5 Replies
      Latest reply: Feb 1, 2017 2:49 PM by eskimo RSS
      Ankitthakur Level 1 Level 1 (0 points)

        Hi team,

         

        I want to implement ECC in our iOS application. Could you please confirm, if it is available in CommonCrypto, or could be achieved using CommonCrypto or any other security framework.

         

        There are some apis available in OpenSSL, but as per CommonCrypto's documentation, OpenSSL is not stable and is getting updated quite soon.

         

        Thanks

        Ankit

        • Re: Elliptic Curve Cryptography
          eskimo Apple Staff Apple Staff (6,310 points)

          What do you mean by “implement ECC in our iOS application”.  iOS supports EC cryptography in general, but there are places where that support is not complete (I’m actually struggling to think of an example of this because recently releases have fleshed out the EC support).  If you explain how you plan to use EC keys, I should be able to give you more concrete details.

          Could you please confirm, if it is available in CommonCrypto, or could be achieved using CommonCrypto or any other security framework.

          Just FYI, this isn’t in CommonCrypto.  Asymmetric key cryptography is supported by the Security framework itself.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Elliptic Curve Cryptography
              Ankitthakur Level 1 Level 1 (0 points)

              Hi,

               

              You can look into GMEllipticCurveCrypto, I want to know, if we are having similar APIs for ECC implementation in Security framework.

               

              I am currently working on development of JOSE security (JWE/JWA/JWT) and in that instead of using RSA encryption for JWE, we need to use ECC Cryptography.

                • Re: Elliptic Curve Cryptography
                  eskimo Apple Staff Apple Staff (6,310 points)

                  You can look into GMEllipticCurveCrypto, I want to know, if we are having similar APIs for ECC implementation in Security framework.

                  AFAICT that library supports two features:

                  • signature signing and verification (A)

                  • shared secret generation (B)

                  You can definitely do A using the Security framework; check out this thread, which discusses that in the context of Touch ID.

                  I don’t think you can do B using the Security framework or CommonCrypto.  IIRC the APIs necessary to do DH are part of CommonCrypto, but aren’t public )-:

                  As always, if iOS APIs aren’t available to do things that you need to do, you should file an enhancement request describing your requirements.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Elliptic Curve Cryptography
                      markau Level 1 Level 1 (0 points)

                      ECDH really only requires a few things:

                       

                      1. generating an ephemeral keypair, which you can do with `SecKeyGeneratePair()`

                       

                      2. send the public key to the other party, which means you need to

                          (a) get the data of the key which requires a stupid round-trip via Keychain using `SecItemCopyMatching()`

                          (b) conform the key to the other end's requirements. In most cases of BLE devices etc. they will use a format where you just want the x & y points on the curve - the data you get from `SecItemCopyMatching()` has an extra 0x04 byte at the start (which I think is in an RFC somewhere - it defines the format?) that you will probably need to strip off. In most web service cases they will want an ASN.1 formatted key and there is excellent info on that from Quinn in this forum thread: https://forums.developer.apple.com/thread/8030 and there is also excellent code examples in https://github.com/DigitalLeaves/CryptoExportImportManager

                       

                      3. generate the shared secret - as far as I can see the Security Framework doesn't expose a funciton to do this. `CCECCryptorComputeSharedSecret()` is in CommonCrypto but it is not a public function. You probably need to roll your own. It's all standardised stuff, and hopefully the primitives are all in Security.framework - in any case there are plenty of C libraries to do it, we can probably pull the code out of CommonCrypto ourselves if we have to.

                       

                      4. encrypt a small piece of data to exchange to verify you both have the right key. This is the variable g that RFC-5114 specifies a few versions of - the spec of your api/device should say what the value of g is supposed to be. https://tools.ietf.org/html/rfc5114#section-3 Again there doesn't seem to be a canned way of either getting a standard g value, or doing this all in one step, but the steps are not too hard.

                       

                      I'm currently replacing a custom C library with the Security framework and it really would be useful if 3 & 4 had a simple interface. ECDH is something that everyone should be doing a lot more of - if it were a simple matter of calling 3 or 4 functions in the right sequence and exchanging data, then I think a lot more people would use it (correctly).

                       

                      I should probably raise a radar - but Quinn or anyone else, please correcty me if I'm missing any simple functions in the framework for 3 & 4.

                        • Re: Elliptic Curve Cryptography
                          eskimo Apple Staff Apple Staff (6,310 points)

                          I should probably raise a radar …

                          Lots of this stuff has changed with the new unified SecKey APIs we added in iOS 10 (and macOS 10.12).  For example, you no longer need to round trip via the keychain to get the public key bits of a generated key (yay for SecKeyCopyExternalRepresentation).  I recommend you dig into the new API before going further.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"