Good morning all, just to start the discussion about the APIs and
encrypted storage I wrote this gist. Probably after some revisions I
hope to make it a specification.
Regarding the available scenarios, feel free to add or change the priority.
Gist: https://gist.github.com/abstractj/f1229ae075f8e6688c75
# AeroGear Crypto API
**Note**: This document is a working progress
# Authors
- Bruno Oliveira
- *put your pretty name here*
## Goals
- User friendly interface for non crypto experts
- Advanced developers can make use of the pure crypto provider
implementation.
## Supported Algorithms
- https://issues.jboss.org/browse/AGSEC-114
## Scenarios
**Note**: For all scenarios the authentication process was intentionally
ignored.
- A logged in user wants to store sensitive data on mobile
- The mobile device goes offline but the sensitive data must be safe
[Under development]
- Device was stolen and data must be destroyed
[Under development]
- The data must be backed up on the server, but passwords can't be exposed
[Under development]
- The application was installed into another device and the keys must be
revoked on the server
[Under development]
- User wants to configure for how long the keys will be considered valid
## JavaScript
### Dependencies
- [sjcl](http://crypto.stanford.edu/sjcl/) with wrappers for basic
functionalities like: encrypt, decrypt, password salting and key pair
generation.
### Implementation details
- The size of sjcl library is still a concern (28K)
- Crypto bits were built in a separate module so it may be
included/excluded in a custom build.
- The project will be developed under AeroGear.js repository
(https://github.com/aerogear/aerogear-js/pull/57)
### API (draft 0)
- Password based key derivation support (PBKDF2)
myEncryptedPassword = AeroGear.password("strong");
- Symmetric encryption support (GCM)
- Encryption:
var options = {
IV: superRandomInitializationVector,
AAD: "whateverAuthenticatedData",
key: generatedKey,
data: "My bonnie lies over the ocean"
};
var cipherText = AeroGear.encrypt( options );
- Decryption:
var options = {
IV: superRandomInitializationVector,
AAD: "whateverAuthenticatedData",
key: generatedKey,
data: cipherText
};
AeroGear.decrypt( options );
- Message authentication support (GMAC, HMAC)
[Under development]
**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-js/pull/62
- Hashing support (SHA-256, SHA-512)
digest = AeroGear.crypto.hash("some message");
- Asymmetric encryption support (ECC)
var hex = sjcl.codec.hex,
keyPair = new AeroGear.crypto.KeyPair(),
cipherText, plainText,
options = {
IV: superRandomInitializationVector,
AAD: "whateverAuthenticatedData",
key: keyPair.publicKey,
data: ""My bonnie lies over the ocean"
};
cipherText = AeroGear.crypto.encrypt( options );
options.key = keyPair.privateKey;
options.data = cipherText;
plainText = AeroGear.crypto.decrypt( options );
- Digital signatures support (ECDSA)
var validation,
options = {
keys: sjcl.ecc.ecdsa.generateKeys(192),
message: "My bonnie lies over the ocean"
};
options.signature = AeroGear.crypto.sign( options );
validation = AeroGear.crypto.verify( options );
## Android
### Dependencies
- [Spongy Castle](http://rtyley.github.io/spongycastle/) with wrappers
for basic functionalities like: encrypt, decrypt, password salting and
key pair generation.
### Implementation details
- The bouncycastle "provided" in Android doesn't have ECDH that's the
reason why Spongy Castle was chosen.
- aerogear-crypto-java will be the main repository to provide a crypto
API for Android and the Java server.
### API (draft 0)
**Note**: The implementations below are currently under discussion at
https://github.com/aerogear/aerogear-crypto-java/tree/refactoring
- Password based key derivation support (PBKDF2)
Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
byte[] rawPassword = pbkdf2.encrypt(PASSWORD);
- Symmetric encryption support (GCM)
- Encryption:
CryptoBox cryptoBox = new CryptoBox(new
PrivateKey(SOME_SECRET_KEY));
final byte[] IV = new Random().randomBytes();
final byte[] message = "My bonnie lies over the
ocean".getBytes();
final byte[] ciphertext = cryptoBox.encrypt(IV, message);
- Decryption:
CryptoBox pandora = new CryptoBox(new
PrivateKey(SOME_SECRET_KEY));
final byte[] message = pandora.decrypt(IV, ciphertext);
- Message authentication support (GMAC, HMAC)
[Under development]
- Hashing support (SHA-256, SHA-512)
[Under development]
- Asymmetric encryption support (ECC)
KeyPair keyPair = new KeyPair();
KeyPair keyPairPandora = new KeyPair();
CryptoBox cryptoBox = new CryptoBox(keyPair.getPrivateKey(),
keyPairPandora.getPublicKey());
final byte[] IV = new Random().randomBytes();
final byte[] message = "My bonnie lies over the ocean".getBytes();
final byte[] ciphertext = cryptoBox.encrypt(IV, message);
CryptoBox pandora = new
CryptoBox(keyPairPandora.getPrivateKey(), keyPair.getPublicKey());
final byte[] message = pandora.decrypt(IV, ciphertext);
- Digital signatures support (ECDSA)
[Under development]
## iOS
### Dependencies
[TBD] - http://oksoclap.com/p/iOS_Meeting_(Security)
- [Common
Crypto](https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)
### Implementation details
[TBD]
### API (draft 0)
- Password based key derivation support (PBKDF2)
[Under development]
- Symmetric encryption support (GCM)
[Under development]
- Message authentication support (GMAC, HMAC)
[Under development]
- Hashing support (SHA-256, SHA-512)
[Under development]
- Asymmetric encryption support (ECC)
[Under development]
- Digital signatures support (ECDSA)
[Under development]
--
abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev