Create a private key that cannot be exported

I want to create a key pair on the iPhone so that the private key can only be used to sign data blocks on this particular iPhone.

The SecKeyGeneratePair function looks promising. I can generate a key pair in the keychain (using kSecAttrIsPermanent), and I can turn off decryption, derivation and unwrapping with the private key (setting kSecAttrCanDecrypt, kSecAttrCanDerive and kSecAttrCanUnwrap to false).

Two things about the key pairs generated with SecKeyGeneratePair:

  • Is it possible to export the private key outside the keychain to the application memory?

  • Is it possible to change the key properties (for example, set kSecAttrCanDecrypt to true) after creating the private key?

+5
2 answers

This article provides more detailed information (compared to the other answers in this thread):

SecKeyGeneratePair(), which is used to generate RSA and ECDSA key pairs, can now be configured to store the generated private key directly in the device's keychain (as part of the Secure Enclave). This means that the private key can be used without leaving the Secure Enclave.

And an important addition:

The kSecAttrTokenIDSecureEnclave attribute should be used when creating a key pair.

If you do not specify this attribute, the private key will be available even on iOS 9.

+5
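As an added Swift example (not code from the question or either answer), the following creates a P-256 key pair with the kSecAttrTokenIDSecureEnclave attribute the answer refers to, signs a constructed message with it, and then attempts to export the private half. It uses SecKeyCreateRandomKey, the current successor to SecKeyGeneratePair; the application tag is a hypothetical placeholder, and the code needs a device with a Secure Enclave.

```swift
import Foundation
import Security

// Hypothetical application tag; choose your own identifier.
let keyTag = "com.example.signing-key".data(using: .utf8)!

// Generate a P-256 key pair whose private half is created inside the Secure Enclave.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // .privateKeyUsage is mandatory for Secure Enclave keys; the accessibility
    // class keeps the keychain item on this device only (no backup/restore).
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error) else { throw error!.takeRetainedValue() as Error }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // the attribute from the answer
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,          // store the key in the keychain
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

func demo() throws {
    let privateKey = try makeSecureEnclaveKey()
    let publicKey = SecKeyCopyPublicKey(privateKey)!
    let message = "block to sign".data(using: .utf8)!   // constructed sample input
    var error: Unmanaged<CFError>?

    // Signing succeeds: the ECDSA operation runs inside the Secure Enclave.
    let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error)! as Data
    let valid = SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                      message as CFData, signature as CFData, &error)
    print("signature valid: \(valid)")

    // Export does not: for a Secure Enclave key the call returns nil and sets error.
    let exported = SecKeyCopyExternalRepresentation(privateKey, &error)
    print("private key exportable: \(exported != nil)")
}
```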

To answer the first question, the private key cannot be retrieved, according to this source:

One API call, SecKeyGeneratePair(), creates a public and private key. The public key is returned to the application, and the private key is sent directly to the Secure Enclave. This private key cannot be retrieved.

Further information is available here:

Supported keys are P256 elliptic curve keys; the private key is not retrievable in any form, it is even protected, and the RawSign and RawVerify operations are supported.

+4
