
I'm developing an iOS app that uses the Keychain, Security.framework and Apple's KeychainWrapper class to store the user's password securely in my app.

The app lets users create accounts. When a user creates an account, the app needs to send an encrypted version of the user's password to my server (a POST request).

All of this works, but the problem I've run into is that I can store the data securely and retrieve it, but I don't know how to retrieve the encrypted version of my data.

In other words, suppose a user creates an account and sets the password to "hello". I then have the app store it securely in the Keychain.

So iOS encrypts it and stores it in the Keychain. For the sake of this question, let's assume the encrypted version is "h235llo".

Now, when I want to send the password to my server, I don't want to send "hello". I want to send "h235llo" (the encrypted string). How do I access the encrypted string?

Here is the code I'm using to access the Keychain:

To store the username/password securely in the Keychain, I do this:

// Keychain item for this app's login data (no shared access group)
KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"UserLoginData" accessGroup:nil];
[keychain setObject:_username.text forKey:(__bridge id)kSecAttrAccount];
[keychain setObject:_password.text forKey:(__bridge id)kSecValueData];

To retrieve the username/password securely from the Keychain, I'm doing this:

// Read back the account name and the stored secret
NSString *secureUser = [keychain objectForKey:(__bridge id)kSecAttrAccount];
NSString *securePass = [keychain objectForKey:(__bridge id)kSecValueData];

Any help with this problem would be greatly appreciated.

Thanks for your time, Dan.

2 Answers

The internal encryption details of Keychain are private and subject to change. (They're not totally private. Apple does a pretty nice job of explaining them, but the specific details are not accessible to apps.)

I suspect you have some confusion about the difference between encryption (data that has been scrambled in such a way that the original can be later retrieved), and hashing (data that has been scrambled in such a way that the original is lost). Password authentication generally employs hashing, not encryption.

The particular kind of hashing (or encryption) that you need is entirely dependent on your server. It is impossible for your server to rely on the internal encryption state of the iOS Keychain on a specific device (and you wouldn't want to if you could). So the question is, what format does your server expect the authentication request to be in.

If you control the server, and you're just looking for a good way to authenticate without sending the plaintext password, then congratulations, you're thinking about this well. The tool you want is not, however, encryption. It's a Key Derivation Function like PBKDF2. You can find an intro in this Renaissance.io talk starting at minute 16. Or you can start at slide 33.

answered 2015-02-28T16:04:22.173

You need to generate a one-way hash of the password. That is what you store and send to the server.

You would ask the server for the SALT for that user.

answered 2015-02-26T21:50:23.677
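The two answers above agree on the shape of the fix: leave the Keychain's internal encryption alone, and instead send the server a value derived from the password with a salt and a key derivation function. The following Objective-C is an added example written for this page, not code from either answer or from Apple's KeychainItemWrapper sample. It uses CommonCrypto's `CCKeyDerivationPBKDF` (PBKDF2-HMAC-SHA256) and `SecRandomCopyBytes`, both of which are real iOS APIs; the round count, output length, JSON field names, and the `example.invalid` endpoint are assumptions chosen for the example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonKeyDerivation.h>

// Parameters the client and server must agree on (assumed values for this example).
static const unsigned kPBKDF2Rounds = 100000;
static const size_t kDerivedLength = 32;   // 256-bit output
static const size_t kSaltLength = 16;

// Fresh random salt from the system CSPRNG, generated once at account creation.
// The server keeps it and hands it back to the client at login time.
NSData *makeRandomSalt(void) {
    uint8_t buf[kSaltLength];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(buf), buf) != errSecSuccess) {
        return nil;
    }
    return [NSData dataWithBytes:buf length:sizeof(buf)];
}

// PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password. Returns nil on failure.
NSData *deriveVerifier(NSString *password, NSData *salt) {
    NSData *pw = [password dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableData *out = [NSMutableData dataWithLength:kDerivedLength];
    int rc = CCKeyDerivationPBKDF(kCCPBKDF2,
                                  pw.bytes, pw.length,
                                  salt.bytes, salt.length,
                                  kCCPRFHmacAlgSHA256,
                                  kPBKDF2Rounds,
                                  out.mutableBytes, out.length);
    return (rc == kCCSuccess) ? out : nil;
}

// JSON body for the account-creation POST. The plaintext password never appears here;
// the field names are assumptions for this example.
NSData *makeSignupBody(NSString *username, NSString *password, NSData *salt, NSError **error) {
    NSData *verifier = deriveVerifier(password, salt);
    if (verifier == nil) {
        return nil;
    }
    NSDictionary *payload = @{
        @"username": username,
        @"salt":     [salt base64EncodedStringWithOptions:0],
        @"verifier": [verifier base64EncodedStringWithOptions:0],
        @"kdf":      @"pbkdf2-hmac-sha256",
        @"rounds":   @(kPBKDF2Rounds),
    };
    return [NSJSONSerialization dataWithJSONObject:payload options:0 error:error];
}

// Send the body over HTTPS with NSURLSession. The URL is a placeholder.
void postSignup(NSData *body) {
    NSURL *url = [NSURL URLWithString:@"https://example.invalid/api/signup"];
    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:url];
    req.HTTPMethod = @"POST";
    [req setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
    req.HTTPBody = body;
    NSURLSessionDataTask *task = [[NSURLSession sharedSession]
        dataTaskWithRequest:req
          completionHandler:^(NSData *data, NSURLResponse *response, NSError *err) {
              // Inspect the HTTP status and the server's reply here.
          }];
    [task resume];
}

// Example wiring, as it would be called from the sign-up view controller:
//   NSData *salt = makeRandomSalt();
//   NSError *error = nil;
//   NSData *body = makeSignupBody(_username.text, _password.text, salt, &error);
//   if (body) postSignup(body);
```

Two points worth keeping in mind when adopting this pattern. First, the value stored in the Keychain can stay exactly as the question already has it; what changes is only what leaves the device. Second, the derived verifier is password-equivalent for your server: anyone who obtains the stored verifier can replay it, so the server should still run its own salted password hash over the received verifier before storing it, rather than storing the client's output verbatim. At login, the client asks the server for that user's salt (the second answer's point), derives the same verifier, and sends it; the server compares against its stored hash.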