Answers inline.
> Daniel Passos <mailto:daniel@passos.me>
> November 6, 2013 at 2:24 PM
>
> DataManager Crypto
>
> Idea
>
> My idea is to read all fields, encrypt the field values and save them in
> the store (Memory and SQLite)
>
Sounds like a plan.
>
> Problems
>
> 1) CryptoBox needs byte[] data to encrypt[1]. We need to get byte[] of
> all types
> 2) CryptoBox#decrypt returns a byte[] and we need to convert it by
> field type
> 3) How does it work with nested objects?
>
> Ugly code to set decrypted data by field type[2]
>
> Solution/Proposal
>
> What about serializing the entity/model to JSON, encrypting it and saving it in the Store?
>
Due to our target
(http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Security-release-d...),
the timing is too tight for encrypted queries (would be awesome indeed),
but we need to be realistic.
So if the idea is to encrypt/decrypt a whole JSON, +1, and we improve it
in the next release.
>
> If we decide on this, we will not be able to make queries /
> ReadWithFilter (I think).[3]
>
> Any questions, thoughts or tomatoes before I move forward?
>
From my side, go for it.
>
> [1] https://github.com/aerogear/aerogear-crypto-java/blob/master/src/main/jav...
> [2] https://gist.github.com/danielpassos/31e024a8cfd6c64e151c
> [3] http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Querying-encrypted...
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> Hylke Bons <mailto:hbons@redhat.com>
> November 6, 2013 at 8:03 AM
> I already started a new thread for that and just wanted to refer to it
> as it's related.
>
> Hylke
>
> On 05/11/2013 16:51, Bruno Oliveira wrote:
>
> Bruno Oliveira <mailto:bruno@abstractj.org>
> November 5, 2013 at 2:51 PM
> I can be dead wrong, but please start a new thread to discuss the
> site. Otherwise we will lose the real focus here.
>
> Hylke Bons <mailto:hbons@redhat.com>
> November 5, 2013 at 11:40 AM
> On 05/11/2013 07:41, Corinne Krych wrote:
>> Hello all,
>>
>> I've got 2 points:
>>
>> - modularity: AeroGear libs are small and modular: we have a separate
>> aerogear-otp-ios, aerogear-push-ios-registration so that if the user wants to use aerogear
>> without push, he can use aerogear-ios, if he needs the push-registration, he uses both.
>> For encryption store, where do we want to put EncryptedStore? aerogear-android depends on
>> aerogear-crypto.
>
> I'd like to chime in here a little bit, as this also involves the
> website mockup I sent to the list earlier. Whatever the decision, I
> highly recommend making the different (sub)libraries consistent across
> platforms, so the mental model is the same everywhere.
>
> That said, the libraries should probably reflect the different
> subprojects that we display on the main page.
>
> Hylke
>
>
>> - Encrypting data takes time. It would be nice to have EncryptedStore encrypt
>> data on a separate thread and provide callbacks on completion.
>> thoughts?
>>
>> ++
>> Corinne
>> On Nov 4, 2013, at 5:30 PM, Daniel Passos <daniel(a)passos.me> wrote:
>>
>>> The idea is implementing only save(add/update) and delete, using the stores
>>> we already have today by just adding crypt / decrypt and scheduling Query (readWithFilter)
>>> for the next release
>>> DataManager
>>>
>>>     public Store encryptedStore(String storeName, String passphrase) {
>>>         // TODO Create a default passphrase-based KeyStore
>>>         KeyStore keyStore = null;
>>>         return encryptedStore(storeName, keyStore);
>>>     }
>>>
>>>     public Store encryptedStore(String storeName, KeyStore keyStore) {
>>>         StoreConfig storeConfig = new StoreConfig();
>>>         storeConfig.setType(StoreTypes.ENCRYPTED_MEMORY);
>>>         return encryptedStore(storeName, storeConfig, keyStore);
>>>     }
>>>
>>>     public Store encryptedStore(String storeName, StoreConfig config, String passphrase) {
>>>         // TODO Create a default passphrase-based KeyStore
>>>         KeyStore keyStore = null;
>>>         return encryptedStore(storeName, config, keyStore);
>>>     }
>>>
>>>     public Store encryptedStore(String storeName, StoreConfig config, KeyStore keyStore) {
>>>         config.setKeyStore(keyStore);
>>>         Store store = storeFactory.createStore(config);
>>>         stores.put(storeName, store);
>>>         return store;
>>>     }
>>>
>>> EncryptedMemoryStore
>>>
>>>     public class EncryptedMemoryStore<T> implements Store<T> {
>>>
>>>         private final MemoryStorage<T> memoryStorage;
>>>         private final CryptoUtils<T> cryptoUtils;
>>>
>>>         public EncryptedMemoryStore(IdGenerator idGenerator, KeyStore keyStore) {
>>>             memoryStorage = new MemoryStorage(idGenerator);
>>>             cryptoUtils = new CryptoUtils<T>(keyStore);
>>>         }
>>>
>>>         @Override
>>>         public StoreType getType() {
>>>             return StoreTypes.ENCRYPTED_MEMORY;
>>>         }
>>>
>>>         @Override
>>>         public Collection<T> readAll() throws InvalidKeyException {
>>>             Collection<T> encryptedCollection = memoryStorage.readAll();
>>>             return cryptoUtils.decrypt(encryptedCollection);
>>>         }
>>>
>>>         @Override
>>>         public T read(Serializable id) throws InvalidKeyException {
>>>             T encryptedItem = memoryStorage.read(id);
>>>             return cryptoUtils.decrypt(encryptedItem);
>>>         }
>>>
>>>         @Override
>>>         public List<T> readWithFilter(ReadFilter filter) throws InvalidKeyException {
>>>             List<T> encryptedList = memoryStorage.readWithFilter(filter);
>>>             return cryptoUtils.decrypt(encryptedList);
>>>         }
>>>
>>>         @Override
>>>         public void save(T item) {
>>>             memoryStorage.save(cryptoUtils.encrypt(item));
>>>         }
>>>
>>>         @Override
>>>         public void reset() {
>>>             memoryStorage.reset();
>>>         }
>>>
>>>         @Override
>>>         public void remove(Serializable id) {
>>>             memoryStorage.remove(id);
>>>         }
>>>
>>>         @Override
>>>         public boolean isEmpty() {
>>>             return memoryStorage.isEmpty();
>>>         }
>>>
>>>     }
>>>
>>> CryptoUtils
>>>
>>> Here is where the magic happens.
>>>
>>>     public class CryptoUtils<T> {
>>>
>>>         private final KeyStore keyStore;
>>>
>>>         public CryptoUtils(KeyStore keyStore) {
>>>             this.keyStore = keyStore;
>>>         }
>>>
>>>         public Collection<T> decrypt(Collection<T> encryptedCollection) {
>>>             List<T> decryptedList = new ArrayList<T>();
>>>             for (T item : encryptedCollection) {
>>>                 decryptedList.add(decrypt(item));
>>>             }
>>>             return decryptedList;
>>>         }
>>>
>>>         public List<T> decrypt(List<T> encryptedList) {
>>>             List<T> decryptedList = new ArrayList<T>();
>>>             for (T item : encryptedList) {
>>>                 decryptedList.add(decrypt(item));
>>>             }
>>>             return decryptedList;
>>>         }
>>>
>>>         public T decrypt(T item) {
>>>             // TODO Read all fields and decrypt
>>>             return item;
>>>         }
>>>
>>>         public T encrypt(T item) {
>>>             // TODO Read all fields and encrypt
>>>             return item;
>>>         }
>>>
>>>     }
>>>
> Corinne Krych <mailto:corinnekrych@gmail.com>
> November 5, 2013 at 5:41 AM
> Hello all,
>
> I've got 2 points:
>
> - modularity: AeroGear libs are small and modular: we have a separate
> aerogear-otp-ios, aerogear-push-ios-registration so that if the user
> wants to use aerogear without push, he can use aerogear-ios, if he
> needs the push-registration, he uses both. For encryption store, where
> do we want to put EncryptedStore? aerogear-android depends on
> aerogear-crypto.
>
> - Encrypting data takes time. It would be nice to have EncryptedStore
> encrypt data on a separate thread and provide callbacks on completion.
> thoughts?
>
> ++
> Corinne
>
>
--
abstractj
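
The serialize-then-encrypt proposal agreed on in this thread, as an added illustration that is not code from the thread or from AeroGear: each entity's JSON is sealed as one authenticated blob under a plaintext id, so lookup by id works while filtering on a field would require decrypting every record. The class name, AES-GCM via `javax.crypto` (in place of the CryptoBox API the thread mentions), the PBKDF2 parameters and the sample JSON are all assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Hypothetical sketch: one encrypted JSON blob per entity, keyed by a plaintext id.
public class EncryptedJsonStoreSketch {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final Map<String, byte[]> blobs = new HashMap<>(); // id -> IV || ciphertext+tag
    private final SecureRandom random = new SecureRandom();
    private final SecretKey key;

    public EncryptedJsonStoreSketch(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        // Passphrase-based key; the iteration count is an illustrative value.
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 100_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        key = new SecretKeySpec(raw, "AES");
    }

    public void save(String id, String json) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv); // fresh IV on every save; never reused under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(id.getBytes(StandardCharsets.UTF_8)); // bind the blob to its id
        byte[] ct = c.doFinal(json.getBytes(StandardCharsets.UTF_8));
        blobs.put(id, ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    public String read(String id) throws GeneralSecurityException {
        byte[] blob = blobs.get(id);
        if (blob == null) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        c.updateAAD(id.getBytes(StandardCharsets.UTF_8));
        // Throws AEADBadTagException if the blob was modified or stored under another id.
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // would be persisted beside the data
        EncryptedJsonStoreSketch store =
            new EncryptedJsonStoreSketch("constructed passphrase".toCharArray(), salt);
        store.save("1", "{\"name\":\"constructed sample\",\"city\":\"Rio\"}");
        System.out.println(store.read("1")); // prints the original JSON
    }
}
```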