Tweet
Tweet

Slide 1

Slide 1 text

How to secure data in Android? “Security is the degree of resistance to, or protection from, harm” Yakiv Mospan http://www.yakivmospan.com/ Team Technologies

Slide 2

Slide 2 text

Overview What data you want to secure ? Encryption Encryption on Android Android Keystore Provider Security Utilitу

Slide 3

Slide 3 text

Overview What data you want to secure ? Encryption Encryption on Android Android Keystore Provider Security Utilitу

Slide 4

Slide 4 text

Overview What data you want to secure ? Encryption Encryption on Android Android Keystore Provider Security Utilitу

Slide 5

Slide 5 text

Overview What data you want to secure ? Encryption Encryption on Android Android Keystore Provider Security Utilitу

Slide 6

Slide 6 text

Overview What data you want to secure ? Encryption Encryption on Android Android Keystore Provider Security Utilitу

Slide 7

Slide 7 text

What data you want to secure ? Almost all of user related data.

Slide 8

Slide 8 text

Data Sensitive data personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc. Financial data accounts, transactions, reports, credit card information, etc. Credentials usernames, passwords, touch pincodes, fingerprint data, and all other stuff that can provide access to data above.

Slide 9

Slide 9 text

Data Sensitive data personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc. Financial data accounts, transactions, reports, credit card information, etc. Credentials usernames, passwords, touch pincodes, fingerprint data, and all other stuff that can provide access to data above.

Slide 10

Slide 10 text

Data Sensitive data personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc. Financial data accounts, transactions, reports, credit card information, etc. Credentials usernames, passwords, touch pincodes, fingerprint data, and all other stuff that can provide access to data above.

Slide 11

Slide 11 text

Security tips “In general, we recommend minimizing the frequency of asking for user credentials—to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.”

Slide 12

Slide 12 text

Security tips “Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service- specific authorization token.”

Slide 13

Slide 13 text

Security tips “Try to avoid storing private user data as much as possible .”

Slide 14

Slide 14 text

Encryption Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that allows you to decrypt it. Unencrypted data is called plain text, encrypted data is referred to as cipher text.

Slide 15

Slide 15 text

How it works Plain text password Algorithm aes, rsa, des, etc. Key specific for algorithm Сipher text sh7aertscaasees...

Slide 16

Slide 16 text

How it works Plain text password Algorithm aes, rsa, des, etc. Key specific for algorithm Сipher text sh7aertscaasees...

Slide 17

Slide 17 text

How it works Plain text password Algorithm aes, rsa, des, etc. Key specific for algorithm Сipher text sh7aertscaasees...

Slide 18

Slide 18 text

Algorithm types Symmetric The oldest and best-known technique. The encryption key and the decryption key are the same. Asymmetric A modern branch of cryptography. also known as public-key cryptography in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.

Slide 19

Slide 19 text

Algorithm types Symmetric The oldest and best-known technique. The encryption key and the decryption key are the same. Asymmetric A modern branch of cryptography. also known as public-key cryptography in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.

Slide 20

Slide 20 text

Algorithm types Stream cipher A symmetric encryption algorithm that processes the data a bit or a byte at a time with a key resulting in a randomized ciphertext or plaintext. Block cipher Deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

Slide 21

Slide 21 text

Algorithm types Stream cipher A symmetric encryption algorithm that processes the data a bit or a byte at a time with a key resulting in a randomized ciphertext or plaintext. Block cipher Deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

Slide 22

Slide 22 text

Block cipher Modes A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Padding Block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Initialization vector (IV) Block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.

Slide 23

Slide 23 text

Block cipher Modes A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Padding Block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Initialization vector (IV) Block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.

Slide 24

Slide 24 text

Block cipher Modes A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Padding Block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Initialization vector (IV) Block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.

Slide 25

Slide 25 text

Key types Secret key A single secret key which is used in conventional symmetric encryption which is used to encrypt and decrypt a message. Private key The secret component of a pair of cryptographic keys used for decryption in asymmetric cryptography. Public key The public component of a pair of cryptographic keys used for encryption in asymmetric cryptography.

