Aloha kakou and good morning, the time to have fun has come. This week I
was trying to put some ideas for crypto together and update our security
roadmap to reflect what we want to achieve. Basically I want to hear your
opinion on it, otherwise you will implement what was written here :)
I will wait for feedback until Friday (20) and if I don't hear anything
our roadmap as well as the AGSEC Jiras will be automagically updated.
I don't want to html-ish you, so here comes my proposal formatted in
markdown:
# 1.3.0 (draft)
### Crypto library
* Provide easy-to-use APIs for symmetric encryption: [GCM](http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
* Provide easy-to-use APIs for asymmetric encryption: [ECC](http://www.nsa.gov/business/programs/elliptic_curve.shtml)
* Provide easy-to-use APIs for password-based key derivation: [PBKDF2](http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132...
* Provide easy-to-use APIs for hashing: SHA-256, SHA-512
* Provide easy-to-use APIs for message authentication: GMAC, HMAC *See: [AGSEC-57](https://issues.jboss.org/browse/AGSEC-57)*
* Provide easy-to-use APIs for digital signatures: ECDSA
### Examples:
* Symmetric encryption: SimplePush server
* Asymmetric encryption: shared encryption keys between two parties, to
allow encryption and decryption of messages and prevent tampering.
* Password-based key derivation: every application which requires a password
* Hashing: store passwords in the server's database
* Message authentication: message integrity/tampering mitigation
* Digital signatures: HTTP signed requests, digitally sign mobile
application keys (*nonrepudiation*)
**Add more scenarios or exclude but please make sure they are DOABLE and
real**
### Scenarios
* A mobile health system wants to store sensitive patients' data offline
for web or mobile applications
* Bob gets his phone stolen and wants to wipe the data to protect his
privacy
* Alice gets her phone stolen and an attacker wants to steal her data
* A web application must be able to provide encryption for users' passwords
* A TOTP application wants to store shared secrets
* A push mobile application wants to protect the messages exchanged
between client and server
* Showcase **proposed**:
  * Password manager
  * A password manager app which could be tested with offline sync as a
    next step. Initially we can start with the bare minimum
## Jiras
* AGSEC-XX: Provide easy to use cryptography interface
*Description*: We must build a foundation for encrypted storage before we
start hacking on it. Having clearly defined goals in a single place
might help to put things in perspective.
Ex: **Android**-crypto, **iOS**-crypto & **JS**-crypto libraries
* AGSEC-XX: Symmetric encryption support: [GCM](http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
* AGSEC-XX: Asymmetric encryption support: [ECC](http://www.nsa.gov/business/programs/elliptic_curve.shtml)
* AGSEC-XX: Password-based key derivation: [PBKDF2](http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132...
* AGSEC-XX: Hashing support: SHA-256, SHA-512
* AGSEC-XX: Message authentication support: GMAC, HMAC *See: AGSEC-57*
* AGSEC-XX: Digital signatures support: ECDSA
*(I'm considering removing the Jiras below since they are too broad)*
<strike>
* AGSEC-57: Add message integrity verification
* AGIOS-3: Implementation and API usage for iOS crypto
* AGSEC-26: Authentication schemes for mobile devices
</strike>
* AGSEC-2: Secure storage and cache *documentation* (*I'm considering
making it a doc task. Thoughts?*)
<strike>* AGSEC-7: Provide a detailed specification about how it should
work (*I'm considering rephrasing it*)</strike>
* AGSEC-7: Provide a specification about how to properly do key management
*Description*: Each platform will have its own implementation and its own
peculiarities for storing/retrieving the keys. For example: *KeyStore* for
Android, *SessionStorage* or *LocalStorage* for JavaScript or the *Keychain
Services* API on iOS.
* AGSEC-XX: Provide some use case scenarios for encryption: JS, Android, iOS
*Description*: Joint effort from AeroGear team with some scenarios per
platform.
* AGSEC-9: Provide a specification of which kinds of algorithms will be
provided
*Description*: Algorithms supported on AeroGear by default. Ex: *GCM,
ECC, GHASH…etc*
* AGSEC-27: Provide a specification of which kinds of authentication
schemes will be supported
*Description*: Similar idea to *AGSEC-9* (nothing bureaucratic, just a
short description)
* AGSEC-47: Create documentation with an overview of AeroGear Security
* AGSEC-XX: Generating encryption keys
  * Provide password-based encryption support to generate the keys
  * Automatic key generation with no user interaction
* AGSEC-XX: Manage cryptographic keys and their respective owners
*Description*: During offline encryption a pair of keys (*asymmetric
encryption*) or a single key (*symmetric encryption*) will be generated
to encrypt the local data; we have to figure out the best way for
<*put your platform here*> to manage those keys.
* AGSEC-XX: Encrypted offline storage (*for sensitive data*)
*Description*: Sensitive data like patient information, social security
numbers, GPS position or data from your biggest oil company
* AGSEC-XX: Encrypted cache
*Description*: Developers must be able to protect their application's
privacy by enabling data cache anonymity.
* AGSEC-XX: Key agreement with the server
*Description*: Key agreement between two parties: the mobile application
and the server
* AGSEC-XX: Key privilege revocation
*Description*: If for some reason a phone gets lost or stolen, keys must
be revoked by the server
* AGSEC-XX: Key privilege expiration
*Description*: Allows specifying the validity period of a key added on the
mobile device or on the server. Works in both directions.
* AGSEC-XX: Data seek and destroy
*Description*: The user/developer must be able to notify the application,
using another authorized computer, that the data stored on the mobile
device must be destroyed. Ex: *My phone gets lost and I want to wipe all
the passwords stored on my device*
* AGSEC-XX: Showcase app
*Description*: An application to showcase the goal of this release.
Suggestion: password manager (*a nice fit for testing encryption locally
and later the integration with the server*)
  * AGSEC-XX: Provide a screen to input the user's password
  * AGSEC-XX: Allow the user to add passwords, specifying an alias for each
  * AGSEC-XX: Allow a password to be decrypted and displayed on the screen
  * AGSEC-XX: Back up the data to the server (*but do not expose the
    passwords to the server*)
* AGSEC-XX: Performance checks
*Description*: Check how much encryption will degrade CPU/memory on devices
* AGSEC-XX: Hold the fort
*Description*: Coordinate attacks against our platform. Ex: *DDoS, dump
databases to check if the data was properly encrypted…etc*
*(I'm considering removing the Jiras below since they are too broad)*
<strike>
* AGSEC-6: Encryption for mobile devices
* AGSEC-89: Encryption for iOS
</strike>
* AGSEC-59: Inclusion of a responsible disclosure process for security at
aerogear.org
* AGSEC-58: Set up a mailing list to report security issues
<strike>* AGSEC-61: Http Basic and Http Digest are mutually
exclusive</strike> (*moved*)
--
abstractj