Christos Vasilakis <mailto:cvasilak@gmail.com> October 10, 2013 2:29 PM Hi team, I am digging on the CommonCrypto API and I found some issues. Specifically: a) GCM mode for AES symmetric encryption is part of a private API. See [1] the public interface of the current definitions of supported modes of operation. 'kCCModeGCM' is missing _although_ digging on the source code of the apple's web site it is defined in [2] 'private' (The file is included from a private interface here [3]). Also here is the implementation of the GCM mode in [4] and test cases that exercise it [5]. Not sure why Apple left it out in public. On my search, one area in which they use this mode is on the KeyChain from iOS 5 onwards, see 'KeyChain' section here [6] b) Generation of asymmetric ECC keys and encryption is supported by CommonCrypto but _again_ under a private interface, see [7] and [8]. ECC is used in the protection class 'NSFileProtectionCompleteUnlessOpen' according to the iOS Security doc here [9]. In the meeting there was a plan B for it, RSA with Diffie Hellman. I am looking at it, but to my current knowledge is supported if you trust the apple docs here [10] My worry is how can we proceed with the first issue. As a side note, during my search I discovered Crypto++ [11] , which seems to offer many of the features we are trying to support. Con is a C++ interface although an iOS distribution of it exists (see [12]), and there is an iOS wiki page in the library home page [13]. Needs more research. Thanks, Christos [1] https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-... [2] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [3] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [4] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... [5] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/CCRegressio... [6] http://esec-lab.sogeti.com/post/iOS-5-data-protection-updates [7] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [8] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... [9] http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf [10]https://developer.apple.com/library/ios/documentation/security/concept... [11] http://www.cryptopp.com <http://www.cryptopp.com/> [12] https://github.com/noloader/cryptopp-5.6.2-ios [13] http://www.cryptopp.com/wiki/IOS_(Xcode) <http://www.cryptopp.com/wiki/IOS_%28Xcode%29> _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev

https://github.com/x2on/OpenSSL-for-iPhone

https://github.com/x2on/OpenSSL-for-iPhone

Matthias Wessendorf <mailto:matzew@apache.org> October 11, 2013 6:33 AM @licenses: * PolarSSL is dual-licensed (GPL + commercial) --> nope * the Crypto++ is licensed via Boost ( a C++ library license) I am not sure if for JBoss the license is OK, but.... the ASF is OK with using that license..... (see [1] and [2]). [1] http://www.apache.org/legal/resolved.html [2] https://issues.apache.org/jira/browse/LEGAL-101 regardless the _technical_ issue is: C++ based... so the integration is odd; -Matthias -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Corinne Krych <mailto:corinnekrych@gmail.com> October 11, 2013 6:24 AM Hi All, Discussing with iOS team with all possible options taking into account OS licenses and encryption algorithms coverage, we'd like to move forward investigating openSSL srtarting with this interesting entry point: > https://github.com/x2on/OpenSSL-for-iPhone We'll tell you more soon. ++ Corinne. On Oct 10, 2013, at 9:36 PM, Corinne Krych <corinnekrych(a)gmail.com&gt; wrote: > According to > https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-... > CBC is supported. > > Maybe it's worth investigating OpenSSL vs PolarSSL iOS support. > Interesting work dto dig further > https://github.com/x2on/OpenSSL-for-iPhone > http://x2on.de/2010/12/16/tutorial-script-for-building-openssl-for-ios-ip... > or > https://github.com/x2on/PolarSSL-for-iOS > > ++ > Corinne > > On Oct 10, 2013, at 8:39 PM, Bruno Oliveira <bruno(a)abstractj.org&gt; wrote: > >> Aloha, looks like Apple wants to hide all the good crypto! Have you got >> the chance to look at this? https://github.com/rnapier/RNCryptor I also >> see some developers using OpenSSL as an alternative. My suggestion: >> >> a) If you think this item is tricky to implement atm consider AES with >> CBC or AES with CCM (We can support it on the server if necessary). I >> was trying to find which modes is currently supported but looks like the >> documentation is super safe, because I can't find it >> >> b) It can be done with OpenSSL in the worst case scenario (not saying is >> a piece of cake to do, just possible). Let's start simple first. >> >> Regarding http://www.cryptopp.com/ looks like they have all that we >> need, maybe worth to take a look at this. What do you think? Off the top >> of my head I only can see 3 alternatives: >> >> 1- Implement encryption with what CommonCrypto provides >> 2- Try cryptopp or another alternative >> 3- Implement it with OpenSSL. For example SilentCircle make use of >> PolarSSL >> https://github.com/SilentCircle/silent-phone-base/tree/master/libs. I'm >> not saying to do the same, just an example. >> >>> Christos Vasilakis <mailto:cvasilak@gmail.com> >>> October 10, 2013 2:29 PM >>> Hi team, >>> >>> I am digging on the CommonCrypto API and I found some issues. >>> Specifically: >>> >>> a) GCM mode for AES symmetric encryption is part of a private API. >>> See [1] the public interface of the current definitions of supported >>> modes of operation. 'kCCModeGCM' is missing _although_ digging on the >>> source code of the apple's web site it is defined in [2] 'private' >>> (The file is included from a private interface here [3]). Also here >>> is the implementation of the GCM mode in [4] and test cases that >>> exercise it [5]. Not sure why Apple left it out in public. On my >>> search, one area in which they use this mode is on the KeyChain from >>> iOS 5 onwards, see 'KeyChain' section here [6] >>> >>> b) Generation of asymmetric ECC keys and encryption is supported by >>> CommonCrypto but _again_ under a private interface, see [7] and [8]. >>> ECC is used in the protection class >>> 'NSFileProtectionCompleteUnlessOpen' according to the iOS Security doc >>> here [9]. In the meeting there was a plan B for it, RSA with Diffie >>> Hellman. I am looking at it, but to my current knowledge is supported >>> if you trust the apple docs here [10] >>> >>> My worry is how can we proceed with the first issue. >>> >>> As a side note, during my search I discovered Crypto++ [11] , which >>> seems to offer many of the features we are trying to support. Con is a >>> C++ interface although an iOS distribution of it exists (see [12]), >>> and there is an iOS wiki page in the library home page [13]. Needs >>> more research. >>> >>> Thanks, >>> Christos >>> >>> >>> [1] https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-... >>> [2] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... >>> [3] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... >>> [4] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... >>> [5] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/CCRegressio... >>> [6] http://esec-lab.sogeti.com/post/iOS-5-data-protection-updates >>> [7] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... >>> [8] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... >>> [9] http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf >>> [10]https://developer.apple.com/library/ios/documentation/security/concept... >>> [11] http://www.cryptopp.com <http://www.cryptopp.com/> >>> [12] https://github.com/noloader/cryptopp-5.6.2-ios >>> [13] http://www.cryptopp.com/wiki/IOS_(Xcode) >>> <http://www.cryptopp.com/wiki/IOS_%28Xcode%29> >>> _______________________________________________ >>> aerogear-dev mailing list >>> aerogear-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/aerogear-dev >> -- >> abstractj >> >> >> _______________________________________________ >> aerogear-dev mailing list >> aerogear-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/aerogear-dev _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Corinne Krych <mailto:corinnekrych@gmail.com> October 10, 2013 4:36 PM According to https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-... CBC is supported. Maybe it's worth investigating OpenSSL vs PolarSSL iOS support. Interesting work dto dig further https://github.com/x2on/OpenSSL-for-iPhone http://x2on.de/2010/12/16/tutorial-script-for-building-openssl-for-ios-ip... or https://github.com/x2on/PolarSSL-for-iOS ++ Corinne _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev Bruno Oliveira <mailto:bruno@abstractj.org> October 10, 2013 3:39 PM Aloha, looks like Apple wants to hide all the good crypto! Have you got the chance to look at this? https://github.com/rnapier/RNCryptor I also see some developers using OpenSSL as an alternative. My suggestion: a) If you think this item is tricky to implement atm consider AES with CBC or AES with CCM (We can support it on the server if necessary). I was trying to find which modes is currently supported but looks like the documentation is super safe, because I can't find it b) It can be done with OpenSSL in the worst case scenario (not saying is a piece of cake to do, just possible). Let's start simple first. Regarding http://www.cryptopp.com/ looks like they have all that we need, maybe worth to take a look at this. What do you think? Off the top of my head I only can see 3 alternatives: 1- Implement encryption with what CommonCrypto provides 2- Try cryptopp or another alternative 3- Implement it with OpenSSL. For example SilentCircle make use of PolarSSL https://github.com/SilentCircle/silent-phone-base/tree/master/libs. I'm not saying to do the same, just an example. Christos Vasilakis <mailto:cvasilak@gmail.com> October 10, 2013 2:29 PM Hi team, I am digging on the CommonCrypto API and I found some issues. Specifically: a) GCM mode for AES symmetric encryption is part of a private API. See [1] the public interface of the current definitions of supported modes of operation. 'kCCModeGCM' is missing _although_ digging on the source code of the apple's web site it is defined in [2] 'private' (The file is included from a private interface here [3]). Also here is the implementation of the GCM mode in [4] and test cases that exercise it [5]. Not sure why Apple left it out in public. On my search, one area in which they use this mode is on the KeyChain from iOS 5 onwards, see 'KeyChain' section here [6] b) Generation of asymmetric ECC keys and encryption is supported by CommonCrypto but _again_ under a private interface, see [7] and [8]. ECC is used in the protection class 'NSFileProtectionCompleteUnlessOpen' according to the iOS Security doc here [9]. In the meeting there was a plan B for it, RSA with Diffie Hellman. I am looking at it, but to my current knowledge is supported if you trust the apple docs here [10] My worry is how can we proceed with the first issue. As a side note, during my search I discovered Crypto++ [11] , which seems to offer many of the features we are trying to support. Con is a C++ interface although an iOS distribution of it exists (see [12]), and there is an iOS wiki page in the library home page [13]. Needs more research. Thanks, Christos [1] https://gist.github.com/cvasilak/b967893655a04cbe5b7b#file-gistfile1-txt-... [2] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [3] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [4] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... [5] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/CCRegressio... [6] http://esec-lab.sogeti.com/post/iOS-5-data-protection-updates [7] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/Comm... [8] https://github.com/Apple-FOSS-Mirror/CommonCrypto/blob/master/Source/API/... [9] http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf [10]https://developer.apple.com/library/ios/documentation/security/concept... [11] http://www.cryptopp.com <http://www.cryptopp.com/> [12] https://github.com/noloader/cryptopp-5.6.2-ios [13] http://www.cryptopp.com/wiki/IOS_(Xcode) <http://www.cryptopp.com/wiki/IOS_%28Xcode%29> _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev

On Fri, Oct 11, 2013 at 06:40:49AM -0300, Bruno Oliveira wrote: > Let's make it simple and start with AES CBC, makes sense? +9001

-- qmx _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev