I agree that JCA/JCE is a limited crypto interface but since there are no standards for identifying the characteristics of a resource implementing crypto function it seems hard to make any breakthrough here. Provider names are better than nothing at least.

Anyway, since the Android team is (based on their silence on these topics) betting on the HTML <keygen> tag as the only mechanism for key-generation, Android will anyway be completely crippled with respect to secure key-storage making the provider thing a no-issue :-(

I'm personally working on another path which is designed to make Android a competitor to smart cards:
http://android-keystore-v2.webpki.org

I recently received the following quite related link:
http://www.nfc-forum.org/events/competition/2009_finalists

Without much surprise, only one out of the 20 finalists came from the US. The reason for not being surprised is the fact that "devices" have been shunned by US banks for consumer authentication while it is a standard feature in the EU since more than a decade back. There is little point for Google advancing things beyond their home market; having worked for a major US computer security corporation, I know the drill :-)

Anders

----- Original Message -----
From: "OK" <[email protected]>
To: "Android Security Discussions" <[email protected]>
Sent: Friday, May 01, 2009 23:31
Subject: [android-security-discuss] JCA/JCE

Would like to get your inputs on the crypto provider interface. It looks to me that this framework is pretty useless since it requires the developer to know the specific crypto providers on the platform. If I have a hw-accelerated crypto provider on the platform, say by company X, then as a developer I cannot benefit from the crypto acceleration or any other hw security feature seamlessly without explicitly specifying X as the provider. With all the various hw platforms this defeats the purpose and pretty much all this reverts to the default provider. I believe this framework needs to be changed to emphasize the algorithms/interfaces rather than the providers, such as the CNG from msft.

Any thoughts?

PC
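
Added example, not part of the thread and not Android or project code: a sketch using only standard JCA calls that shows the provider lookup the messages discuss, first requesting a cipher by algorithm name alone, then listing each installed provider that registers an AES cipher and requesting the same transformation from it by name. The class name `ProviderLookup` and the `AES/CBC/PKCS5Padding` transformation are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical class name; only standard java.security / javax.crypto calls are used.
public class ProviderLookup {
    // Transformation chosen for illustration (assumption, not from the thread).
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    public static void main(String[] args) throws GeneralSecurityException {
        // Throwaway key so each cipher can actually be initialised.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();

        // 1. Algorithm-only request: the runtime walks the installed providers
        //    in preference order and uses the first one that can serve it.
        Cipher byAlgorithm = Cipher.getInstance(TRANSFORMATION);
        byAlgorithm.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("Algorithm-only request served by: "
                + byAlgorithm.getProvider().getName());

        // 2. Enumerate the providers that register a Cipher service for AES.
        Provider[] candidates = Security.getProviders("Cipher.AES");
        if (candidates == null) {
            System.out.println("No installed provider registers Cipher.AES");
            return;
        }

        // 3. Provider-specific request: ask each candidate for the same
        //    transformation and report whether it can serve it with this key.
        for (Provider p : candidates) {
            try {
                Cipher pinned = Cipher.getInstance(TRANSFORMATION, p);
                pinned.init(Cipher.ENCRYPT_MODE, key);
                System.out.printf("%-14s usable   (%s)%n", p.getName(), p.getInfo());
            } catch (GeneralSecurityException e) {
                System.out.printf("%-14s unusable (%s)%n", p.getName(), e.getMessage());
            }
        }
    }
}
```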
