
I'm trying to incorporate ECC into an iPhone app that is being used for secure communications, but I'm having a hard time finding a proper library / tutorial on how to do this in Objective-C. I read this post: How to use ECC in iOS. But it was posted almost a year ago and there weren't any responses. Any tips / advice would be greatly appreciated.

Thanks!

jrushing
  • Does it need to be Objective-C? Can you use one of the many C ECC libraries? – Joel Spolsky Feb 17 '13 at 01:01
  • What Joel said; just use a C API and wrap it in Objective-C as needed. NSData provides access to buffers quite conveniently. – bbum Feb 17 '13 at 01:30
  • Ahh yea that totally makes sense, just found this: https://github.com/x2on/OpenSSL-for-iPhone/blob/master/include/openssl/ecdh.h Thanks! – jrushing Feb 17 '13 at 01:38
  • @JustinRushing I'm struggling with this library - particularly loading in certificates that are passed in externally. If you could spare 5 mins to post a code snippet as to how you are using it, would be greatly appreciated. – PassKit Apr 17 '13 at 16:02
  • @PassKit, I didn't load in certificate files I took in strings representing the publicX and publicY. Here's some of the helper methods from my crypto class though: http://pastebin.com/3JBbzpX6 – jrushing Apr 17 '13 at 17:40
  • @JustinRushing This question is still open, could you post your solution as an answer? Preferably with some code of course... – Maarten Bodewes Jun 17 '13 at 11:28

5 Answers

2

In my experience you can use the NaCl library. This library has a curve25519 elliptic curve implementation. This is the state of the art and the fastest library.

You can also use crypto++.

Dev
1

Unfortunately, Security Transforms [1] (the iOS built-in framework one should go to, and the one the post mentioned above uses) does not seem to have support for elliptic curves built in. You'll have to rely on a non-Apple implementation of ECC.

[1] http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecTransformPG/SecurityTransformsBasics/SecurityTransformsBasics.html

NSSplendid
  • Are you sure? Apple uses a combination of ECC and AES for virtually all of their encryption on iOS. It can definitely be done, the only question is whether they expose it to developers or not. – Abhi Beckert Jun 10 '14 at 22:25
1

I'm unfortunately failing to find proper documentation, but maybe you can use the CommonCrypto framework from Apple?

This header seems promising: http://opensource.apple.com/source/CommonCrypto/CommonCrypto-60027/Source/CommonCryptoSPI/CommonECCryptor.h

Patrick
  • That header is "SPI", Apple's term meaning private interface. The functions aren't exposed for client app developers. You could file a [bug report](http://bugreport.apple.com) with Apple asking that they make those functions public if you need them, though. –  May 10 '13 at 08:05
1

A quick search for elliptic curve crypto in Mac libraries yielded EllipticLicense, a product key generation/validation library for the Mac that uses EC crypto. It's using OpenSSL's support for EC, which is something you could do too.

Note that Apple has deprecated using their supplied OpenSSL dynamic libraries due to compatibility issues that stop them keeping it up to date, so you would need to grab OpenSSL from the source and bundle it with your app yourself.
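
Putting the advice from the question's comments and this answer together (a C ECC library wrapped in Objective-C through NSData, with the peer's public key arriving as hex X/Y strings as in jrushing's comment), here is an added example; it is not code from the thread, from OpenSSL-for-iPhone or from EllipticLicense. It assumes OpenSSL 1.0.x headers and libraries are linked into the app; the ECDHHelper class and its method names are made up for illustration.

```objective-c
// Added example, not code from the thread: ECDH on P-256 via OpenSSL's C API
// (the ecdh.h linked above) wrapped in Objective-C with NSData, taking the peer
// public key as hex X/Y strings. Assumes OpenSSL 1.0.x; class/method names are hypothetical.
#import <Foundation/Foundation.h>
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/bn.h>
#include <openssl/obj_mac.h>

@interface ECDHHelper : NSObject @end
@implementation ECDHHelper
// Generate a fresh P-256 key pair; the caller releases it with EC_KEY_free.
+ (EC_KEY *)newLocalKey {
    EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    if (key && EC_KEY_generate_key(key) != 1) { EC_KEY_free(key); key = NULL; }
    return key;
}
// Export our public point as affine hex coordinates, the format the peer expects.
+ (NSDictionary *)hexCoordinatesOfKey:(EC_KEY *)key {
    BIGNUM *x = BN_new(), *y = BN_new();
    NSDictionary *result = nil;
    if (EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key),
                                            EC_KEY_get0_public_key(key), x, y, NULL) == 1) {
        char *sx = BN_bn2hex(x), *sy = BN_bn2hex(y);
        result = @{ @"x": @(sx), @"y": @(sy) };
        OPENSSL_free(sx); OPENSSL_free(sy);
    }
    BN_free(x); BN_free(y);
    return result;
}
// Rebuild the peer's point from X/Y and derive the raw ECDH secret. OpenSSL
// rejects coordinates that are not on the curve, and EC_KEY_check_key confirms
// the point has the group order, so a malformed peer key cannot probe our private scalar.
+ (NSData *)sharedSecretWithLocalKey:(EC_KEY *)local peerHexX:(NSString *)hx peerHexY:(NSString *)hy {
    BIGNUM *x = NULL, *y = NULL;
    NSData *secret = nil;
    EC_KEY *peer = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    if (peer && BN_hex2bn(&x, hx.UTF8String) && BN_hex2bn(&y, hy.UTF8String)
        && EC_KEY_set_public_key_affine_coordinates(peer, x, y) == 1 && EC_KEY_check_key(peer) == 1) {
        int len = (EC_GROUP_get_degree(EC_KEY_get0_group(local)) + 7) / 8;   // 32 bytes for P-256
        NSMutableData *buf = [NSMutableData dataWithLength:len];
        int n = ECDH_compute_key(buf.mutableBytes, len, EC_KEY_get0_public_key(peer), local, NULL);
        if (n > 0) { buf.length = n; secret = buf; }  // raw x-coordinate: run through a KDF before use as a key
    }
    BN_free(x); BN_free(y); EC_KEY_free(peer);
    return secret;
}
@end
```

The returned bytes are the raw shared x-coordinate, not a usable key; derive symmetric keys from them with a KDF such as the ANSI X9.63 KDF (passed as the last argument to ECDH_compute_key) or HKDF.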

-2

This isn't the answer you were asking for. But, my paranoia compels me to suggest that you take the time to really understand the nuts and bolts of your ECC implementation. Consider this publication on the NSA back door.

If you take nothing more than this from the article, note that: "RSA Security publicly renounced Dual_EC_DRBG".

I reviewed the list of vendors that had validated various DRBG algorithms. It appears as though Apple directly validated CTR_DRBG for most platforms and OSs. In the clear, right? Not necessarily. If you look closer, there appear to be vendors that had validated Dual EC DRBG whose technology may have been built into Apple products. How and where it's used? I wasn't able to determine this.

For example: scroll down to validation number 309. I'm not sure if I'm reading correctly. But my take is Cummings is (or intended to be) the OEM vendor for Apple mobile devices distributed with an ARM A8 core and iOS 5.0. They validated their cryptographic communications module which included dual EC DRBG. When is it used? All I know is it says it is both "enabled and not enabled". When?! No idea. Note that there are several other flavors of DRBG that are both "enabled and not enabled". This can only decrease the probability of use.

It seems the bottom line is:

  • dual EC DRBG may be used in the cryptographic functions that use SHA on the qualifying platforms in an unknown number of scenarios.

  • we'll have to wait for the resolution of the investigation to be sure it's the back door that the authorities suspect.

Have a nice day. :)

P.S. I couldn't help but be concerned with OpenSSL. I found this post that sheds some light on the unknowns regarding how to clarify whether OpenSSL is using the blacklisted random number generator.

stephen
  • Added -1 as that NIST finding is very specific to a (slow, questionable) random number generator. It has little to do with e.g. ECIES. – Maarten Bodewes Jan 24 '14 at 16:09
  • If you're worried about an NSA back door, why not simply use a curve w/ values that they didn't declare? Ed25519 for example. RSA just isn't practical in some cases due to key size. – Albert Renshaw Sep 10 '20 at 06:44