Re: [aerogear-dev] AeroGear Android Crypto / DataManager Proposal

Daniel Passos <mailto:daniel@passos.me> November 6, 2013 at 2:24 PM <#> DataManager Crypto <#> Idea My idea is to read all fields, encrypt the field values and save it in store (Memory and SQLite)

<#> Problems 1) CryptoBox needs byte[] data to encrypt[1]. We need to get byte[] of all types 2) CryptoBox#decrypt returns a byte[] and we need to convert it by field type 3) How does it work with nested objects? Ugly code to set decrypted data by field type[2] <#> Solution/Proposal What about serializing entity/model to json, encrypt it and save in Store?

If we decide on this, we will not be able to make queries / ReadWithFilter (I think).[3] Any questions, thoughts or tomatoes before I move forward?

[1] https://github.com/aerogear/aerogear-crypto-java/blob/master/src/main/jav... [2] https://gist.github.com/danielpassos/31e024a8cfd6c64e151c [3] http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Querying-encrypted... _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Hylke Bons <mailto:hbons@redhat.com> November 6, 2013 at 8:03 AM I already started a new thread for that and just wanted to refer to it as it's related. Hylke On 05/11/2013 16:51, Bruno Oliveira wrote: _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Bruno Oliveira <mailto:bruno@abstractj.org> November 5, 2013 at 2:51 PM I can be dead wrong, but please start a new thread to discuss about the site. Otherwise we will lose the real focus here. Hylke Bons <mailto:hbons@redhat.com> November 5, 2013 at 11:40 AM On 05/11/2013 07:41, Corinne Krych wrote: > Hello all, > > I've got 2 points: > > - modularity: AeroGear libs are small and modular: we have a separate aerogear-otp-ios, aerogear-push-ios-registration so that if the user wants to use aerogear without push, he can use aerogear-ios, if he needs the push-registration, he uses both. For encryption store, where do we want to put EncryptedStore? aerogear-android depends on aerogear-crypto. I'd like to chime in here a little bit, as this also involves the website mockup I sent to the list earlier. Whatever the decision, I highly recommend making the different (sub)libraries consistent across platforms, so the mental model is the same everwhere. That said, the libraries should probably reflect the different subprojects that we display on the main page. Hylke > - Encrypting data takes time. It would be nice to have EncryptedStore encrypts data on separate thread and provide callbacks on completion. > thoughts? > > ++ > Corinne > On Nov 4, 2013, at 5:30 PM, Daniel Passos <daniel(a)passos.me&gt; wrote: > >> The idea is implementing only save(add/update) and delete, using the stores we already have today by just adding crypt / decrypt and scheduling Query (readWithFilter) for the next release >> DataManager >> >> public Store encryptedStore(String storeName, String passphrase) { >> // TODO Create a default passphrase-based KeyStore >> KeyStore keyStore = null; >> return encryptedStore(storeName, keyStore); >> } >> >> public Store encryptedStore(String storeName, KeyStore keyStore) { >> StoreConfig storeConfig = new StoreConfig(); >> storeConfig.setType(StoreTypes.ENCRYPTED_MEMORY); >> return encryptedStore(storeName, storeConfig, keyStore); >> } >> >> public Store encryptedStore(String storeName, StoreConfig config, String passphrase) { >> // TODO Create a default passphrase-based KeyStore >> KeyStore keyStore = null; >> return encryptedStore(storeName, config, keyStore); >> } >> >> public Store encryptedStore(String storeName, StoreConfig config, KeyStore keyStore) { >> config.setKeyStore(keyStore); >> Store store = storeFactory.createStore(config); >> stores.put(storeName, store); >> return store; >> } >> >> EncryptedMemoryStore >> >> public class EncryptedMemoryStore<T> implements Store<T> { >> >> private final MemoryStorage<T> memoryStorage; >> private final CryptoUtils<T> cryptoUtils; >> >> public EncryptedMemoryStore(IdGenerator idGenerator, KeyStore keyStore) { >> memoryStorage = new MemoryStorage(idGenerator); >> cryptoUtils = new CryptoUtils<T>(keyStore); >> } >> >> @Override >> public StoreType getType() { >> return StoreTypes.ENCRYPTED_MEMORY; >> } >> >> @Override >> public Collection<T> readAll() throws InvalidKeyException { >> Collection<T> encryptedCollection = memoryStorage.readAll(); >> return cryptoUtils.decrypt(encryptedCollection); >> } >> >> @Override >> public T read(Serializable id) throws InvalidKeyException { >> T encryptedItem = memoryStorage.read(id); >> return cryptoUtils.decrypt(encryptedItem); >> } >> >> @Override >> public List<T> readWithFilter(ReadFilter filter) throws InvalidKeyException { >> List<T> encryptedList = memoryStorage.readWithFilter(filter); >> return cryptoUtils.decrypt(encryptedList); >> } >> >> @Override >> public void save(T item) { >> memoryStorage.save(cryptoUtils.encrypt(item)); >> } >> >> @Override >> public void reset() { >> memoryStorage.reset(); >> } >> >> @Override >> public void remove(Serializable id) { >> memoryStorage.remove(id); >> } >> >> @Override >> public boolean isEmpty() { >> return memoryStorage.isEmpty(); >> } >> >> } >> >> CryptoUtils >> >> Here is where the magic happens. >> >> >> public class CryptoUtils<T> { >> >> private final KeyStore keyStore; >> >> public CryptoUtils(KeyStore keyStore) { >> this.keyStore = keyStore; >> } >> >> public Collection<T> decrypt(Collection<T> encryptedCollection) { >> List<T> decryptedList = new ArrayList<T>(); >> for (T item : encryptedCollection) { >> decryptedList.add(decrypt(item)); >> } >> return decryptedList; >> } >> >> public List<T> decrypt(List<T> encryptedList) { >> List<T> decryptedList = new ArrayList<T>(); >> for (T item : encryptedList) { >> decryptedList.add(decrypt(item)); >> } >> return decryptedList; >> } >> >> public T decrypt(T item) { >> // TODO Read all fields and decrypt >> return item; >> } >> >> public T encrypt(T item) { >> // TODO Read all fields and encrypt >> return item; >> } >> >> } >> >> _______________________________________________ >> aerogear-dev mailing list >> aerogear-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/aerogear-dev > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/aerogear-dev _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Corinne Krych <mailto:corinnekrych@gmail.com> November 5, 2013 at 5:41 AM Hello all, I've got 2 points: - modularity: AeroGear libs are small and modular: we have a separate aerogear-otp-ios, aerogear-push-ios-registration so that if the user wants to use aerogear without push, he can use aerogear-ios, if he needs the push-registration, he uses both. For encryption store, where do we want to put EncryptedStore? aerogear-android depends on aerogear-crypto. - Encrypting data takes time. It would be nice to have EncryptedStore encrypts data on separate thread and provide callbacks on completion. thoughts? ++ Corinne _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev