1

I am looking forward to developing a secure mobile application.

I find my needs fulfilled by PGP, since PGP includes full data encryption (symmetric-key).

So, is PGP a viable solution for mobile applications? (Computation power wise)

I plan to secure only my API responses (String only) with PGP.

  • Can a mobile processor stand PGP while providing seamless communication?
  • Or will it be overkill for a mobile device to use PGP?

My platforms of development (if that matters):

  1. iPhone

  2. Android

Under PGP I will use: [Since, PGP uses an Asym and a Sym encryption]

  • RSA [Asym]
  • Blowfish [Sym]
double-beep
Yugal Jindle
  • "Is PGP a viable solution computation power wise?" This surely depends on what kind of throughput you are aiming for. – Oliver Charlesworth Jan 02 '12 at 21:19
  • You are not providing enough information... RSA for example is part of SSL, but because of computational reasons (and others) it is only used during the negotiation phase to establish a secret session key, which in turn is used for symmetric encryption... this would be OK... but if you plan to use RSA itself to encrypt/decrypt lots of data then that might be too much (this is not really platform dependent but device/HW related)... – Yahia Jan 02 '12 at 21:22
  • By that I mean: can a mobile processor stand PGP, delivering a seamless experience on a mobile phone? – Yugal Jindle Jan 02 '12 at 21:23
  • I said that under `PGP`, I will use `RSA`. By that I mean, PGP uses Asym encryption only to encrypt the data hash and the key. So it's a really small string that gets encrypted with Asym encryption (RSA in my case) during PGP. – Yugal Jindle Jan 02 '12 at 21:25

2 Answers

2

It should be noted that mobile devices perform asymmetric cryptography negotiations on a regular basis. After all, that is the power behind SSL. Maybe at some point 20 years ago resource usage with cryptography was a concern, but today they are very lightweight functions by comparison. Blowfish is very old; it was replaced by Twofish about a decade ago, and Threefish is available but hasn't been finalized so it shouldn't be used. Use AES-256, preferably with GCM mode, because it is more difficult to botch that implementation. You should read up on modes of operation because even a very strong cipher can be very weak if you use the wrong mode (such as ECB).

In any case you should be performing usability testing on your own. Really this question is a symptom of a much more serious problem, and that is software testing and usability testing in general. If you tested the speed of this function you would know it wasn't a problem. If you are not testing your applications you will be producing very low quality software.

rook
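The hybrid pattern discussed in this thread (RSA wraps only a short session key, a symmetric cipher encrypts the response string), with a timing loop so the cost is measured rather than guessed. This is an added example, not code from any poster and not the OpenPGP message format: it uses Node.js's built-in `crypto` as a stand-in for a mobile crypto library, and the names `seal`, `open`, `benchmark` and the sample response are constructed for illustration.

```javascript
// Added example: PGP-style hybrid encryption using only Node's built-in crypto module.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        createCipheriv, createDecipheriv, constants } = require('crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: fresh AES-256 session key per message; RSA only ever encrypts those 32 bytes.
function seal(publicKey, plaintext) {
  const sessionKey = randomBytes(32);
  const iv = randomBytes(12); // 96-bit GCM nonce, must never repeat under the same key
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: publicKey, ...OAEP }, sessionKey),
    iv, body, tag: cipher.getAuthTag(),
  };
}

// Receiver: unwrap the session key, then decrypt; final() throws if the GCM tag fails.
function open(privateKey, msg) {
  const sessionKey = privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Time n seal/open round trips; returns mean milliseconds per round trip.
function benchmark(keys, response, n) {
  const start = process.hrtime.bigint();
  for (let i = 0; i < n; i++) {
    if (open(keys.privateKey, seal(keys.publicKey, response)) !== response) {
      throw new Error('round trip mismatch');
    }
  }
  return Number(process.hrtime.bigint() - start) / 1e6 / n;
}

// Constructed sample: a 2048-bit key pair and a small JSON API response.
const keys = generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = JSON.stringify({ user: 'example', items: Array(200).fill('constructed-value') });
console.log(`mean round trip: ${benchmark(keys, sample, 20).toFixed(2)} ms`);
```

The RSA private-key operation dominates the per-message time regardless of payload size, which is why the bulk data goes through the symmetric cipher.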
0

Yes, mobile hardware can handle it; otherwise we couldn't use SSL in the web browser. SSL uses asymmetric encryption just like PGP.

chubbsondubs