Currently Mozc depends on OpenSSL because Mozc has been using AES256 to encrypt
user data. However, depending on OpenSSL might not be a good option because:
1. OpenSSL is a gigantic library and supposed to be updated more frequently
than Mozc itself.
2. The license of OpenSSL is not compatible with at least GPL. This is not a
problem for Mozc itself, but could be an unpleasant obstacle if a developer
wants to develop a derivative work of Mozc by combining other projects that
are licensed under GPL.
3. Mozc has been using AES256 for a *casual* encryption of user data, rather
than a cryptographically critical functionality. To be honest, completely
stopping doing encryption is an option because a user can still use
system-level encryption, which is better designed and tested.
In r192, I removed the dependency on OpenSSL by default. You can still use OpenSSL
by explicitly specifying GYP_DEFINES="use_legacy_encryptor=1" as of r192 but it
is supposed to be removed in future releases.
Original issue reported on code.google.com by yukawa@google.com on 17 May 2014 at 2:19
tl;dr No behavioral change expected with this effort. User conversion history
is still obfuscated before and after r192 with the same algorithm (AES-256 in
CBC mode).
Long version:
What I did in r192 is basically a self-contained reimplementation of
AES-256-CBC and SHA1, which allows us not to depend on external libraries and
platform-dependent APIs such as OpenSSL (on OS X, Linux, and NaCl) and
javax.crypto.Cipher (on Android). Of course, reimplementing a cryptographic
module is discouraged in general. However, given that mozc::Encryptor is
originally designed to be a part of *casual* obfuscation functionality rather
than a cryptographically critical feature, this is sort of acceptable to reduce
the maintenance cost.
Summary:
Until r192, mozc::Encryptor had depended on the following modules.
- Windows: Crypt APIs.
- Mac: OpenSSL
- Linux: OpenSSL
- NaCl: OpenSSL
- Android: javax.crypto.Cipher
Since r192, mozc::Encryptor has depended on the following modules.
- Windows: Crypt APIs (not for AES-256-CBC and SHA1 but for further OS-level data protection)
- Mac, Linux, NaCl, Android: None.
Reference:
https://code.google.com/p/mozc/wiki/DataEncryptionAndPasswordManagement
Original comment by yukawa@google.com on 29 May 2014 at 5:34
Changed title: Remove dependencies on external libraries and platform native APIs from mozc::Encryptor