Sign here, please!

Transcript

1. SIGN HERE, PLEASE! ANA BAOTIĆ @abaotic

2. None
3. None

4. Present in
 54
 countries Over 22,300
 highly committed employees 6th


   largest software & services vendor in Europe 1,813
 m EUR sales revenues in 2016 176
 m EUR operating profit in 2016 1bln
 EUR market capitalization • Founded in 1991 • 6th largest software producer in Europe • Traded on the WSE, included in the WIG20 blue chip index • International presence ASSECO at a glance

5. CERTIFICATE @abaotic

6. CERTIFICATE Electronic document that proves ownership of a public key

   CERTIFICATE @abaotic

7. CERTIFICATE Electronic document that proves ownership of a public key

   X.509 - structure CERTIFICATE @abaotic

8. CERTIFICATE Electronic document that proves ownership of a public key

   X.509 - structure TLS, electronic signatures CERTIFICATE @abaotic

9. IDENTITY CERTIFICATE @abaotic

10. PUBLIC KEY CERTIFICATE = IDENTITY + + @abaotic

11. KEYS ASYMMETRIC CRYPTOGRAPHY @abaotic

12. KEYS ASYMMETRIC CRYPTOGRAPHY 13924097109571903750931790573190570913759031790579374037105973109570931750937109570… f(x) @abaotic

13. KEYS - ASYMMETRIC CRYPTOGRAPHY ▸ Private (owner) ▸ Public (shared)

    @abaotic

14. KEYS ▸ Private (owner) ▸ Decrypts messages ▸ Public (shared)

    ▸ Encrypts messages @abaotic

15. KEYS ▸ Private (owner) ▸ Decrypts messages ▸ Calculates signatures

    ▸ Public (shared) ▸ Encrypts messages ▸ Confirms signatures @abaotic

16. DIGITAL SIGNATURE ▸ authentication, non-repudiation and integrity DIGITAL SIGNATURE @abaotic

17. DIGITAL SIGNATURE ▸ authentication, non-repudiation and integrity ▸ Calculate a

    digest/hash of the message DIGITAL SIGNATURE @abaotic

18. DIGITAL SIGNATURE ▸ authentication, non-repudiation and integrity ▸ Calculate a

    digest/hash of the message ▸ Sender encrypts with private key DIGITAL SIGNATURE @abaotic

19. DIGITAL SIGNATURE ▸ authentication, non-repudiation and integrity ▸ Calculate a

    digest/hash of the message ▸ Sender encrypts with private key ▸ Recipient decrypts with public key DIGITAL SIGNATURE @abaotic

20. SIGNED BY CA CERTIFICATE = IDENTITY + PUBLIC KEY +

    + @abaotic

21. CERTIFICATE = IDENTITY + PUBLIC KEY + SIGNED BY CA

    + + @abaotic

22. CERTIFICATE AUTHORITY CA Trusted entity that issues digital certificates. @abaotic

23. CA CA CERTIFICATE ▸ Self-signed certificate ▸ Browsers, Android, OSX

    ▸ Comodo, IdenTrust, Symantec, GoDaddy, Let’s Encrypt ▸ Impact of updates! @abaotic

24. END CERTIFICATE

25. INTERMEDIATE CERTIFICATE

26. ROOT CERTIFICATE

27. CERTIFICATES CERTIFICATE CHAINS @abaotic

28. CA - DOMAIN VS EXTENDED VALIDATION @abaotic

29. CA SUBVERSION ▸ Primary risk key theft ▸ Scheme flawed

    ▸ HSM for key storage ▸ Offline @abaotic

30. TRUST ANDROID ▸ Unknown CA/Self-signed ▸ No intermediate cert on

    server @abaotic

31. SIGNING ANDROID APPLICATIONS @abaotic

32. SIGNING ANDROID APPLICATIONS ▸ Generate a key and keystore ▸

    Sign your application @abaotic

33. SIGNING ANDROID APPLICATIONS - NEW KEY STORE @abaotic

34. SIGNING ANDROID APPLICATIONS - SIGN THE APP @abaotic

35. SIGNING ANDROID APPLICATIONS - SIGN THE APP ALTERNATIVE ▸ keytool

    to generate a key ▸ zipalign to align unsigned apk ▸ jarsigner to sign aligned apk @abaotic

36. SIGN THE APK DECISIONS TO BE MADE ▸ Who will

    be responsible for the signing key? @abaotic

37. WE THE DEVELOPERS

38. WE THE DEVELOPERS EXPECTATIONS ▸ Application can be updated throughout

    its lifetime @abaotic

39. WE THE DEVELOPERS PREREQUISITES ▸ Signing key must be safe

    ▸ Signing key must be accessible @abaotic

40. WE THE DEVELOPERS REALITY ▸ People spill coffee ▸ People

    switch companies @abaotic

41. WE THE DEVELOPERS REALITY NIGHTMARE signingConfigs { release { storeFile

    file("/not_where_you_think_it_is/ks.jks") storePassword "password" keyAlias "my-alias" keyPassword "password" } } @abaotic

42. GOOGLE PLAY APP SIGNING https://goo.gl/3aCBeC

43. GOOGLE PLAY APP SIGNING DECISION IS PERMANENT @abaotic

44. GOOGLE PLAY APP SIGNING NEW APPS ▸ Create upload key

    and sign apk ▸ Google Play App Signing ->Accept ▸ Upload signed apk ▸ Register app signing key! @abaotic

45. GOOGLE PLAY APP SIGNING EXISTING APPS ▸ Opt-in ▸ Submit

    signing key to Google and ▸ Create upload key ▸ Update keystores ▸ Continue signing with upload key @abaotic

46. WE THE DEVELOPERS MITIGATION ▸ Upload key lost/compromised? @abaotic

47. SIGN THE APK DECISIONS TO BE MADE ▸ Who will

    be responsible for the signing key? ▸ Applicable to all modules/applications/flavours? @abaotic

48. SIGN THE APK PROS AND CONS ▸ Modularity ▸ Permission

    based sharing ▸ update-able ▸ Single point of failure @abaotic
49. None

50. ANDROID KEYSTORE SYSTEM @abaotic

51. ANDROID KEYSTORE SYSTEM The Android Keystore system safeguards your cryptographic

    keys from extraction. ANDROID KEYSTORE SYSTEM @abaotic

52. STORAGE SHOULD I KEEP SENSITIVE DATA IN MY APP? @abaotic

53. ANDROID KEYSTORE SYSTEM EXTRACTION PREVENTION ▸ System process in charge

    of cryptographic operations ▸ Key material bound to TEE, SE @abaotic

54. ANDROID KEYSTORE SYSTEM KEY USE AUTHORIZATIONS ▸ Once defined, immutable

    ▸ Cryptography ▸ Temporal validity interval ▸ User authentication @abaotic

55. ANDROID KEYSTORE SYSTEM UTILITY METHODS ▸ KeyInfo.isInsideSecurityHardware() ▸ KeyInfo.isUserAuthenticationRequirementEnforcedBySecureHardware() @abaotic

56. ANDROID KEYSTORE SYSTEM KEYCHAIN VS ANDROID KEYSTORE PROVIDER ▸ System-wide

    credentials ▸ System provided UI ▸ App-specific credentials ▸ No interaction ▸ AndroidKeystore API 18 @abaotic

57. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair(); GENERATE KEYPAIR @abaotic

58. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeyStore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair(); GENERATE KEYPAIR @abaotic

59. KEY PAIR ENTRY IN KEYSTORE KeyPairGenerator kpg = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_EC,

    "AndroidKeystore"); kpg.initialize(new KeyGenParameterSpec.Builder( alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) .build()); KeyPair kp = kpg.generateKeyPair(); GENERATE KEYPAIR @abaotic

60. LISTING ENTRIES KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null); Enumeration<String> aliases =

    ks.aliases(); LIST ENTRIES @abaotic

61. LISTING ENTRIES KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null); Enumeration<String> aliases =

    ks.aliases(); LIST ENTRIES @abaotic

62. SIGNING DATA Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(((PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[]

    signature = s.sign(); SIGN DATA @abaotic

63. SIGNING DATA Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(((PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[]

    signature = s.sign(); SIGN DATA @abaotic

64. VERIFYING SIGNATURES Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(((PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean

    valid = s.verify(signature); VERIFY SIGNATURES @abaotic

65. VERIFYING SIGNATURES Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(((PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean

    valid = s.verify(signature); VERIFY SIGNATURES @abaotic

66. KEY ATTESTATION KEY ATTESTATION ▸ Is a key stored in

    hardware-backed keystore ▸ Small number of devices API 24+ @abaotic

67. TEXT

68. FRAGMENTATION ANDROID P(ANCAKE?) ▸ Key rotation ▸ StrongBox Keymaster (HSM)

    ▸ … @abaotic

69. GOOGLE TRANSPARENCY REPORT https://transparencyreport.google.com/ @abaotic

70. QUALIS CHECK YOUR DOMAIN (NOW!) https://www.ssllabs.com/ssltest @abaotic

71. None

72. THANK YOU! Q&A @abaotic