<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi,<div><br></div><div>thanks for sharing, some questions I have:</div><div><br></div><div>- I guess the CryptoConfig will be a stand-alone class which can be applied as a param to the existing ‘StoreConfig’ and ‘PipeConfig’ (later on), right? </div><div><br></div><div>Based on a previous email discussion [1], how this looks from the client? Is it sth like this:</div><div><br></div><div><div><span style="line-height: 14px; white-space: pre-wrap; color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; background-color: rgb(248, 248, 255);">// crypto configuration</span></div><div><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;">CryptoConfig cryptoConfig = new PasswordProtectedKeystoreConfig();<br></span></font></span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">cryptoC</span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">onfig</span><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;">.setAlias("myalias");<br></span></font></span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">cryptoC</span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">onfig</span><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;">.setKeystoreFileName("app.keystore");<br></span></font></span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">cryptoC</span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">onfig</span><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace"><font size="1"><span style="line-height: 14px; white-space: pre-wrap;">.setPassword("somePassword");
<br></span></font></font></span></div><div><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace"><font size="1"><span style="line-height: 14px; white-space: pre-wrap;">// store configuration</span></font></font></span></div><div><div><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="white-space: pre-wrap; line-height: 14px;">StoreConfig config = new StoreConfig();
config.setType(ENCRYPTED_MEMORY);
config.setName("encrypted”)</span></font></span></div></div><div><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;">// apply crypto config</span></font></span></div><div><span style="line-height: 14px; white-space: pre-wrap; font-size: x-small; color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; background-color: rgb(248, 248, 255);">config.setCryptoConfig(cryptoConfig);</span></div><div><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;"><br></span></font></div><div><font color="#333333" face="Consolas, Inconsolata, Courier, monospace" size="1"><span style="line-height: 14px; white-space: pre-wrap;">// build store</span></font></div><div><span style="line-height: 14px; white-space: pre-wrap; font-size: x-small; color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; background-color: rgb(248, 248, 255);">EncryptedStore = dataManager.store(config);</span></div></div><div><br></div><div>Further, I guess Pbkdf2 can be used as:</div><div><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);"><br></span></div><div><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">cryptoC</span><span style="color: rgb(51, 51, 51); font-family: Consolas, Inconsolata, Courier, monospace; font-size: x-small; line-height: 14px; white-space: pre-wrap; background-color: rgb(248, 248, 255);">onfig</span><span style="background-color: rgb(248, 248, 255);"><font color="#333333" face="Consolas, Inconsolata, Courier, monospace"><font size="1"><span style="line-height: 14px; white-space: pre-wrap;">.setPassword(AeroGearCrypto.pbkdf2().encrypt(“passphrase-entered-by-user”));</span></font></font></span></div><div><br></div><div>As I understand, the passphrase is used only to unlock the keystore and _not_ for encrypt/decrypt of data. Then the private/public keys are generated and stored in the keystore which can be accessed later. A benefit for this as I see is that you don’t need to reencrypt the data if the passphrase is changed. Only decrypt keystore (old-passphrase) and update keystore (with the new passphrase).</div><div><br></div><div>- apart from ‘PasswordKeyServices’ which unlocks the 'keystore based on a password, what other impls of KeyServices are in mind?</div><div><br></div><div>- apart from keys, IV is a param needed to encrypt, not shown yet but I guess this should be stored on the keystore too and be accessible from the client when does ‘encrypt’/‘decrypt’.</div><div><br></div><div>Thanks,</div><div>Christos</div><div><br></div><div><br></div><div>[1] <a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html">http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html</a></div><div><br></div><div>On Nov 5, 2013, at 10:00 PM, Summers Pittman <<a href="mailto:supittma@redhat.com">supittma@redhat.com</a>> wrote:</div><div><div><br class="Apple-interchange-newline"><blockquote type="cite">One of the things we briefly discussed on the chat was key generation <br>and secret storage.<br><br>For Android we want to combine the two in an "easy" API which follows <br>the Object/Factory/Config patterns of our other systems (Pipeline, <br>Authentication, Push).<br><br>Here is a high level code flavored example of what I am talking about.<br><br><a href="https://gist.github.com/secondsun/d602d19255b1fd085ac8">https://gist.github.com/secondsun/d602d19255b1fd085ac8</a><br><br>Actual work is going forward here: <br>https://github.com/secondsun/aerogear-android/tree/security<br><br>wdyt?<br>_______________________________________________<br>aerogear-dev mailing list<br>aerogear-dev@lists.jboss.org<br>https://lists.jboss.org/mailman/listinfo/aerogear-dev<br></blockquote></div><br></div></body></html>