Slide 26

Slide 26 text

Common algorithms RSA A public-key encryption algorithm and the standard for encrypting data sent over the internet. AES The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Slide 27

Slide 27 text

Common modes ECB Electronic Codebook, the simplest of the encryption modes. The message is divided into blocks, and each block is encrypted separately. CBC Cipher Block Chaining, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

Slide 28

Slide 28 text

Encryption on Android How to create key? How to use key? How to store key?

Slide 29

Slide 29 text

Architecture Android builds on the Java Cryptography Architecture (JCA)

Slide 30

Slide 30 text

JCA APIs for digital signatures, message digests (hashes) APIs for certificates and certificate validation APIs for encryption (symmetric/asymmetric block/stream ciphers) APIs for key generation and management, and secure random number generation

Slide 31

Slide 31 text

JCA APIs for digital signatures, message digests (hashes) APIs for certificates and certificate validation APIs for encryption (symmetric/asymmetric block/stream ciphers) APIs for key generation and management, and secure random number generation

Slide 32

Slide 32 text

JCA APIs for digital signatures, message digests (hashes) APIs for certificates and certificate validation APIs for encryption (symmetric/asymmetric block/stream ciphers) APIs for key generation and management, and secure random number generation

Slide 33

Slide 33 text

JCA APIs for digital signatures, message digests (hashes) APIs for certificates and certificate validation APIs for encryption (symmetric/asymmetric block/stream ciphers) APIs for key generation and management, and secure random number generation

Slide 34

Slide 34 text

Provider Defines a set of extensible and implementation - independent API’s. New algorithms or behaviors can be supplied by adding new provider with its own API implementation.

Slide 35

Slide 35 text

Provider Defines a set of extensible and implementation - independent API’s. New algorithms or behaviors can be supplied by adding new provider with its own API implementation.

Slide 36

Slide 36 text

Provider // get all available providers Provider[] providers = Security. getProviders(); for (Provider provider : providers) { // get provider info String name = provider.getName(); String info = provider.getInfo(); double version = provider.getVersion(); // get all services that you can use with this provider Set services = provider.getServices(); for (Provider.Service service : services) { // get service info String type = service.getType(); String className = service.getClassName(); String algorithm = service.getAlgorithm(); } }

Slide 37

Slide 37 text

Provider // get all available providers Provider[] providers = Security. getProviders(); for (Provider provider : providers) { // get provider info String name = provider.getName(); String info = provider.getInfo(); double version = provider.getVersion(); // get all services that you can use with this provider Set services = provider.getServices(); for (Provider.Service service : services) { // get service info String type = service.getType(); String className = service.getClassName(); String algorithm = service.getAlgorithm(); } }

Slide 38

Slide 38 text

Provider // get all available providers Provider[] providers = Security. getProviders(); for (Provider provider : providers) { // get provider info String name = provider.getName(); String info = provider.getInfo(); double version = provider.getVersion(); // get all services that you can use with this provider Set services = provider.getServices(); for (Provider.Service service : services) { // get service info String type = service.getType(); String className = service.getClassName(); String algorithm = service.getAlgorithm(); } }

Slide 39

Slide 39 text

Provider // get all available providers Provider[] providers = Security. getProviders(); for (Provider provider : providers) { // get provider info String name = provider.getName(); String info = provider.getInfo(); double version = provider.getVersion(); // get all services that you can use with this provider Set services = provider.getServices(); for (Provider.Service service : services) { // get service info String type = service.getType(); String className = service.getClassName(); String algorithm = service.getAlgorithm(); } }

Slide 40

Slide 40 text

Provider // get all available providers Provider[] providers = Security. getProviders(); for (Provider provider : providers) { // get provider info String name = provider.getName(); String info = provider.getInfo(); double version = provider.getVersion(); // get all services that you can use with this provider Set services = provider.getServices(); for (Provider.Service service : services) { // get service info String type = service.getType(); String className = service.getClassName(); String algorithm = service.getAlgorithm(); } }

Slide 41

Slide 41 text

SecureRandom Generates cryptographically secure pseudo-random numbers. Used in various provider API’s.

