Chapter 5. Storing Confidential Data in the Keychain
WHAT'S IN THIS CHAPTER?
What the keychain is
Why use the keychain
How to use the keychain on the Mac and iPhone
Both Mac OS X and the iPhone OS provide a keychain, a service for storing, retrieving, and manipulating secret information — in fact, the Classic Mac OS also provided a keychain. In addition to providing developers with a common way to securely deal with confidential assets, the Keychain Access utility gives users a single entry point for configuring and managing their secrets. Applications that take advantage of the keychain make it easy for users to understand how their passwords and other confidential information are used.
WHAT IS THE KEYCHAIN?
Passwords are dangerous pieces of information. Access to a user's password for a service allows an attacker to pose as that user to the service protected by the password. Remember the categorization in Chapter 1 of spoofing, tampering, repudiation, information leak, denial of service and elevation of privilege (STRIDE). A leaked password allows a spoofing attack, under which the attacker can view protected data (information disclosure) and modify it (tampering), potentially with elevated privileges. If you consider that the attacker can probably now choose to terminate the account he's logged in with, and that he appears to be acting as the user, a password loss comes under the repudiation and denial of service categories, too. One attack that checks all the threat boxes!