[aerogear-dev] AeroGear Crypto API - Draft 0. Your brain is required

Kris Borchers kris at redhat.com
Wed Oct 9 16:46:53 EDT 2013


So I have been waiting to see if others would chime in since I tend to be one of the first to always chime in on these types of things and Luke and I have been working very closely with Bruno on this. I am happy with the intro and JS portions but can't fully speak to the other sections. Other input is needed please.

On Oct 7, 2013, at 2:02 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Good morning all, just to start the discussion about the APIs and
> encrypted storage I wrote this gist. Probably after some revisions I
> hope to make it a specification.
> 
> Regarding the available scenarios, feel free to add or change the priority.
> 
> 
> Gist: https://gist.github.com/abstractj/f1229ae075f8e6688c75
> 
> # AeroGear Crypto API
> 
> **Note**: This document is a work in progress
> 
> # Authors
> 
> - Bruno Oliveira
> - *put your pretty name here*
> 
> ## Goals
> 
> - User friendly interface for non crypto experts
> - Advanced developers can make use of the pure crypto provider
> implementation.
> 
> ## Supported Algorithms
> 
> - https://issues.jboss.org/browse/AGSEC-114
> 
> 
> ## Scenarios
> 
> **Note**: For all scenarios the authentication process was intentionally
> ignored.
> 
> - A logged in user wants to store sensitive data on mobile
> 
> ![](http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgRGF0YSBlbmNyeXB0aW9uCgpDbGllbnQtPlNlcnZlcjogUmVxdWVzdAAZCyBrZXlzCgAaBgAeCkdlbmVyYXRlIHRoZQAdBSBhbmQgc3RvcmUAIwkAVgY6IFNlbmQAIAggYmFjayB0bwAzBWMAeAUAewkAKAhFAIEaBgBWBWRhdGEK&s=napkin)
> 
> - The mobile device goes offline but the sensitive data must be safe
> 
> [Under development]
> 
> - Device was stolen and data must be destroyed 
> 
> [Under development]
> 
> - The data must be backed up on the server, but passwords can't be exposed
> 
> [Under development]
> 
> - The application was installed into another device and the keys must be
> revoked on the server
> 
> [Under development]
> 
> - User wants to configure for how long the keys will be considered valid
> 
> 
> ## JavaScript
> 
> ### Dependencies
> 
> - [sjcl](http://crypto.stanford.edu/sjcl/) with wrappers for basic
> functionalities like: encrypt, decrypt, password salting and key pair
> generation.
> 
> 
> ### Implementation details
> 
> - The size of sjcl library is still a concern (28K)
> 
> - Crypto bits were built in a separate module so it may be
> included/excluded in a custom build.
> 
> - The project will be developed under AeroGear.js repository
> (https://github.com/aerogear/aerogear-js/pull/57)
> 
> ### API (draft 0)
> 
> - Password based key derivation support (PBKDF2)
> 
>        myEncryptedPassword = AeroGear.password("strong");
> 
> - Symmetric encryption support (GCM)
> 
>    - Encryption:
> 
>            var options = {
>                IV: superRandomInitializationVector,
>                AAD: "whateverAuthenticatedData",
>                key: generatedKey,
>                data: "My bonnie lies over the ocean"
>            };
> 
>            var cipherText = AeroGear.encrypt( options );
> 
>    - Decryption:
> 
>            var options = {
>                IV: superRandomInitializationVector,
>                AAD: "whateverAuthenticatedData",
>                key: generatedKey,
>                data: cipherText
>            };
>            AeroGear.decrypt( options );
> 
> 
> - Message authentication support (GMAC, HMAC)
> 
> [Under development]
> 
> 
> **Note**: The implementations below are currently under discussion at
> https://github.com/aerogear/aerogear-js/pull/62
> 
> - Hashing support (SHA-256, SHA-512)
> 
>        digest = AeroGear.crypto.hash("some message");
> 
> - Asymmetric encryption support (ECC)
> 
>        var hex = sjcl.codec.hex,
>            keyPair = new AeroGear.crypto.KeyPair(),
>            cipherText, plainText,
>            options = {
>                IV: superRandomInitializationVector,
>                AAD: "whateverAuthenticatedData",
>                key: keyPair.publicKey,
>                data: "My bonnie lies over the ocean"
>            };
>        cipherText = AeroGear.crypto.encrypt( options );
>        options.key = keyPair.privateKey;
>        options.data = cipherText;
>        plainText = AeroGear.crypto.decrypt( options );
> 
> - Digital signatures support (ECDSA)
> 
>        var validation,
>            options = {
>                keys: sjcl.ecc.ecdsa.generateKeys(192),
>                message: "My bonnie lies over the ocean"
>            };
>        options.signature = AeroGear.crypto.sign( options );
>        validation = AeroGear.crypto.verify( options );
> 
> ## Android
> 
> ### Dependencies
> 
> - [Spongy Castle](http://rtyley.github.io/spongycastle/) with wrappers
> for basic functionalities like: encrypt, decrypt, password salting and
> key pair generation.
> 
> 
> ### Implementation details
> 
> - The bouncycastle "provided" in Android doesn't have ECDH; that's the
> reason why Spongy Castle was chosen.
> 
> - aerogear-crypto-java will be the main repository to provide a crypto
> API for Android and the Java server.
> 
> 
> ### API (draft 0)
> 
> **Note**: The implementations below are currently under discussion at
> https://github.com/aerogear/aerogear-crypto-java/tree/refactoring
> 
> - Password based key derivation support (PBKDF2)
> 
>        Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
>        byte[] rawPassword = pbkdf2.encrypt(PASSWORD);
> 
> - Symmetric encryption support (GCM)
> 
>    - Encryption:
> 
>            CryptoBox cryptoBox = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
>            final byte[] IV = new Random().randomBytes();
>            final byte[] message = "My bonnie lies over the ocean".getBytes();
>            final byte[] ciphertext = cryptoBox.encrypt(IV, message);
> 
>    - Decryption:
> 
>            CryptoBox pandora = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
>            final byte[] message = pandora.decrypt(IV, ciphertext);
> 
> 
> - Message authentication support (GMAC, HMAC)
> 
> [Under development]
> 
> - Hashing support (SHA-256, SHA-512)
> 
> [Under development]
> 
> - Asymmetric encryption support (ECC)
> 
>        KeyPair keyPair = new KeyPair();
>        KeyPair keyPairPandora = new KeyPair();
> 
>        CryptoBox cryptoBox = new CryptoBox(keyPair.getPrivateKey(), keyPairPandora.getPublicKey());
>        final byte[] IV = new Random().randomBytes();
>        final byte[] message = "My bonnie lies over the ocean".getBytes();
>        final byte[] ciphertext = cryptoBox.encrypt(IV, message);
> 
>        CryptoBox pandora = new CryptoBox(keyPairPandora.getPrivateKey(), keyPair.getPublicKey());
>        final byte[] decrypted = pandora.decrypt(IV, ciphertext);
> 
> - Digital signatures support (ECDSA)
> 
> [Under development]
> 
> 
> ## iOS
> 
> ### Dependencies
> 
> [TBD] - http://oksoclap.com/p/iOS_Meeting_(Security)
> 
> - [Common Crypto](https://developer.apple.com/library/mac/documentation/security/conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html)
> 
> 
> ### Implementation details
> 
> [TBD]
> 
> 
> ### API (draft 0)
> 
> - Password based key derivation support (PBKDF2)
> 
> [Under development]
> 
> - Symmetric encryption support (GCM)
> 
> [Under development]
> 
> - Message authentication support (GMAC, HMAC)
> 
> [Under development]
> 
> - Hashing support (SHA-256, SHA-512)
> 
> [Under development]
> 
> - Asymmetric encryption support (ECC)
> 
> [Under development]
> 
> - Digital signatures support (ECDSA)
> 
> [Under development]
> 
> 
> -- 
> abstractj
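
The symmetric API sketched in the quoted draft (an options object carrying IV, AAD, key and data, with the key coming from PBKDF2) can be illustrated as follows. This is an added example, not code from the gist, AeroGear.js or sjcl: it uses Node's built-in crypto module, and the function names, the tag-appended ciphertext layout, the salt handling and the iteration count are assumptions.

```javascript
// Added illustration using Node's built-in crypto module, not sjcl or AeroGear.js.
const crypto = require("crypto");

// PBKDF2: derive a 256-bit key from a password and a per-user random salt.
// Iteration count and digest are assumptions for this sketch.
function deriveKey(password, salt, iterations = 100000) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, "sha256");
}

// Hypothetical counterpart of the draft's encrypt( options ).
// Returns the ciphertext with the 16-byte GCM tag appended.
function encrypt({ IV, AAD, key, data }) {
  const cipher = crypto.createCipheriv("aes-256-gcm", key, IV);
  cipher.setAAD(Buffer.from(AAD, "utf8"));
  const body = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
  return Buffer.concat([body, cipher.getAuthTag()]);
}

// Hypothetical counterpart of decrypt( options ); throws if the key, IV, AAD
// or ciphertext differ from what was authenticated at encryption time.
function decrypt({ IV, AAD, key, data }) {
  if (data.length < 16) throw new Error("ciphertext too short");
  const body = data.subarray(0, data.length - 16);
  const tag = data.subarray(data.length - 16);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, IV);
  decipher.setAAD(Buffer.from(AAD, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Round trip, then two failure cases: altered AAD and a flipped ciphertext bit.
function demo() {
  const salt = crypto.randomBytes(16);
  const key = deriveKey("strong", salt);
  const IV = crypto.randomBytes(12); // 96-bit IV, must be unique per key
  const AAD = "whateverAuthenticatedData";
  const cipherText = encrypt({ IV, AAD, key, data: "My bonnie lies over the ocean" });
  const rejects = (opts) => {
    try { decrypt(opts); return false; } catch (e) { return true; }
  };
  const flipped = Buffer.from(cipherText);
  flipped[0] ^= 0x01;
  return {
    plainText: decrypt({ IV, AAD, key, data: cipherText }),
    aadTamperRejected: rejects({ IV, AAD: "otherData", key, data: cipherText }),
    bitFlipRejected: rejects({ IV, AAD, key, data: flipped }),
  };
}
```

The AAD is authenticated but not encrypted, so the decrypting side must supply the same value, and the salt has to be stored alongside the ciphertext so the key can be derived again.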