Sign here, please!

Transcript

1. SIGN HERE, PLEASE! ANA BAOTIĆ @abaotic

2. None
3. None

4. Present in
 54
 countries Over 22,300
 highly committed employees 6th


   largest software & services vendor in Europe 1,813
 m EUR sales revenues in 2016 176
 m EUR operating profit in 2016 1bln
 EUR market capitalization • Founded in 1991 • 6th largest software producer in Europe • Traded on the WSE, included in the WIG20 blue chip index • International presence ASSECO at a glance

5. CERTIFICATE

6. CERTIFICATE Electronic document that proves ownership of a public key

   X.509 - structure TLS/SSL, electronic signatures CERTIFICATE

7. IDENTITY CERTIFICATE

8. PUBLIC KEY CERTIFICATE = IDENTITY + +

9. SIGNED BY CA CERTIFICATE = IDENTITY + PUBLIC KEY +

   +

10. KEYS ASYMMETRIC CRYPTOGRAPHY

11. KEYS ▸ Private (owner) ▸ Decrypts messages ▸ Calculates signatures

    ▸ Public (shared) ▸ Encrypts messages ▸ Confirms signatures

12. DIGITAL SIGNATURE ▸ Calculate a digest/hash of the message ▸

    Sender encrypts with private key ▸ Recipient decrypts with public key DIGITAL SIGNATURE

13. CERTIFICATE = IDENTITY + PUBLIC KEY + SIGNED BY CA

    + +

14. CERTIFICATE AUTHORITY CA Trusted entity that issues digital certificates.

15. CA CA CERTIFICATE ▸ Self-signed certificate ▸ Browsers, Android, OSX

    ▸ Comodo, IdenTrust, Symantec, GoDaddy, Let’s Encrypt ▸ Impact of updates!

16. CA - DOMAIN VS EXTENDED VALIDATION

17. END CERTIFICATE

18. INTERMEDIATE CERTIFICATE

19. ROOT CERTIFICATE

20. CERTIFICATES CERTIFICATE CHAINS

21. CA SUBVERSION ▸ Primary risk key theft ▸ Scheme flawed

    ▸ HSM for key storage ▸ Offline

22. TRUST ANDROID ▸ Unknown CA ▸ Self-signed ▸ No intermediate

    cert on server

23. SIGNING ANDROID APPLICATIONS

24. SIGNING ANDROID APPLICATIONS ▸ Generate a key and keystore ▸

    Sign your application

25. SIGNING ANDROID APPLICATIONS - NEW KEY STORE

26. SIGNING ANDROID APPLICATIONS - SIGN THE APP

27. SIGNING ANDROID APPLICATIONS - SIGN THE APP ALTERNATIVE ▸ keytool

    to generate a key ▸ zipalign to align unsigned apk ▸ jarsigner to sign aligned apk

28. SIGN THE APK DECISIONS TO BE MADE ▸ Who will

    be responsible for the signing key?

29. WE THE DEVELOPERS

30. WE THE DEVELOPERS EXPECTATIONS ▸ Application can be updated throughout

    its lifetime

31. WE THE DEVELOPERS PREREQUISITES ▸ Signing key must be safe

    ▸ Signing key must be accessible

32. WE THE DEVELOPERS REALITY ▸ People spill coffee ▸ People

    switch companies

33. WE THE DEVELOPERS REALITY NIGHTMARE signingConfigs { release { storeFile

    file("/not_where_you_think_it_is/ks.jks") storePassword "password" keyAlias "my-alias" keyPassword "password" } }

34. GOOGLE PLAY APP SIGNING https://goo.gl/3aCBeC

35. GOOGLE PLAY APP SIGNING DECISION IS PERMANENT

36. GOOGLE PLAY APP SIGNING NEW APPS ▸ Create upload key

    and sign apk ▸ Google Play App Signing ->Accept ▸ Upload signed apk ▸ Register app signing key!

37. GOOGLE PLAY APP SIGNING EXISTING APPS ▸ Opt-in ▸ Submit

    signing key to Google and ▸ Create upload key ▸ Update keystores ▸ Continue signing with upload key

38. WE THE DEVELOPERS MITIGATION ▸ Upload key lost/compromised?

39. SIGN THE APK DECISIONS TO BE MADE ▸ Who will

    be responsible for the signing key? ▸ Applicable to all modules/applications/flavours?

40. SIGN THE APK PROS AND CONS ▸ Modularity ▸ Permission

    based sharing ▸ update-able ▸ Single point of failure
41. None

42. ANDROID KEYSTORE SYSTEM

43. ANDROID KEYSTORE SYSTEM The Android Keystore system safeguards your cryptographic

    keys from extraction. ANDROID KEYSTORE SYSTEM

44. STORAGE SHOULD I KEEP SENSITIVE DATA IN MY APP?

45. ANDROID KEYSTORE SYSTEM EXTRACTION PREVENTION ▸ System process in charge

    of cryptographic operations ▸ Key material bound to TEE, SE

46. ANDROID KEYSTORE SYSTEM KEY USE AUTHORIZATIONS ▸ Once defined, immutable

    ▸ Cryptography ▸ Temporal validity interval ▸ User authentication

47. ANDROID KEYSTORE SYSTEM UTILITY METHODS ▸ KeyInfo.isInsideSecurityHardware() ▸ KeyInfo.isUserAuthenticationRequirementEnforcedBySecureHardware()

48. ANDROID KEYSTORE SYSTEM KEYCHAIN VS ANDROID KEYSTORE PROVIDER ▸ System-wide

    credentials ▸ System provided UI ▸ App-specific credentials ▸ No interaction ▸ AndroidKeystore API 18

49. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair();

50. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair();

51. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeystore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair();

52. LISTING ENTRIES KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null); Enumeration<String> aliases =

    ks.aliases();

53. LISTING ENTRIES KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null); Enumeration<String> aliases =

    ks.aliases();

54. SIGNING DATA Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(((PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[]

    signature = s.sign();

55. SIGNING DATA Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(((PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[]

    signature = s.sign();

56. VERIFYING SIGNATURES Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(((PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean

    valid = s.verify(signature);

57. VERIFYING SIGNATURES Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(((PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean

    valid = s.verify(signature);

58. KEY ATTESTATION KEY ATTESTATION ▸ Is a key stored in

    hardware-backed keystore ▸ Small number of devices API 24+

59. TEXT

60. FRAGMENTATION ANDROID P(ANCAKE?) ▸ Key rotation ▸ StrongBox Keymaster (HSM)

    ▸ …

61. GOOGLE TRANSPARENCY REPORT https://transparencyreport.google.com/

62. QUALYS CHECK YOUR DOMAIN (NOW!) https://www.ssllabs.com/ssltest/analyze.html

63. THANK YOU! Q&A