<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.4">
</HEAD>
<BODY>
On Mon, 2013-10-07 at 16:02 -0300, Bruno Oliveira wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Gist: <A HREF="https://gist.github.com/abstractj/f1229ae075f8e6688c75">https://gist.github.com/abstractj/f1229ae075f8e6688c75</A>
</PRE>
</BLOCKQUOTE>
+1 for having something coming from the server (entropy) in the alternative scenario<BR>
<BR>
Since the Web Crypto API [1] has not stabilized yet and we will probably face browser compatibility issues when using window.crypto.getRandomValues [2], having something coming from the server seems to be the best approach.<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
- Asymmetric encryption support (ECC)

        var hex = sjcl.codec.hex,
            keyPair = new AeroGear.crypto.KeyPair(),
            cipherText, plainText,
            options = {
                IV: superRandomInitializationVector,
                AAD: &quot;whateverAuthenticatedData&quot;,
                key: keyPair.publicKey,
                data: &quot;My bonnie lies over the ocean&quot;
            };
        cipherText = AeroGear.crypto.encrypt( options );
        options.key = keyPair.privateKey;
        options.data = cipherText;
        plainText = AeroGear.crypto.decrypt( options );
</PRE>
</BLOCKQUOTE>
Where will the private key be stored (local storage, other options)? Not sure if local storage should be considered an option since it creates a tightly coupled connection between a specific browser and the data stored. <BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
## Android

### Dependencies

- [Spongy Castle](<A HREF="http://rtyley.github.io/spongycastle/">http://rtyley.github.io/spongycastle/</A>) with wrappers
for basic functionalities like: encrypt, decrypt, password salting and
key pair generation.


### Implementation details

- The bouncycastle &quot;provided&quot; in Android doesn't have ECDH; that's the
reason why Spongy Castle was chosen.
</PRE>
</BLOCKQUOTE>
+1 for Spongy Castle<BR>
<BR>
[1]: <A HREF="http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-RandomSource">http://www.w3.org/TR/2013/WD-WebCryptoAPI-20130625/#dfn-RandomSource</A><BR>
[2]: <A HREF="https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues">https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues</A><BR>
<BR>
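The fallback discussed in this message, as an added example that is not part of the original e-mail or of AeroGear/SJCL: IV bytes come from window.crypto.getRandomValues when the browser has it, otherwise from server-supplied entropy, and the code fails closed instead of falling back to Math.random(). ServerEntropyPool and generateIV are hypothetical names, and the server is assumed to deliver hex-encoded random bytes over TLS.<BR>

```javascript
// Added example. ServerEntropyPool and generateIV are hypothetical names,
// not AeroGear or SJCL APIs.

// Holds random bytes sent by the server (assumed: hex-encoded, over TLS).
// Each byte is handed out once, so two IVs never share pool bytes.
class ServerEntropyPool {
  constructor(hex) {
    if (!/^([0-9a-fA-F]{2})+$/.test(hex)) {
      throw new Error("server entropy must be non-empty, even-length hex");
    }
    this.bytes = Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
    this.offset = 0;
  }
  remaining() {
    return this.bytes.length - this.offset;
  }
  take(n) {
    if (n > this.remaining()) {
      throw new Error("server entropy exhausted; request more before encrypting");
    }
    const out = this.bytes.slice(this.offset, this.offset + n);
    this.offset += n;
    return out;
  }
}

// Returns { iv, source }. Prefers the browser CSPRNG, then server-supplied
// bytes, and otherwise throws. It never uses Math.random().
function generateIV(length, cryptoObj, pool) {
  if (cryptoObj && typeof cryptoObj.getRandomValues === "function") {
    const iv = new Uint8Array(length);
    cryptoObj.getRandomValues(iv);
    return { iv, source: "webcrypto" };
  }
  if (pool instanceof ServerEntropyPool) {
    return { iv: pool.take(length), source: "server" };
  }
  throw new Error("no secure random source available");
}

// Constructed sample: 24 bytes standing in for server entropy, enough for
// two 12-byte IVs in a browser without getRandomValues.
const samplePool = new ServerEntropyPool(
  "000102030405060708090a0b0c0d0e0f1011121314151617");
const first = generateIV(12, undefined, samplePool);
const second = generateIV(12, undefined, samplePool);
console.log(first.source, first.iv, second.iv, samplePool.remaining());
```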
</BODY>
</HTML>