Misplaced Pages

Keychain (software): Difference between revisions

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.
Revision as of 19:14, 29 November 2009 by Cprompt (talk | contribs), extended confirmed user, 1,670 edits; minor edit, summary: "Rephrased versioning - Keychain appeared in 8.6 and all subsequent versions." (← Previous edit)
Latest revision as of 22:22, 14 November 2024 by 0xC0000005 (talk | contribs), extended confirmed user, 643 edits; summary: "Keychain Access still exists in Sequoia"
(213 intermediate revisions by more than 100 users not shown)
Previous revision (19:14, 29 November 2009), wikitext as it stood before the intervening revisions. The latest revision is rendered in full below.

{{Infobox software
| name = Keychain
| developer = ]
| operating_system = ]/]
| genre = ]
| license = ]
}}

'''Keychain''' is Apple's password management system in Mac OS X. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of Mac OS, including Mac OS X. A Keychain can contain various types of data: passwords (websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates and secure notes. The default keychain file is the <tt>login</tt> keychain, typically opened on login by the user's login password (although the password for this keychain can instead be different from a user's login password, adding security at the expense of some convenience). In Mac OS X, keychain files are stored in <tt>~/Library/Keychains/</tt>, <tt>/Library/Keychains/</tt>, and <tt>/Network/Library/Keychains/</tt>.

The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the password is encrypted and it is encrypted with ].<ref>http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf</ref>

== History ==
Keychains were initially developed for Apple's e-mail system, PowerTalk. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to. Keychain placed these passwords in an encrypted file, and automatically returned them on command if the file was "opened" using a password.

The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, this was a truly innovative concept that was not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.

It was not until the return of Steve Jobs that Keychain was liberated from the now-dead PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a web browser. Keychain became a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.

Third-party adoption of Keychain has been somewhat spotty to date. Although most Apple software uses it (notably ] and ]), and Macintosh-only applications such as ] and ] do as well, cross-platform applications such as ] do not use Keychain, sticking to other cross-platform solutions instead. Many programs continue to store their login credentials in plain text files, although this is becoming rare for newer programs. Recent versions of the ] ] client use the Keychain on Mac OS X.

==Notes==
<references />

==See also==

==External links==
Latest revision as of 22:22, 14 November 2024

Password management system in macOS

Keychain
  Developer(s): Apple Inc.
  Initial release: 1999
  Operating system: Mac OS 9, macOS
  Successor: Passwords
  Type: system utility
  License: APSL-2.0
  Website: Keychain Services

Keychain Access (screenshot: Keychain Access on macOS 12)
  Developer(s): Apple Inc.
  Stable release: 11.0 (55314) / 2022
  Operating system: Mac OS 9, macOS
  Successor: Passwords
  Type: password manager
  Website: Keychain Access Help

Keychain is a password management system developed by Apple for macOS. It was introduced with Mac OS 8.6, and was included in all subsequent versions of the operating system, as well as in iOS. A keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes. Some data in the Keychain, primarily passwords, is visible and editable through a user-friendly interface in Passwords, a built-in app in macOS Sequoia and iOS 18; in earlier versions of Apple's operating systems the same interface is available in System Settings/Settings.

History

Keychains were initially developed for Apple's e-mail system, PowerTalk, in the early 1990s. Among its many features, PowerTalk used plug-ins that allowed mail to be retrieved from a wide variety of mail servers and online services. The keychain concept naturally "fell out" of this code, and was used in PowerTalk to manage all of a user's various login credentials for the various e-mail systems PowerTalk could connect to.

The passwords were not easily retrievable due to the encryption, yet the simplicity of the interface allowed the user to select a different password for every system without fear of forgetting them, as a single password would open the file and return them all. At the time, implementations of this concept were not available on other platforms. Keychain was one of the few parts of PowerTalk that was obviously useful "on its own", which suggested it should be promoted to become a part of the basic Mac OS. But due to internal politics, it was kept inside the PowerTalk system and, therefore, available to very few Mac users.

It was not until the return of Steve Jobs in 1997 that the Keychain concept was revived from the now-discontinued PowerTalk. By this point in time the concept was no longer so unusual, but it was still rare to see a keychain system that was not associated with a particular piece of application software, typically a web browser. Keychain was later made a standard part of Mac OS 9, and was included in Mac OS X in the first commercial versions.

Storage and access

In macOS, keychain files are stored in ~/Library/Keychains/ (and subdirectories), /Library/Keychains/, and /Network/Library/Keychains/, and the Keychain Access GUI application is located in the Utilities folder in the Applications folder. It is free, open source software released under the terms of the APSL-2.0. The command line equivalent of Keychain Access is /usr/bin/security.

The keychain database is encrypted per-table and per-row with AES-256-GCM. The time at which each credential is decrypted, how long it will remain decrypted, and whether the encrypted credential will be synced to iCloud varies depending on the type of data stored, and is documented on the Apple support website.

Locking and unlocking

The default keychain file is the login keychain, typically unlocked on login by the user's login password, although the password for this keychain can instead be different from a user's login password, adding security at the expense of some convenience. The Keychain Access application does not permit setting an empty password on a keychain.

The keychain may be set to be automatically "locked" if the computer has been idle for a time, and can be locked manually from the Keychain Access application. When locked, the password has to be re-entered next time the keychain is accessed, to unlock it. Overwriting the file in ~/Library/Keychains/ with a new one (e.g. as part of a restore operation) also causes the keychain to lock and a password is required at next access.
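One way to check and tighten the auto-lock behaviour described in this section from the command line, using the /usr/bin/security tool named under "Storage and access". This is an added shell example, not code from the article or from Apple. It assumes the one-line report format of `security show-keychain-info` shown in its comments (not stated in the article), and the sample lines it checks when run off a Mac are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Apple: audit and harden the
# auto-lock settings of the default (login) keychain with /usr/bin/security.
# Assumption (not stated in the article): `security show-keychain-info` reports
# a line such as
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
# or `... no-timeout` when no idle timeout is configured. The sample lines in
# the stand-alone run at the bottom are constructed for this example.

# Longest acceptable idle time (seconds) before the keychain locks itself.
MAX_IDLE_SECONDS=600

# keychain_settings_ok LINE MAX
# Returns 0 when LINE reports lock-on-sleep and an idle timeout of at most MAX
# seconds; returns 1 for "no-timeout", a missing lock-on-sleep flag, or a
# timeout longer than MAX.
keychain_settings_ok() {
  line=$1
  max=$2
  case "$line" in
    *lock-on-sleep*) ;;
    *) return 1 ;;
  esac
  case "$line" in
    *timeout=*s*) ;;
    *) return 1 ;;
  esac
  # Extract the number between "timeout=" and the trailing "s".
  t=${line##*timeout=}
  t=${t%%s*}
  [ "$t" -gt 0 ] 2>/dev/null && [ "$t" -le "$max" ]
}

# recommended_settings_command MAX
# Prints the security(1) invocation that enables lock-on-sleep (-l) and an
# idle-timeout lock (-u) of MAX seconds (-t) on the default keychain.
recommended_settings_command() {
  printf 'security set-keychain-settings -l -u -t %s\n' "$1"
}

# audit_default_keychain MAX
# Runs only where security(1) exists (macOS). Returns 0 if the default keychain
# already meets the policy, 1 otherwise, 2 if security is unavailable.
audit_default_keychain() {
  max=$1
  command -v security >/dev/null 2>&1 || return 2
  # The report may be written to stderr, so both streams are captured.
  info=$(security show-keychain-info 2>&1) || return 1
  if keychain_settings_ok "$info" "$max"; then
    echo "OK: $info"
    return 0
  fi
  echo "WEAK: $info"
  echo "Suggested fix: $(recommended_settings_command "$max")"
  return 1
}

# lock_default_keychain
# Locks the default keychain immediately (the CLI counterpart of locking it
# manually in Keychain Access); the password is required at next access.
lock_default_keychain() {
  command -v security >/dev/null 2>&1 || return 2
  security lock-keychain
}

# Stand-alone run: audit the real keychain on macOS, otherwise exercise the
# check against constructed sample lines.
if command -v security >/dev/null 2>&1; then
  audit_default_keychain "$MAX_IDLE_SECONDS"
else
  for sample in \
    'Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s' \
    'Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout' \
    'Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=7200s'
  do
    if keychain_settings_ok "$sample" "$MAX_IDLE_SECONDS"; then
      echo "OK:   $sample"
    else
      echo "WEAK: $sample"
    fi
  done
fi
```

The policy check is kept in a pure function so it can be run over saved output from many machines, while the functions that actually invoke `security` bail out cleanly where the tool is absent.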

Password synchronization

If the login keychain is protected by the login password, then the keychain's password is changed whenever the login password is changed from within a logged-in session on macOS. On a shared Mac/non-Mac network, the login keychain's password can lose synchronization if the user's login password is changed from a non-Mac system; the same can happen if the password is changed through a directory service such as Active Directory or Open Directory, or from another admin account (e.g. using System Preferences). Some network administrators react to this by deleting the keychain file on logout, so that a new one is created the next time the user logs in. This means keychain passwords are not remembered from one session to the next, even if the login password has not been changed. If this happens, the user can restore the keychain file in ~/Library/Keychains/ from a backup, but doing so locks the keychain, which then needs to be unlocked at next use.

Third-party software for keychain synchronization

A third-party application was developed that enabled synchronization of personal keychains generated with Keychain Access in Mac OS X. These standard Keychain Access-generated user keychains could then be synchronised between devices (iPhones and desktop Apple computers) using a pair of keychain synchronization apps developed by Patrick Stein of Jinx Software, one for Mac OS X and another for iOS, called Keychain2Go. Keychain2Go could not be successfully updated by the developer to account for the restrictions that Apple placed on Keychain and on access to it in Mac OS X Sierra 10.12.

Security

Keychain is distributed with both iOS and macOS. The iOS version is simpler because applications that run on mobile devices typically need only very basic Keychain features. For example, features such as ACLs (Access Control Lists) and sharing Keychain items between different apps are not present. Thus, iOS Keychain items are only accessible to the app that created them.

As Mac users’ default storage for sensitive information, Keychain is a prime target for security attacks.

In 2019, 18-year-old German security researcher Linus Henze demonstrated his hack, dubbed KeySteal, that grabs passwords from the Keychain. Initially, he withheld details of the hack, demanding Apple set up a bug bounty for macOS. Apple had however not done so when Henze subsequently revealed the hack. It utilized Safari's access to security services, disguised as a utility in macOS that enables IT administrators to manipulate keychains.

See also

References

  1. "Mac OS X 10.5 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
  2. "Mac OS X 10.4 Help - Changing your keychain password". Docs.info.apple.com. Archived from the original on May 31, 2012. Retrieved March 28, 2016.
  3. Apple Inc. "Source Browser". opensource.apple.com. Retrieved February 26, 2012.
  4. "Keychain data protection". Apple Inc. May 17, 2021. Archived from the original on December 20, 2021. Retrieved December 20, 2021.
  5. "Mac OS X 10.5 Help: Changing your keychain password". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
  6. "Mac OS X 10.4 Help: Locking and unlocking your keychain". Docs.info.apple.com. Archived from the original on June 13, 2011. Retrieved February 26, 2012.
  7. Stein, Patrick. "Keychain2go keychain synhcronisation software". Jinx Software. Retrieved March 22, 2023.
  8. Newman, Lily Hay (June 1, 2019). "The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack". Wired. Retrieved July 9, 2021.