This looks very nice. I think I will have to trust you on the details ;)
Le 2010 8 5 11:28, "Caleb James DeLisle" <calebdelisle(a)lavabit.com> a
écrit :
Hello all,
I you have been watching on irc and in the sandbox commit notifications
you know
Alex and I have been working
hard on developing some high quality cryptographic
services, I think it is
ready to add to the core.
What xwiki-crypto provides:
* PasswordVerificationFunction provides ability to protect ("hash") a
password using functions which require a configurable amount of processor
power and RAM.
This allows a configurable level of difficulty for
password guessing
attacks and configurable memory costs even frustrate hardware
(GPU) based
cracking attempts.
This uses a standards conforming implementation of
what is a truly state
of the art password hashing technology developed by Colin
Percival, deputy
security officer for FreeBSD operating system.
The design paper is here:
http://www.tarsnap.com/scrypt/scrypt.pdf
This will be able to be used for
http://jira.xwiki.org/jira/browse/XWIKI-70 (Safe
password storage)
* Password based encryption using the function defined above for
converting the
password to the encryption key. The default encryption
algorithm is CAST-5 which has been used by PGP encryption system.
* RSA-2048 key generation and text signature.
Option #1: Generate key in user's browser (Supports Firefox and Opera,
possible
to add IE support.) and be able to use the crypto.signText function
in javascript allowing for signature which are unforgable even by the
administrator (or hacker) of the server.
Option #2: Generate key on the server and store
password encrypted (see
above) allowing for "pretty good" level of
signature non-reputability.
What this will look like to a script:
## Password Encryption
#set($ciphertext = $services.crypto.passwd.encryptText("this is a secret",
"hopefully a strong password"))
## Password Decryption
#set($plaintext = $services.crypto.passwd.decryptText($ciphertext,
"hopefully
a strong password"))
## Protecting a password (so can be validated but the original can't be
derived
from the protected password and it's hard to do password guessing
attacks)
#set($safePassword =
$services.crypto.passwd.protectPassword($userSuppliedPlaintextPassword)
## Validating a password against the "safe password"
#if($services.crypto.passwd.isPasswordCorrect($userSuppliedPlaintextPassword,
$safePassword)
you win!
#end
## Generating a key in the user's browser (this won't likely be used
often)
## $spkac is a public key given by the browser when
the user clicks on the
create certificate button, this is compatible with FOAFSSL.
## 365 is the number of days the certificate should be
valid for.
## this returns 2 certificate, one is the user's and the other is a self
signed
authority which trusts it.
#set($certAndAuthority =
$services.crypto.x509.certsFromSpkac($spkac,
365))
## Generating a key (x509 certificate + private key) on the server side
(this
won't likely be used often)
## this returns an XWikiX509KeyPair
#set($privateKeyAndCert = $services.crypto.x509.newCertAndPrivateKey(365,
"password for protecting private key")
## Serializing a keyPair to a base64 string (this does not conform to any
standard
because no decent standard was available)
#set($keyPairAsString =
$privateKeyAndCert.serializeAsBase64())
## Deserializing the keypair back from the string
#set($privateKeyAndCert =
$services.crypto.x509.keyPairFromBase64($keyPairAsString)
## Signing text with a "$privateKeyAndCert"
## This outputs a base64 String representing the signature.
#set($signature = $services.crypto.x509.signText("this is the text I want
to
sign", $privateKeyAndCert, "password for protecting private key")
## Verifying text (this verifies text signed with either the above
signText
function or with the mozilla/opera javascript crypto.signtText
function.)
## this outputs an XWikiX509Certificate object which
can then be compared
to known trusted certificates.
#set($signingCertificate =
$services.crypto.x509.verifyText("this is the
text I want to sign",
$signature))
## Serializing a certificate as a String in conforming PEM format
(readable by
OpenSSL)
#set($pemString = $signingCertificate.toPEMString())
## Deserializing a certificate from PEM format
#set($signingCertificate = $services.crypto.x509.certFromPEM($pemString)
The interfaces:
http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja…
http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja…
http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja…
http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja…
> WDYT?
> Caleb
>
_______________________________________________
> devs mailing list
> devs(a)xwiki.org
>
http://lists.xwiki.org/mailman/listinfo/devs