[aerogear-dev] Question around encryption for iOS push certificate passphrase

Matthias Wessendorf matzew at apache.org
Wed Feb 5 12:58:57 EST 2014


On Wed, Feb 5, 2014 at 6:53 PM, Daniel Passos <daniel at passos.me> wrote:

> On Wed, Feb 5, 2014 at 2:49 PM, Matthias Wessendorf <matzew at apache.org> wrote:
>
>> Hello Bruno,
>>
>>
>> On Wed, Feb 5, 2014 at 5:05 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>>
>>> You shouldn't store your private key, please make use of the suggested
>>> code and let me know.
>>>
>>
>>
>> OK, not storing the 'private key', but instead I am only storing the IV,
>> salt and ciphertext, right ?
>>
>
> Right. In this case you don't need to store the Private Key
>
>
>> The following code is basically the (relevant) code behind the web-form
>> when someone creates the logical construct of an iOS variant:
>>
>>
>> https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L44-L62
>>
>> In reality I get all the information for the variant (e.g. its name, its
>> description, its certificate file and the passphrase for the certificate),
>> but the above has been limited to the passphrase, as everything else is not
>> so important here :-)
>>
>> So after that I have basically the following pieces in the database:
>> * IV
>> * salt
>> * ciphertext
>>
>> instead of the plaintext passphrase for the iOS certs.
>>
>
> *NEVER* store password/passphrase
>

yep, that's why I am thinking about:
https://issues.jboss.org/browse/AGPUSH-358



>
>
>>  But, now, somewhere later in the program, I need to do the
>> decryption to get the actual passphrase for the stored Apple-certificate.
>> However, I don't see how to create the CryptoBox here, as I should not
>> stash the private/secret key, nor do I have access to the previous
>> CryptoBox object
>>
>>
>> https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L64-L85
>>
>>
>> Looks like I am missing something here
>>
>
> If you have Salt and password you can create a PrivateKey "on the fly"
>

As said in the comments, I don't have access to the password/passphrase:
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L67



>
>
> Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
>
> byte[] rawPassword = pbkdf2.encrypt(passphrase, salt);
>
> PrivateKey privateKey = new PrivateKey(rawPassword);
>
>
> And to create the CryptoBox you only need a PrivateKey
>
>  CryptoBox cryptoBox = new CryptoBox(privateKey);
>
> Now you are able to decrypt using the stored IV :)
>
> byte[] decryptedData = cryptoBox.decrypt(IV, data);
>
> That was exactly what we did in the Encrypted Store
>
>
> https://github.com/danielpassos/aerogear-android/blob/master/src/org/jboss/aerogear/android/impl/datamanager/EncryptedSQLStore.java#L115-L150
>
>
> -Matthias
>>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf