I am working on an iOS app which uses the Keychain, Security.framework and Apple's KeychainWrapper class to securely store the users password in my app.
The app allows users to make accounts. When a user makes an account, the app needs to send the encrypted version of the users password to my server (POST request).
This all works, but the problem I am having is that I can store data securely and retrieve it, but I don't know how to go about retrieving the encrypted version of my data.
In other words, lets say the user makes an account and they set their password to "hello". I then set the app to securely store that in the keychain.
So then iOS encrypts it and stores it in the keychain. For the sake of this question lets pretend the encrypted version is "h235llo".
Now when I want to send the password to my server, I DONT want to send "hello". I want to send "h235llo" (the encrypted string). How do I get access to the encrypted string?
Here is the code I am using to access the Keychain:
To securely store username/password to the keychain, I am doing this:
KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"UserLoginData" accessGroup:nil];
[keychain setObject:_username.text forKey:(__bridge id)kSecAttrAccount];
[keychain setObject:_password.text forKey:(__bridge id)kSecValueData];
And to securely retrieve the username/password from the keychain I am doing this:
NSString *secureUser = [keychain objectForKey:(__bridge id)kSecAttrAccount];
NSString *securePass = [keychain objectForKey:(__bridge id)kSecValueData];
Any help on this matter would be much appreciated.
Thanks for your time, Dan.
The internal encryption details of Keychain are private and subject to change. (They're not totally private. Apple does a pretty nice job of explaining them, but the specific details are not accessible to apps.)
I suspect you have some confusion about the difference between encryption (data that has been scrambled in such a way that the original can be later retrieved), and hashing (data that has been scrambled in such a way that the original is lost). Password authentication generally employs hashing, not encryption.
The particular kind of hashing (or encryption) that you need is entirely dependent on your server. It is impossible for your server to rely on the internal encryption state of the iOS Keychain on a specific device (and you wouldn't want to if you could). So the question is, what format does your server expect the authentication request to be in.
If you control the server, and you're just looking for a good way to authenticate without sending the plaintext password, then congratulations, you're thinking about this well. The tool you want is not, however, encryption. It's a Key Derivation Function like PBKDF2. You can find an intro in this Renaissance.io talk starting at minute 16. Or you can start at slide 33.