I have seen many examples on verifying client or server certificates using Security framework APIs but this will solve only problem of Identification of security features but what about Confidentiality of data? How do I exchange private and public keys between client and server? What about Interception, Modifications, or Fabrication attacks? What if someone pretending and sending correct certificate as expected by client?
Cryptographic Keys exchange between client and server
740 Views Asked by Paresh Masani At
1
There are 1 best solutions below
Related Questions in IOS
- URLSession requesting JSON array from server not working
- Incorrect display of LinearGradientBrush in IOS
- Module not found when building flutter app for IOS
- How to share metadata of an audio url file to a WhatsApp conversation with friends
- Occasional crash at NSURLSessionDataTask dataTaskWithRequest:completionHandler:
- Expo Deep linking on iOS is not working (because of Google sign-in?)
- On iOS, the keyboard does not offer a 6-character SMS code
- Hi, there is an error happened when I build my flutter app, after I'm installing firebase packages occurs that error
- The copy/paste functionalities don't work only on iOS in the Flutter app
- Hide LiveActivityIntent Button from Shortcuts App
- While Running Github Actions Pipeline: No Signing Certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID
- Actionable notification api call not working in background
- Accessibility : Full keyboard access with scroll view in swiftui
- There is a problem with the request entity - You are not allowed to create 'iOS' profile with App ID 'XXXX'
- I am getting "binding has not yet been initialized" error when trying to connect firebase with flutter
Related Questions in SECURITY
- HTTPS configuration in Spring Boot, server returning timeout
- HSM ZKA control mask values
- OWASP Amass Subcommands
- Is there a need for BPF Linux namespace?
- Error when trying to execute a binary compiled in a Kali Linux machine on an Ubuntu system
- When sanitize/encode while implementing tags system like on SO
- spring security version in spring-boot-starter-security
- I am currently trying to implement a rudimentary firewall from a video I watched but the nimda worm detection is not working and i do not know why?
- Is it possible for `sudo` to fail temporarily with the correct password? Hacking suspected
- Is it viable proxying all my mobile apps requests, to some kind knowing that a request is coming from a secure source
- What abilities should I concentrate on while bug hunting, and how can I improve the quality of my bug bounty reports?
- System.ArgumentOutOfRangeException: I passed this error in every single program
- How to prevent users from creating custom client apps?
- Does server-side content security policy exist for youtube video player API, app, mod apks and website?
- Can we pass a hostname/IP address as a query string in a GET request in REST API
Related Questions in INTERCEPTION
- Camel 3 testing - AdviceWith interception onException fails
- using the interception driver when the mouse is not connected to the computer
- How to get Java Unflagged Key Inputs Like With Pyinterception?
- Can keyboard binary inputs mimic Xbox analog sticks by using key press "rates" to approximate tilt? (I'm using Keyboardsplitter Github project to try)
- interceptor concept for SqsListener
- Squid cache peer and HTTP Connect with SSL Interception
- How can I execute a function before ALL of my class functions in Dart?
- Webpage does not load while intercepting with Burp
- Is it possible to log traffic (responses in particular) on a domain using javascript?
- Cypress cy.wait() only waits for the first networkcall, need to wait for all calls
- javascript - Intercept and modify XHR response in chrome plugin
- Burp proxy interception doesn't work for localhosted web apps with Firefox
- Can you throttle requests rather than responses in Cypress?
- Playwright intercept server side network request
- Puppeteer redirect throws ERR_BLOCKED_BY_CLIENT
Related Questions in CONFIDENTIALITY
- How to secure a Python project on Windows from domain administrators?
- Restrict access to confidential files on server
- Anonymize spatial data
- Does Violation of integrity violate privacy in communication?
- Hyperledger private data collection and confidentiality
- How to exhibit specific data without compromising entire database?
- Is there an R function/package to transform time series data for confidentiality reasons?
- Multicast Encryption
- How Safe is your data in Azure VM
- Do RStudio projects store any temporary data?
- How can I protect Java/Javafx code from being seen by final user?
- Hyperledger Fabric Data Confidentiality
- Cookies policies for big companies
- Encrypting secret data in kubernetes etcd store
- Docker: Secrets required in configuration files
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Identification is provided by verifying the cert as you note. Confidentiality is provided via encryption. Authentication is provided by signing the data. Together they are often implemented via TLS over a network connection.
In short, if you properly implement and deploy HTTPS, and validate your certificates, then you will get all of the things you're describing.
NSURLConnectionwill do almost all of this for you by default if you just use an "https" URL.If you deploy a certificate on the server and protect its private key, then it is not feasible for an attacker to pretend to have that certificate. Only the server has the server's private key (it is up to you to protect the private key from copying or theft).
A typical approach is to use a commercial certificate, in which a certificate authority (CA) like Verisign attests that the private key was issued to the owner of a given host (known as the CN or common name). This is a simple-to-use approach and generally cost effective. Go to one of the well-known CAs and buy a cert.
However, you can also create your own public/private server keypair, protect the private key, and distribute the public key in your client. You can then configure your client to only accept that one certificate and no others. This is actually more secure than the commercial certificate. For an example of this, see SelfCert. This is from my CocoaConf-RTP-2012 talk. I'll be giving a similar talk at CocoaConf-DC-2013. It is also discussed at length in chapter 15 of iOS:PTL.
Client certificates are less common. They are used to authenticate the client, not the server. For a client certificate to work correctly, each client must have its own certificate. You can't ship a private key as part of your bundle. If you do, anyone can use that private key to impersonate a client. (Conversely, it is completely fine to put the server's public key in the bundle. It's public; you don't care who sees it.)
With
CFNetwork, after connecting, you would need to useCFReadStreamCopyPropertyto fetch thekCFStreamPropertySSLPeerTrust. You could then evaluate the returnedSecTrustobject. That said, I recommend theNSURLConnectioncode if you can use it. If you need lower-level access, you could still useNSStream. Jeff Lamarche discusses this in NSStream: TCP and SSL. But I'd recommend a tool like AFNetworking or CocoaAsyncSocket instead if you need lower-level control over TCP+SSL.