-settable-via-XML technology.
That doesn't a clone make. Indeed it's debatable if Apple could themselves easily make a clone-able Mac at this point. So much of MacOS X (not Darwin) is PPC-specific and relies so heavily on Apple hardware implementations it might not be easily possible.
Sure Next was ported many times & MacOS X has inherited much of that flexibility but since then there's been massive rewrites. It's likely that most of everything above Darwin might require a lot of work now move to another architecture or even motherboard design, there appear to be lots of assumptions made in the design.
Sure there are always rumors of MacOS X running on x86/Alpha/etc. chips and there was a Rhapsody release that was cross-platform as well as stories of a beta MacOS 8 runnable on an IBM RS6000 but at this point it seems unlikely that the MacOS X now out there could be easily moved to either an Intel-standard motherboard architecture (BIOS/ Northbridge/Southbridge etc.) or to another workstation architecture using OpenFirmware etc.
Possible: Yes.
Easily Achieved: No
Possible by someone other then Apple? No
Darwin does not MacOS X make.
Re:No, Darwin isn't MacOS X lite (Score:1)
--
Re:Wow... more more more... (Score:2)
Yes, but there's still a boot ROM on the Macs. The ROM-in-RAM does load a "ROM" from a file on disk, but the Boot ROM (basically a BIOS) does quite a bit at startup. Here's info from the original iMac's developer notes:
"The Boot ROM contains the code needed to start up the computer, initialize and examine the hardware, provide a device tree to describe the hardware, provide hardware access services (RTAS), and control to the OS. The Boot ROM can be grouped into the following major pieces. "
Granted, this doesn't contain a significant portion of the OS, like the ROMs used to, but it's pretty key.
-jon
Re:Wow... more more more... (Score:2)
-jon
Re:Thanks Apple (Score:3)
Uh, it is. By default, Mac OS X ships with Mac file sharing off, FTP off, Apache off, and ssh off. Telnet is disabled in all versions since 10.0.1. If you want to turn them on, it's just a checkbox, but 99% of all Mac users won't turn on any of them except for Mac file sharing, which should be pretty safe; I don't know of any AppleTalk exploits.
-jon
Re:Wow... more more more... (Score:3)
No, it doesn't. Darwin alone isn't much more than a BSD variant, and I'd be pretty surprised if Apple isn't using the copyrighted ROMs on every Mac's motherboard as some sort of dongle for the higher-level Mac OS X functionality. You couldn't copy those ROMs without Apple's permission and that will happen over Steve's cold, dead body.
Whether or not Apple could survive under a licensing system is a different debate. But I doubt that it'd be possible technically without Apple's blessing.
-jon
Re:AppleTalk exploits (Score:2)
License prevents implementing this spec? (Score:2)
"2.You are permitted to read the HTML and PDF versions of Open Group publications using your HTML browser/Acrobat software and to download them for your own personal use provided you have given your name and email address for each publication requested. However, you are NOT permitted to amend, copy, reprint, offer for sale, or otherwise re-use material from these documents without explicit permission from The Open Group.
I assume "otherwise re-use material" would include actually implementing the specification.
Funny thing about the security there... (Score:2)
Re:OpenSSL? (Score:3)
No. This is an extensible architecture that allows you to add modules for a ton of algorithms. Think of it more as a pluggable architecture something like Java's JCE.
I'd assumed that OpenSSL would work on MacOSX, given all the spiel about it being Unix based.
Mac OS X ships with TCPWrappers, OpenSSL and OpenSSH installed by default since version 10.0.1. There's a GUI interface available in the System Preferences panel to turn it on and off (if you're an administrator - ie. are in the wheel group).
CDSA specification... (Score:3)
Good stuff.
Re:AppleTalk exploits (Score:1)
--
Re:OpenSSL? (Score:1)
Yeah, but the public beta did have OpenSSH and OpenSSL. The first retail release did not have crypto because not everything got worked out with the government in time.
I've been told that the reason older versions of OpenSS[H/L] were included with the update was the same reason -- it takes time to get approval for newer software. I'm not sure how true this is, just what I was told.
- Scott
--
Scott Stevenson
WildTofu [wildtofu.com]
Re:Thanks Apple (Score:2)
--
Auth Encryption (Score:2)
--
Thanks Apple (Score:4)
--
Re:AppleTalk for Linux CAN use encryption (Score:1)
Re:voiceprint (Score:1)
Re: (Score:2)
Re:Some Background (Score:1)
One new feature in the Open Firmware updates for Mac is a setting that will prevent booting from CD. It's still defeatable if you can open the box and rearrange the RAM (safety feature for people that might get stuck with $2000 paperweights), but it works.
Re:Remember... to check your compiler. (Score:1)
OpenSSL? (Score:1)
(I'd assumed that OpenSSL would work on MacOSX, given all the spiel about it being Unix based.)
--
Too stupid to live.
Re:Thanks Apple (Score:2)
Of course, they could always just ship Aqua for OpenBSD... ; )
Re:Is this even a valid observation? (Score:3)
The main leverage Microsoft has on Apple is the threat of cancelling MS Office for the Mac. But that does make MS a ton of money, so they're not just doing it for leverage purposes.
