Note: This is NOT a replacement for SSL
- Developers wants to upload passphrase and certificate for iOS variants. The passphrase must be stored encrypted and restored in clear while sending messages.
- https://issues.jboss.org/browse/AGPUSH-565 (Dropped). After a hangout with Matthias, we agreed that would complicate the developer's workflow.
- https://issues.jboss.org/browse/AGPUSH-358
Today we can't guarantee that our developers will have an HSM to manage encryption keys. Neither we can store the private keys in a separated database, for the push server.
If somehow the database is compromised, private keys could be exposed and most of the sensitive data decrypted.
The suggestion is to make use of a KDF function per application to encrypt passphrases, not perfect, but helps (like we did in the past for password reset). Where encryption key means:
PK = PBKDF2(Secret Key, Salt)
Secret Key: In the ideal world, users would be required to provide a password for encryption. In this scenario we don't want them to be prompted to input the password, or add extra parameters to the UPS endpoints. So the suggestion is to provide secret key configured on the server and protected by the ACL's from the operating system
Salt: 16 bytes non-deterministic used to encrypt/decrypt the data on the server per application and stored into the database.
The file can be generated and checked if something exists during the application start up.
- config.properties
secret_key = "d9eb5171c59a4c817f68b0de27b8c1e340c2341b52cdbc60d3083d4e8958532" \
"18dcc5f589cafde048faec956b61f864b9b5513ff9ce29bf9e5d58b0f234f8e3b"
or
- config.json
{"secret_key":"d9eb5171c59a4c817f68b0de27b8c1e340c2341b52cdbc60d3083d4e8958532" \
"18dcc5f589cafde048faec956b61f864b9b5513ff9ce29bf9e5d58b0f234f8e3b"}
Passphrases must be reversible for Apple, that's why we make use of symmetric encryption here.
POST | rest/applications
Remain unchanged
Remain unchanged
Remain unchanged
Remain unchanged
Remain unchanged
Remain unchanged
No changes at the client side.