[aerogear-dev] iOS Crypto questions

Corinne Krych corinnekrych at gmail.com
Fri Oct 18 17:52:11 EDT 2013


Doug,

Thanks for your reply.
I think one of the goals of AeroGear is to provide a unified API across different platforms, even if it brings some challenges…
I'm convinced we can come up with a similar API for encryption.

++
Corinne
On Oct 18, 2013, at 10:23 PM, Douglas Campos <qmx at qmx.me> wrote:

> On Fri, Oct 18, 2013 at 04:56:24PM +0200, Corinne Krych wrote:
>> Hello All
>> 
>> I've just updated the crypto iOS API documentation
>> https://github.com/corinnekrych/aerogear.org/blob/77ab01e16bd385c7d8a507dfb4b0a6838c4d6c13/docs/specs/aerogear-crypto.md#api-draft-0-2
>> 
>> I would like to discuss with you the actual symmetric encryption method in the API. Atm, we have:
>> => Java:
>> cryptoBox.encrypt(IV, message);
>> => objective-C
>> NSData* encryptedData = [cryptoBox encrypt:dataToEncrypt IV:encryptionSalt];
> 
> Sorry for breaking the flow, but it's really really important to
> distinguish an IV from a salt - they're different things for different
> purposes.
> 
>> => JavaScript
>> AeroGear.encrypt( options );
>> 
>> I think JavaScript grouping everything (key, IV, data to encrypt) in
>> options is not the best approach but I like the encrypt method with
>> only one argument. I'd rather have options containing key/IV information
>> and have a separate method encrypt that takes the message to encrypt. 
> 
> This is a place where we respect each language's idiomatism - JS is this
> way, and I don't think it's a good idea to aim for a one-size-fits-all
> in this case.
> 
>> 
>> Something like:
>> 
>> => Java:
>> CryptoBox cryptoBox = new CryptoBox(new PrivateKey(SOME_SECRET_KEY), IV);
> 
> Like I replied to Christos, the IV has to be unique and non-predictable,
> so this isn't an option.
> 
> I'm almost 100% sure I'll turn this into factory calls too, stay tuned.
> 
>> cryptoBox.encrypt(message);
> 
> It's really common to set up a session based on a key, then just go
> encrypting stuff with it. So reusing the `CryptoBox` instance is
> something that is probably a good idea.
> 
>> => objective-C
>> cryptoBox = [[AGCryptoBox alloc] initWithKey:key salt:encryptionSalt initializationVector:vector];
>> NSData* encryptedData = [cryptoBox encrypt:dataToEncrypt];
> 
> ...
> 
>> => JavaScript
>> var options = {
>>    IV: superRandomInitializationVector,
>>    AAD: "whateverAuthenticatedData",
>>    key: generatedKey
>> };
>> AeroGear.setOptions(options);
>> AeroGear.encrypt(message);
> 
> That would be a global setting - just think what happens if you create a
> secure chat app and each user uses a different key... this fails.
> 
> -- 
> qmx
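
The points raised in this thread (a salt feeds key derivation, the IV is fresh for every message, and a box is bound to one key and reused rather than configured globally), as an added Node.js example that is not AeroGear code or code from either poster. The `CryptoBox` shape, `deriveKey`, the choice of AES-256-GCM and the PBKDF2 parameters are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Salt: input to key derivation only. Not secret, stored with the data,
// generated once per derived key. It is never handed to the cipher.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, 100000, 32, 'sha256'); // assumed parameters
}

// Hypothetical box: bound to one key at construction, no global options.
class CryptoBox {
  constructor(key) {
    if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('key must be 32 bytes');
    this.key = key;
  }

  // IV: generated inside encrypt(), fresh and random for every message,
  // returned alongside the ciphertext so the receiver can decrypt.
  encrypt(plaintext, aad = Buffer.alloc(0)) {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    cipher.setAAD(aad);
    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    return { iv, ciphertext, tag: cipher.getAuthTag() };
  }

  // final() throws if the key, AAD, tag or ciphertext does not match.
  decrypt({ iv, ciphertext, tag }, aad = Buffer.alloc(0)) {
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.key, iv);
    decipher.setAAD(aad);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  }
}

// Constructed demo: two chat users, each with their own key and box.
function demo() {
  const aliceBox = new CryptoBox(deriveKey('alice passphrase', crypto.randomBytes(16)));
  const bobBox = new CryptoBox(deriveKey('bob passphrase', crypto.randomBytes(16)));
  const msg = Buffer.from('hello');
  const first = aliceBox.encrypt(msg);
  const second = aliceBox.encrypt(msg); // same box, same message, new IV
  let bobCanRead = true;
  try { bobBox.decrypt(first); } catch (e) { bobCanRead = false; }
  return {
    roundTrip: aliceBox.decrypt(first).toString(),
    ivReused: first.iv.equals(second.iv),
    sameCiphertext: first.ciphertext.equals(second.ciphertext),
    bobCanRead,
  };
}
```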



