[aerogear-dev] iOS Crypto findings

Matthias Wessendorf matzew at apache.org
Fri Oct 11 05:33:05 EDT 2013 

@licenses:
* PolarSSL is dual-licensed (GPL + commercial) --> nope
* the Crypto++ is licensed via Boost ( a C++ library license)

I am not sure if for JBoss the license is OK, but.... the ASF is OK with
using that license..... (see [1] and [2]).
[1] http://www.apache.org/legal/resolved.html
[2] https://issues.apache.org/jira/browse/LEGAL-101

regardless the _technical_ issue is: C++ based... so the integration is odd;

-Matthias



On Fri, Oct 11, 2013 at 11:24 AM, Corinne Krych <corinnekrych at gmail.com>wrote:

> Hi All,
>
> Discussing with iOS team with all possible options taking into account OS
> licenses and encryption algorithms coverage, we'd like to move forward
> investigating openSSL srtarting with this interesting entry point:
> > https://github.com/x2on/OpenSSL-for-iPhone
>
>
> We'll tell you more soon.
> ++
> Corinne.
>
> On Oct 10, 2013, at 9:36 PM, Corinne Krych <corinnekrych at gmail.com> wrote:
>
> > According to
> >
> https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-L669
> > CBC is supported.
> >
> > Maybe it's worth investigating OpenSSL vs PolarSSL iOS support.
> > Interesting work dto dig further
> > https://github.com/x2on/OpenSSL-for-iPhone
> >
> http://x2on.de/2010/12/16/tutorial-script-for-building-openssl-for-ios-iphoneipad/
> > or
> > https://github.com/x2on/PolarSSL-for-iOS
> >
> > ++
> > Corinne
> >
> > On Oct 10, 2013, at 8:39 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> >> Aloha, looks like Apple wants to hide all the good crypto! Have you got
> >> the chance to look at this? https://github.com/rnapier/RNCryptor I also
> >> see some developers using OpenSSL as an alternative. My suggestion:
> >>
> >> a) If you think this item is tricky to implement atm consider AES with
> >> CBC or AES with CCM (We can support it on the server if necessary). I
> >> was trying to find which modes is currently supported but looks like the
> >> documentation is super safe, because I can't find it
> >>
> >> b) It can be done with OpenSSL in the worst case scenario (not saying is
> >> a piece of cake to do, just possible). Let's start simple first.
> >>
> >> Regarding http://www.cryptopp.com/ looks like they have all that we
> >> need, maybe worth to take a look at this. What do you think? Off the top
> >> of my head I only can see 3 alternatives:
> >>
> >> 1- Implement encryption with what CommonCrypto provides
> >> 2- Try cryptopp or another alternative
> >> 3- Implement it with OpenSSL. For example SilentCircle make use of
> >> PolarSSL
> >> https://github.com/SilentCircle/silent-phone-base/tree/master/libs. I'm
> >> not saying to do the same, just an example.
> >>
> >>> Christos Vasilakis <mailto:cvasilak at gmail.com>
> >>> October 10, 2013 2:29 PM
> >>> Hi team,
> >>>
> >>> I am digging on the CommonCrypto API and I found some issues.
> >>> Specifically:
> >>>
> >>> a)  GCM mode for AES symmetric encryption is part of a private API.
> >>> See [1] the public interface of the current definitions of supported
> >>> modes of operation. 'kCCModeGCM' is missing _although_ digging on the
> >>> source code of the apple's web site it is defined in [2]  'private'
> >>> (The file is included from a private interface here [3]).  Also here
> >>> is the implementation of the GCM mode in [4] and test cases that
> >>> exercise it [5]. Not sure why Apple left it out in public. On my
> >>> search, one area in which they use this mode is on the KeyChain from
> >>> iOS 5 onwards, see 'KeyChain' section here [6]
> >>>
> >>> b) Generation of asymmetric  ECC keys and encryption is supported by
> >>> CommonCrypto but _again_ under a private interface, see [7] and [8].
> >>> ECC is used in the protection class
> >>> 'NSFileProtectionCompleteUnlessOpen' according to the iOS Security doc
> >>> here [9]. In the meeting there was a plan B for it, RSA with Diffie
> >>> Hellman. I am looking at it, but to my current knowledge is supported
> >>> if you trust the apple docs here [10]
> >>>
> >>> My worry is how can we proceed with the first issue.
> >>>
> >>> As a side note, during my search I discovered Crypto++ [11] , which
> >>> seems to offer many of the features we are trying to support. Con is a
> >>> C++ interface although an iOS distribution of it exists (see [12]),
> >>> and there is an iOS wiki page in the library home page [13].  Needs
> >>> more research.
> >>>
> >>> Thanks,
> >>> Christos
> >>>
> >>>
> >>> [1]
> https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-L667
> >>> [2]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/CommonCryptoSPI/CommonCryptorSPI.h#L70
> >>> [3]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/CommonCryptoSPI/CommonCryptoPriv.h
> >>> [4]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/CommonGCMCryptor.c
> >>> [5]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/CCRegression/CommonCrypto/CommonCryptoSymGCM.c
> >>> [6] http://esec-lab.sogeti.com/post/iOS-5-data-protection-updates
> >>> [7]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/CommonCryptoSPI/CommonECCryptor.h
> >>> [8]
> https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/CommonECCryptor.c
> >>> [9] http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf
> >>> [10]
> https://developer.apple.com/library/ios/documentation/security/conceptual/cryptoservices/CryptographyConcepts/CryptographyConcepts.html#//apple_ref/doc/uid/TP40011172-CH8-CHDCCDIA
> >>> [11] http://www.cryptopp.com <http://www.cryptopp.com/>
> >>> [12] https://github.com/noloader/cryptopp-5.6.2-ios
> >>> [13] http://www.cryptopp.com/wiki/IOS_(Xcode)
> >>> <http://www.cryptopp.com/wiki/IOS_%28Xcode%29>
> >>> _______________________________________________
> >>> aerogear-dev mailing list
> >>> aerogear-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >>
> >> --
> >> abstractj
> >>
> >>
> >> _______________________________________________
> >> aerogear-dev mailing list
> >> aerogear-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20131011/d9d0e685/attachment.html

More information about the aerogear-dev mailing list