--
abstractj
On January 20, 2014 at 3:00:54 PM, Tadeas Kriz (tkriz(a)redhat.com) wrote:
Hey,
I know we’ve been discussing this before, but with no solution.
I myself think, that the store should fail to open when the passphrase
is wrong, because that’s where you’d like to have your “try ..
catch ..” to handle the problem, not elsewhere, when you want
to actually read/write/delete from the store, that’s just not
very user friendly.
If the answer to that is YES, then the next question is, how to decide
when the passphrase is right and when it isn’t. Again I’ll write
Like I mentioned here (
https://issues.jboss.org/browse/AGDROID-173), our goal to the very
initial release was not to make anything perfect, but lay down the groundwork for
encryption. So if you where you read “Experimental”, by that means, not perfect.
Offline authentication didn’t start yet, so that might happen. The API will be user
friendly when become stable.
more ways I’ve got on mind, that’d solve this. Important is, that
none of them actually stores the passphrase!
On each call of ‘open()’:
1. do ‘readAll()’ to ensure the passphrase is right. Basically,
that’s what user has to do now to find out if the passphrase is right.
2. read the first row and if the read is successful, then the passphrase
is right. In this case, we’d have to be 100% sure that there is no
way to put data into the store with different key and thus all the
rows are encrypted with the same passphrase.
We are aware of it, at the same time we didn’t add support for querying into the database.
That’s planned, but not atm. Our focus was data encryption, optimizations will come with
the next releases, for this reason a jiras like this exist
https://issues.jboss.org/browse/AGSEC-137
3. Save some metadata for each data model, that would be encrypted
with the same passphrase and we’d read them and if successful,
the passphrase is right. This has two possible implementations.
a. The first row in the data model table would be reserved for the
metadata, so the verification would work similarly to the option
2.
b. There would be separate table, in which we’d add a row for each
data model table. Again, very similar to a. but without the pain
of having different data in the same table. Also, if the implementation
of SQLStore will become multi-table (instead of multi-database
which is now), there would be only one table for all the metadata.
So, what do you think?
Repeating what I said on that Jira, it seems too much. APIs like SQLCipher don’t do that.
PS: For abstractj, I’ve been trying to find any library that would
do the encryption on high-level, as AeroGear does, but couldn’t
find any. There are many ways to encrypt SQLite database though
they work on different approach of encrypting the whole database
file, not just rows themselves.
That’s the reason why we’ve been working on it.
—
Tadeas Kriz
tkriz(a)redhat.com
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev