Android Key Management

Android
Key Management
Roberto Piccirillo ([email protected])
Roberto Gassirà ([email protected])
Droidcon
London 2014

View Slide

Android
Key Management Droidcon London 2014
Roberto Piccirillo
● Senior Security Analyst - Mobile Security Lab
○ Vulnerability Assessment (IT, Mobile Application)
○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009
■ DeepSec Vienna 2009
■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robpicone

View Slide

Android
Roberto Gassirà
● Senior Security Analyst - Mobile Security Lab
○ Vulnerability Assessment (IT, Mobile Application)
○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009
■ DeepSec Vienna 2009
■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robgas

View Slide

Android
Android Key Management: Agenda
● Mobile Application Cryptography
● Key Management and CryptoSystem
● Crypto in Android
● Symmetric Encryption
● Symmetric Key Management
● Asymmetric key: Encryption/Digital Signature
● Keychain e AndroidKeyStore

View Slide

Android
Mobile Application Cryptography
➢ Exchange data securely:
➢ Protect Data:
○ Sensitive Data
○ Backups on /sdcard

View Slide

Android
Key Management
"Key management is the management of cryptographic keys in a
cryptosystem."

View Slide

Android
CryptoSystem
"refers to a suite of algorithms needed to implement a particular
form of encryption and decryption"
● Two types of encryption:
○ Symmetric Key Algorithms
■ Identical key for
encryption/decryption
■ AES, Blowfish, DES, Triple DES
○ Asymmetric Key Algorithms
■ Pair of keys (public/private) for
encryption/decryption
■ RSA, DSA, ECDSA

View Slide

Android
Symmetric Key Algorithms: Ciphers
● Two types of ciphers:
○ Block: Process entire blocks of fixed-length
groups of bits at a time (padding may be
required)
○ Stream: Process single bit at a time(no
padding)
● Block Cipher modes of operation:
○ ECB: each block encrypted independently
○ CBC, CFB, OFB: (feedback mode) each block
is encrypted combined with the previous
encrypted block (starting from an IV)
○ CTR: each block xored with the encrypted
successive values of a counter ( starting
from a nonce)
ECB
CBC

View Slide

Android
Crypto in Android
● Framework based on JCA ( Java
Cryptography Architecture)
● Provides API for:
● Encryption/Decryption
● Message digests (hashes)
● Key management
● Secure random number generation
● API implemented by Cryptographic
Service "Provider"
● "Dynamic" Provider:
javax.crypto.*
java.security.*

View Slide

Android
Default Providers
➢ From the beginning
○ Bouncy Castle (Customized):
■ Some services and API removed
■ Varies between Android versions
■ Fixed only in the latest versions
○ Crypto (Apache Harmony)
■ Few basic services
■ Only for backward compatibility
➢ From Android 4.0
○ AndroidOpenSSL:
■ OpenSSL JNI
■ Performance Improved
■ Vulnerable to Heartbleed in 4.1.1

View Slide

Android
➢ Spongy Castle (SC)
○ Repackage of Bouncy Castle
○ Supports more cryptographic options
○ Not vulnerable to the Heartbleed Bug
○ Up-to-date
➢ GPS Dynamic Security Provider
○ Available from Play Services 5.0
○ Based on OpenSSL ( No Heartbleed)
○ Rapid delivery of security patches
○ Vendor independent !!!
Dynamic Providers

View Slide

Android
Cipher Benchmarks
Run on Google Nexus 5 Android 4.4.4
CBC CTR

View Slide

Android
Cipher Class
Secret Key Specification
Cipher getInstance
Cipher Init
Cipher Final

View Slide

Android
SecretKey Specification
javax.crypto.spec.SecretKeySpec
● SecretKeySpec specifies a key for a specific algorithm
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
Encryption/Decryption
Key
Cryptographic Algorithm

View Slide

Android
Cipher GetInstance
javax.crypto.Cipher
● Create cryptographic cipher
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);
Transformation
(describes set of operation to
perform):
• algorithm/mode/padding
• algorithm
Provider
( SpongyCastle )

View Slide

Android
Cipher Init
javax.crypto.Cipher
● Initializes the cipher instance with the specified operational
mode, key and algorithm parameters.
cipher.init(Cipher.DECRYPT_MODE, keySpec,
new IvParameterSpec(iv));
Operational Mode:
• ENCRYPT_MODE
• DECRYPT_MODE
• WRAP_MODE
• UNWRAP_MODE
SecretKeySpec Specify Cipher
Algorithm parameters
( IV for CBC )

View Slide

Android
Cipher Final
javax.crypto.Cipher
● Complete a multi-part transformation (encryption or
decryption)
byte[] encryptedText = cipher.doFinal(clearText.getBytes());
Encrypted
Text in byte
ClearText in
bytes

View Slide

Android
Key Generation: SecureRandom
java.security.SecureRandom
● Cryptographically secure pseudo-random number generator
SecureRandom secureRandom = new SecureRandom();
Default constructor uses the
most cryptographically
strong provider available
● Seeding
SecureRandom is
dangerous:
○ Not Secure
○ Output may change

View Slide

Android
Some SecureRandom Thoughts...
● Android security team discovered in August 2013 an improper
PRNG initialization for default OpenSSL provider
● Applications invoking system-provided OpenSSL PRNG without
explicit initialization are also affected
● Key Generation, Signing or Random Number Generation not
receiving cryptographically strong values
● Developer must explicitly initialize the PRNG
PRNGFixes.apply()
http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html

View Slide

Android
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC");
keyGenerator.init(outputKeyLength, secureRandom);
SecretKey key = keyGenerator.generateKey();
Generate Secret Key
javax.crypto.KeyGenerator
● Symmetric cryptographic keys generator
Specify Key Size
Algorithm
and Provider
Key to use in Cipher.init()

View Slide

Android
Key Management: Store on device
● Protected by Android Filesystem Isolation
● Plain File
● SharedPreferences
● Keystore File (BKS, JKS)
● More secure with Phone Encryption
● Store safely
● MODE_PRIVATE flag
● Use only internal storage
/data/data/app_package

View Slide

Android
Key Management: Store on device
➢ Device rooted?
○ Check at run-time...

View Slide

Android
Key Management: Store in App
● Uses static keys or device specific information at run-time
(IMEI, mac address, ANDROID_ID)
● Android app can be easily reversed
● Hide with Code obfuscation
REVERSING

View Slide

Android
Key Management: PBKDF2
● Password Based Key Derivation Function (PKCS#5)
● Variable length password in input
● Fixed length key in output
● User interaction required
● Params:
○ Password
○ Pseudorandom Function
○ Salt
○ Number of iteration
○ Key Size
● Available with BC

View Slide

Android
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt,
NUM_OF_ITERATIONS, KEY_SIZE);
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance
(PBE_ALGORITHM);
encKey = secretKeyFactory.generateSecret(keySpec);
Key Management: PBKDF2
javax.crypto.spec.PBEKeySpec
● PBE Key specification and generation
A good PBE algorithm is
PBKDF2WithHmacSHA1
User
Password
N. >= 1000

View Slide

Android
SecretKeyFactory factory;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT)
// Use compatibility key factory -- only uses lower 8-bits of passphrase chars
factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");
else if (Build.VERSION.SDK_INT >= 10)
// Traditional key factory. Will use lower 8-bits of passphrase chars on
// older Android versions (API level 18 and lower) and all available bits
// on KitKat and newer (API level 19 and higher)
factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
else // FIX for Android 8,9
factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");
SecretKeyFactory API in Android 4.4

View Slide

Android
Key Management: Other solutions
● Store on server side
● Internet connection required
● Use trusted and protected connections (HTTPS, Certificate
Pinning)
● Store on external device
● NFC Java Card (NXP J3A081)
● Smartcard
● USB PenDrive
● MicroSD with secure storage
● AndroidKeyStore???

View Slide

Android
Asymmetric Algorithms
● Public/Private Key
○ Public Key -> encrypt/verify signature
○ Private Key -> decrypt/sign
● Advantages:
○ Public Key distribution is not dangerous
● Disadvantages:
○ Computationally expensive
● Usually used with PKI (Public Key Infrastructure for digital
certificates)

View Slide

Android
Public-key Applications
● Can classify uses into 3 categories:
○ Encryption/Decryption (provides Confidentiality)
○ Digital Signatures (provides Authentication and Integrity)
○ Key Exchange (of Session Keys)
● Some algorithms are suitable for all uses (RSA),
others are specific to one

View Slide

Android
PKCS for Asymmetric Algorithms
● PKCS is a group of public-key cryptography
standards published by RSA Security Inc
● PKCS#1 (v.2.1)
○ RSA Cryptography Standard
● PKCS#3 (v.1.4)
○ Diffie-Hellman Key Agreement Standard
● PKCS#8 (v.1.2)
○ Private-Key Information Syntax Standard
● PKCS#10 (v.1.7)
○ Certification Request Standard
● PKCS#12 (v.1.0)
○ Personal Information Exchange Syntax Standard

View Slide

Android
Android: RSA
KeyPairGenerator kpg =
KeyPairGenerator.getIstance(”RSA");
Java.security.KeyPairGenerator
● KeyPairGenerator is an engine capable of
generating public/private keys with specified
algorithms
Cryptographic Algorithm

View Slide

Android
Available Providers for RSA Algorithm
KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);
● Different security providers could be used (could
change for different OS versions)
“AndroidOpenSSL”
“BC”
“AndroidKeyStore”
“GmsCore_OpenSSL”
Version 1.0
Version 1.49
Version 1.0

View Slide

Android
● KeySize – 1024,2048,4096 bits
KeyPairGenerator: Initialization and
Randomness
KeyPairGenerator.initialize(2048);
Key Size
● KeyPairGenerator initialization with the key size

View Slide

Android
KeyPairGenerator: Initialization and
Randomness
KeyPairGenerator.initialize(2048,sr);
Java.security.KeyPairGenerator, Java.security.SecureRandom
● KeyPairGenerator initialization with a
SecureRandom
SecureRandom sr = new SecureRandom();

View Slide

Android
Generating RSA Key
Java.security.KeyPair
● KeyPair is a container for a public/private key
generated by the KeyPairGenerator
KeyPair keypair = kpg.genKeyPair()
● We can retrieve public/private keys from KeyPair
Key public_key = kaypair.getPublic();
Key private_key = kaypair.getPrivate();

View Slide

Android
Using RSA Keys: cipher example
Javax.crypto.Cipher
● Cipher provides access to implementation of
cryptography ciphers for encryption and decryption
Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);
Transformation
“AndroidOpenSSL”
“BC”
“AndroidKeyStore”
“GmsCore_OpenSSL”

View Slide

Android
Using RSA Key: cipher example
Javax.crypto.Cipher
● Encryption
cipher.init(Cipher.ENCRYPT_MODE,public_key);
● Decryption
byte[] encrypted_data=
cipher.doFinal(“DroidconUK-2014”.getBytes());
cipher.init(Cipher.DECRYPT_MODE,private_key);
byte[] decrypted_data=
cipher.doFinal(cipherd_data);

View Slide

Android
Parameters of RSA Keys
java.security.KeyFactory, java.security.spec,
● Retrieve RSA Key parameters using KeyFactory
RSAPublicKeySpec rsa_public= keyfactory.
getKeySpec(keypair.getPublic(),
RSAPublicKeySpec.class);
RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec
(keypair.getPrivate(),
RSAPrivateKeySpec.class);

View Slide

Android
Extract Parameters of RSA Keys
Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec
● Retrieved parameters can be stored
BigInteger m = rsa_public.getModulus();
BigInteger e = rsa_public.getPublicExponent();
BigInteger d = rsa_private.getPrivateExponent();
Is Private

View Slide

Android
AndroidKeyStore
● Custom Java Security Provider available from Android 4.3
version and beyond
● An App can generate and save private keys
● Keys are private for each App
● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can
be stored
● ECDSA support added from Android 4.4

View Slide

Android
Key Management Evolution
API LEVEL 14 API LEVEL 18
Global Level:
KeyChain
( Public API )
App Level:
KeyStore
( Closed API )
Global Level Only:
Default TrustStore
cacerts.bks
(ROOTED device)
Global Level:
KeyChain
( Public API )
App Level and per
User Level:
AndroidKeyStore
( Public API )

View Slide

Android
AndroidKeyStore Storage
● Two kinds of storage
○ Hardware-backed (Nexus 7, Nexus 4,
Nexus 5 :-) with OS >= 4.3)
○ Secure Element
○ TPM
○ TrustZone
○ Software only (Other devices with OS
>= 4.3)

View Slide

Android
Type of Storage
import android.security.KeyChain;
if (KeyChain.isBoundKeyAlgorithm("RSA"))
// Hardware-Backed
else
// Software Only

