Writing proposal for GSoC 2015 (Advance android application)

[Arjun Vijayvargiya]

Hi Shivam,

                 Can you throw more light on the fifth point of issue 35 https://github.com/privly/privly-android/issues/35 so that I can add its development in my proposal???I also want to know what kind of functionality additions and design considerations we will be expecting for this GsoC . This will help me in writing the proposal.

[Shivam Verma]

Do you have an idea of how keys work in case of Privly ? The academic paper[1] provides a good idea. 

I'd suggest reading through it to get started. 

[1]https://github.com/privly/privly-organization/tree/master/academic/privly-paper

On Wed, Mar 11, 2015 at 11:54 PM, Arjun Vijayvargiya <arjun....@gmail.com> wrote:

Hi Shivam,

                 Can you throw more light on the fifth point of issue 35 https://github.com/privly/privly-android/issues/35 so that I can add its development in my proposal???I also want to know what kind of functionality additions and design considerations we will be expecting for this GsoC . This will help me in writing the proposal.

--
You received this message because you are subscribed to the Google Groups "privly-mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privly-mobil...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Arjun Vijayvargiya]

Ok I will go through this paper.

[Arjun Vijayvargiya]

Hi shivam,

                 I have a doubt regarding the addition of "resolving  issue 30:https://github.com/privly/privly-android/issues/30 " to be included in the implementation plan of my proposal.Is that task ,a part of GSOC 2015 for Advance android application project.

Secondly,I want to ask about the dates The google melange website mentions the student coding period to be between May25th -August 24th

whereas the information on privly page citing "guidelines for studen.."https://github.com/privly/privly-organization/wiki/Guidelines-for-Students-Participating-in-GSOC-2015-for-Privly says that third trimester will end by 17 september. What to follow???

On Wednesday, March 11, 2015 at 9:24:47 PM UTC+5:30, Arjun Vijayvargiya wrote:

[Sean McGregor]

I updated the dates on the application template to better align with
this year's timeline. I must have been looking at a past year when I
updated the calendar this year.

-Sean

> --
> You received this message because you are subscribed to the Google Groups
> "privly-mobile" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to privly-mobil...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Sean McGregor

Oregon State University, Department of Computer Science
Twitter: seanmcgregor
irc.freenode.net: smcgregor

[Shivam Verma]

There's no fixed set of tasks you need to complete for GSoC.

[Arjun Vijayvargiya]

Hi shivam,

                   At what time you generally hangout on  IRC,I have some doubts regarding the project and want to clarify from you.

[Arjun Vijayvargiya]

Hi Shivam,

                   With reference to our previous discussion, I basically researched on How to generate PGP key-pair. Then I found that there is no sophisticated library being developed from their (PGP development Team) side that can be used in writing programs and implementing the concept.The PGP development Team has released a preliminary library but unfortunately the link is not working.ftp://ftp.netcom.com/pub/dd/ddt/crypto/crypto_info/.

Anyways their are other ways to generate key pair in Android based on RSA key-pair generation .I am just summarizing what I have found out:

1. USING Standard java libraries: http://developer.android.com/reference/java/security/KeyPairGenerator.html .Java built in cryptography is available through the Java Cryptography Extension.The extension has two parts Application API and service provider and we will use in android to interact with.

2.Bouncy Castle library for android: http://en.wikipedia.org/wiki/Bouncy_Castle_%28cryptography%29 which is not recommended for implementation in android

3.Spongy Castle library for android: https://github.com/rtyley/spongycastle

Using Bouncy Castle in Android is not desired because it "ships with a crippled version of Bouncy Castle" which may be prone to errors. Spongy Castle is simply a repackage of Bouncy Castle and is mostly used by the android developers to build such key pair values.

4.JScH:http://epaul.github.io/jsch-documentation/javadoc/ which is another library which I have not gone through as much

I think RSA key-pair generation would best take place by Spongy Castle library and their are enough documentations available for implementation in android. Once generated the key pair we can move forward with generation of QR code of Pub key of that pair.What do you suggest?????

[Arjun Vijayvargiya]

Hi shivam, 

As according to what Sean said,I have filled proposal part on Google Melange website with  Project Abstract and list of my closed and opened pull request with their current status.

[Shivam Verma]

I think its best to use the implementation that android provides. 

On Tue, Mar 17, 2015 at 8:42 PM, Arjun Vijayvargiya <arjun....@gmail.com> wrote:

Hi shivam, 

As according to what Sean said,I have filled proposal part on Google Melange website with  Project Abstract and list of my closed and opened pull request with their current status.

--

[Arjun Vijayvargiya]

Ok,I will use android for generation of pair-key generation.Now I have to look on the generation of QR code from public key of the generated pair.

[Shivam Verma]

You should test the Android implementation to generate a key pair. 

On Tue, Mar 17, 2015 at 10:40 PM, Arjun Vijayvargiya <arjun....@gmail.com> wrote:

Ok,I will use android for generation of pair-key generation.Now I have to look on the generation of QR code from public key of the generated pair.

[Sean McGregor]

I think it may be important to sign the keys in the webview since it would be difficult to maintain compatibility otherwise. Take a look at openpgpjs and sjcl.

[Shivam Verma]

AFAIK, sjcl does not support RSA but they do have something called ECC (Eliptical curve cryptography?) for public/private keypair generation.

There's this other library called forge js which does however allow you to do that.

(Did some research on this a little while ago)

[Arjun Vijayvargiya]

This Jsrsasign can also be a good option to use: http://kjur.github.io/jsrsasign/

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL CMS SignedData, TimeStamp and CAdES in pure JavaScript. 