Good first step (Score:3)
I'm glad to have the opportunity to look into this framework now. Hopefully Apple will keep addressing the security holes that'll pop up elsewhere in the OS from time to time.
Will this silence the rabid anti-Apple critics who haven't used a Mac since 1984 (if ever)? Not a chance.
Re:Is this even a valid observation? (Score:2)
Any code posted on their Publicsource [apple.com] site is open for all comers. For example, OpenPlay runs on Mac, Win, and various *nixes.
As for CDSA, a couple other people are already working on Windows [intel.com] and Linux [sourceforge.net] implementations.
Apple and MS (Score:1)
Re:Is this even a valid observation? (Score:1)
Re:voiceprint (Score:1)
Bummer. I guess this means I would need to use at least this high quality of a tape playback to defeat it.
Re:All that security, but insecure setuid (Score:1)
Mac OS 9 and predecessors, don't ship with very many services. AFP, Personal Web Sharing.
Just a very few years ago, this list was only AFP. Apple's AFP at least doesn't send passwords in the clear. (Unless client is a Mac, and server is a Linux box. See my other posting in this story titled AppleTalk exploits.)
As for security, AFAIK, there have never been any exploits. Very few things on Mac work in such a way that there could even be such a thing as a format string attack. You probably wouldn't find a lot of buffer overflows. Originally, MacOS was all done in Pascal, with a length byte for all strings instead of the zero-terminated C strings.
Even if you found a buffer overflow... What could an exploit do? There is no command shell. No pipes. No command line. No handy large library of pre-installed stuff like telnet, ftp, tftp, bash, netcat, etc.
This is probably why Mac OS has always been the most secure. There is nothing there to exploit. Even if you run a MacOS hosted web server, there just isn't anything there to exploit.
Re:AppleTalk exploits (Score:1)
That depends on the problem definition.
In this case, the problem is:
I've got a Linux box at home. I want to access files on it from work. AFP over TCP is great -- except for the plaintext password.
In this case, a Mac OS only solution, wouldn't be a solution at all. I also have some Macs at home and access two of them over the Internet in the same way. (Some of them are really old.) But only in the case of the Linux running Netatalk is there a security issue.
I wouldn't dare do this with samba to allow my Windows box at work to access my home directory at home over the Internet. I think there's just not enough people who know to grab passwords out of the AFP over TCP protocol.
Re:Auth Encryption (Score:1)
I'll look into it.
I don't do the remote-mount thing very often. So I don't tend to worry about it. I tend to change my password later that evening when I get home. (Paranoid.)
I use SuSE 6.4, and use the Netatalk that came with it. It's super easy to set up. (Unlike some of the setup nightmares I've read on usenet of people trying to set up Netatalk on other distributions.)
Re:All that security, but insecure setuid (Score:1)
Still, this is not exactly like having a shell. But you could, theoreticaly, send suitable AppleEvent's to the Finder to manipulate files, launch programs, etc. Of course, I suspect the knowledge to do this is not common to most crackers who seem to confine themselves to Unix & Windows.
Re:AppleTalk for Linux CAN use encryption (Score:1)
I am running SuSE 6.4, shipped in April 2000. Over a year old. I tend to install every update I can get my hands on. But I'm running the Netatalk that SuSE provides.
I'm looking forward to updating to SuSE 7.1 soon. Maybe this will improve the Netatalk.
AppleTalk exploits (Score:2)
Just because there are no exploits, doesn't mean you have security. (See my last sentence below.)
I remember from an Apple developer's conference about 1987 (yes that's EIGHY seven) that when the password traverses an AppleTalk network, it is DES encrypted, or something like that.
In recent years, you can use AFP (Apple Filing Protocol) over TCP as well as over AppleTalk. Now I don't know about Apple's implementation of AFP over TCP, but when I use a Netatalk server on a Linux box, the password is in the clear. Apparently, Netatalk doesn't have or use a UAM on the Mac side to scramble the password. Even bad ol' Microsoft does this -- although you need to use a custom UAM from MS to access AFP on an NT Server from a Mac. But it's easy, just drop the UAM into your System Folder. And has been this way for years. (UAM = <something> authentication module, or somesuch.)
At home, on Cable Modem, I have a Linux box, static IP, domain name. At work, using my Mac I sometimes mount my home directory using AFP. It's so easy. Just go to the chooser, mount it, etc. My home directory from Linux at home on my Mac desktop at work!
I've often suspected that the password goes naked (in the clear). I just now positively confirmed it. I ran Ethereal (from a Win98se box), while I mounted my home directory from home (Linux) to my Mac desktop. Yup, the password is in the clear. It's right there in the packets.
The next logical step is to write the cute dude responsible for dsniff to see what the possibilities are to get dsniff to reveal AFP passwords over TCP.
The irony of this is that Mac mounting an AFP server volume is insecure only when the server is a Linux box. (well, actually Netatalk)
Re:Wow... more more more... (Score:1)
You mean like RevRDist?! [purdue.edu]
Damn -- I was surpised to hear that what I was doing in 1997 has only this year become possible. If only I had listened to informed people like you, then I would've known better.
