<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 18, 2013 at 8:23 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Maybe it is my misinterpretation, but answers inline.<br>
<div><br>
Matthias Wessendorf wrote:<br>
> One thing:<br>
> <a href="https://issues.jboss.org/browse/AGSEC-89" target="_blank">https://issues.jboss.org/browse/AGSEC-89</a><br>
> is not really something _on_ iOS; On the UnifiedPush Server the<br>
> passphrase for the certificate is stored in plain text, should be improved<br>
> by hashing and salting.<br>
</div>I think they are considered completely different beasts. Once you have to<br>
implement it on iOS and the server right? "Encryption for iOS<br>
passphrase" is too generic and can be anything.<br></blockquote><div><br></div><div><br></div><div>No it has nothing to do with an iOS device at all. It's really for the UnifiedPush Server only.</div><div>For iOS notification you need a certificate and a passphrase:</div>
<div><a href="https://github.com/aerogear/aerogear-unifiedpush-server#ios-variant" target="_blank">https://github.com/aerogear/aerogear-unifiedpush-server#ios-variant</a><br></div><div><br></div><div>The passphrase is stored in plain text on the server, I filed this ticket for adding hashing/salting.</div>
<div><a href="https://issues.jboss.org/browse/AGPUSH-210" target="_blank">https://issues.jboss.org/browse/AGPUSH-210</a><br></div><div><br></div><div>Since this is a 'security' related item I created<font color="#500050"> the AGSEC-89 for the real work, and keeping the AGPUSH item as reference only.</font></div>
<div><br></div><div>-Matthias</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>><br>
> So, not sure if we want to remove that AGSEC-89 ticket<br>
</div>Basically the ticket wasn't missed and will be solved by:<br>
<div><br>
* AGSEC-XX: Provide easy to use cryptography interface<br>
<br>
*Description*: We must build a foundation for encrypted storage,<br>
before we start hacking on it. Having clearly defined goals in a single<br>
place might help to put things in perspective.<br>
<br>
Ex: **Android**-crypto, **iOS**-crypto & **JS**-crypto libraries<br>
<br>
* AGSEC-XX: Symmetric encryption support:<br>
[GCM](<a href="http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf" target="_blank">http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf</a>)<br>
</div>-> Link to ** AGIOS - Implement my supercool encryption (just an example)<br>
<div><div> * AGSEC-XX: Asymmetric encryption support:<br>
[ECC](<a href="http://www.nsa.gov/business/programs/elliptic_curve.shtml" target="_blank">http://www.nsa.gov/business/programs/elliptic_curve.shtml</a>)<br>
* AGSEC-XX: Password based key derivation:<br>
[PBKDF2](<a href="http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf" target="_blank">http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf</a>)<br>
* AGSEC-XX: Hashing support: SHA-256, SHA-512<br>
* AGSEC-XX: Message authentication support: GMAC, HMAC *See: AGSEC-57*<br>
* AGSEC-XX: Digital signatures support: ECDSA<br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
abstractj<br>
<br>
<br>
</font></span><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>