Good morning all, just to start the discussion about the APIs and
encrypted storage I wrote this gist. Probably after some revisions I
hope to make it a specification.
Regarding the available scenarios, feel free to add or change the priority.
Gist: https://gist.github.com/abstractj/f1229ae075f8e6688c75
# AeroGear Crypto API
**Note**: This document is a working progress
# Authors
- Bruno Oliveira
- *put your pretty name here*
## Goals
- User friendly interface for non crypto experts
- Advanced developers can make use of the pure crypto provider
implementation.
## Supported Algorithms
- https://issues.jboss.org/browse/AGSEC-114
## Scenarios
**Note**: For all scenarios the authentication process was intentionally
ignored.
- A logged in user wants to store sensitive data on mobile

- The mobile device goes offline but the sensitive data must be safe
[Under development]
- Device was stolen and data must be destroyed
[Under development]
- The data must be backed up on the server, but passwords can't be exposed
[Under development]
- The application was installed into another device and the keys must be
revoked on the server
[Under development]
- User wants to configure for how long the keys will be considered valid
## JavaScript
### Dependencies
- [sjcl](http://crypto.stanford.edu/sjcl/) with wrappers for basic
functionalities like: encrypt, decrypt, password salting and key pair
generation.
### Implementation details
- The size of sjcl library is still a concern (28K)
- Crypto bits were built in a separate module so it may be
included/excluded in a custom build.
- The project will be developed under AeroGear.js repository
(https://github.com/aerogear/aerogear-js/pull/57)
### API (draft 0)
- Password based key derivation support (PBKDF2)
� � � � myEncryptedPassword = AeroGear.password("strong");
- Symmetric encryption support (GCM)
� � - Encryption:
� � � � � � var options = {
� � � � � � � � IV: superRandomInitializationVector,
� � � � � � � � AAD: "whateverAuthenticatedData",
� � � � � � � � key: generatedKey,
� � � � � � � � data: "My bonnie lies over the ocean"
� � � � � � };
� � � � � � var cipherText = AeroGear.encrypt( options );
� � - Decryption:
� � � � � � var options = {
� � � � � � � � IV: superRandomInitializationVector,
� � � � � � � � AAD: "whateverAuthenticatedData",
� � � � � � � � key: generatedKey,
� � � � � � � � data: cipherText
� � � � � � };
� � � � � � AeroGear.decrypt( options );
- Message authentication support (GMAC, HMAC)
[Under development]
**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-js/pull/62
- Hashing support (SHA-256, SHA-512)
� � � � digest = AeroGear.crypto.hash("some message");
- Asymmetric encryption support (ECC)
� � � � var hex = sjcl.codec.hex,
� � � � � � keyPair = new AeroGear.crypto.KeyPair(),
� � � � � � cipherText, plainText,
� � � � � � options = {
� � � � � � � � IV: superRandomInitializationVector,
� � � � � � � � AAD: "whateverAuthenticatedData",
� � � � � � � � key: keyPair.publicKey,
� � � � � � � � data: ""My bonnie lies over the ocean"
� � � � � � };
� � � � cipherText = AeroGear.crypto.encrypt( options );
� � � � options.key = keyPair.privateKey;
� � � � options.data = cipherText;
� � � � plainText = AeroGear.crypto.decrypt( options );
- Digital signatures support (ECDSA)
� � � � var validation,
� � � � � � options = {
� � � � � � � � keys: sjcl.ecc.ecdsa.generateKeys(192),
� � � � � � � � message: "My bonnie lies over the ocean"
� � � � � � };
� � � � options.signature = AeroGear.crypto.sign( options );
� � � � validation = AeroGear.crypto.verify( options );
## Android
### Dependencies
- [Spongy Castle](http://rtyley.github.io/spongycastle/) with wrappers
for basic functionalities like: encrypt, decrypt, password salting and
key pair generation.
### Implementation details
- The bouncycastle "provided" in Android doesn't have ECDH that's the
reason why Spongy Castle was chosen.
- aerogear-crypto-java will be the main repository to provide a crypto
API for Android and the Java server.
### API (draft 0)
**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-crypto-java/tree/refactoring
- Password based key derivation support (PBKDF2)
� � � � Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
� � � � byte[] rawPassword = pbkdf2.encrypt(PASSWORD);
- Symmetric encryption support (GCM)
� � - Encryption:
� � � � � � CryptoBox cryptoBox = new CryptoBox(new
PrivateKey(SOME_SECRET_KEY));
� � � � � � final byte[] IV = new Random().randomBytes();
� � � � � � final byte[] message = "My bonnie lies over the
ocean".getBytes();
� � � � � � final byte[] ciphertext = cryptoBox.encrypt(IV, message);
� � - Decryption:
� � � � � � CryptoBox pandora = new CryptoBox(new
PrivateKey(SOME_SECRET_KEY));
� � � � � � final byte[] message = pandora.decrypt(IV, ciphertext);
- Message authentication support (GMAC, HMAC)
[Under development]
- Hashing support (SHA-256, SHA-512)
[Under development]
- Asymmetric encryption support (ECC)
� � � � KeyPair keyPair = new KeyPair();
� � � � KeyPair keyPairPandora = new KeyPair();
� � � � CryptoBox cryptoBox = new CryptoBox(keyPair.getPrivateKey(),
keyPairPandora.getPublicKey());
� � � � final byte[] IV = new Random().randomBytes();
� � � � final byte[] message = "My bonnie lies over the ocean".getBytes();
� � � � final byte[] ciphertext = cryptoBox.encrypt(IV, message);
� � � � CryptoBox pandora = new
CryptoBox(keyPairPandora.getPrivateKey(), keyPair.getPublicKey());
� � � � final byte[] message = pandora.decrypt(IV, ciphertext);
- Digital signatures support (ECDSA)
[Under development]
## iOS
### Dependencies
[TBD] - http://oksoclap.com/p/iOS_Meeting_(Security)
- [Common
Crypto](https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)
### Implementation details
[TBD]
### API (draft 0)
- Password based key derivation support (PBKDF2)
[Under development]
- Symmetric encryption support (GCM)
[Under development]
- Message authentication support (GMAC, HMAC)
[Under development]
- Hashing support (SHA-256, SHA-512)
[Under development]
- Asymmetric encryption support (ECC)
[Under development]
- Digital signatures support (ECDSA)
[Under development]
--
abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev