[aerogear-dev] Security.next - Encrypt all the things and your feedback

Bruno Oliveira bruno at abstractj.org
Fri Sep 20 04:41:09 EDT 2013 

Roadmap updated:
http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/ and
Jiras
https://issues.jboss.org/issues/?jql=project%20%3D%20AGSEC%20AND%20fixVersion%20%3D%20%221.3.0%22%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC

> Daniel Bevenius <mailto:daniel.bevenius at gmail.com>
> September 19, 2013 3:44 AM
> This sounds great! Looking forward to removing the custom
> encryption/decryption from SimplePush :)
>
>
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> Bruno Oliveira <mailto:bruno at abstractj.org>
> September 18, 2013 4:55 PM
> We can always revisit, change, move, delete...that's is just part of the
> game.
>
> Thanks for your feedback.
>
> Matthias Wessendorf <mailto:matzew at apache.org>
> September 18, 2013 4:48 PM
>
>
>
> On Wed, Sep 18, 2013 at 9:40 PM, Bruno Oliveira <bruno at abstractj.org
> <mailto:bruno at abstractj.org>> wrote:
>
>     I guess that what do you want is PBKDF2 aka password key derivation or
>     maybe hashing, right? 
>
>
> yep, exactly
>  
>
>     That's exactly what we are trying to achieve with
>     "AGSEC-XX: Provide easy to use cryptography interface"
>
>
> OK
>  
>
>
>     I can't see any reasons to keep that jira on AGSEC, but it seems
>     just a
>
>
> Ok, at some point you said all 'sec related issues' should go to
> AGSEC, otherwise hard for you to track.
> I am fine in not having it in AGSEC, if you prefer the issue to be on
> AGPUSH instead.
>
>  
>
>     duplicated jira or specifics to AGPUSH. At the end of the day, AGSEC
>     will solve UnifiedPush, SimplePush and other issues on AeroGear, I
>     hope.
>     Please read carefully the proposal and let me know.
>
>     Matthias Wessendorf wrote:
>     > No it has nothing to do with an iOS device at all. It's really
>     for the
>     > UnifiedPush Server only.
>     > For iOS notification you need a certificate and a passphrase:
>     > https://github.com/aerogear/aerogear-unifiedpush-server#ios-variant
>     >
>     > The passphrase is stored in plain text on the server, I filed this
>     > ticket for adding hashing/salting.
>     > https://issues.jboss.org/browse/AGPUSH-210
>     >
>     > Since this is a 'security' related item I created the AGSEC-89
>     for the
>     > real work, and keeping the AGPUSH item as reference only.
>
>     --
>     abstractj
>
>
>
>     _______________________________________________
>     aerogear-dev mailing list
>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> -- 
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> Bruno Oliveira <mailto:bruno at abstractj.org>
> September 18, 2013 4:40 PM
> I guess that what do you want is PBKDF2 aka password key derivation or
> maybe hashing, right? That's exactly what we are trying to achieve with
> "AGSEC-XX: Provide easy to use cryptography interface"
>
> I can't see any reasons to keep that jira on AGSEC, but it seems just a
> duplicated jira or specifics to AGPUSH. At the end of the day, AGSEC
> will solve UnifiedPush, SimplePush and other issues on AeroGear, I hope.
> Please read carefully the proposal and let me know.
>
> Matthias Wessendorf <mailto:matzew at apache.org>
> September 18, 2013 3:33 PM
>
>
>
> On Wed, Sep 18, 2013 at 8:23 PM, Bruno Oliveira <bruno at abstractj.org
> <mailto:bruno at abstractj.org>> wrote:
>
>     Maybe is my misinterpretation but answers inline.
>
>     Matthias Wessendorf wrote:
>     > One thing:
>     > https://issues.jboss.org/browse/AGSEC-89
>     > is not really something _on_ iOS; On the UnifiedPush Server the
>     > passphrase for the certifcate is stored plain text, should be
>     improved
>     > by hashing and salting.
>     I think they are consider completely different beasts. Once you
>     have to
>     implement it on iOS and the server right? "Encryption for iOS
>     passphrase" is too generic and can be anything.
>
>
>
> No it has nothing to do with an iOS device at all. It's really for the
> UnifiedPush Server only.
> For iOS notification you need a certificate and a passphrase:
> https://github.com/aerogear/aerogear-unifiedpush-server#ios-variant
>
> The passphrase is stored in plain text on the server, I filed this
> ticket for adding hashing/salting.
> https://issues.jboss.org/browse/AGPUSH-210
>
> Since this is a 'security' related item I created the AGSEC-89 for the
> real work, and keeping the AGPUSH item as reference only.
>
> -Matthias
>
>  
>
>     >
>     > So, not sure if we want to remove that AGSEC-89 ticket
>     Basically the ticket wasn't missed and will be solved by:
>
>     * AGSEC-XX: Provide easy to use cryptography interface
>
>         *Description*: We must build a foundation for encrypted storage,
>     before start hacking on it. Having clearly defined goals in a single
>     place might help to put things in perspective.
>
>         Ex: **Android**-crypto, **iOS**-crypto & **JS**-crypto libraries
>
>         * AGSEC-XX: Symmetric encryption support:
>     [GCM](http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
>     -> Link to  ** AGIOS - Implement my supercool encryption (just an
>     example)
>         * AGSEC-XX: Asymmetric encryption support:
>     [ECC](http://www.nsa.gov/business/programs/elliptic_curve.shtml)
>         * AGSEC-XX: Password based key derivation:
>     [PBKDF2](http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
>         * AGSEC-XX: Hashing support: SHA-256, SHA-512
>         * AGSEC-XX: Message authentication support: GMAC, HMAC *See:
>     AGSEC-57*
>         * AGSEC-XX: Digital signatures support: ECDSA
>
>
>     --
>     abstractj
>
>
>
>     _______________________________________________
>     aerogear-dev mailing list
>     aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
>
> -- 
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

-- 
abstractj


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130920/febaa4e8/attachment.bin

More information about the aerogear-dev mailing list