Seriously though, RevRDist is great stuff. If you like Macs, especially if you work with them, you owe it to yourself to learn how to work it. It takes some hacking: ResEdit, diffing files, understanding the Gestalt function, etc. It saves alot of work and maintenance in the long run, and you learn a lot about the MacOS at the file/resource level.
Re:Wow... more more more... (Score:1)
Re:Wow... more more more... (Score:2)
Wow... more more more... (Score:2)
Seems to me that Apple's in kind of a strange situation -- Darwin makes Mac cloning possible, at least for small operators. Apple needs to do some fast thinking at this point -- going completely Open Source is a good idea because MS-style licensing enforcement at this point goes out the window. But that means they need to start moving boxes, and more importantly, motherboards.
No doubt this is an interesting place for Apple to be working. They are giving up control, hopefully looking ahead to a point where software licensing is meaningless. That's good. Giving away an extensible crypto architecture is even better (not to mention that it makes hash of what little is left of export controls on crypto).
Apple should stay the course. Their next trick, though, needs to be establishing a commodity PowerPC hardware market. I'd be interested to see how that can be pulled off...
/Brian
Re:No, Darwin isn't MacOS X lite (Score:2)
My thought on the matter: get a Sandpoint board or something similar, get Darwin running on it, then copy over all the rest of the system and see if it will work. Unless they are in fact making high-level components hardware-dependent, it should work. Maybe not flawlessly mind you (Apple System Profiler would probably choke), but unless Apple's pulling some kind of funny business like was suggested above it shouldn't really be a problem... That is, after all, what microkernels are for...
/Brian
Re:No, Darwin isn't MacOS X lite (Score:2)
Re:Some Background (Score:1)
The same is true for AIX (with an AIX cd and a couple different keys of course)
Remember... (Score:1)
I didn't mean to imply (Score:1)
voiceprint (Score:1)
Re:But intel doesn't have a *nix OS! (Score:1)
Re:AppleTalk exploits (Score:1)
Sounds like you need to go to a MacOS only solution. OR you should get to work updating the Netatalk code...Open source is never broken, it's just got a long to-do list, or has fallen out of maintenance.
Re:All that security, but insecure setuid (Score:1)
Wait a minute...Apple is giving back! (Score:1)
Baby steps people.
Re:Is this even a valid observation? (Score:1)
Re:Microsoft Response (Score:1)
Thank god
Microsoft Response (Score:2)
Secure except for... (Score:1)
embrace and... um (Score:1)
communications. At least some segments of end
user population will start using crypto on daily
basis.
Apple is notorious though for looking at something
that has potentia (gui, networking) and taking
clean page, start from scratch taking some ideas,
make so-so implementation and start selling it,
like its the only thing acceptable to end users.
What should've happend is they should at least
bought out PGP industries, and cut time and
development costs, but that would be alot like
Microsoft. Or should've taken GPG framework and
promote just that. Just do code audit, compared
to whole redesign. GPG should be LGPL, I think,
because it sole purpose is not to compete with
PGP, but rather get everybody to use crypto
whatever the cost is. Now starting to use crypto
is somewhat time consuming and cumbersome.
There are too many standarts, as from end
users prospective.
This is overall good move from Apple's side.
I hope they will not make crypto that is licenced
default in whatever software/recommendations, so
we all can communicate, by lowest common
denominator cipher that is available.
interoperability (Score:1)
Is this even a valid observation? (Score:2)
Apple code for Apple OS, right?
Geek dating! [bunnyhop.com]
Re:Some Background (Score:2)
No, but it's a good start. Unfortunately, any Mac can be accessed by anyone with a copy of the Mac OS 9 cd. All they need to do is put the cd into the tray and hold down the "c" key after hitting the reset switch. The machine will boot off the cd, and allow access to any file on any of the drives attached. Copy, delete, do what you like.
Granted, you can't open specific files that have been encrypted by the system. But like I said, it's a start.
What's even more interesting in my opinion is that Apple has recognized this vulnerability and finally released an Open Firmware update [apple.com] that password-protects the machine before the OS is loaded - either from the cd or internal hard drive.But they don't recommend using it [apple.com].
OS 9 will never have security that's on par with any *NIX OS (it's just not multi-user at its heart), but it is better than nothing.
Re:Wow... more more more... (Score:1)
No, it doesn't. Darwin alone isn't much more than a BSD variant, and I'd be pretty surprised if Apple isn't using the copyrighted ROMs on every Mac's motherboard as some sort of dongle for the higher-level Mac OS X functionality.
I may be wrong, but Macs stopped shipping with those OS ROMs a long time ago... so I think you're totally off base.
Re:Some Background (Score:2)
Windows NT utilized a third party package to provide similar capabilities, the PStoreAPI.
Richard Bondi
All that security, but insecure setuid (Score:2)
Here's hoping someone at Apple fixes this before someone else not at Apple finds a way to hack the soon-to-be-masses of Mac OS X boxen en masse.
Re:All that security, but insecure setuid (Score:3)