I have seen many examples on verifying client or server certificates using Security framework APIs but this will solve only problem of Identification of security features but what about Confidentiality of data? How do I exchange private and public keys between client and server? What about Interception, Modifications, or Fabrication attacks? What if someone pretending and sending correct certificate as expected by client?
Cryptographic Keys exchange between client and server
740 Views Asked by Paresh Masani At
1
There are 1 best solutions below
Related Questions in IOS
- Overlapping UICollectionView in storyboard
- Cannot pod spec lint because of undeclared type errors
- Is the transactionReceipt data present in dataWithContentsOfURL?
- UIWebView Screen Fitting Issue
- ZXingObjC encoding issues
- iOS: None of the valid provisioning profiles allowed the specific entitlements
- How to hide "Now playing url" in control center
- CloudKit: Preventing Duplicate Records
- Slow performance on ipad erasing image
- Swift code with multiple NSDateFormatter - optimization
- iOS 8.3 Safari crashes on input type=file
- TTTTimeIntervalFormatter always returns strings in English
- How do I add multiple in app purchases in Swift Spritekit?
- Setup code for xibs in iOS. -awakFromNb:
- iOS Voice Over only reads out the title of any alert views
Related Questions in SECURITY
- Can MVC.NET prevent SQL-injection at razor or controller level?
- Forgotten password reset page: should the user need to enter a username/email as well?
- Dynamic roles list in CustomAuthorize ASP MVC
- Access roles from multiple applications
- How to Fix TLS CBC Incorrect Padding Abuse Vulnerability on Windows 2003 Server
- Evernote Web Clipper and Content Security Policy
- Invalidate user credentials when password changes
- Spring Boot MVC non-role based security
- Correct Captcha behaviour on error
- Is macro more secure than static const if I don't want someone to know or change the hardcode value?
- In Android, ensuring only pre-decided users can only use the app
- Authenticating plain text passwords against md5 hash in DB using Apache Shiro
- Symfony2 - handle HTTP/Entity user access restrictions
- Client side computation without exposing code?
- searchable row level encryption using java?
Related Questions in INTERCEPTION
- How to vary between child and parent view group touch events
- How does the svcutil (WCF) create task based methods for every service?
- ninject interception with attribute
- Unable to intercept Android hybrid application HTTPS traffic using burp suite
- Sending mouse clicks/sending coordinates with the Oblita/Interception library?
- Prolog intersection of three lists
- Ninject Interception Extension (AOP) - Good working example/tutorial?
- Intercepting global functions with Valgrind on Linux using g++
- Check finite line interception C
- Sending Key Presses with Interception
- Is it possible to intercept private methods using unity 3.0?
- Automatic Model Validation using DataAnnotations outside MVC
- PostSharp Field Interception to Encrypt and Decrypt
- How can I write Interceptor (AOP) with Castle Core or Other libraries (just free libraries) for Cross Cutting Concerns
- How to intercept key strokes in Matlab while GUI is running
Related Questions in CONFIDENTIALITY
- Does TLS ensure message integrity and confidentiality of data transmission in a RESTful Java enterprise
- Anonymize spatial data
- Multicast Encryption
- JMS / MQ confidentiality between clients
- Docker: Secrets required in configuration files
- Hyperledger private data collection and confidentiality
- How to exhibit specific data without compromising entire database?
- Cryptographic Keys exchange between client and server
- Information Security
- Handling confidentiality in application
- AES encryption and the need for Integrity
- Hyperledger Fabric Data Confidentiality
- Secure Way of storing Passwords to APIs without OpenID?
- Do RStudio projects store any temporary data?
- Does Violation of integrity violate privacy in communication?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Identification is provided by verifying the cert as you note. Confidentiality is provided via encryption. Authentication is provided by signing the data. Together they are often implemented via TLS over a network connection.
In short, if you properly implement and deploy HTTPS, and validate your certificates, then you will get all of the things you're describing.
NSURLConnectionwill do almost all of this for you by default if you just use an "https" URL.If you deploy a certificate on the server and protect its private key, then it is not feasible for an attacker to pretend to have that certificate. Only the server has the server's private key (it is up to you to protect the private key from copying or theft).
A typical approach is to use a commercial certificate, in which a certificate authority (CA) like Verisign attests that the private key was issued to the owner of a given host (known as the CN or common name). This is a simple-to-use approach and generally cost effective. Go to one of the well-known CAs and buy a cert.
However, you can also create your own public/private server keypair, protect the private key, and distribute the public key in your client. You can then configure your client to only accept that one certificate and no others. This is actually more secure than the commercial certificate. For an example of this, see SelfCert. This is from my CocoaConf-RTP-2012 talk. I'll be giving a similar talk at CocoaConf-DC-2013. It is also discussed at length in chapter 15 of iOS:PTL.
Client certificates are less common. They are used to authenticate the client, not the server. For a client certificate to work correctly, each client must have its own certificate. You can't ship a private key as part of your bundle. If you do, anyone can use that private key to impersonate a client. (Conversely, it is completely fine to put the server's public key in the bundle. It's public; you don't care who sees it.)
With
CFNetwork, after connecting, you would need to useCFReadStreamCopyPropertyto fetch thekCFStreamPropertySSLPeerTrust. You could then evaluate the returnedSecTrustobject. That said, I recommend theNSURLConnectioncode if you can use it. If you need lower-level access, you could still useNSStream. Jeff Lamarche discusses this in NSStream: TCP and SSL. But I'd recommend a tool like AFNetworking or CocoaAsyncSocket instead if you need lower-level control over TCP+SSL.