<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 6, 2013 at 3:31 PM, Summers Pittman <span dir="ltr"><<a href="mailto:supittma@redhat.com" target="_blank">supittma@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 11/06/2013 07:06 AM, Christos
Vasilakis wrote:<br>
</div>
<blockquote type="cite">
Hi,
<div><br>
</div>
<div>thanks for sharing, some questions I have:</div>
<div><br>
</div>
<div>- I guess the CryptoConfig will be a stand-alone class which
can be applied as a param to the existing ‘StoreConfig’ and
‘PipeConfig’ (later on), right? <br>
</div>
</blockquote></div>
I'm not 100% sure on that, but it is something passos and I have
talked about.</div></blockquote><div><br></div><div><br></div><div>It would be good if that behaviour would be similar on all the platforms</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im"><br>
<blockquote type="cite">
<div><br>
</div>
<div>Based on a previous email discussion [1], how does this look from
the client? Is it something like this:</div>
<div><br>
</div>
<div>
<pre>// crypto configuration
CryptoConfig cryptoConfig = new PasswordProtectedKeystoreConfig();
cryptoConfig.setAlias("myalias");
cryptoConfig.setKeystoreFileName("app.keystore");
cryptoConfig.setPassword("somePassword");

// store configuration
StoreConfig config = new StoreConfig();
config.setType(ENCRYPTED_MEMORY);
config.setName("encrypted");

// apply crypto config
config.setCryptoConfig(cryptoConfig);

// build store
EncryptedStore = dataManager.store(config);
</pre>
</div>
<div><br>
</div>
<div>Further, I guess Pbkdf2 can be used as:</div>
<div>
<pre>cryptoConfig.setPassword(AeroGearCrypto.pbkdf2().encrypt("passphrase-entered-by-user"));</pre>
</div>
</blockquote>
<br></div>
It will probably look more like your first block than your second
block. <br>
<br>
In the second block we will probably have something similar to this:<br>
<br>
<div>
<pre>// crypto configuration
CryptoConfig cryptoConfig = new Pbkdf2Config();
cryptoConfig.setSalt("myalias");
cryptoConfig.setPassword("app.keystore");

KeyServices service = manager.keyService(cryptoConfig);
CryptoBox crypto = service.getCrypto(context, cryptoConfig);
</pre>
</div>
`service` in this case will be a
Pbkdf2Service which will generate the key based on your config.<div class="im"><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>As I understand, the passphrase is used only to unlock the
keystore and _not_ for encrypt/decrypt of data. Then the
private/public keys are generated and stored in the keystore
which can be accessed later. A benefit for this as I see is that
you don’t need to reencrypt the data if the passphrase is
changed. Only decrypt keystore (old-passphrase) and update
keystore (with the new passphrase).</div>
<div><br>
</div>
<div>- apart from ‘PasswordKeyServices’ which unlocks the
keystore based on a password, what other impls of KeyServices
are in mind?</div>
</blockquote></div>
See Pbkdf2Service above as an example.<div class="im"><br>
<blockquote type="cite">
<div><br>
</div>
<div>- apart from keys, IV is a param needed to encrypt, not
shown yet but I guess this should be stored on the keystore too
and be accessible from the client when it does ‘encrypt’/‘decrypt’.</div>
</blockquote></div>
I feel like how you handle the IV is an application-specific thing,
not a library-specific thing.<br>
<br>
For example, in the case of an EncryptedMemoryStore it will only be
stored in memory with the EncryptedStore. Once the Store gets
garbage collected the IV will go away as well.<br>
In the case of long running encryption, the IV will need to be
stored with the encrypted message to recover it. We can provide
utilities or best practice docs for that.<br>
<br>
<br>
As an aside, the Keystore (java.security.Keystore) cannot store the
IV as far as I can tell.<div class="im"><br>
<br>
<blockquote type="cite">
<div>Thanks,</div>
<div>Christos</div>
<div><br>
</div>
<div><br>
</div>
<div>[1] <a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html" target="_blank">http://lists.jboss.org/pipermail/aerogear-dev/2013-November/005213.html</a></div>
<div><br>
</div>
<div>On Nov 5, 2013, at 10:00 PM, Summers Pittman <<a href="mailto:supittma@redhat.com" target="_blank">supittma@redhat.com</a>>
wrote:</div>
<div>
<div><br>
<blockquote type="cite">One of the things we briefly discussed
on the chat was key generation <br>
and secret storage.<br>
<br>
For Android we want to combine the two in an "easy" API
which follows <br>
the Object/Factory/Config patterns of our other systems
(Pipeline, <br>
Authentication, Push).<br>
<br>
Here is a high level code flavored example of what I am
talking about.<br>
<br>
<a href="https://gist.github.com/secondsun/d602d19255b1fd085ac8" target="_blank">https://gist.github.com/secondsun/d602d19255b1fd085ac8</a><br>
<br>
Actual work is going forward here: <br>
<a href="https://github.com/secondsun/aerogear-android/tree/security" target="_blank">https://github.com/secondsun/aerogear-android/tree/security</a><br>
<br>
wdyt?<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
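<div>As an added example (not AeroGear code; the class name KeystoreIvDemo, the method names and the sample passphrases are hypothetical, constructed for this illustration), here is the pattern the thread converges on, written against the plain JDK: a random data key does the actual encryption, the passphrase only locks the keystore, so a passphrase change rewrites the keystore and not the data (Christos's point); and, since java.security.KeyStore has nowhere to put an IV (Summers' point), the IV is written in front of each ciphertext and read back on decrypt. The deriveKey method shows the Pbkdf2Config path on its own: PBKDF2 turns a passphrase plus a salt into a reproducible AES key.</div>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class; not part of aerogear-android.
public class KeystoreIvDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12;        // 96-bit GCM nonce
    private static final int TAG_BITS = 128;     // GCM authentication tag length
    private static final int PBKDF2_ITERS = 100_000;

    // PBKDF2-HMAC-SHA256: passphrase + salt -> 256-bit AES key. Same inputs give the
    // same key, which is what lets a passphrase-locked keystore be reopened later.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    // AES-GCM with a fresh random IV per message. java.security.KeyStore has no slot
    // for an IV, so the IV is written in front of the ciphertext instead.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);   // recover the IV first
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    // Lock the data key inside a PKCS12 keystore protected by the passphrase.
    static byte[] saveKeystore(SecretKey dataKey, String alias, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                               // start with an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(dataKey),
                new KeyStore.PasswordProtection(passphrase));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, passphrase);
        return out.toByteArray();
    }

    static SecretKey loadDataKey(byte[] keystoreBytes, String alias, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(keystoreBytes), passphrase);
        return (SecretKey) ks.getKey(alias, passphrase);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demo.
        byte[] plaintext = "hello aerogear".getBytes(StandardCharsets.UTF_8);
        char[] oldPass = "first-passphrase".toCharArray();
        char[] newPass = "second-passphrase".toCharArray();

        // 1. A random data key does the real encryption; the passphrase never touches the data.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] blob = encrypt(dataKey, plaintext);

        // 2. Lock the data key in a keystore under the old passphrase.
        byte[] ks1 = saveKeystore(dataKey, "myalias", oldPass);

        // 3. Passphrase change: unlock with the old passphrase, re-lock with the new one.
        //    The ciphertext is untouched because the data key itself did not change.
        byte[] ks2 = saveKeystore(loadDataKey(ks1, "myalias", oldPass), "myalias", newPass);
        byte[] recovered = decrypt(loadDataKey(ks2, "myalias", newPass), blob);
        System.out.println(new String(recovered, StandardCharsets.UTF_8));

        // 4. PBKDF2 alone (the Pbkdf2Config path): the same salt reproduces the same key.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        SecretKey k1 = deriveKey("passphrase-entered-by-user".toCharArray(), salt);
        SecretKey k2 = deriveKey("passphrase-entered-by-user".toCharArray(), salt);
        System.out.println(Arrays.equals(k1.getEncoded(), k2.getEncoded()));
    }
}
```

<div>Two design points worth noting for the EncryptedMemoryStore case: the salt used by deriveKey has to be persisted alongside the keystore (it is not secret, but without it the key cannot be re-derived), and GCM's authentication tag means a wrong passphrase or a tampered blob fails loudly at decrypt rather than yielding garbage, which is the failure mode you want when the IV travels with the message.</div>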