Hi,

I am interested in your crypto API, especially on iOS and via the Cordova plugin.

The docs at https://aerogear.org/docs/specs/aerogear-crypto/ clearly state that on iOS the GCM mode for symmetric AES encryption is not supported (because iOS CommonCrypto itself does not provide it as a public interface). And reading the latest code in the corresponding Cordova plugin tells me the same.

Nevertheless, the docs of the Cordova plugin at https://aerogear.org/docs/specs/aerogear-cordova/AeroGear.Crypto.html and https://github.com/edewit/aerogear-crypto-cordova/blob/master/README.md state the contrary: it seems like GCM is supported both on iOS and Android.

So my 2 questions are:

- Is GCM mode for AES encryption supported on the iOS aerogear crypto module (and the Cordova plugin)? (my bet is no)
- If not, how difficult would it be to use the private API in iOS CommonCrypto? I didn't try it myself, I have just been reading the code....

Thanks in advance :)

Niko

_______________________________________________
Aerogear-users mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-users
I did the plugin and I'm not sure about all the implementation details, but on iOS the plugin calls this method https://github.com/aerogear/aerogear-crypto-ios/blob/master/crypto-sdk/AGCryptoBox.m#L40, so no GCM; it seems this is only done on Android. On iOS we have created a wrapper around NaCl and it seems to be able to do GCM, but we don't use it there because it's not the most common algorithm.

On Wed, Jun 17, 2015 at 3:06 PM, Niko - Whitebox.one <[hidden email]> wrote:
> [...]

--
Cheers, Erik Jan
Good morning Niko, I hope you're doing well. Please notice that GCM mode support is not a limitation of AG iOS, but a restriction from Apple.

If the document on https://github.com/edewit/aerogear-crypto-cordova/blob/master/README.md states that GCM is supported, it pretty much relates to Android. If the sentences are not clear enough, feel free to file a Jira at https://issues.jboss.org/browse/AGCORDOVA.

Answering your questions:

- Is GCM mode for AES encryption supported on the iOS aerogear crypto module (and the Cordova plugin)?

No. But we are open to suggestions. In the future we plan to make aerogear-ios-crypto pluggable. That way you're free to go with CommonCrypto or whatever provider you want.

- If not, how difficult would it be to use the private API in iOS CommonCrypto? I didn't try it myself, I have just been reading the code....

I'd say it would take time, and the only way I see today is plugging in OpenSSL. The reason why NaCl was chosen was not only the fact of CommonCrypto not supporting GCM, but also because it's safer [1]. If you feel like that should be reconsidered, feel free to create a feature request against https://issues.jboss.org/browse/agios.

I hope it helps.

[1] https://cryptojedi.org/papers/aesbs-20090616.pdf
Thanks Bruno and Erik Jan for the quick and detailed answers!

I noticed indeed that you are using the elliptic curve crypto of NaCl on iOS, which is a smart choice. And thanks for pointing out the timing attack (tables and cache) published in 2009. I am well aware of this kind of attack on AES and GCM when lookup tables are used, but since 2009 we got some improvements, on Intel CPUs (AES-NI) at least, whose patches are already included in OpenSSL (Gueron et al.). But I agree with you that for ARM we are a bit left behind.

About the question whether elliptic curves are safer than AES-GCM, I would say it is a question of trust.... ECC is way too young for me to trust it. I prefer plain old "modulo a prime" groups, with their caveats (longer keys, more CPU intensive) and their limitations (side-channel attacks), but that have benefited from a huge community of cryptographers, coders and debuggers for now 40 years. I believe that, if used correctly, RSA, AES, GCM and DHE can be very efficient. And I am a bit afraid of the sudden euphoria for "magical" curves.

Now if we come back to our subject of interest, which is ARM and iOS, I would say that the situation is tricky, but we can find a solution, and I am interested in helping.

For ARMv7 we have NEON VMULL.P8 instructions (from iPhone 3GS and above, if I am not mistaken; ARM11 doesn't have VMULL.P8). For ARMv8 we have much more, including AES HW acceleration (this is in iPhone 5S and above).

You can have a look at:

- About binary polynomial multiplication for GCM on ARMv7: "Fast Software Polynomial Multiplication on ARM Processors using the NEON Engine." Danilo Camara, Conrado P. L. Gouvea, Julio Lopez and Ricardo Dahab. 2010/2013 [1]
- Implementing GCM on ARMv8. Conrado P. L. Gouvêa, Julio López. 2015 [3]

In addition: it seems that the OpenSSL implementation benefits from NEON in the GHASH (coded by Polyakov) since March 2011 [6], which means the GCM timing attack is not possible (no lookup tables).
Also to be checked is the AES timing-resistant bitsliced implementation from Bernstein and Schwabe that Bruno referred to in the linked PDF. It is probable that the ARM version has been integrated into OpenSSL, but I haven't double-checked. If it is not there, then it most probably is present in [5].

So... I am quite interested in helping with having a fully secure AES-GCM stack on ARM, including on iOS. Let's see how to proceed, starting probably from [5] and then integrating it in OpenSSL? Any idea is welcome.

Finally, just a small comment: if AES-GCM is not as secure as ECC, then why are you still using it in the Android implementation of your crypto box? (Don't get me wrong, I prefer AES-GCM over ECC!)

All the best,

[1] http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf
[2] http://conradoplg.cryptoland.net/software/ecc-and-ae-for-arm-neon/
[3] https://www.rsaconference.com/writable/presentations/file_upload/cryp-w01-secure-and-efficient-implementation-of-aes-based-cryptosystems.pdf
[4] http://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf
[5] https://github.com/conradoplg/authenc
[6] http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/modes/asm/ghash-armv4.pl;h=d91586ee2925bb695899b17bb8a7242aa3bf9150;hb=9575d1a91ad9dd6eb5c964365dfbb72dbd3d1333#l35

On 2015-06-19 13:54, abstractj wrote:
> [...]
Good morning Niko, sorry about the late response. Answers inline.
On Fri, Jun 19, 2015 at 2:06 PM, Niko - Whitebox.one <[hidden email]> wrote:
I think we might be talking about different things here. AES-GCM is regularly used for symmetric encryption, ECC for public key encryption.
At least in our project there's no euphoria, but pretty much common sense and a technical decision. We decided to use ECC for public key encryption, and AES-GCM as our preferred choice for symmetric encryption for platforms where we do not yet have a port of NaCl.
You are more than welcome to help.
My idea around the crypto libraries for AeroGear is not to be tied to any provider, i.e. OpenSSL, NaCl or CommonCrypto. Today we only support NaCl, but the goal is to let people choose whatever they want.
I feel like we're comparing apples and oranges here. GCM is the mode of operation for symmetric encryption, ECC for public encryption, the alternative to ECC would be RSA. Btw I didn't mean that GCM was not secure, but NaCl was the safer option for iOS. For Android, we decided to stick with ECC over RSA for public key encryption and AES-GCM as our default mode of operation for symmetric encryption. Why? We wanted to provide a simple library on top of BouncyCastle. Also, due to the timeframe, the Java implementation of NaCl for Android was postponed.
I haven't got any performance numbers. But if you have other alternatives to BC, I'm open to listen. Also, if you see performance issues, let us know.
--
"The measure of a man is what he does with power" - Plato
- @abstractj - Volenti Nihil Difficile