
@abstractj
Last active December 23, 2015 18:19

AeroGear Crypto API

Note: This document is a work in progress

Authors

  • Bruno Oliveira
  • put your pretty name here

Goals

  • User friendly interface for non crypto experts
  • Advanced developers can make use of the pure crypto provider implementation.

Supported Algorithms

Scenarios

Note: For all scenarios the authentication process was intentionally ignored.

  • A logged in user wants to store sensitive data on mobile

Another alternative (we still need to think about the entropy source; it would be nice to have some of it come from the server)

  • The mobile device goes offline but the sensitive data must be protected

  • The data must be backed up on the server, but passwords can't be exposed

  • The application was installed into another device and the keys must be revoked on the server

[Under development]

  • User wants to configure for how long the keys will be considered valid

[Under development]

  • Device was stolen and data must be destroyed

[Under development]

JavaScript

Dependencies

  • sjcl, with wrappers for basic functionality such as encrypt, decrypt, password salting and key pair generation.

Implementation details

  • The size of the sjcl library is still a concern (28K).

  • Crypto bits were built in a separate module so it may be included/excluded in a custom build.

  • The project will be developed under AeroGear.js repository (aerogear-attic/aerogear-js#57)

API (draft 0)

  • Password based key derivation support (PBKDF2)

      // PBKDF2 derives a key from the password rather than "encrypting" it;
      // a random per-user salt must be stored with the result so the same key can be re-derived.
      var myEncryptedPassword = AeroGear.password("strong");
    
  • Symmetric encryption support (GCM)

    • Encryption:

        var options = {
            IV: superRandomInitializationVector,  // fresh random bytes for every encryption; never reuse an IV under the same key
            AAD: "whateverAuthenticatedData",     // authenticated but not encrypted; must be identical on decrypt
            key: generatedKey,                    // e.g. the PBKDF2 output above
            data: "My bonnie lies over the ocean"
        };
        
        // GCM output carries the authentication tag; store IV and ciphertext together
        var cipherText = AeroGear.encrypt( options );
      
    • Decryption:

        var options = {
            IV: superRandomInitializationVector,  // the IV that was stored with the ciphertext
            AAD: "whateverAuthenticatedData",
            key: generatedKey,
            data: cipherText
        };
        // Must fail when the tag does not verify; treat any failure as tampering, never use partial output
        var plainText = AeroGear.decrypt( options );
      
  • Message authentication support (GMAC, HMAC)

[Under development]

Note: The implementations below are currently under discussion at aerogear-attic/aerogear-js#62

  • Hashing support (SHA-256, SHA-512)

      digest = AeroGear.crypto.hash("some message");
    
  • Asymmetric encryption support (ECC)

      var keyPair = new AeroGear.crypto.KeyPair(),
          cipherText, plainText,
          options = {
              IV: superRandomInitializationVector,
              AAD: "whateverAuthenticatedData",
              key: keyPair.publicKey,     // encrypt to the recipient's public key
              data: "My bonnie lies over the ocean"
          };
      cipherText = AeroGear.crypto.encrypt( options );
      options.key = keyPair.privateKey;   // only the matching private key can decrypt
      options.data = cipherText;
      plainText = AeroGear.crypto.decrypt( options );
    
  • Digital signatures support (ECDSA)

      var validation,
          options = {
              // 192 selects P-192 (about 96-bit security); 256 (P-256) is the usual choice today
              keys: sjcl.ecc.ecdsa.generateKeys(192),
              message: "My bonnie lies over the ocean"
          };
      options.signature = AeroGear.crypto.sign( options );
      validation = AeroGear.crypto.verify( options );   // true only for the unmodified message and matching key
    

Android

Dependencies

  • Spongy Castle, with wrappers for basic functionality such as encrypt, decrypt, password salting and key pair generation.

Implementation details

  • The Bouncy Castle provider bundled with Android doesn't include ECDH, which is why Spongy Castle was chosen.

  • aerogear-crypto-java will be the main repository to provide a crypto API for Android and the Java server.

API (draft 0)

Note: The implementations below are currently under discussion at https://github.com/aerogear/aerogear-crypto-java/tree/refactoring

  • Password based key derivation support (PBKDF2)

      Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
      // Despite the name, encrypt() derives a key from the password; the salt used must be stored to re-derive it
      byte[] rawPassword = pbkdf2.encrypt(PASSWORD);
    
  • Symmetric encryption support (GCM)

    • Encryption:

        CryptoBox cryptoBox = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
        final byte[] IV = new Random().randomBytes();   // fresh per message; never reuse an IV with the same key
        final byte[] message = "My bonnie lies over the ocean".getBytes();
        final byte[] ciphertext = cryptoBox.encrypt(IV, message);   // store IV and ciphertext together
      
    • Decryption:

        // The receiver needs the same secret key plus the IV stored alongside the ciphertext
        CryptoBox pandora = new CryptoBox(new PrivateKey(SOME_SECRET_KEY));
        final byte[] message = pandora.decrypt(IV, ciphertext);   // must fail if the GCM tag does not verify
      
  • Message authentication support (GMAC, HMAC)

[Under development]

  • Hashing support (SHA-256, SHA-512)

[Under development]

  • Asymmetric encryption support (ECC)

      KeyPair keyPair = new KeyPair();          // sender
      KeyPair keyPairPandora = new KeyPair();   // recipient
    
      // Sender boxes with its own private key and the recipient's public key
      CryptoBox cryptoBox = new CryptoBox(keyPair.getPrivateKey(), keyPairPandora.getPublicKey());
      final byte[] IV = new Random().randomBytes();   // fresh per message
      final byte[] message = "My bonnie lies over the ocean".getBytes();
      final byte[] ciphertext = cryptoBox.encrypt(IV, message);
    
      // Recipient opens with its own private key and the sender's public key (same shared secret)
      CryptoBox pandora = new CryptoBox(keyPairPandora.getPrivateKey(), keyPair.getPublicKey());
      final byte[] decrypted = pandora.decrypt(IV, ciphertext);   // renamed: `message` is already declared above
    
  • Digital signatures support (ECDSA)

[Under development]

iOS

Dependencies

[TBD] - http://oksoclap.com/p/iOS_Meeting_(Security)

Implementation details

[TBD]

API (draft 0)

  • Password based key derivation support (PBKDF2)

[Under development]

  • Symmetric encryption support (GCM)

[Under development]

  • Message authentication support (GMAC, HMAC)

[Under development]

  • Hashing support (SHA-256, SHA-512)

[Under development]

  • Asymmetric encryption support (ECC)

[Under development]

  • Digital signatures support (ECDSA)

[Under development]
