[aerogear-dev] Encrypted Data and IVs

Bruno Oliveira bruno at abstractj.org
Wed Nov 6 16:45:30 EST 2013 

Sure, feel free to file jiras, into this way we don’t miss it to the further releases.

-- 
abstractj

On November 6, 2013 at 7:45:30 PM, Corinne Krych (corinnekrych at gmail.com) wrote:
>
>
>On Nov 6, 2013, at 10:23 PM, Bruno Oliveira wrote:
>
>>
>>
>> Corinne Krych wrote:
>>> I see 2 options:
>>> - the one you suggested, you encrypt all data with the same iv, salt + passphrase. The app stores globally iv+salt
>> That's the goal
>>> - or you encrypt each password (in the case of our demo app) with different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you need first to read the header, exact salt+iv.
>>>
>>> Second option is less efficient, but more secure because there is more randomness.
>> I must say that I will disappoint you for 2 reasons:
>>
>You're not disappointing me. I like to explore solutions in details.
>
>> 1. You are not adding any extra level of security here, once the IV,
>> salt is still predictable and stored on the local storage. You are just
>> delaying the attacker, for some hours and trying to solve the absence of
>> the server here, but if you guys think that this will add some security,
>> that's ok.
>>
>> 2. For this release we still don't have an API to query encrypted data.
>
>Definitively not for this release.
>
>> So unless someone has already implemented it I can't see how to do it,
>> targeting our release date.
>>> The granularity could be the responsibility of the app developer who can decide when to change the IV+salt.
>> Let people choose with previous skills about encryption never work.
>> That's the reason why we are trying to make it simple here.
>>> See some similar idea with code here:
>>> https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#L115
>> As far as I know RNCryptor is just a wrapper, so I doubt they are
>> storing bazillion records + IV, salts. If some app does it locally, it's
>> just the false sense of security in my opinion.
>>
>> --
>> abstractj
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>_______________________________________________
>aerogear-dev mailing list
>aerogear-dev at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/aerogear-dev
>

More information about the aerogear-dev mailing list