snej@0: // snej@0: // MYSymmetricKey.h snej@0: // MYCrypto snej@0: // snej@0: // Created by Jens Alfke on 4/2/09. snej@0: // Copyright 2009 Jens Alfke. All rights reserved. snej@0: // snej@0: snej@0: #import "MYKey.h" snej@0: #import snej@0: snej@0: jens@16: /** An old-fashioned symmetric key, so named because it both encrypts and decrypts. jens@16: A key can be generated at random, stored in the keychain, or derived from a user-entered jens@16: passphrase. jens@16: jens@16: These days, symmetric encryption is used mostly on local data such as files, with jens@16: passphrases; or as a transient "session key" for data sent between users, with the jens@16: session key itself encrypted in the message using public-key encryption. (The jens@16: MYEncoder/MYDecoder classes manage this second usage, whose details are tricky.) */ snej@0: @interface MYSymmetricKey : MYKey snej@12: { jens@16: @private snej@12: #if !MYCRYPTO_USE_IPHONE_API snej@12: CSSM_KEY *_ownedCSSMKey; snej@12: #endif snej@12: } snej@0: snej@1: /** Initializes a symmetric key from the given key data and algorithm. */ snej@1: - (id) initWithKeyData: (NSData*)keyData snej@1: algorithm: (CCAlgorithm)algorithm; snej@1: snej@1: /** Randomly generates a new symmetric key, using the given algorithm and key-size in bits. snej@1: The key is not added to any keychain; if you want to keep the key persistently, use snej@1: the method of the same name in the MYKeychain class. */ snej@0: + (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits snej@0: algorithm: (CCAlgorithm)algorithm; snej@0: snej@14: /** The key's algorithm. */ snej@14: @property (readonly) CCAlgorithm algorithm; snej@14: snej@14: /** The key's size/length, in bits. */ snej@14: @property (readonly) unsigned keySizeInBits; snej@14: snej@14: snej@14: #if !TARGET_OS_IPHONE snej@14: jens@16: /** Exports the key as a data blob, so that it can be stored as a backup, or transferred jens@16: to another computer. Since the key is sensitive, it must be exported in encrypted form jens@16: using a user-chosen passphrase. This method will display a standard alert panel, run by jens@16: the Security agent, that prompts the user to enter a new passphrase for encrypting the key. jens@16: The same passphrase must be re-entered when importing the key from the data blob. */ jens@16: - (NSData*) exportWrappedKeyWithPassphrasePrompt: (NSString*)prompt; jens@16: jens@16: /** Recreates a symmetric key from its wrapped (encrypted) form. The user will be prompted for jens@16: the passphrase to decrypt the key; this must be the same passphrase that was entered when jens@16: wrapping the key, e.g. when -exportWrappedKeyWithPassphrasePrompt: was called. */ jens@16: - (id) initWithWrappedKeyData: (NSData*)wrappedKeyData; snej@14: snej@12: /** Converts a passphrase into a symmetric key. snej@12: The same passphrase (and salt) will always return the same key, so you can use this method snej@12: to encrypt and decrypt data using a user-entered passphrase, without having to store the key snej@12: itself in the keychain. snej@12: @param alertTitle A title for the alert (this seems to be ignored by the OS). snej@12: @param prompt A prompt string displayed in the alert. snej@12: @param creating Is a new passphrase being created? If YES, the user will have to enter the snej@12: passphrase twice, to check for errors, and the nifty passphrase-strength meter will be snej@12: displayed. If NO, there's only one text-field, and an option to display its contents in snej@12: the clear. jens@16: @param saltObj An arbitrary value whose data will be mixed in with the passphrase before snej@12: hashing, to perturb the resulting bits. The purpose of this is to make it harder for snej@12: an attacker to brute-force the key using a precompiled list of digests of common snej@12: passwords. Changing the salt changes the key, so you need to pass the same value when snej@12: re-deriving the key as you did when first generating it. */ jens@16: + (MYSymmetricKey*) generateFromUserPassphraseWithAlertTitle: (NSString*)alertTitle snej@12: alertPrompt: (NSString*)prompt snej@12: creating: (BOOL)creating snej@12: salt: (id)saltObj; snej@12: snej@12: /** A utility that prompts for a passphrase, using the Security agent's nice modal panel, snej@12: and returns the raw passphrase as a string. snej@12: @param alertTitle A title for the alert (this seems to be ignored by the OS). snej@12: @param prompt A prompt string displayed in the alert. snej@12: @param creating Is a new passphrase being created? snej@12: (See description in +generateFromUserPassphrase... method.) */ snej@12: + (NSString*) promptForPassphraseWithAlertTitle: (NSString*)alertTitle snej@12: alertPrompt: (NSString*)prompt snej@12: creating: (BOOL)creating; snej@14: #endif TARGET_OS_IPHONE snej@12: snej@0: @end