[aerogear-dev] Security.next - Encrypt all the things and your feedback

Matthias Wessendorf matzew at apache.org
Wed Sep 18 14:33:07 EDT 2013


On Wed, Sep 18, 2013 at 8:23 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Maybe it is my misinterpretation, but answers inline.
>
> Matthias Wessendorf wrote:
> > One thing:
> > https://issues.jboss.org/browse/AGSEC-89
> > is not really something _on_ iOS; on the UnifiedPush Server the
> > passphrase for the certificate is stored in plain text, which should be improved
> > by hashing and salting.
> I think they are considered completely different beasts. Once you have to
> implement it on iOS and the server, right? "Encryption for iOS
> passphrase" is too generic and can be anything.
>


No, it has nothing to do with an iOS device at all. It's really for the
UnifiedPush Server only.
For iOS notifications you need a certificate and a passphrase:
https://github.com/aerogear/aerogear-unifiedpush-server#ios-variant

The passphrase is stored in plain text on the server; I filed this ticket
for adding hashing/salting:
https://issues.jboss.org/browse/AGPUSH-210

Since this is a 'security' related item, I created AGSEC-89 for the real
work and am keeping the AGPUSH item as a reference only.

-Matthias



> >
> > So, not sure if we want to remove that AGSEC-89 ticket
> Basically the ticket wasn't missed and will be solved by:
>
> * AGSEC-XX: Provide easy to use cryptography interface
>
>     *Description*: We must build a foundation for encrypted storage
> before we start hacking on it. Having clearly defined goals in a single
> place might help to put things in perspective.
>
>     Ex: **Android**-crypto, **iOS**-crypto & **JS**-crypto libraries
>
>     * AGSEC-XX: Symmetric encryption support:
> [GCM](http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
> -> Link to  ** AGIOS - Implement my supercool encryption (just an example)
>     * AGSEC-XX: Asymmetric encryption support:
> [ECC](http://www.nsa.gov/business/programs/elliptic_curve.shtml)
>     * AGSEC-XX: Password based key derivation:
> [PBKDF2](
> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
>     * AGSEC-XX: Hashing support: SHA-256, SHA-512
>     * AGSEC-XX: Message authentication support: GMAC, HMAC *See: AGSEC-57*
>     * AGSEC-XX: Digital signatures support: ECDSA
>
>
> --
> abstractj
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf