
I'm trying to implement JSON Web Encryption (aka JWE) per the JOSE standards.

I have tried encryption with CommonCrypto lib available in iOS but it doesn't support OAEP-256 padding.

I can't use the iOS Security framework since its classes like SecKeyAlgorithm and encryption modes like rsaEncryptionOAEPSHA256AESGCM are available only from iOS 10 onward. Otherwise, libraries like JOSESwift (https://github.com/airsidemobile/JOSESwift) would have helped.

I can't write my own encryption since I'm not a security expert (hence not recommended).

Other questions on SO and Google searches don't help either: Objective c RSA with OAEP padding sha256 prior ios 10

Is there any possible way of doing it on iOS? Any help is appreciated.

iphondroid
  • If you can only get raw RSA then writing OAEP would not be the biggest hurdle when it comes to security. Most of the security-relevant code when it e.g. comes to timing attacks is performed during modular exponentiation performed before the unpadding. Probably best to lift it out of some existing OAEP code. Does Apple release the source? – Maarten Bodewes Jul 12 '19 at 22:30
  • Well, OAEP-256 is only the first of my requirements. I need to implement other standards like A128GCM encryption, DH key exchange, JWS signature checking etc. as well. – iphondroid Jul 15 '19 at 06:20
  • Yeah, well, iOS 8 is already 4 years out of production. That's a long time for a smartphone OS, especially for Apple. You either find a library (OpenSSL?) or you'll have to program it yourself. And indeed, if you need all that it is going to take some time and worse, you may not code it correctly. Question is: do you want to run highly secure code on a device that has been left behind long ago? – Maarten Bodewes Jul 15 '19 at 08:29
  • Well, iOS 8 is the minimum supported version for the framework I'm creating according to the project requirements. I suppose zero users are on iOS 8 but I have to do it. How about I use a C library like https://github.com/cisco/cjose or https://github.com/latchset/jose clubbed with OpenSSL? Is that the right direction? – iphondroid Jul 15 '19 at 09:34
  • Please question the project requirements. You seem to have new data why this is not a good idea. Probably the requirements were made by project managers that have insufficient data to see that having to support these old frameworks brings big development and maintainability issues. And that's not even counting the security issues with an OS that is not updated anymore. You're in the development phase, you're not even in the release phase! I do unfortunately not know enough about iOS to make those kinds of design decisions, so I cannot answer that latest question. – Maarten Bodewes Jul 15 '19 at 09:52
  • Thanks for the info. I'll post about further development on this. For now I'm going to try with C libs. – iphondroid Jul 15 '19 at 10:07

0 Answers