Get Keychain password in encrypted format

0
votes

I am working on an iOS app which uses the Keychain, Security.framework and Apple's KeychainWrapper class to securely store the users password in my app.

The app allows users to make accounts. When a user makes an account, the app needs to send the encrypted version of the users password to my server (POST request).

This all works, but the problem I am having is that I can store data securely and retrieve it, but I don't know how to go about retrieving the encrypted version of my data.

In other words, lets say the user makes an account and they set their password to "hello". I then set the app to securely store that in the keychain.

So then iOS encrypts it and stores it in the keychain. For the sake of this question lets pretend the encrypted version is "h235llo".

Now when I want to send the password to my server, I DONT want to send "hello". I want to send "h235llo" (the encrypted string). How do I get access to the encrypted string?

Here is the code I am using to access the Keychain:

To securely store username/password to the keychain, I am doing this:

KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"UserLoginData" accessGroup:nil];
[keychain setObject:_username.text forKey:(__bridge id)kSecAttrAccount];
[keychain setObject:_password.text forKey:(__bridge id)kSecValueData];

And to securely retrieve the username/password from the keychain I am doing this:

NSString *secureUser = [keychain objectForKey:(__bridge id)kSecAttrAccount];
NSString *securePass = [keychain objectForKey:(__bridge id)kSecValueData];

Any help on this matter would be much appreciated.

Thanks for your time, Dan.

2
ioscocoa-touchencryptionkeychainsecurity-framework
You send the hash version of the password. Not the encrypted versionBlack Frog
using CommonCrypto to hash or encyrpte password.Mornirch
The idea of storing the password in the keychain is to store the real password, not a password hash. Why would you send a password hash to the server? If you are doing that for authentication, then that hash is really being used as the password, not the original password. Where is the authentication taking place, client side or on the server?picciano

2 Answers

2
votes

The internal encryption details of Keychain are private and subject to change. (They're not totally private. Apple does a pretty nice job of explaining them, but the specific details are not accessible to apps.)

I suspect you have some confusion about the difference between encryption (data that has been scrambled in such a way that the original can be later retrieved), and hashing (data that has been scrambled in such a way that the original is lost). Password authentication generally employs hashing, not encryption.

The particular kind of hashing (or encryption) that you need is entirely dependent on your server. It is impossible for your server to rely on the internal encryption state of the iOS Keychain on a specific device (and you wouldn't want to if you could). So the question is, what format does your server expect the authentication request to be in.

If you control the server, and you're just looking for a good way to authenticate without sending the plaintext password, then congratulations, you're thinking about this well. The tool you want is not, however, encryption. It's a Key Derivation Function like PBKDF2. You can find an intro in this Renaissance.io talk starting at minute 16. Or you can start at slide 33.

1
votes

You need to generate a one way HASH of the password. That is what you store and send to the server.

You would asked the server for the SALT for that user.