On Wednesday, March 11, 2015 at 9:24:47 PM UTC+5:30, Arjun Vijayvargiya wrote:

[Arjun Vijayvargiya]

Hi Shivam,

                      I have tested on the Android implementation to generate key pair.It generates unique set of keys every time we call the method .You can see the following result.I need to discuss you about signing and local storage of keys on web-view. I have done some research based on that and want to discuss with you.At what time you will be comfortable for the IRC hangout.   

 

[Arjun Vijayvargiya]

Hi Shivam, 

                   I have drawn out an implementation plan on generation,signing,and key exchange .Please see to it in your mail.Give suggestion.It may be in your spam folder.

[Sean McGregor]

(CCing in Daniel since he has spoken at a security conferences about
JS crypto libraries)

Daniel,

We talked a while back (before Mozilla persona) about a "fluidic" key
trust system, where the user's JS environment can scoop up identity
proofs via the browser extension. The Android GSoC project would
likely be the most-trusted key exchange in such a system that we would
layer additional key exchange mechanisms on top of.

Do you have a recommendation for a JS library for:

* Signing keys with identity strings
* Encrypting/decrypting content with those keys
* (potentially) sharing with multiple keys simultaneously

I know OpenPGPJS recently pushed a 1.0 release and they were audited
by somebody, but I am thinking it may be appropriate to jump to ECC
since we don't necessarily need to support all the legacy keys in
this.

Best,
Sean

[Sean McGregor]

Thanks Daniel. For the purposes of our design and prototype, we can
work with anything that supports sign/encrypt/decrypt. When we start
pushing to production we will make a final decision here.

In the meantime, I propose we adopt SJCL's ECC implementation since
their API is pretty tight. See documentation:
https://github.com/bitwiseshiftleft/sjcl/wiki/Asymmetric-Crypto

Does this sound good?

-Sean

On Wed, Mar 18, 2015 at 3:26 PM, Daniel Reichert <danie...@gmail.com> wrote:
> The most stable and compatible library is OpenPGP.js. However, if we're
> starting from scratch I would suggest having a look Google's E2E[0]. Google
> wrote their own PGP library that is objectively more safe. I say this
> because they used Google Closure to enforce type safety. This inherently
> eliminates a large number of bugs that OpenPGP.js will be susceptible to no
> matter how many security audits they go through.
>
> In addition to type safety E2E is only using ECC. This is both good and bad
> depending on your perspective. It's bad because it breaks backwards
> compatibility with other implementation of PGP. It's good because it has
> much better performance. The fact that Google, and now Yahoo[1] have
> announced they will be using ECC based PGP makes it seem that in the not too
> distant future the compatibility issue will soon be in favor of E2E.
> Considering that the existing user base for PGP is very small, I don't think
> breaking compatibility is a big issue even in the short term.
>
> What is a big issue is that to my knowledge the ECC-based PGP implementation
> used by E2E is not offered as a standalone library. When it was first
> announced I recall reading comments [2] that there would be efforts to make
> it available as a library, but don't know what kind of time frame, if any,
> was attached to that. It's unfortunate because this is really the only
> thing holding back projects like ours or Whiteout mail or mailvelope from
> using it.
>
> I would look into the status of the ECC library and then make your decision.
>
> Best,
> Daniel
>
> [0] https://github.com/google/end-to-end
> [1] https://github.com/yahoo/end-to-end
> [2] https://news.ycombinator.com/item?id=7842233

[Shivam Verma]

Yep. Sounds good. 

[Arjun Vijayvargiya]

Hi Shivam,

   I have gone through the Paper of SJCL written by Emily Stark, Mike Hamburg and Dan Boneh.LINK:http://bitwiseshiftleft.github.io/sjcl/acsac.pdf.I couldn't understand much but was able to figure out how it solves the security issues.Some of the key advantages of SJCL are:

• SJCL is secure. It uses the industry-standard AES algorithm at 128, 192 or 256 bits,the SHA256 hash function and   the HMAC                   authentication code.
  
• SJCL strengthens the passwords by a factor of 1000 and salts them to protect against rainbow tables(A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes), and it authenticates every message it sends to prevent it from being modified. I believe that SJCL provides the best security which is practically available in Javascript and beats openPGP JS in many sense.
  
• SJCL is a cross browser.
  

        About implementation part of SJCL ,not much examples have been given as people have preffered openPGP js over it as of now,so we will have to take the much of the help from its doc and information given on github repos whenever implementing it. I want to discuss about the "Local storage of exchanged keys in web-view".When will you be free for a IRC hangout????

[Daniel Reichert]

The SJCL is used inside of OpenPGP.js, so any of the benefits that apply to SJCL also apply to OpenPGP.js.  I would strongly advise against using SJCL on it's own to perform PGP.  It will be more cumbersome to setup during development, and should absolutely not be used in production.  Even though all of the same cryptographic primitives are present, the precise ordering of them can still result in total loss of security in the scheme.  This would be no different than rolling your own crypto protocol from the perspective of a security audit.  Using OpenPGP.js to perform PGP avoids all of these issues.

Best,

Daniel

[Sean McGregor]

I am looking to delay this discussion because we will have more
information and options at the end of the summer. We will likely adopt
ECC, which is a necessary assumption to make at this time since it
influences the size of the information being transferred.

I am willing to develop on top of SJCL with the unearned assumption it
is broken so long as we can change/validate/fix it when the rest of
the system is developed. I would bet our choice of libraries will be
obvious by the end of summer. Also, it ensures we write a proper suite
of unit and integration tests.

-Sean