A Comprehensive Guide to Using CryptoKit on Different Platforms

CryptoKit is a cryptography framework for Apple’s platforms written in Swift.
It supports a good set of cryptography algorithms you’d expect to find in any other library.
It supports the most basic operations like hashing, encryption, and even key derivation and sharing.
It provides easy and convenient interfaces for cryptographic operations in a safe and high-level manner.
CryptoKit allows you to:
Compute and compare hashes.
Work with public-key cryptography to create and verify digital signatures and perform key exchange.
Work with symmetric cryptography to do message authentication and encryption.
What you need
CryptoKit is available on the following platforms:
iOS 13.0+
macOS 10.15+
Mac Catalyst 13.0+
tvOS 13.0+
watchOS 6.0+
Linux (as Swift Crypto)
Common Cryptographic Operations with CryptoKit

Hashing
Hash functions generate a fixed-size digest that will stay the same as long as the input data is exactly the same.
For example, this could be very useful to verify that a shared piece of data is the same.
To perform hashing, CryptoKit provides the HashFunction protocol, along with three implementations of it.
At the time of this writing, said implementations are the following structs:
SHA256
SHA384
SHA512
Generating a hash for a file
Generating hashes for files is as easy as loading the file, selecting an algorithm, and hashing it.
Generating a hash for text or other data
To generate a hash for text or other data, just do the same thing as with generating file hashes, except directly with the data or by encoding the string as data.
Symmetric Encryption
Symmetric Encryption allows you to achieve both authenticity and confidentiality by converting the input data into cipher text that can only be read with the original, randomly generated key that is shared between users.
CryptoKit supports both the AES-GCM and ChaChaPoly algorithms, although ChaChaPoly is preferred as it is typically faster on mobile devices.
The return type of the seal method is an AES.GCM.SealedBox object which contains information about the box. A few important properties:
A ciphertext, which is the encrypted data with the same size as the input data.
A tag, which ensures the content cannot be tampered with in a way you would not notice.
A nonce, which is a random number used only once per key so that encrypting the same data twice produces different output.
If you need to share the data with somebody else, you can use the combined property which combines all the previous properties into one. Then they can decrypt this data using the same key.
Creating and Validating Digital Signatures
Digital signatures are used to validate the authenticity and integrity of a message or piece of data.
After signing the data with a private key, others can verify the signature using your public key.
CryptoKit comes with four different elliptic curve types, which are used to create and verify cryptographic signatures:
Curve25519
P521
P384
P256
First, generate a random secure public and private key-pair, and publish the public key.
Then, sign a piece of data with the private key, such as a string.
Finally, anyone can check that the signature is indeed authentic and from you using the public key:
If anyone tries to publish a fake signature, it will be rejected when someone tries to validate it.
Performing Key Agreement
Key agreement allows multiple users to determine a shared encryption key that can be used to sign or encrypt data that they want to exchange.
First, create a unique salt that you will use when deriving keys. Here, we are using an if let block to keep the salt's encoded data from being optional, but you can also use a guard let block instead.
Then, both users A and B generate a public and private key-pair, and publish the public key while keeping the private key secret. You can use any of the elliptic curve types from the digital signatures section, such as P521.
User A derives a shared secret with both their private key and User B's public key.
let sharedSecretA = try? privateKeyA.sharedSecretFromKeyAgreement(with: publicKeyB)
let symmetricKeyA = sharedSecretA?.hkdfDerivedSymmetricKey(using: SHA256.self, salt: salt, sharedInfo: Data(), outputByteCount: 32)
Then, User B performs the same operation using their private key and User A's public key.
let sharedSecretB = try? privateKeyB.sharedSecretFromKeyAgreement(with: publicKeyA)
let symmetricKeyB = sharedSecretB?.hkdfDerivedSymmetricKey(using: SHA256.self, salt: salt, sharedInfo: Data(), outputByteCount: 32)
You can check that both of the generated keys in this example are equal like this:
Both User A and User B now have a copy of the same key that they can each use to authenticate or encrypt messages to and from each other.
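The key agreement steps above carried through end to end, followed by the ChaChaPoly sealing described under Symmetric Encryption. This is an added example, not the article's original code; the salt string, the message text and the deriveKey helper are constructed for illustration.

```swift
import CryptoKit  // On Linux, import Crypto (Swift Crypto) instead.
import Foundation

// Constructed sample salt; both users must use the same value.
let salt = Data("example-salt".utf8)

// Each user generates a key pair and publishes only the public key.
let privateKeyA = P521.KeyAgreement.PrivateKey()
let privateKeyB = P521.KeyAgreement.PrivateKey()
let publicKeyA = privateKeyA.publicKey
let publicKeyB = privateKeyB.publicKey

// Hypothetical helper: ECDH shared secret, then HKDF-SHA256 to a 32-byte key.
func deriveKey(mine: P521.KeyAgreement.PrivateKey,
               theirs: P521.KeyAgreement.PublicKey) throws -> SymmetricKey {
    let secret = try mine.sharedSecretFromKeyAgreement(with: theirs)
    return secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: salt,
                                          sharedInfo: Data(), outputByteCount: 32)
}

do {
    let symmetricKeyA = try deriveKey(mine: privateKeyA, theirs: publicKeyB)
    let symmetricKeyB = try deriveKey(mine: privateKeyB, theirs: publicKeyA)
    print("keys match:", symmetricKeyA == symmetricKeyB)

    // User A seals a constructed message; `combined` is nonce + ciphertext + tag.
    let message = Data("constructed sample message".utf8)
    let wire = try ChaChaPoly.seal(message, using: symmetricKeyA).combined

    // User B rebuilds the sealed box and opens it with their derived key.
    let box = try ChaChaPoly.SealedBox(combined: wire)
    let opened = try ChaChaPoly.open(box, using: symmetricKeyB)
    print("round trip ok:", opened == message)

    // Flip one bit of the tag: open() must throw rather than return data.
    var tampered = wire
    tampered[tampered.endIndex - 1] ^= 0x01
    let badBox = try ChaChaPoly.SealedBox(combined: tampered)
    let result = try? ChaChaPoly.open(badBox, using: symmetricKeyB)
    print("tampered message rejected:", result == nil)
} catch {
    print("CryptoKit error:", error)
}
```

Using try rather than try? inside the do block surfaces a failed key agreement or authentication failure as an error instead of silently producing nil.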



