Android Hardware-backed KeyStore - android-keystore

I am interested in the hardware-backed KeyStore. I was looking at some documentation and I have noticed some contradiction.
The official documentation (here) confirms that all implementations must provide, among others, AES encryption.
Multiple implementations exist for the KeyStore. I looked at the Qualcomm one that is based on QSEE. As far as I understood from the keymaster glue (here), the QSEE-based KeyStore implements only RSA encryption.
Am I missing something? I am considering the case that this keymaster glue is not up-to-date. In this case, where can I find the latest one?
Thanks for any help.

Related

Searching for usable implementation of CSP on top of pkcs 11

I found a few dead projects on this title.
Some referenced here.
I need one. But why are they all dead?
Is it a bad idea to use such a design? Do you know of any good implementation which does this?
Some Smart Card vendors were providing CSP over PKCS#11 (not open source). In my opinion, this is not the best way of developing a CSP. These 2 standards are very different, and even more different since the venue of CNG and Credential Providers under 'recent' Windows OS.

Diffie Hellman and AES on Android

I am trying to use Diffie Hellman for key exchange and AES to encrypt data with keys. Can anyone provide me a suitable work sample for Android?
I've actually been working on a similar problem lately myself. I don't have a working sample, but here are some points you should be aware of:
Android uses a partial Bouncy Castle package to handle most of its cryptography, but some people prefer to use their own cryptographic package (Spongy Castle is a commonly cited alternative) since Android's is incomplete. See the discussion in here.
If you choose to use Android's existing tools, you can access them through Cipher. Here is a useful list of algorithms Android supports.
Be aware that if you choose to use some non-Android Java crypto library, Android does not support all Java packages your library may need. See my (currently unanswered) question about how to deal with that in Spongy Castle.
Hope these help!
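An added example, not part of the original question or answer: one way to do the exchange with the platform's own `KeyAgreement` and `Cipher` classes, using AES-GCM for the data. The class name `DhAesExample`, the SHA-256 key derivation step and the nonce-prefixed message layout are assumptions made for this sketch; both parties are simulated in one process.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.*;

public class DhAesExample {
    // Derive a 256-bit AES key from our private key and the peer's X.509-encoded public key.
    static SecretKeySpec deriveKey(PrivateKey mine, byte[] peerEncoded) throws GeneralSecurityException {
        PublicKey peer = KeyFactory.getInstance("DH").generatePublic(new X509EncodedKeySpec(peerEncoded));
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine);
        ka.doPhase(peer, true);
        // Hash the raw shared secret instead of using its bytes directly as the key.
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(ka.generateSecret()), "AES");
    }
    // AES-GCM with a fresh 12-byte nonce; output layout (assumed here) is nonce || ciphertext+tag.
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] decrypt(SecretKeySpec key, byte[] msg) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, msg, 0, 12));
        return c.doFinal(msg, 12, msg.length - 12); // throws AEADBadTagException if tampered
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();
        // Bob must use the same group parameters (p, g) as Alice.
        kpg.initialize(((DHPublicKey) alice.getPublic()).getParams());
        KeyPair bob = kpg.generateKeyPair();
        // Only the encoded public keys cross the wire; they must be authenticated out of band.
        SecretKeySpec kA = deriveKey(alice.getPrivate(), bob.getPublic().getEncoded());
        SecretKeySpec kB = deriveKey(bob.getPrivate(), alice.getPublic().getEncoded());
        byte[] msg = encrypt(kA, "constructed sample message".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(kB, msg), StandardCharsets.UTF_8));
    }
}
```

Plain Diffie-Hellman gives no assurance about who sent a public key, so in a real app each side's key has to be signed or otherwise verified before `deriveKey` is called.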

I Have: RSA key, exponent, plaintext. I Want: cipher text. Should be 2 lines of Obj-C no?

As the title says. Using the iPhone SDK, I want to RSA encrypt some (small) plaintext using an existing key and exponent I am given from a server for authentication. Surely this is a trivial task that requires one library import and a couple of lines of code? If not, why not?
Unfortunately the only way to work with RSA keys on the iPhone is by importing them in the KeyChain. If you don't mind using a third-party library then you can go around this. For example by using libcrypto from OpenSSL.

Is it possible to create a FIPS 140-2 compliant server in Perl?

The question is pretty simple, is it possible to create a FIPS 140-2 compliant server in Perl? Especially, is it possible without modifying any of the C code for the modules? If it's not possible in straight Perl, what would be the easiest way to go about it from a C perspective?
I'm basically creating a mini-httpd that only serves up a single file, but due to security restrictions it needs to be served up on SSL under FIPS compliance.
I don't know all of the rules when it comes to FIPS 140-2. However, unlike HIPAA and PCI-DSS, it's a standard that governs the strength of cryptography and doesn't take the system as a whole into consideration. Parts of OpenSSL can be FIPS 140-2 compliant and this library is exposed to Perl via the Crypt::OpenSSL module. You just have to make sure your key size is large enough for the level of FIPS certification you need and that you don't violate one of the many Cryptographic Issues.
Take a look at Mozilla's FIPS strategy. Triple DES is most likely to be Open Source. I am unaware of any certified FIPS 140-2 solutions in Perl.
Most implementation approvals are very restrictive, such as being on a certain hardware platform, CPU, and OS version. If you are on one of those platforms, you can often piggyback on the OS approval, such as Windows 7, Redhat, etc.

Secure Remote Password Implementation for iPhone

I've been reading about Stanford's Secure Remote Password protocol, and it looks ideal for the sort of environment in which iPhone apps run. Unfortunately, I haven't been able to find a good Objective-C implementation of the protocol. Nor, as far as I can tell, do the crypto libraries in the SDK implement it.
Does anyone know of such an implementation?
Failing that, what's my best bet going to be, do you think? I could try to build OpenSSL into my app, but that feels like a really big thing to add for this one little piece. I could try to translate the JavaScript or Java implementations into Objective-C, but that violates the #1 rule of crypto (use a known, tested implementation).
Couple of follow-up items: first, it should probably be obvious from context, but I'm going to need something that is compatible with closed-source commercial usage (the JavaScript implementation I linked to, I later noticed, is AGPL).
Also, assuming I do end up going with OpenSSL, I'm having real trouble finding an example of using it to do SRP. Their site claims the code is in there, but I can't find any evidence of it, either in the OpenSSL documentation, or grepping the source code (v 0.9.8k). (Or am I seriously misreading things, and I still have to apply one of their patches to the OpenSSL source?)
EDIT:
What I could really use at this point is ready-to-use code, a fairly complete recipe, or some kind of example of using SRP in OpenSSL. I'm pretty sure I could cobble something together from scratch with the protocol docs, but I'm really trying to avoid reinventing the wheel, if I can help it.
The OpenSSL and GnuTLS implementations of SRP-TLS are the only C-based ones I know that are maintained (TinySRP hasn't been updated since 2001, and there have been many security notices against the underlying OpenSSL version it's based on, though I don't know if they impact TinySRP itself).
That said, every iPhone project I've built has eventually had to include a copy of OpenSSL for something or other. I recommend just biting the bullet and using it. The instructions you link to work fine.
Personally, I build OpenSSL into a Universal library using lipo that has both arm and x86 versions. That way I can link to a single .a for both Simulator and Device. The lipo is very easy. Just build the two libraries and glue them together. Here's the rule from my Makefile:
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/lipo \
-create \
-arch armv6 iPhoneOS$(SDK_VER)/lib/$(1) \
-arch i386 iPhoneSimulator$(SDK_VER)/lib/$(1) \
-output iPhoneUniversal$(SDK_VER)/lib/$(1)
The implementation of SRP on the iOS platform requires OpenSSL, so a good way is to install OpenSSL via pods.
There's a good C implementation of SRP by hoccer called csrp.
I have written an iOS wrapper for this implementation, which you can find here. But I must mention that csrp is already well implemented and self-explained from its documentation.