Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Generate private key that cannot be exported

Tags:

ios

cryptography

iphone

keychain

I want to generate a key pair on an iPhone such that the private key can only ever be used to sign blocks of data on that particular iPhone.

The SecKeyGeneratePair function looks promising. I can generate a key pair to the keychain (using kSecAttrIsPermanent) and I can disable decryption, derivation and unwrapping with the private key (setting kSecAttrCanDecrypt, kSecAttrCanDerive and kSecAttrCanUnwrap to false).

Two things worry me about key pairs generated with SecKeyGeneratePair:

  1. Is it possible to export the private key outside of the keychain into application memory?

  2. Is it possible to change a key property (e.g. set kSecAttrCanDecrypt to true) after a private key has been created?

like image 736
Randomblue Avatar asked Sep 13 '15 14:09

Randomblue

People also ask

Why can I not export private key?

If the option "Yes, export the private key" is greyed out during you export this certificate, it means the private key of this certificate cannot be exported after this certificate is enrolled/requested.

How do I make my private key exportable?

In the details pane, click the certificate that you want to export. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

Can you export a private key?

Go to: Certificates > Personal > Certificates. Right-click on the certificate you wish to export and go to All Tasks and hit Export. Hit Next on the Certificate Export Wizard to begin the process. Select “Yes, export the private key” and hit next.

How do I export a certificate marked as not exportable?

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.

2 Answers

This article provides more details (compared to other answers in this thread):

SecGenerateKeyPair(), which is used to generate RSA and ECDSA key pairs, can now be configured to directly store the generated private key in the device’s Keychain (within the Secure Enclave). This means that the private key can be used without ever leaving the device’s Secure Enclave.

And the important addition:

The kSecAttrTokenIDSecureEnclave attribute needs to be used when generating the key pair.

If you don't specify this attribute the private key will be accessible even on iOS9.

like image 60
Alexey Avatar answered Oct 30 '22 19:10

Alexey

To answer the first question, the private key cannot be retrieved according to this source:

One API call, SecKeyGeneratePair(), creates a public and private key. The public key is returned to the app, and the private key is sent directly to the Secure Enclave. This private key cannot be retrieved.

More information is available here:

The supported keys are Elliptic Curve P256, the private key is not extractible in any form, even protected, and the applications are RawSign and RawVerify.

like image 26
Randomblue Avatar answered Oct 30 '22 19:10

Randomblue
Sign in to Comment

Related questions

Convert iOS developer account from individual to company [closed]
Swift sending data from child view to parent view controller
UIDocumentPickerViewController -> "No Documents" because iCloud not available
How to make Playground execution time is as fast as if we run in iOS application
ObjC protocol Implementation in Swift
Retrieve Facebook user ID in Swift
NativeScript CLI fail when running "tns run ios"
WatchOS2 WCSession How many delegates can the WCSession have in WatchKitExtension?
Generate a Random Word in Swift
Best way to handle multiple NSURL connections
NSKeyedArchiver thread safe?
How can Xcode 7 Stack Views be backwards-compatible with iOS 8 and iOS 7?
How to launch iOS Simulator in specific language from command line?
Background Scanning for BLE in Swift
How to use actions in SceneKit Editor
Swift, custom UITableViewCell with UIImageView. Need to resize cell to image height
xcodebuild stuck on codesign? how to disable prompt?
How can I move an image in Swift?
Understanding swift Alamofire completionHandler
Why is my IOS app rejecting cdvfile:// and file:/// links?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!