Android Security Key Management DroidCon Italy – Torino – February 2014 Cryptography in Mobile Applications ● Protect data ○ Sensitive data ○ Data on /sdcard ○ Cryptographic material ● Exchange data securely ○ Documents ○ Mail ○ SMS ○ Session Keys ● Digital Signature ○ Documents ○ Mail
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management "Key management is the management of cryptographic keys in a cryptosystem."
Android Security Key Management DroidCon Italy – Torino – February 2014 CryptoSystem ● "refers to a suite of algorithms needed to implement a particular form of encryption and decryption" ● Two types of encryption: ○ Symmetric Key Algorithms ■ Identical encryption key for encryption/decryption ■ AES, Blowfish, DES, Triple DES ○ Asymmetric Key Algorithms ■ Different key for encryption/decryption ■ RSA, DSA, ECDSA
Android Security Key Management DroidCon Italy – Torino – February 2014 Ciphers ● Two types of ciphers: ○ Block: Process entire blocks of fixed-length groups of bits at a time ( padding may be required) ○ Stream: Process single byte at a time ( no padding ) ● Block Cipher modes of operation ○ ECB: each block encrypted independently ○ CBC, CFB, OFB: the previous block of output is used to alter the input blocks before applying the encryption algorithm starting from a IV ( initialization vector )
Android Security Key Management DroidCon Italy – Torino – February 2014 Crypto in Android ● Based on JCA ( Java Cryptographic Architecture) provides API for: ● Encryption/Decryption ● Digital signatures ● Message digests (hashes) ● Key management ● Secure random number generation ● “Provider” Architecture with CSP ● Bouncy Castle is Android default CSP
Android Security Key Management DroidCon Italy – Torino – February 2014 Bouncy Castle Android Version ● Customized: ○ Some services and API removed ● Varies between Android versions ● Fixed only in the latest versions ● Solution: Spongy Castle ● Repackage of Bouncy Castle ● Supports more cryptographic options ● Up-to-date
Android Security Key Management DroidCon Italy – Torino – February 2014 SecretKey Specification javax.crypto.spec.SecretKeySpec ● SecretKeySpec specifies a key for a specific algorithm SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); Topic of this workshop Cryptographic Algorithm
Android Security Key Management DroidCon Italy – Torino – February 2014 Cipher GetInstance javax.crypto.Cipher ● Provides access to implementations of cryptographic ciphers for encryption and decryption Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”); Trasformation (describes set of operation to perform): • algorithm/mode/padding • algorithm Provider ( SpongyCastle )
Android Security Key Management DroidCon Italy – Torino – February 2014 Cipher Final javax.crypto.Cipher ● Finishes a multi-part transformation (encryption or decryption) byte[] encryptedText = cipher.doFinal(clearText.getBytes()); Encrypted Text in byte ClearText in bytes
Android Security Key Management DroidCon Italy – Torino – February 2014 SecureRandom java.security.SecureRandom ● Cryptographically secure pseudo-random number generator SecureRandom secureRandom = new SecureRandom(); Default constructor uses the most cryptographically strong provider available ● Seeding SecureRandom is dangerous: ○ Not Secure ○ Output may change
Android Security Key Management DroidCon Italy – Torino – February 2014 Some SecureRandom Thoughts... ● Android security team discovered a JCA improper PRNG initialization in August 2013 ● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected ● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values ● Developer must explicitly initialize the PRNG PRNGFixes.apply()
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management: Store on device ● Protected by Android Filesystem Isolation ● Plain File ● SharedPreferences ● Keystore File (BKS, JKS) ● More secure with Phone Encryption ● Store safely ○ MODE_PRIVATE flag ○ Use only internal storage /data/data/app_package
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management: Store in App ● Uses static keys or device specific information at run-time (IMEI, mac address, ANDROID_ID) ● Android app can be easily reversed ( live demo ) ● Hide with Code obfuscation ● Security by Obscurity is never a good idea...
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management: PBKDF2 ● Password Based Key Derivation Function (PKCS#5) ● Variable length password in input ● Fixed length key in output ● User interaction required ● Params: ○ Password ○ Pseudorandom Function ○ Salt ○ Number of iteration ○ Key Size
Android Security Key Management DroidCon Italy – Torino – February 2014 SecretKeyFactory factory; if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { // Use compatibility key factory -- only uses lower 8-bits of passphrase chars factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit"); } else { // Traditional key factory. Will use lower 8-bits of passphrase chars on // older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher). factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); } SecretKeyFactory API in Android 4.4
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management: Other solutions ● Store on server side ● Internet connection required ● Use trusted and protected connections (HTTPS, Certificate Pinning) ● Store on external device ○ NFC Java Card (NXP J3A081) ○ Smartcard ○ USB PenDrive ○ MicroSD with secure storage ● AndroidKeyStore???
Android Security Key Management DroidCon Italy – Torino – February 2014 Asymmetric Algorithms ● Public/Private Key ○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign ● Advantages: ○ Public Key distribution is not dangerous ● Disadvantages: ○ Computationally expensive ● Usually used with PKI (Public Key Infrastructure for digital certificates)
Android Security Key Management DroidCon Italy – Torino – February 2014 Public-key Applications ● Can classify uses into 3 categories: ○ Encryption/Decryption (provides confidentiality) ○ Digital Signatures (provides authentication and Integrity) ○ Key Exchange (of session keys) ● Some algorithms are suitable for all uses (RSA), others are specific to one
Android Security Key Management DroidCon Italy – Torino – February 2014 PKCS for Asymmetric Algorithms ● PKCS is a group of public-key cryptography standards published by RSA Security Inc ● PKCS#1 (v.2.1) ○ RSA Cryptography Standard ● PKCS#3 (v.1.4) ○ Diffie-Hellman Key Agreement Standard ● PKCS#8 (v.1.2) ○ Private-Key Information Syntax Standard ● PKCS#10 (v.1.7) ○ Certification Request Standard ● PKCS#12 (v.1.0) ○ Personal Information Exchange Syntax Standard
Android Security Key Management DroidCon Italy – Torino – February 2014 Available Providers for RSA Algorithm KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”); Java.security.KeyPairGenerator ● Different security providers could be used (could change for different OS versions) “AndroidOpenSSL” “BC” “AndroidKeyStrore” Version 1.0 Version 1.49 Version 1.0
Android Security Key Management DroidCon Italy – Torino – February 2014 KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr); Java.security.KeyPairGenerator, Java.security.SecureRandom ● KeyPairGenerator initialization with a SecureRandom SecureRandom sr = new SecureRandom();
Android Security Key Management DroidCon Italy – Torino – February 2014 Generating RSA Key Java.security.KeyPair ● KeyPair is a container for a public/private key generated by the KeyPairGenerator KeyPair keypair = kpg.genKeyPair() ● We can retrieve public/private keys from KeyPair Key public_key = kaypair.getPublic(); Key private_key = kaypair.getPrivate();
Android Security Key Management DroidCon Italy – Torino – February 2014 Using RSA Keys: cipher example Javax.crypto.Cipher ● Cipher provides access to implementation of cryptography ciphers for encryption and decryption Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER); Transformation “AndroidOpenSSL” “BC” “AndroidKeyStrore”
Android Security Key Management DroidCon Italy – Torino – February 2014 Extract Parameters of RSA Keys Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec ● Retrieved parameters can be stored BigInteger m = rsa_public.getModulus(); BigInteger e = rsa_public.getPublicExponent(); BigInteger d = rsa_private.getPrivateExponent(); Is Private
Android Security Key Management DroidCon Italy – Torino – February 2014 AndroidKeyStore ● Custom Java Security Provider available from Android 4.3 version and beyond ● An App can generate and save private keys ● Keys are private for each App ● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored ● ECDSA support added from Android 4.4
Android Security Key Management DroidCon Italy – Torino – February 2014 Key Management Evolution API LEVEL 14 API LEVEL 18 Global Level: KeyChain ( Public API ) App Level: KeyStore ( Closed API ) Global Level Only: Default TrustStore cacerts.bks (ROOTED device) Global Level: KeyChain ( Public API ) App Level and per User Level: AndroidKeyStore ( Public API )
Android Security Key Management DroidCon Italy – Torino – February 2014 AndroidKeyStore Storage ● Two kinds of storage ○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3) ○ Secure Element ○ TPM ○ TrustZone ○ Software only (Other devices with OS >= 4.3)
Android Security Key Management DroidCon Italy – Torino – February 2014 Type of Storage import android.security.KeyChain; if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only
Android Security Key Management DroidCon Italy – Torino – February 2014 Generating Public/Private keys KeyPairGenerator kpGenerator; kpGenerator = KeyPairGenerator .getInstance("RSA", "AndroidKeyStore"); kpGenerator.initialize(spec); KeyPair kp; kp = kpGenerator.generateKeyPair(); Engine to generate Public/ Private key Init Engine with: ● RSA Algorithm ● Provider: AndroidKeyStore Init Engine with certificate parameters After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS ● Generating Private/Public key
Android Security Key Management DroidCon Italy – Torino – February 2014 keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not used the App will crash AndroidKeyStore Initialization Get a reference to the AndroidKeyStore
Android Security Key Management DroidCon Italy – Torino – February 2014 RSA Digital Signature ● Digital Signature ○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign ○ RSA Public Key to Verify KeyStore.Entry entry = ks.getEntry(“DEVKEY1”, null); byte[] data = “Droidcon Torino 2014!”.getBytes(); Signature s = Signature.getInstance(“SHA256withRSA”); s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[] signature = s.sign(); String result = null; result = Base64.encodeToString(signature, Base64.DEFAULT); Access to Private/Public key identified by ALIAS Algorithm choice Private key to sign Signature and Base64 encoding
Android Security Key Management DroidCon Italy – Torino – February 2014 It is observed that... ● Different screen lock ● The choice of screen lock impactsthe keys ● If you change the screen lock the keys are deleted
Android Security Key Management DroidCon Italy – Torino – February 2014 Expected behavior? ● The official documentation shows: ● The keys should ramain intact when the type of screen lock is changed by the user
Android Security Key Management DroidCon Italy – Torino – February 2014 Cryptographic material on devices ● Device with Storage “Hardware-backed” ● Device with Storage “Software-only”
Android Security Key Management DroidCon Italy – Torino – February 2014 KeyChain ● KeyChain ○ Accessible by any Application ● Typically used for corporate certificates
Android Security Key Management DroidCon Italy – Torino – February 2014 Example: Import Certificates ● Import .p12 certificates Intent intent = KeyChain.createInstallIntent(); byte[] p12 = readFile(“CERTIFICATE_NAME.p12”); Intent.putExtra(KeyChain.EXTRA_PKCS12,p12); Specify PKCS#12 Key to install startActivity(intent); The user will be prompted for the password
Android Security Key Management DroidCon Italy – Torino – February 2014 KeyChain.choosePrivateKeyAlias( Activity activity, KeyChainAliasCallBack response, String[] keyTypes, Principal[] issuers, String host, Int port, String Alias); Example: Retrieve the key ● The KeyChainAliasCallback invoked when a user chooses a certificate/private key