<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/06/2013 07:06 AM, Christos
Vasilakis wrote:<br>
</div>
<blockquote
cite="mid:26EC9134-40AE-4743-9A8A-136AFD9968B4@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Hi,
<div><br>
</div>
<div>thanks for sharing, some questions I have:</div>
<div><br>
</div>
<div>- I guess the CryptoConfig will be a stand-alone class which
can be applied as a param to the existing ‘StoreConfig’ and
‘PipeConfig’ (later on), right? <br>
</div>
</blockquote>
I'm not 100% sure on that, but it is something passos and I have
talked about.<br>
<blockquote
cite="mid:26EC9134-40AE-4743-9A8A-136AFD9968B4@gmail.com"
type="cite">
<div><br>
</div>
<div>Based on a previous email discussion [1], how does this look from
the client? Is it something like this:</div>
<div><br>
</div>
<pre>// crypto configuration
CryptoConfig cryptoConfig = new PasswordProtectedKeystoreConfig();
cryptoConfig.setAlias("myalias");
cryptoConfig.setKeystoreFileName("app.keystore");
cryptoConfig.setPassword("somePassword");

// store configuration
StoreConfig config = new StoreConfig();
config.setType(ENCRYPTED_MEMORY);
config.setName("encrypted");

// apply crypto config
config.setCryptoConfig(cryptoConfig);

// build store
EncryptedStore store = dataManager.store(config);
</pre>
<div><br>
</div>
<div>Further, I guess Pbkdf2 can be used as:</div>
<pre>cryptoConfig.setPassword(AeroGearCrypto.pbkdf2().encrypt("passphrase-entered-by-user"));
</pre>
</blockquote>
<br>
It will probably look more like your first block than your second
block. <br>
<br>
In the second block we will probably have something similar to this:<br>
<br>
<pre>// crypto configuration
CryptoConfig cryptoConfig = new Pbkdf2Config();
cryptoConfig.setSalt("myalias");
cryptoConfig.setPassword("app.keystore");

KeyServices service = manager.keyService(cryptoConfig);
CryptoBox crypto = service.getCrypto(context, cryptoConfig);
</pre>
`service` in this case will be a Pbkdf2Service which will generate the key based on your config.<br>
<br>
<blockquote
cite="mid:26EC9134-40AE-4743-9A8A-136AFD9968B4@gmail.com"
type="cite">
<div><br>
</div>
<div>As I understand, the passphrase is used only to unlock the
keystore and _not_ for encrypt/decrypt of data. Then the
private/public keys are generated and stored in the keystore,
which can be accessed later. A benefit of this, as I see it, is that
you don’t need to re-encrypt the data if the passphrase is
changed: only decrypt the keystore (old passphrase) and update the
keystore (with the new passphrase).</div>
<div><br>
</div>
<div>- apart from ‘PasswordKeyServices’, which unlocks the
keystore based on a password, what other impls of KeyServices
are in mind?</div>
</blockquote>
See Pbkdf2Service above as an example.<br>
<blockquote
cite="mid:26EC9134-40AE-4743-9A8A-136AFD9968B4@gmail.com"
type="cite">
<div><br>
</div>
<div>- apart from keys, IV is a param needed to encrypt, not
shown yet but I guess this should be stored on the keystore too
and be accessible from the client when does ‘encrypt’/‘decrypt’.</div>
</blockquote>
I feel like how you handle the IV is an application-specific thing,
not a library-specific thing.<br>
<br>
For example, in the case of an EncryptedMemoryStore it will only be
stored in memory with the EncryptedStore. Once the Store gets
garbage collected the IV will go away as well.<br>
In the case of long-running encryption, the IV will need to be
stored with the encrypted message to recover it. We can provide
utilities or best-practice docs for that.<br>
<br>
<br>
As an aside, the KeyStore (java.security.KeyStore) cannot store the
IV as far as I can tell.<br>
<br>
<blockquote
cite="mid:26EC9134-40AE-4743-9A8A-136AFD9968B4@gmail.com"
type="cite">
<div>Thanks,</div>
<div>Christos</div>
<div><br>
</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html">http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html</a></div>
<div><br>
</div>
<div>On Nov 5, 2013, at 10:00 PM, Summers Pittman <<a
moz-do-not-send="true" href="mailto:supittma@redhat.com">supittma@redhat.com</a>>
wrote:</div>
<div>
<div><br class="Apple-interchange-newline">
<blockquote type="cite">One of the things we briefly discussed
on the chat was key generation <br>
and secret storage.<br>
<br>
For Android we want to combine the two in an "easy" API
which follows <br>
the Object/Factory/Config patterns of our other systems
(Pipeline, <br>
Authentication, Push).<br>
<br>
Here is a high level code flavored example of what I am
talking about.<br>
<br>
<a moz-do-not-send="true"
href="https://gist.github.com/secondsun/d602d19255b1fd085ac8">https://gist.github.com/secondsun/d602d19255b1fd085ac8</a><br>
<br>
Actual work is going forward here: <br>
<a class="moz-txt-link-freetext" href="https://github.com/secondsun/aerogear-android/tree/security">https://github.com/secondsun/aerogear-android/tree/security</a><br>
<br>
wdyt?<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
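<div>The two key-handling models this thread discusses (a random data key kept in a password-protected KeyStore, where the passphrase only unlocks the store, versus a key derived from the passphrase with PBKDF2) and the "store the IV with the encrypted message" convention, worked through in plain <code>javax.crypto</code>. This is an editor-added example, not AeroGear code and not the CryptoConfig/KeyServices/Pbkdf2Service API from the thread, which was still being designed when these mails were written. It assumes a KeyStore type that accepts <code>SecretKeyEntry</code> (PKCS12 on JDK 8+; BKS would be the Android analogue), the <code>PBKDF2WithHmacSHA256</code> and <code>AES/GCM/NoPadding</code> providers, and illustrative choices for salt size, iteration count and key size; none of those come from the thread.</div>

```java
// Editor-added example (not AeroGear code): two key-handling models from the thread,
// plus the "IV travels with the ciphertext" convention. Only javax.crypto/java.security.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyModels {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumption: a KeyStore type that accepts SecretKeyEntry (PKCS12 on JDK 8+, BKS on Android).
    private static final String KS_TYPE = "PKCS12";
    private static final int IV_BYTES = 12;               // GCM nonce length
    private static final int TAG_BITS = 128;              // GCM authentication tag length
    private static final int PBKDF2_ITERATIONS = 100_000; // illustrative work factor

    // ---- Model 1: random data key in a password-protected KeyStore ----
    // The passphrase only unlocks the keystore; the data key is independent of it.
    static byte[] newKeystore(String alias, char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return storeKey(kg.generateKey(), alias, password);
    }

    static byte[] storeKey(SecretKey key, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KS_TYPE);
        ks.load(null, null);                              // start an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);                          // a real app writes this to app-private storage
        return out.toByteArray();
    }

    static SecretKey loadKey(byte[] keystoreBytes, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KS_TYPE);
        ks.load(new ByteArrayInputStream(keystoreBytes), password);
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    // Passphrase rotation: reopen with the old passphrase, re-save with the new one.
    // The data key, and therefore every existing ciphertext, is untouched.
    static byte[] changePassphrase(byte[] keystoreBytes, String alias, char[] oldPw, char[] newPw) throws Exception {
        return storeKey(loadKey(keystoreBytes, alias, oldPw), alias, newPw);
    }

    // ---- Model 2: key derived from the passphrase with PBKDF2 ----
    // The random salt must be persisted beside the data; a new passphrase yields a new key,
    // so anything encrypted under the old passphrase has to be re-encrypted.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();                             // drop the passphrase copy held by the spec
        return new SecretKeySpec(raw, "AES");
    }

    // ---- IV handling: fresh random IV per message, stored in front of the ciphertext ----
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);                 // ciphertext || tag
        return ByteBuffer.allocate(IV_BYTES + ct.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, IV_BYTES, ivAndCiphertext.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);                             // AEADBadTagException if IV, tag or ciphertext were altered
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "hello aerogear".getBytes(StandardCharsets.UTF_8); // constructed sample input
        char[] oldPw = "old-pass".toCharArray(), newPw = "new-pass".toCharArray();

        // Model 1: rotate the passphrase, then decrypt the ORIGINAL blob via the re-saved keystore.
        byte[] ks = newKeystore("myalias", oldPw);
        byte[] blob = encrypt(loadKey(ks, "myalias", oldPw), msg);
        byte[] ks2 = changePassphrase(ks, "myalias", oldPw, newPw);
        System.out.println("model 1 round-trip: " + Arrays.equals(msg, decrypt(loadKey(ks2, "myalias", newPw), blob)));

        // Model 2: the same passphrase plus the same persisted salt reproduces the key.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                              // random per store; must be saved with the data
        byte[] blob2 = encrypt(deriveKey("passphrase-entered-by-user".toCharArray(), salt), msg);
        System.out.println("model 2 round-trip: " + Arrays.equals(msg, decrypt(deriveKey("passphrase-entered-by-user".toCharArray(), salt), blob2)));
    }
}
```

<div>Two design points the code makes concrete. The salt for PBKDF2 is generated with <code>SecureRandom</code> and persisted with the data rather than being a fixed string: a fixed or guessable salt lets an attacker precompute derivations for common passphrases across every install. And because the KeyStore has no slot for an IV, the IV is simply the first 12 bytes of each stored blob; with GCM a tampered IV is caught by the tag check on decryption, which is the property that makes "store it next to the ciphertext" safe.</div>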
</body>
</html>