View Slide

Android
Certificate parameters
Context cx = getActivity();
String pkg = cx.getPackageName();
Calendar notBefore = Calendar.getInstance();
Calendar notAfter = Calendar.getInstance();
notAfter.add(1, Calendar.YEAR);
import android.security.KeyPairGeneratorSpec.Builder;
Builder builder = new KeyPairGeneratorSpec.Builder(cx);
builder.setAlias(“DEVKEY1”);
String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg);
builder.setSubject(new X500Principal(infocert));
builder.setSerialNumber(BigInteger.ONE);
builder.setStartDate(notBefore.getTime());
builder.setEndDate(notAfter.getTime());
KeyPairGeneratorSpec spec = builder.build();
Time parameters
Self-Signed X.509
● Common Name(CN)
● Subject(OU)
● Serial Number
Generate certificate
ALIAS to index the
certificate

View Slide

Android
Generating Public/Private keys
KeyPairGenerator kpGenerator;
kpGenerator = KeyPairGenerator
.getInstance("RSA", "AndroidKeyStore");
kpGenerator.initialize(spec);
KeyPair kp;
kp = kpGenerator.generateKeyPair();
Engine to generate
Public/Private key
Init Engine with:
● RSA Algorithm
● Provider: AndroidKeyStore
Init Engine with certificate parameters
After generation, the keys will be stored into AndroidKeyStore and will be
accessible by ALIAS
● Generating Private/Public key

View Slide

Android
AndroidKeyStore Initialization
keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
Now we have the KeyStore reference that will be used to
access to the Private/Public key by the ALIAS
Should be used if there is an InputStream to load
(for example the name of imported KeyStore). If not
used the App will crash
Get a reference to the AndroidKeyStore

View Slide

Android
RSA Encryption
● Encryption
○ Confidentiality
○ RSA Public key to Encrypt
○ RSA Private key to Decrypt
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry)
.getCertificate().getPublicKey();
String textToEncrypt = new String(”DroidconUK-2014");
Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);
byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt);
Access to Public key to
encrypt
● Algorithm
● Encryption with
Public key
Ciphered
Access to keys identified
by ALIAS

View Slide

Android
RSA Decryption
Cipher decCipher = null;
byte[] plainTextByte = null;
decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
decCipher.init(Cipher.DECRYPT_MODE,
((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
plainTextByte = decCipher.doFinal(byteEcryptedText);
String plainText = new String(plainTextByte);
Algorithm
Decryption with
Private key
Plaintext

View Slide

Android
s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
s.update(data);
boolean valid = s.verify(signature);
RSA Digital Signature
● Digital Signature
○ Authentication, Non-Repudiation and Integrity
○ RSA Private key to Sign
○ RSA Public Key to Verify
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
Access to Private/Public key
identified by ALIAS
Private key to sign
Public Key in
certificate to verify
signature

View Slide

Android
Issue 61989 …

View Slide

Android
KeyChain
● KeyChain
○ Accessible by any Application
● Typically used for corporate certificates

View Slide

Android
Example: Import Certificates
● Import .p12 certificates
Intent intent = KeyChain.createInstallIntent();
byte[] p12 = readFile(“CERTIFICATE_NAME.p12”);
Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);
Specify PKCS#12 Key to install
startActivity(intent);
The user will be prompted
for the password

View Slide

Android
KeyChain.choosePrivateKeyAlias(
Activity activity,
KeyChainAliasCallBack response,
String[] keyTypes,
Principal[] issuers,
String host,
Int port,
String Alias);
Example: Retrieve the key
● The KeyChainAliasCallback invoked when a user chooses a
certificate/private key

View Slide

Android
@Override
public void alias(String alias){
.
.
PrivateKey private_key = KeyChain.
getPrivateKey(this,alias);
.
.
X509Certificate[] chain = KeyChain.
getCertificateChain(this,”DroidconUK-2014”);
.
PublicKey public_key = chain[0].getPublicKey();
}
Example: Retrieve and use the keys
Private Key
Public Key
● KeyChainAliasCallbak must implement the abstract method
alias:

View Slide

Android
References
● http://developer.android.com/about/versions/android-4.3.html#Security
● http://developer.android.com/reference/java/security/KeyStore.html
● http://en.wikipedia.org/wiki/Encryption
● http://en.wikipedia.org/wiki/Digital_signature
● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.
html
● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html
● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html
● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html
● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html
● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-
credentials.html
● http://www.bouncycastle.org/
● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html
● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html
● http://en.wikipedia.org/wiki/PKCS
● http://developer.android.com/reference/android/security/KeyChain.html
● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.
html

View Slide

Android
Thank you
Q&A
www.mseclab.com
www.consulthink.it
[email protected]

View Slide

Android Key Management

Android Key Management

Mobile Security Lab

More Decks by Mobile Security Lab

Other Decks in Programming

Featured

Transcript