AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Passwordwallet iphone between android7/31/2023 ![]() I don't know, it seems that Apple supports RSA for encryption if I look at the description here. Which, to be honest, it probably is.īut perhaps I'm going around this all wrong? PasswordWallet for the iPhone features encrypted exports and Backup and Restore functionality that requires no special software, not even iTunes. And, to be honest, many auditors wouldn't know how to qualify if it is secure or not, so they see it as an avoidable risk. The apps allow users to automatically share all of their passwords between their Mac, iPhone, MobileMe, and DropBox, as well as their Windows, Android, Windows Mobile, and Palm Pre devices. The problem is that it is a huge red flag for auditors, who then have to look if the use of the hash is secure. However, I've had plenty of entities asking to deprecate SHA-1 in its entirety. It certainly doesn't depend on the collision resistance. For this kind of use SHA-1 is still secure, even though the relatively small output size doesn't help. Best to compare MGF1 with an expanding key derivation function probably. Nimbus JOSE deprecated it, is it discouraged to use it? Has it been proven vulnerable? So maybe it doesn't specify it explicitly, but it really must support it to be called OAEP.īut I'm wondering about RSA OAEP SHA-1. ![]() That's extremely unlikely since OAEP does need to use a Mask Generation Function, and there is only one defined: MGF1. Node-jose only supports RSA OAEP with SHA-1 and no MGF1 or RSA OAEP with SHA-256 and no MGF1 But perhaps I'm going around this all wrong? But considering Android only supports RSA with some flavors such as RSA OAEP with SHA-256 andMGF1+SHA1, and Apple only supports EC, I guess I'd have to support both RSA and EC on the backend, and if needed patch libraries such as node-jose and node-forge to fit my needs. My idea is that the mobile app creates a key pair in its hardware-backed Keystore, gives the public key to the backend, and the backend can then create JWEs where the public key is used to encrypt the CEK. So if one wanted to build a solution where a mobile phone and a backend server uses JWE for encrypted communication, what's my best bet? I don't know much about iOS, but it seems Apple also has an HW protected key store ("Secure Enclave"). Nimbus JOSE deprecated it, is it discouraged to use it? Has it been proven vulnerable?Īlso, in the future, I want to support the iPhone. The incompatibility is surprising to me, you'd think there would be an off-the-shelf solution for implementing JWE between Node.JS and Android.
0 Comments
Read More
Leave a Reply. |