2

I am pretty much a newbie at cryptography but I am trying to encrypt some data and save it in a file in iOS 3 because I do not want the user to just go in and edit the file. What is the proper way to securely (relatively) encrypt the data in iOS 3? Most of the documentations I found online were for iOS 5.

Any help would be appreciated!

Thanks, Alex

Alan L
  • 133
  • 1
  • 2
  • 8

2 Answers2

0

I do not know iOS3 well enough to suggest something that is already built-in. If you need to develop encryption from scratch, then RC4 is absurdly easy to program. It is obsolescent now, but still reasonably secure. Its major fault from your point of view is that you need to pick a secure key using a good KDF (Key Derivation Function), such as PBKDF2.

rossum
  • 15,344
  • 1
  • 24
  • 38
0

The "proper" way to do it is to use Apple's Key chain in IOS. Unfortunately, as this post says, this isn't really that secure for IOs3. For ios4 it works fine.

Someone probably has a paid solution out there , but you may well end up writing one yourself. You are going to want to

  1. Derive your key from a user supplied password using a key derivation function such as PBKDF2. In fact your need to derive two keys, so you are gong to run it twice with two different RANDOM salts.

  2. Use AES with a RANDOM IV and one of your derived keys (that parts important and all the example code I've seen didn't). prepend the salts and the IV to your cipher text

  3. Use an hmac with the other derived key on all of the above data. Prepend that.

  4. To decrypt, rederive the keys using the key derivation algorithm with the password and prepended salts, regenerate the hmac , take the sha1 hash of the generated one and separately the sha1 hash of the one in the message, and verify that they are the same ( don't directly compare the hmacs directly) and then decrypt the data using the other derived key and the prepended IV.

This is a pain to write and annoying to users since they need to put in a separate password, but there is no way to do it securely otherwise. If you store the key on the iphone, someone can read it and decrypt the data. Yeah you could encrypt the key, but then how do you store that key?

I don't believe apple has decent objective c bindings for any of this,so you need to use the common crypto c API. Its documented here. The objective-c APIs which appear to be useless, are documented here

Community
  • 1
  • 1
imichaelmiers
  • 3,449
  • 2
  • 19
  • 25