[aerogear-dev] AeroGear Android Crypto / DataManager Proposal
Corinne Krych
corinnekrych at gmail.com
Wed Nov 6 13:34:08 EST 2013
+1 too.
++
corinne
On Nov 6, 2013, at 6:47 PM, Christos Vasilakis <cvasilak at gmail.com> wrote:
>
> On Nov 6, 2013, at 7:12 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> Answers inline.
>>
>>> Daniel Passos <mailto:daniel at passos.me>
>>> November 6, 2013 at 2:24 PM
>>>
>>>
>>> DataManager Crypto
>>>
>>>
>>>
>>> Idea
>>>
>>> My idea is to read all fields, encrypt the field values and save them in
>>> the store (Memory and SQLite)
>>>
>> Sounds like a plan.
>>>
>>>
>>> Problems
>>>
>>> 1) CryptoBox needs byte[] data to encrypt[1]. We need to get byte[] of
>>> all types
>>> 2) CryptoBox#decrypt returns a byte[] and we need to convert it by
>>> field type
>>> 3) How does it work with nested objects?
>>>
>>> Ugly code to set decrypted data by field type[2]
>>>
>>>
>>>
>>> Solution/Proposal
>>>
>>> What about serializing entity/model to json, encrypt it and save in Store?
>>>
>> Due to our target
>> (http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Security-release-dates-and-deadlines-td5249.html),
>> the timing is too tight for encrypted queries (would be awesome indeed)
>> but we need to be realistic.
>>
>> So if the idea is to encrypt/decrypt a whole JSON, +1, and we improve it
>> in the next release.
>>>
>>> If we decide on this, we will not be able to make queries /
>>> ReadWithFilter (I think).[3]
>>>
>>> Any questions, thoughts or tomatoes before I move forward?
>>>
>> From my side, go for it.
>
>
> +1 to move forward
>
>
>
>>>
>>> [1]
>>> https://github.com/aerogear/aerogear-crypto-java/blob/master/src/main/java/org/jboss/aerogear/crypto/CryptoBox.java#L86
>>> [2] https://gist.github.com/danielpassos/31e024a8cfd6c64e151c
>>> [3]
>>> http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Querying-encrypted-data-td5068.html
>>>
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>> Hylke Bons <mailto:hbons at redhat.com>
>>> November 6, 2013 at 8:03 AM
>>> I already started a new thread for that and just wanted to refer to it
>>> as it's related.
>>>
>>> Hylke
>>>
>>> On 05/11/2013 16:51, Bruno Oliveira wrote:
>>>
>>> Bruno Oliveira <mailto:bruno at abstractj.org>
>>> November 5, 2013 at 2:51 PM
>>> I can be dead wrong, but please start a new thread to discuss the
>>> site. Otherwise we will lose the real focus here.
>>>
>>> Hylke Bons <mailto:hbons at redhat.com>
>>> November 5, 2013 at 11:40 AM
>>> On 05/11/2013 07:41, Corinne Krych wrote:
>>>> Hello all,
>>>>
>>>> I've got 2 points:
>>>>
>>>> - modularity: AeroGear libs are small and modular: we have a separate aerogear-otp-ios, aerogear-push-ios-registration so that if the user wants to use aerogear without push, he can use aerogear-ios, if he needs the push-registration, he uses both. For encryption store, where do we want to put EncryptedStore? aerogear-android depends on aerogear-crypto.
>>>
>>> I'd like to chime in here a little bit, as this also involves the
>>> website mockup I sent to the list earlier. Whatever the decision, I
>>> highly recommend making the different (sub)libraries consistent across
>>> platforms, so the mental model is the same everywhere.
>>>
>>> That said, the libraries should probably reflect the different
>>> subprojects that we display on the main page.
>>>
>>> Hylke
>>>
>>>
>>>> - Encrypting data takes time. It would be nice to have EncryptedStore encrypt data on a separate thread and provide callbacks on completion.
>>>> thoughts?
>>>>
>>>> ++
>>>> Corinne
>>>> On Nov 4, 2013, at 5:30 PM, Daniel Passos <daniel at passos.me> wrote:
>>>>
>>>>> The idea is implementing only save(add/update) and delete, using the stores we already have today by just adding crypt / decrypt and scheduling Query (readWithFilter) for the next release
>>>>> DataManager
>>>>>
>>>>> public Store encryptedStore(String storeName, String passphrase) {
>>>>>     // TODO Create a default passphrase-based KeyStore
>>>>>     KeyStore keyStore = null;
>>>>>     return encryptedStore(storeName, keyStore);
>>>>> }
>>>>>
>>>>> public Store encryptedStore(String storeName, KeyStore keyStore) {
>>>>>     StoreConfig storeConfig = new StoreConfig();
>>>>>     storeConfig.setType(StoreTypes.ENCRYPTED_MEMORY);
>>>>>     return encryptedStore(storeName, storeConfig, keyStore);
>>>>> }
>>>>>
>>>>> public Store encryptedStore(String storeName, StoreConfig config, String passphrase) {
>>>>>     // TODO Create a default passphrase-based KeyStore
>>>>>     KeyStore keyStore = null;
>>>>>     return encryptedStore(storeName, config, keyStore);
>>>>> }
>>>>>
>>>>> public Store encryptedStore(String storeName, StoreConfig config, KeyStore keyStore) {
>>>>>     config.setKeyStore(keyStore);
>>>>>     Store store = storeFactory.createStore(config);
>>>>>     stores.put(storeName, store);
>>>>>     return store;
>>>>> }
>>>>>
>>>>> EncryptedMemoryStore
>>>>>
>>>>> public class EncryptedMemoryStore<T> implements Store<T> {
>>>>>
>>>>>     private final MemoryStorage<T> memoryStorage;
>>>>>     private final CryptoUtils<T> cryptoUtils;
>>>>>
>>>>>     public EncryptedMemoryStore(IdGenerator idGenerator, KeyStore keyStore) {
>>>>>         memoryStorage = new MemoryStorage<T>(idGenerator);
>>>>>         cryptoUtils = new CryptoUtils<T>(keyStore);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public StoreType getType() {
>>>>>         return StoreTypes.ENCRYPTED_MEMORY;
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public Collection<T> readAll() throws InvalidKeyException {
>>>>>         Collection<T> encryptedCollection = memoryStorage.readAll();
>>>>>         return cryptoUtils.decrypt(encryptedCollection);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public T read(Serializable id) throws InvalidKeyException {
>>>>>         T encryptedItem = memoryStorage.read(id);
>>>>>         return cryptoUtils.decrypt(encryptedItem);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public List<T> readWithFilter(ReadFilter filter) throws InvalidKeyException {
>>>>>         List<T> encryptedList = memoryStorage.readWithFilter(filter);
>>>>>         return cryptoUtils.decrypt(encryptedList);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public void save(T item) {
>>>>>         memoryStorage.save(cryptoUtils.encrypt(item));
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public void reset() {
>>>>>         memoryStorage.reset();
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public void remove(Serializable id) {
>>>>>         memoryStorage.remove(id);
>>>>>     }
>>>>>
>>>>>     @Override
>>>>>     public boolean isEmpty() {
>>>>>         return memoryStorage.isEmpty();
>>>>>     }
>>>>>
>>>>> }
>>>>>
>>>>> CryptoUtils
>>>>>
>>>>> Here is where the magic happens.
>>>>>
>>>>>
>>>>> public class CryptoUtils<T> {
>>>>>
>>>>>     private final KeyStore keyStore;
>>>>>
>>>>>     public CryptoUtils(KeyStore keyStore) {
>>>>>         this.keyStore = keyStore;
>>>>>     }
>>>>>
>>>>>     public Collection<T> decrypt(Collection<T> encryptedCollection) {
>>>>>         List<T> decryptedList = new ArrayList<T>();
>>>>>         for (T item : encryptedCollection) {
>>>>>             decryptedList.add(decrypt(item));
>>>>>         }
>>>>>         return decryptedList;
>>>>>     }
>>>>>
>>>>>     public List<T> decrypt(List<T> encryptedList) {
>>>>>         List<T> decryptedList = new ArrayList<T>();
>>>>>         for (T item : encryptedList) {
>>>>>             decryptedList.add(decrypt(item));
>>>>>         }
>>>>>         return decryptedList;
>>>>>     }
>>>>>
>>>>>     public T decrypt(T item) {
>>>>>         // TODO Read all fields and decrypt
>>>>>         return item;
>>>>>     }
>>>>>
>>>>>     public T encrypt(T item) {
>>>>>         // TODO Read all fields and encrypt
>>>>>         return item;
>>>>>     }
>>>>>
>>>>> }
>>>>>
>>>
>>> Corinne Krych <mailto:corinnekrych at gmail.com>
>>> November 5, 2013 at 5:41 AM
>>> Hello all,
>>>
>>> I've got 2 points:
>>>
>>> - modularity: AeroGear libs are small and modular: we have a separate
>>> aerogear-otp-ios, aerogear-push-ios-registration so that if the user
>>> wants to use aerogear without push, he can use aerogear-ios, if he
>>> needs the push-registration, he uses both. For encryption store, where
>>> do we want to put EncryptedStore? aerogear-android depends on
>>> aerogear-crypto.
>>>
>>> - Encrypting data takes time. It would be nice to have EncryptedStore
>>> encrypt data on a separate thread and provide callbacks on completion.
>>> thoughts?
>>>
>>> ++
>>> Corinne
>>>
>>>
>>
>> --
>> abstractj
>>
>>
>
>
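The "serialize the entity to JSON, encrypt it and save it in the Store" proposal discussed in this thread, as an added example that is not code from the thread or from AeroGear. It uses the JDK's own AES-GCM and PBKDF2 in place of CryptoBox and the passphrase-based KeyStore; the class name, method names and sample records are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class EncryptedJsonStoreDemo { // hypothetical class, not an AeroGear API
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[]> rows = new HashMap<>(); // id -> IV || ciphertext || tag
    private final SecretKeySpec key;

    EncryptedJsonStoreDemo(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 100_000, 256); // stretch passphrase to 256 bits
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        key = new SecretKeySpec(raw, "AES");
    }

    void save(String id, String json) throws Exception {
        byte[] iv = new byte[12]; RNG.nextBytes(iv); // fresh IV per save, never reused under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(id.getBytes(StandardCharsets.UTF_8)); // bind the blob to its row id
        byte[] ct = c.doFinal(json.getBytes(StandardCharsets.UTF_8));
        rows.put(id, ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    String read(String id) throws Exception {
        byte[] row = rows.get(id);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, row, 0, 12));
        c.updateAAD(id.getBytes(StandardCharsets.UTF_8));
        // doFinal throws AEADBadTagException if the blob was modified or moved to another id
        return new String(c.doFinal(row, 12, row.length - 12), StandardCharsets.UTF_8);
    }

    List<String> readWithFilter(String needle) throws Exception { // no push-down: decrypts every row
        List<String> hits = new ArrayList<>();
        for (String id : rows.keySet()) { String j = read(id); if (j.contains(needle)) hits.add(j); }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; RNG.nextBytes(salt); // not secret; persist it beside the data
        EncryptedJsonStoreDemo s = new EncryptedJsonStoreDemo("constructed passphrase".toCharArray(), salt);
        s.save("1", "{\"name\":\"alice\",\"city\":\"Lyon\"}"); // constructed sample records
        s.save("2", "{\"name\":\"bob\",\"city\":\"Porto\"}");
        System.out.println(s.readWithFilter("\"city\":\"Porto\""));
    }
}
```

Because the store only ever sees opaque blobs, `readWithFilter` has to decrypt every record before it can match anything, which is the query limitation the thread accepts for this release.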