Skip to content

Instantly share code, notes, and snippets.

@abstractj

abstractj/pushthepush.md Secret

Last active August 29, 2015 13:57
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save abstractj/55905ed53fce2ca22388 to your computer and use it in GitHub Desktop.
Save abstractj/55905ed53fce2ca22388 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
pushthepush.md

REST api changes suggested for UPS

Register push app:

  • HTTP request

    Remain unchanged

  • HTTP response

    Remain unchanged

Public key request

  • HTTP GET resquest

    Ask for the public key sending pushApplicationID

  • HTTP response

    {"publicKey":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpsPA31qRWrtiAhnpGBzgwoE435c18gD42y13urb0JSdx4AHQRthhAUFVnu+RqUU8NTp9tGnEEhyBZfbV67arVw==“, “nonce”:”6KbYGZKvTusU+IL3sdY9g=="}

publicKey: Is the public key created per application and will be optional for developers who do care about security. If for some reason they don’t want to encrypt their passphrase or certificate, that’s ok.

nonce: 16 bytes non-deterministic used to encrypt the data on the server

Note: Both would be stored into UPS database (not perfect, but a good start)

Keep in mind that this is just the initial idea, for example, masterSecret should never return in clear. To the further interactions it will be fixed establishing a key agreement between client and server and encrypt the whole response (only for sensitive data). Yeah, I know, we are protected by SSL, but we shouldn’t trust on it.

iOS Variant:

  • HTTP request

    Remain unchanged, but now certificate and passphrase can be send encrypted and the server will store it.

  • HTTP response

    Remain unchaged

Sender:

  • HTTP request

    Remain unchanged, but now the server will search for the application ID and retrieve the public key to decrypt application's passphrase

  • HTTP response

    Remain unchanged

AeroGear Clients

  • cURL

Yesterday I had the amusing experience of dig into the sources of OpenSSL and their documentation, to see how people could encrypt it from the command line. If I recommend that people would remember my name for the eternity in a bad way. Another insane idea was to provide encoders for GPG. The simplest idea, I think, would be provide code for people encrypt their passphrase and certificate, instead of trust in some software.

Action item: Write a Java class to make it easy for developers

  • aerogear-unifiedpush-java-client

No problem to implement it.

  • aerogear-simplepush-java-client

No problem to implement it.

  • aerogear-simplepush-node-client

Not so easy, but they do OpenSSL behind the scenes

  • aerogear-unifiedpush-nodejs-client

Not so easy, but they do OpenSSL behind the scenes

So, what do you think? Yay/Nay? I would never use that?

The goal is to provide secure alternatives to developers, but if the whole process will turn into a pain, I won’t move forward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment