[aerogear-dev] AeroGear Crypto API - Draft 0. Your brain is required

Bruno Oliveira bruno at abstractj.org
Mon Oct 7 15:02:55 EDT 2013


Good morning all. Just to start the discussion about the APIs and
encrypted storage, I wrote this gist. Probably after some revisions I
hope to make it a specification.

Regarding the available scenarios, feel free to add or change the priority.


Gist: https://gist.github.com/abstractj/f1229ae075f8e6688c75

# AeroGear Crypto API

**Note**: This document is a work in progress

# Authors

- Bruno Oliveira
- *put your pretty name here*

## Goals

- User-friendly interface for non-crypto experts
- Advanced developers can make use of the pure crypto provider
implementation.

## Supported Algorithms

- https://issues.jboss.org/browse/AGSEC-114


## Scenarios

**Note**: For all scenarios the authentication process was intentionally
ignored.

- A logged in user wants to store sensitive data on mobile

![](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgRGF0YSBlbmNyeXB0aW9uCgpDbGllbnQtPlNlcnZlcjogUmVxdWVzdAAZCyBrZXlzCgAaBgAeCkdlbmVyYXRlIHRoZQAdBSBhbmQgc3RvcmUAIwkAVgY6IFNlbmQAIAggYmFjayB0bwAzBWMAeAUAewkAKAhFAIEaBgBWBWRhdGEK&s=napkin)

- The mobile device goes offline but the sensitive data must be safe

[Under development]

- Device was stolen and data must be destroyed 

[Under development]

- The data must be backed up on the server, but passwords can't be exposed

[Under development]

- The application was installed into another device and the keys must be
revoked on the server

[Under development]

- User wants to configure for how long the keys will be considered valid


## JavaScript

### Dependencies

- [sjcl](http://crypto.stanford.edu/sjcl/) with wrappers for basic
functionalities like: encrypt, decrypt, password salting and key pair
generation.


### Implementation details

- The size of sjcl library is still a concern (28K)
   
- Crypto bits were built in a separate module so it may be
included/excluded in a custom build.

- The project will be developed under AeroGear.js repository
(https://github.com/aerogear/aerogear-js/pull/57)

### API (draft 0)

- Password based key derivation support (PBKDF2)

        myEncryptedPassword = AeroGear.password("strong");

- Symmetric encryption support (GCM)

    - Encryption:

            var options = {
                IV: superRandomInitializationVector,
                AAD: "whateverAuthenticatedData",
                key: generatedKey,
                data: "My bonnie lies over the ocean"
            };
           
            var cipherText = AeroGear.encrypt( options );

    - Decryption:

            var options = {
                IV: superRandomInitializationVector,
                AAD: "whateverAuthenticatedData",
                key: generatedKey,
                data: cipherText
            };
            AeroGear.decrypt( options );
           

- Message authentication support (GMAC, HMAC)

[Under development]


**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-js/pull/62

- Hashing support (SHA-256, SHA-512)

        digest = AeroGear.crypto.hash("some message");
 
- Asymmetric encryption support (ECC)

        var hex = sjcl.codec.hex,
            keyPair = new AeroGear.crypto.KeyPair(),
            cipherText, plainText,
            options = {
                IV: superRandomInitializationVector,
                AAD: "whateverAuthenticatedData",
                key: keyPair.publicKey,
                data: "My bonnie lies over the ocean"
            };
        cipherText = AeroGear.crypto.encrypt( options );
        options.key = keyPair.privateKey;
        options.data = cipherText;
        plainText = AeroGear.crypto.decrypt( options );

- Digital signatures support (ECDSA)

        var validation,
            options = {
                keys: sjcl.ecc.ecdsa.generateKeys(192),
                message: "My bonnie lies over the ocean"
            };
        options.signature = AeroGear.crypto.sign( options );
        validation = AeroGear.crypto.verify( options );

## Android

### Dependencies

- [Spongy Castle](http://rtyley.github.io/spongycastle/) with wrappers
for basic functionalities like: encrypt, decrypt, password salting and
key pair generation.


### Implementation details

- The Bouncy Castle "provided" in Android doesn't have ECDH; that's the
reason why Spongy Castle was chosen.
   
- aerogear-crypto-java will be the main repository to provide a crypto
API for Android and the Java server.


### API (draft 0)

**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-crypto-java/tree/refactoring

- Password based key derivation support (PBKDF2)

        Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
        byte[] rawPassword = pbkdf2.encrypt(PASSWORD);

- Symmetric encryption support (GCM)

    - Encryption:

            CryptoBox cryptoBox = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
            final byte[] IV = new Random().randomBytes();
            final byte[] message = "My bonnie lies over the ocean".getBytes();
            final byte[] ciphertext = cryptoBox.encrypt(IV, message);

    - Decryption:

            CryptoBox pandora = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
            final byte[] message = pandora.decrypt(IV, ciphertext);
           

- Message authentication support (GMAC, HMAC)

[Under development]

- Hashing support (SHA-256, SHA-512)

[Under development]
 
- Asymmetric encryption support (ECC)

        KeyPair keyPair = new KeyPair();
        KeyPair keyPairPandora = new KeyPair();

        CryptoBox cryptoBox = new CryptoBox(keyPair.getPrivateKey(), keyPairPandora.getPublicKey());
        final byte[] IV = new Random().randomBytes();
        final byte[] message = "My bonnie lies over the ocean".getBytes();
        final byte[] ciphertext = cryptoBox.encrypt(IV, message);

        CryptoBox pandora = new CryptoBox(keyPairPandora.getPrivateKey(), keyPair.getPublicKey());
        final byte[] decrypted = pandora.decrypt(IV, ciphertext);

- Digital signatures support (ECDSA)

[Under development]


## iOS

### Dependencies

[TBD] - http://oksoclap.com/p/iOS_Meeting_(Security)

- [Common
Crypto](https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)


### Implementation details

[TBD]


### API (draft 0)

- Password based key derivation support (PBKDF2)

[Under development]

- Symmetric encryption support (GCM)

[Under development]

- Message authentication support (GMAC, HMAC)

[Under development]

- Hashing support (SHA-256, SHA-512)

[Under development]
 
- Asymmetric encryption support (ECC)

[Under development]

- Digital signatures support (ECDSA)

[Under development]


-- 
abstractj

