How to use CCKeyDerivationPBKDF on iOS4 #22

rlalwani opened this Issue Apr 1, 2012 · 8 comments



rlalwani commented Apr 1, 2012

Which piece do you need? Just CCKeyDerivationPBKDF? Have you tried just using CommonKeyDerivation.c? If it causes much trouble, open an issue on RNCryptor with what you're trying to achieve on iOS4 and I'll see what I can do.

Rob, since CCKeyDerivationPBKDF is not available until after iOS 5.0, people have suggested using the open source code for CommonCrypto available here:

I think we cannot simply compile CommonKeyDerivation.c because it requires a few other functions. Can you help with what and how to compile appropriate files in an Xcode project which also needs to work with iOS4 devices? I can also pay a reasonable consulting fee for help with this - just let me know.


rnapier commented Apr 2, 2012

Just to check: did your adding the extra files resolve this sufficiently?

rlalwani commented Apr 2, 2012

Rob, yes.

I had to include CommonKeyDerivation.c, CommonKeyDerivation.h, CommonKeyDerivationPriv.h in my Xcode project, but that was enough – because it seems other supporting/underlying functions needed by CCKeyDerivationPBKDF are already included in iOS4 CommonCrypto.

So, now CCKeyDerivationPBKDF is available on iOS4 devices.

It seems only about 45% or so of users have upgraded to iOS5 - so restricting the app to iOS5 would be too restricting.
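
An added example, not code from this thread or from RNCryptor: PBKDF2 as defined in RFC 2898 needs nothing beyond an HMAC primitive, which fits the observation above that the key-derivation source files alone were enough on iOS4. The Python code below builds PBKDF2-HMAC-SHA1 from HMAC only and compares it with `hashlib.pbkdf2_hmac`; the function names and the sample inputs are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, rounds: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) built from HMAC-SHA1 alone."""
    if rounds < 1 or dk_len < 1:
        raise ValueError("rounds and dk_len must be positive")
    h_len = hashlib.sha1().digest_size  # 20 bytes for SHA-1
    if dk_len > (2**32 - 1) * h_len:
        raise ValueError("derived key too long")
    # Key the HMAC once; copy() reuses the keyed state for every PRF call.
    keyed = hmac.new(password, digestmod=hashlib.sha1)

    def prf(data: bytes) -> bytes:
        mac = keyed.copy()
        mac.update(data)
        return mac.digest()

    blocks = []
    block_count = -(-dk_len // h_len)  # ceiling division
    for index in range(1, block_count + 1):
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 ^ ... ^ U_c
        u = prf(salt + struct.pack(">I", index))
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        blocks.append(t.to_bytes(h_len, "big"))
    # The last block is truncated when dk_len is not a multiple of h_len.
    return b"".join(blocks)[:dk_len]


def matches_reference(password: bytes, salt: bytes, rounds: int, dk_len: int) -> bool:
    """Compare the HMAC-only construction with the library implementation."""
    ours = pbkdf2_hmac_sha1(password, salt, rounds, dk_len)
    reference = hashlib.pbkdf2_hmac("sha1", password, salt, rounds, dk_len)
    return hmac.compare_digest(ours, reference)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the thread): a 32-byte key
    # spans two SHA-1 blocks, so the truncation path is exercised.
    print(pbkdf2_hmac_sha1(b"constructed passphrase", b"\x00" * 8, 1000, 32).hex())
    print(matches_reference(b"constructed passphrase", b"\x00" * 8, 1000, 32))
```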


rnapier commented Apr 2, 2012

I've never seen a number that low in 2012. That's about the number of people who switched by November or December of last year. Many important apps have gone iOS5-only. It's fine that you've chosen to support iOS4, but it's nowhere near 45% in general. Your specific market may be different, but the general market has upgraded.

rlalwani commented Apr 2, 2012

Rob, what numbers do you see or hear now? Can you point to any sources?


rnapier commented Apr 2, 2012

Your 45% number is about equal to the 40% number reported last Nov:

Instapaper went iOS5-only in March to little customer push-back.

Pxldot claims 75% iOS 5.

David Smith claims ~80% in March.

These aren't scientific; Apple won't give us the best numbers. But there's no way the answer is 45% for 5+ in April, 2012.

rlalwani commented Apr 2, 2012

Thanks Rob. If the iOS 5 numbers are in the 75-80% range, that's really awesome.

Other than the PBKDF functions, the only other iOS 5 function used is CCCryptorCreateWithMode(). Replacing this with the older CCCryptorCreate() in the readStream:stream:maxLength method would allow this to be used in iOS4.


rnapier commented Apr 10, 2012

The move to CCCryptorCreate() also forces it back to AES-CBC, which is less secure than AES-CTR (this is why CCCryptorCreateWithMode is used). The padding oracle attack isn't a huge issue in most of the uses that RNCryptor is likely to encounter, but I had hoped to move the bar forward. My solution will likely be to provide a different cryptor (which is why I built the system to allow multiple cryptor configurations).

rnapier closed this Dec 26, 2013
