Nimbus JOSE has deprecated RSA-OAEP (SHA-1) in favor of RSA-OAEP (SHA-256).

The Nimbus JOSE Java library doesn't support the Android KeyStore out of the box, but I've patched it to use RSA/ECB/OAEPWithSHA-256AndMGF1Padding (SHA-1).

Node-jose only supports RSA OAEP with SHA-1 and no MGF1, or RSA OAEP with SHA-256 and no MGF1.

The incompatibility is surprising to me; you'd think there would be an off-the-shelf solution for implementing JWE between Node.JS and Android.

My idea is that the mobile app creates a key pair in its hardware-backed Keystore, gives the public key to the backend, and the backend can then create JWEs where the public key is used to encrypt the CEK.

But I'm wondering about RSA OAEP SHA-1. Nimbus JOSE deprecated it; is it discouraged to use it? Has it been proven vulnerable?

Also, in the future, I want to support the iPhone. I don't know much about iOS, but it seems Apple also has an HW-protected key store ("Secure Enclave"). But considering Android only supports RSA with some flavors such as RSA OAEP with SHA-256 and MGF1+SHA1, and Apple only supports EC, I guess I'd have to support both RSA and EC on the backend, and if needed patch libraries such as node-jose and node-forge to fit my needs.

But perhaps I'm going around this all wrong? So if one wanted to build a solution where a mobile phone and a backend server use JWE for encrypted communication, what's my best bet?

Node-jose only supports RSA OAEP with SHA-1 and no MGF1 or RSA OAEP with SHA-256 and no MGF1

That's extremely unlikely, since OAEP does need to use a Mask Generation Function, and there is only one defined: MGF1. So maybe it doesn't specify it explicitly, but it really must support it to be called OAEP. Best to compare MGF1 with an expanding key derivation function, probably.

Nimbus JOSE deprecated it, is it discouraged to use it? Has it been proven vulnerable?

For this kind of use SHA-1 is still secure, even though the relatively small output size doesn't help. It certainly doesn't depend on the collision resistance.

However, I've had plenty of entities asking to deprecate SHA-1 in its entirety. The problem is that it is a huge red flag for auditors, who then have to look if the use of the hash is secure. And, to be honest, many auditors wouldn't know how to qualify if it is secure or not, so they see it as an avoidable risk. Which, to be honest, it probably is.

Apple only supports EC

I don't know, it seems that Apple supports RSA for encryption if I look at the description here.