Elliptic Curve Crypto in iOS

Posted 2019-02-07 22:09

Question:

I'm trying to incorporate ECC into an iPhone app that is being used for secure communications, but I'm having a hard time finding a proper library / tutorial on how to do this in Objective-C. I read this post: How to use ECC in iOS. But it was posted almost a year ago and there weren't any responses. Any tips / advice would be greatly appreciated.

Thanks!

Answer 1:

Unfortunately, the Security Transforms [1] (the iOS built-in framework one should go to and the one the post mentioned above uses) does not seem to have support for elliptic curves built in. You'll have to rely on a non-Apple implementation of ECC.

[1] http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecTransformPG/SecurityTransformsBasics/SecurityTransformsBasics.html



Answer 2:

I'm unfortunately failing at finding proper documentation, but maybe you can use the CommonCrypto framework from Apple?

This header seems promising: http://opensource.apple.com/source/CommonCrypto/CommonCrypto-60027/Source/CommonCryptoSPI/CommonECCryptor.h



Answer 3:

A quick search for elliptic curve crypto in Mac libraries yielded EllipticLicense, a product key generation/validation library for the Mac that uses EC crypto. It's using OpenSSL's support for EC, which is something you could do too.

Note that Apple has deprecated using their supplied OpenSSL dynamic libraries due to compatibility issues that stop them keeping it up to date, so you would need to grab OpenSSL from the source and bundle it with your app yourself.
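
As an added example (not part of the original answers, and not code from EllipticLicense or OpenSSL), this is roughly what ECDH key agreement through a bundled OpenSSL looks like when called from Objective-C. It assumes OpenSSL 1.1.0 or later built from source and linked into the app; the `Example...` helper names are hypothetical, and both key pairs are generated in-process only to show that the two sides derive the same secret.

```objective-c
// Added example: ECDH on P-256 via a bundled OpenSSL (assumed 1.1.0+); Example* names are hypothetical.
#import <Foundation/Foundation.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include <openssl/obj_mac.h>

// Generate a P-256 key pair. The caller releases it with EVP_PKEY_free().
static EVP_PKEY *ExampleGenerateP256Key(void) {
    EVP_PKEY *key = NULL;
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
    if (ctx == NULL) return NULL;
    if (EVP_PKEY_keygen_init(ctx) <= 0 ||
        EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, NID_X9_62_prime256v1) <= 0 ||
        EVP_PKEY_keygen(ctx, &key) <= 0) {
        EVP_PKEY_free(key);   // safe when key is NULL
        key = NULL;
    }
    EVP_PKEY_CTX_free(ctx);
    return key;
}

// Raw ECDH: combine our private key with the peer's public key.
static NSData *ExampleDeriveSharedSecret(EVP_PKEY *mine, EVP_PKEY *peer) {
    if (mine == NULL || peer == NULL) return nil;
    NSMutableData *secret = nil;
    size_t len = 0;
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(mine, NULL);
    if (ctx == NULL) return nil;
    if (EVP_PKEY_derive_init(ctx) > 0 &&
        EVP_PKEY_derive_set_peer(ctx, peer) > 0 &&
        EVP_PKEY_derive(ctx, NULL, &len) > 0) {   // first call only reports the length
        secret = [NSMutableData dataWithLength:len];
        if (EVP_PKEY_derive(ctx, secret.mutableBytes, &len) <= 0) secret = nil;
        else secret.length = len;
    }
    EVP_PKEY_CTX_free(ctx);
    return secret;
}

int main(void) {
    @autoreleasepool {
        EVP_PKEY *alice = ExampleGenerateP256Key();
        EVP_PKEY *bob = ExampleGenerateP256Key();
        NSData *a = ExampleDeriveSharedSecret(alice, bob);
        NSData *b = ExampleDeriveSharedSecret(bob, alice);
        BOOL ok = (a != nil) && [a isEqualToData:b];
        NSLog(@"secrets match: %@ (%lu bytes)", ok ? @"YES" : @"NO", (unsigned long)a.length);
        EVP_PKEY_free(alice); EVP_PKEY_free(bob);
        return ok ? 0 : 1;
    }
}
```

The derived bytes are a raw shared secret; run them through a key derivation function before using them as a cipher key, and authenticate the peer's public key so the exchange cannot be intercepted.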



Answer 4:

In my experience, you can use the NaCl library. This library has a curve25519 elliptic curve implementation. This is the state of the art and the fastest library.

You can also use Crypto++.



Answer 5:

This isn't the answer you were asking for. But, my paranoia compels me to suggest that you take the time to really understand the nuts and bolts of your ECC implementation. Consider this publication on the NSA back door.

If you take nothing more than this from the article, note that: "RSA Security publicly renounced Dual_EC_DRBG".

I reviewed the list of vendors that had validated various DRBG algorithms. It appears as though Apple directly validated CTR_DRBG for most platforms and OSs. In the clear, right? Not necessarily. If you look closer, there appear to be vendors that had validated Dual EC DRBG whose technology may have been built into Apple products. How and where it's used? I wasn't able to determine this.

For example: scroll down to validation number 309. I'm not sure if I'm reading correctly. But my take is Cummings is (or intended to be) the OEM vendor for Apple mobile devices distributed with an ARM A8 core and iOS 5.0. They validated their cryptographic communications module which included dual EC DRBG. When is it used? All I know is it says it is both "enabled and not enabled". When?! No idea. Note that there are several other flavors of DRBG that are both "enabled and not enabled". This can only decrease the probability of use.

It seems the bottom line is:

  • dual EC DRBG may be used in the cryptographic functions that use SHA on the qualifying platforms in an unknown number of scenarios.

  • we'll have to wait for the resolution of the investigation to be sure it's the back door that the authorities suspect.

Have a nice day. :)

P.S. I couldn't help but be concerned with OpenSSL. I found this post that sheds some light on the unknowns regarding how to clarify whether OpenSSL is using the blacklisted random number generator.