Slide 42

Slide 42 text

SecureRandom SecureRandom secureRandom = new SecureRandom(); byte[] b = new byte[] { (byte) 1 }; secureRandom.setSeed(b); int output = secureRandom.nextInt();

Slide 43

Slide 43 text

SecureRandom SecureRandom secureRandom = new SecureRandom(); byte[] b = new byte[] { (byte) 1 }; secureRandom.setSeed(b); int output = secureRandom.nextInt(); Specifying a fixed seed will cause the instance to return a predictable sequence of numbers.

Slide 44

Slide 44 text

SecureRandom SecureRandom secureRandom = new SecureRandom(); byte[] output = new byte[16]; secureRandom.nextBytes(output);

Slide 45

Slide 45 text

KeyGenerator Provides the public API for generating symmetric cryptographic keys.

Slide 46

Slide 46 text

KeyGenerator // generate a 256-bit key final int keyLength = 256; // automatically seeded from system entropy. SecureRandom secureRandom = new SecureRandom(); KeyGenerator generator = KeyGenerator. getInstance("AES", "BC"); generator.init(keyLength, secureRandom); SecretKey key = generator.generateKey();

Slide 47

Slide 47 text

What provider to use KeyGenerator // generate a 256-bit key final int keyLength = 256; // automatically seeded from system entropy. SecureRandom secureRandom = new SecureRandom(); KeyGenerator generator = KeyGenerator. getInstance("AES", "BC"); generator.init(keyLength, secureRandom); SecretKey key = generator.generateKey(); What algorithm to use

Slide 48

Slide 48 text

KeyGenerator // generate a 256-bit key final int keyLength = 256; // automatically seeded from system entropy. SecureRandom secureRandom = new SecureRandom(); KeyGenerator generator = KeyGenerator. getInstance("AES"); generator.init(keyLength, secureRandom); SecretKey key = generator.generateKey(); Use first provider that has “AES” algorithm implementation

Slide 49

Slide 49 text

KeyGenerator // generate a 256-bit key final int keyLength = 256; // automatically seeded from system entropy. SecureRandom secureRandom = new SecureRandom(); KeyGenerator generator = KeyGenerator. getInstance("AES"); generator.init(keyLength, secureRandom); SecretKey key = generator.generateKey();

Slide 50

Slide 50 text

KeyGenerator // generate a 256-bit key final int keyLength = 256; KeyGenerator generator = KeyGenerator. getInstance("AES"); generator.init(keyLength); SecretKey key = generator.generateKey(); We can use engine default secure random instead

Slide 51

Slide 51 text

KeyGenerator // generate a 256-bit key final int keyLength = 256; KeyGenerator generator = KeyGenerator. getInstance("AES"); generator.init(keyLength); SecretKey key = generator.generateKey();

Slide 52

Slide 52 text

KeyPairGenerator An engine class which is capable of generating a private key and its related public key utilizing the algorithm it was initialized with.

Slide 53

Slide 53 text

KeyPairGenerator // generate a 1024-bit key final int keyLength = 1024; KeyPairGenerator generator = KeyPairGenerator. getInstance("RSA"); generator.initialize(keyLength); KeyPair keyPair= generator.generateKeyPair(); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate();

Slide 54

Slide 54 text

KeyPairGenerator // generate a 1024-bit key final int keyLength = 1024; KeyPairGenerator generator = KeyPairGenerator. getInstance("RSA"); generator.initialize(keyLength); KeyPair keyPair= generator.generateKeyPair(); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); Key for encryption Key for decryption

Slide 55

Slide 55 text

Cipher Provides access to implementations of cryptographic ciphers for encryption and decryption. To get instance of Cipher, you need to specify transformation Transformation specifies an operation (or a set of operations) as a string in the form: "algorithm/mode/padding" or "algorithm".

Slide 56

Slide 56 text

Cipher Provides access to implementations of cryptographic ciphers for encryption and decryption. To get instance of Cipher, you need to specify transformation Transformation specifies an operation (or a set of operations) as a string in the form: "algorithm/mode/padding" or "algorithm".

Slide 57

Slide 57 text

Cipher Provides access to implementations of cryptographic ciphers for encryption and decryption. To get instance of Cipher, you need to specify transformation Transformation specifies an operation (or a set of operations) as a string in the form: "algorithm/mode/padding" or "algorithm".

Slide 58

Slide 58 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT); Text for encryption SecretKey or PublicKey

Slide 59

Slide 59 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT); Provider default Mode and Padding are used

Slide 60

Slide 60 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT); Full transformation

Slide 61

Slide 61 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT); Initialize cipher for encryption

Slide 62

Slide 62 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT); Encrypts data

Slide 63

Slide 63 text

Encryption String plainText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainData = plainText.getBytes( UTF_8); byte[] cipherData = decode(cipher, plainData); String cipherText = Base64. encodeToString(cipherData, Base64.DEFAULT);

Slide 64

Slide 64 text

Decryption String cipherText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.DECRYPT_MODE, key); byte[] cipherData = Base64. decode(cipherText, Base64.DEFAULT); byte[] plainData = decode(cipher, cipherData); String plainText = new String(decodedData, UTF_8); Encrypted text SecretKey or PrivateKey

Slide 65

Slide 65 text

Decryption String cipherText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); cipher.init(Cipher.DECRYPT_MODE, key); byte[] cipherData = Base64. decode(cipherText, Base64.DEFAULT); byte[] plainData = decode(cipher, cipherData); String plainText = new String(decodedData, UTF_8); Initialize cipher for decryption

Slide 66

Slide 66 text

Decryption String cipherText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.DECRYPT_MODE, key); byte[] cipherData = Base64. decode(cipherText, Base64.DEFAULT); byte[] plainData = decode(cipher, cipherData); String plainText = new String(decodedData, UTF_8); Decrypts data

Slide 67

Slide 67 text

Decryption String cipherText = ...; Key key = ...; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); cipher.init(Cipher.DECRYPT_MODE, key); byte[] cipherData = Base64. decode(cipherText, Base64.DEFAULT); byte[] plainData = decode(cipher, cipherData); String plainText = new String(decodedData, UTF_8);

Slide 68

Slide 68 text

decode(cipher, data) ByteArrayOutputStream baos = new ByteArrayOutputStream(); CipherOutputStream output = new CipherOutputStream(baos, cipher); output.write(data); output.close(); return baos.toByteArray();

Slide 69

Slide 69 text

KeyStore Database with a well secured mechanism of data protection, that is used to save, get and remove keys.

Slide 70

Slide 70 text

Create String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); keyStore.load(null); Get default keystore provider

Slide 71

Slide 71 text

Create String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); keyStore.load(null); Initializes empty keystore

Slide 72

Slide 72 text

Create Context context = ...; String keystoreName = ...; String keystorePassword = ...; File keystoreFile = new File(context.getCacheDir(), keystoreName); String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); if (!keystoreFile.exists()) { keyStore.load(null); } else { keyStore.load(new FileInputStream(keystoreFile), keystorePassword); }

Slide 73

Slide 73 text

Create Context context = ...; String keystoreName = ...; String keystorePassword = ...; File keystoreFile = new File(context.getCacheDir(), keystoreName); String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); if (!keystoreFile.exists()) { keyStore.load(null); } else { keyStore.load(new FileInputStream(keystoreFile), keystorePassword); } Keystore location

Slide 74

Slide 74 text

Create Context context = ...; String keystoreName = ...; String keystorePassword = ...; File keystoreFile = new File(context.getCacheDir(), keystoreName); String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); if (!keystoreFile.exists()) { keyStore.load(null); } else { keyStore.load(new FileInputStream(keystoreFile), keystorePassword); } Load keystore from file

Slide 75

Slide 75 text

Create Context context = ...; String keystoreName = ...; String keystorePassword = ...; File keystoreFile = new File(context.getCacheDir(), keystoreName); String defaultType = KeyStore. getDefaultType(); KeyStore keyStore = KeyStore. getInstance(defaultType); if (!keystoreFile.exists()) { keyStore.load(null); } else { keyStore.load(new FileInputStream(keystoreFile), keystorePassword); }

Slide 76

Slide 76 text

Save Symmetric String storePassword = ...; File keystoreFile = ...; KeyStore keyStore = createKeyStore(); SecretKey key = createSymmetricKey(); String keyAlias= ...; String keyPassword = ...; SecretKeyEntry keyEntry = new SecretKeyEntry(key); keyStore.setEntry(keyAlias, keyEntry, new PasswordProtection(keyPassword)); keyStore.store(new FileOutputStream(keystoreFile), storePassword); Key entry password for given alias Keystore entry “key”

Slide 77

Slide 77 text

Save Symmetric String storePassword = ...; File keystoreFile = ...; KeyStore keyStore = createKeyStore(); SecretKey key = createSymmetricKey(); String keyAlias= ...; String keyPassword = ...; SecretKeyEntry keyEntry = new SecretKeyEntry(key); keyStore.setEntry(keyAlias, keyEntry, new PasswordProtection(keyPassword)); keyStore.store(new FileOutputStream(keystoreFile), storePassword); Create and add new entry to keystore

Slide 78

Slide 78 text

Save Symmetric String storePassword = ...; File keystoreFile = ...; KeyStore keyStore = createKeyStore(); SecretKey key = createSymmetricKey(); String keyAlias= ...; String keyPassword = ...; SecretKeyEntry keyEntry = new SecretKeyEntry(key); keyStore.setEntry(keyAlias, keyEntry, new PasswordProtection(keyPassword)); keyStore.store(new FileOutputStream(keystoreFile), storePassword); Write new added key entry to keystore

Slide 79

Slide 79 text

Save Symmetric String storePassword = ...; File keystoreFile = ...; KeyStore keyStore = createKeyStore(); SecretKey key = createSymmetricKey(); String keyAlias= ...; String keyPassword = ...; SecretKeyEntry keyEntry = new SecretKeyEntry(key); keyStore.setEntry(keyAlias, keyEntry, new PasswordProtection(keyPassword)); keyStore.store(new FileOutputStream(keystoreFile), storePassword);

Slide 80

Slide 80 text

Save Asymmetric KeyPair keyPair = createAsymmetricKey(); PrivateKey key = keyPair.getPrivate(); X509Certificate certificate = createCertificate(keyPair); KeyStore keyStore = createKeyStore(); keyStore.setKeyEntry(keyAlias, key, keyPassword, new Certificate[]{certificate}); keyStore.store(new FileOutputStream(keystoreFile), storePassword); We need to generate public certificate for private key

Slide 81

Slide 81 text

Save Asymmetric KeyPair keyPair = createAsymmetricKey(); PrivateKey key = keyPair.getPrivate(); X509Certificate certificate = createCertificate(keyPair); KeyStore keyStore = createKeyStore(); keyStore.setKeyEntry(keyAlias, key, keyPassword, new Certificate[]{certificate}); keyStore.store(new FileOutputStream(keystoreFile), storePassword); Add new key entry to keystore with public certificate

Slide 82

Slide 82 text

Save Asymmetric KeyPair keyPair = createAsymmetricKey(); PrivateKey key = keyPair.getPrivate(); X509Certificate certificate = createCertificate(keyPair); KeyStore keyStore = createKeyStore(); keyStore.setKeyEntry(keyAlias, key, keyPassword, new Certificate[]{certificate}); keyStore.store(new FileOutputStream(keystoreFile), storePassword);

Slide 83

Slide 83 text

Certificate There is no public API to generate self signed Certificate programmatically Use Bouncy Castle library to generate Certificate compile 'org.bouncycastle:bcprov-jdk15on:$bouncycastle_version' You also can load you Certificate from a file

Slide 84

Slide 84 text

Certificate There is no public API to generate self signed Certificate programmatically Use Bouncy Castle library to generate Certificate compile 'org.bouncycastle:bcprov-jdk15on:$bouncycastle_version' You also can load you Certificate from a file

Slide 85

Slide 85 text

Certificate There is no public API to generate self signed Certificate programmatically Use Bouncy Castle library to generate Certificate compile 'org.bouncycastle:bcprov-jdk15on:$bouncycastle_version' You also can load you Certificate from a file

Slide 86

Slide 86 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger .ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm("SHA256WithRSAEncryption"); return gen.generate(privateKey, "BC");

Slide 87

Slide 87 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger.ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm("SHA256WithRSAEncryption"); return gen.generate(privateKey, "BC"); Describes the entity associated with the public key

Slide 88

Slide 88 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger.ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm("SHA256WithRSAEncryption"); return gen.generate(privateKey, "BC"); Time interval Certificate is valid on

Slide 89

Slide 89 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger.ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm( "SHA256WithRSAEncryption" ); return gen.generate(privateKey, "BC"); Algorithm to sign certificate with

Slide 90

Slide 90 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger.ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm("SHA256WithRSAEncryption"); return gen.generate(privateKey, "BC"); Required by Bouncy Castle library

Slide 91

Slide 91 text

createCertificate(keyPair) Calendar start = Calendar. getInstance(); Calendar end = Calendar. getInstance(); end.add(Calendar.YEAR, 1); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); X500Principal principal = new X500Principal("CN=" + alias + " CA"); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(publicKey); gen.setSerialNumber(BigInteger .ONE); gen.setSubjectDN(principal); gen.setIssuerDN(principal); gen.setNotBefore(start.getTime()); gen.setNotAfter(end.getTime()); gen.setSignatureAlgorithm( "SHA256WithRSAEncryption" ); return gen.generate(privateKey, "BC");

Slide 92

Slide 92 text

Load Certificate CertificateFactory fc = CertificateFactory. getInstance("X.509"); InputStream is = new FileInputStream("certificate.cer"); X509Certificate cert = (X509Certificate) fc.generateCertificate(is);

Slide 93

Slide 93 text

Has key KeyStore keyStore = createKeyStore(); boolean result = keyStore.isKeyEntry(alias);

Slide 94

Slide 94 text

Get symmetric key KeyStore keyStore = createKeyStore(); SecretKey key = (SecretKey) keyStore.getKey(alias, password);

Slide 95

Slide 95 text

Get asymmetric key KeyStore keyStore = createDefaultKeyStore(); PasswordProtection protection = new PasswordProtection(password); PrivateKeyEntry entry = (PrivateKeyEntry) keyStore.getEntry( alias, protection); if(entry != null) { PublicKey publicKey = entry.getCertificate().getPublicKey() KeyPair keyPair = new KeyPair(publicKey, entry.getPrivateKey()); }

Slide 96

Slide 96 text

Delete key KeyStore keyStore = createKeyStore(); keyStore.deleteEntry(alias);

Slide 97

Slide 97 text

Android Keystore Provider Lets an individual app to store its own credentials, that only the app itself can access.

Slide 98

Slide 98 text

Provider Added in 18 API level Uses system keystore (more secure) Asymmetric keys available from 18 API Generates self signed certificate for you Google used the same Bouncy Castle library. They did copy sources but have made them private Symmetric keys available from 23 API

Slide 99

Slide 99 text

Provider Added in 18 API level Uses system keystore (more secure) Asymmetric keys available from 18 API Generates self signed certificate for you Google used the same Bouncy Castle library. They did copy sources but have made them private Symmetric keys available from 23 API

Slide 100

Slide 100 text

Provider Added in 18 API level Uses system keystore (more secure) Asymmetric keys available from 18 API Generates self signed certificate for you Google used the same Bouncy Castle library. They did copy sources but have made them private Symmetric keys available from 23 API

Slide 101

Slide 101 text

Provider Added in 18 API level Uses system keystore (more secure) Asymmetric keys available from 18 API Generates self signed certificate for you Google used the same Bouncy Castle library. They did copy sources but have made them private Symmetric keys available from 23 API

Slide 102

Slide 102 text

Provider Added in 18 API level Uses system keystore (more secure) Asymmetric keys available from 18 API Generates self signed certificate for you Google used the same Bouncy Castle library. They did copy sources but have made them private Symmetric keys available from 23 API

Slide 103

Slide 103 text

KeyPairGeneratorSpec 500Principal subject = ...; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSerialNumber(serialNumber) .setSubject(subject) .setStartDate(startDate) .setEndDate(endDate) .build(); if(Build.VERSION.SDK_INT > Build.VERSION_CODES. JELLY_BEAN_MR2){ builder.setKeySize(keySize); } KeyPairGenerator generator = KeyPairGenerator. getInstance( "RSA", "AndroidKeyStore"); generator.initialize(spec); KeyPair keyPair= generator.generateKeyPair(); Setup key parameters Available only from 19 API

Slide 104

Slide 104 text

KeyPairGeneratorSpec 500Principal subject = ...; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSerialNumber(serialNumber) .setSubject(subject) .setStartDate(startDate) .setEndDate(endDate) .build(); if(Build.VERSION.SDK_INT > Build.VERSION_CODES. JELLY_BEAN_MR2){ builder.setKeySize(keySize); } KeyPairGenerator generator = KeyPairGenerator. getInstance( "RSA", "AndroidKeyStore" ); generator.initialize(spec); KeyPair keyPair= generator.generateKeyPair(); Set Android Keystore Provider

Slide 105

Slide 105 text

KeyPairGeneratorSpec 500Principal subject = ...; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSerialNumber(serialNumber) .setSubject(subject) .setStartDate(startDate) .setEndDate(endDate) .build(); if(Build.VERSION.SDK_INT > Build.VERSION_CODES. JELLY_BEAN_MR2){ builder.setKeySize(keySize); } KeyPairGenerator generator = KeyPairGenerator. getInstance( "RSA", "AndroidKeyStore"); generator.initialize(spec); KeyPair keyPair= generator.generateKeyPair(); Initialize generator with your key parameters

Slide 106

Slide 106 text

KeyPairGeneratorSpec 500Principal subject = ...; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSerialNumber(serialNumber) .setSubject(subject) .setStartDate(startDate) .setEndDate(endDate) .build(); if(Build.VERSION.SDK_INT > Build.VERSION_CODES. JELLY_BEAN_MR2){ builder.setKeySize(keySize); } KeyPairGenerator generator = KeyPairGenerator. getInstance( "RSA", "AndroidKeyStore"); generator.initialize(spec); KeyPair keyPair= generator.generateKeyPair(); Creates and Saves new to to Android KeyStore

Slide 107

Slide 107 text

KeyPairGeneratorSpec 500Principal subject = ...; KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context) .setAlias(alias) .setSerialNumber(serialNumber) .setSubject(subject) .setStartDate(startDate) .setEndDate(endDate) .build(); if(Build.VERSION.SDK_INT > Build.VERSION_CODES. JELLY_BEAN_MR2){ builder.setKeySize(keySize); } KeyPairGenerator generator = KeyPairGenerator. getInstance( "RSA", "AndroidKeyStore" ); generator.initialize(spec); KeyPair keyPair= generator.generateKeyPair();

Slide 108

Slide 108 text

KeyGenParameterSpec Added in 23 API level Used to create asymmetric and symmetric keys

Slide 109

Slide 109 text

KeyGenParameterSpec Added in 23 API level Used to create asymmetric and symmetric keys

Slide 110

Slide 110 text

KeyGenParameterSpec, Asymmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder(alias, purposes) .setKeySize(keySize) .setCertificateSerialNumber(serialNumber) .setCertificateSubject(subject) .setCertificateNotBefore(startDate) .setCertificateNotAfter(endDate) .setBlockModes("ECB") .setEncryptionPaddings( "PKCS1Padding"); KeyPairGeneratorSpec spec = builder.build();

Slide 111

Slide 111 text

KeyGenParameterSpec, Asymmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder( alias, purposes) .setKeySize(keySize) .setCertificateSerialNumber(serialNumber) .setCertificateSubject(subject) .setCertificateNotBefore(startDate) .setCertificateNotAfter(endDate) .setBlockModes("ECB") .setEncryptionPaddings("PKCS1Padding"); KeyPairGeneratorSpec spec = builder.build(); You will be able to use generated key only for those purposes

Slide 112

Slide 112 text

KeyGenParameterSpec, Asymmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder(alias, purposes) .setKeySize(keySize) .setCertificateSerialNumber(serialNumber) .setCertificateSubject(subject) .setCertificateNotBefore(startDate) .setCertificateNotAfter(endDate) .setBlockModes("ECB") .setEncryptionPaddings( "PKCS1Padding"); KeyPairGeneratorSpec spec = builder.build(); Use it to initialize KeyPairGenerator Mode and Padding will be required with Cipher

Slide 113

Slide 113 text

KeyGenParameterSpec, Symmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder( alias, purposes) .setKeySize(keySize) .setBlockModes("CBC") .setEncryptionPaddings( "PKCS7Padding"); KeyPairGeneratorSpec spec = builder.build(); KeyGenerator gen = KeyGenerator. getInstance("AES","AndroidKeyStore"); gen.init(spec); SecretKey key = gen.generateKey();

Slide 114

Slide 114 text

KeyGenParameterSpec, Symmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder(alias, purposes) .setKeySize(keySize) .setBlockModes("CBC") .setEncryptionPaddings("PKCS7Padding"); KeyPairGeneratorSpec spec = builder.build(); KeyGenerator gen = KeyGenerator. getInstance("AES","AndroidKeyStore"); gen.init(spec); SecretKey key = gen.generateKey();

Slide 115

Slide 115 text

KeyGenParameterSpec, Symmetric int purposes = KeyProperties. PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT; Builder builder = new KeyGenParameterSpec.Builder(alias, purposes) .setKeySize(keySize) .setBlockModes("CBC") .setEncryptionPaddings( "PKCS7Padding"); KeyPairGeneratorSpec spec = builder.build(); KeyGenerator gen = KeyGenerator. getInstance("AES","AndroidKeyStore"); gen.init(spec); SecretKey key = gen.generateKey();

Slide 116

Slide 116 text

Symmetric Cipher Requires to provide IV Specification by default KeyGenParameterSpec.Builder.setRandomizedEncryptionRequired() Sets whether encryption using this key must be sufficiently randomized to produce different ciphertexts for the same plaintext every time. Crashes with IV Spec required exception even if it is set to false

Slide 117

Slide 117 text

Symmetric Cipher Requires to provide IV Specification by default KeyGenParameterSpec.Builder.setRandomizedEncryptionRequired() Sets whether encryption using this key must be sufficiently randomized to produce different ciphertexts for the same plaintext every time. Crashes with IV Spec required exception even if it is set to false

Slide 118

Slide 118 text

Symmetric Cipher Requires to provide IV Specification by default KeyGenParameterSpec.Builder.setRandomizedEncryptionRequired() Sets whether encryption using this key must be sufficiently randomized to produce different ciphertexts for the same plaintext every time. Crashes with IV Spec required exception even if it is set to false

Slide 119

Slide 119 text

Symmetric Encryption static final String IV_SEPARATOR = "]"; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] iv = cipher.getIV(); String ivString = Base64. encodeToString(iv, Base64.DEFAULT); String result = ivString + IV_SEPARATOR; ... result += cipherText;

Slide 120

Slide 120 text

Symmetric Encryption static final String IV_SEPARATOR = "]"; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] iv = cipher.getIV(); String ivString = Base64. encodeToString(iv, Base64.DEFAULT); String result = ivString + IV_SEPARATOR; ... result += cipherText; Use automatically generated IV

Slide 121

Slide 121 text

Symmetric Encryption static final String IV_SEPARATOR = "]"; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] iv = cipher.getIV(); String ivString = Base64. encodeToString(iv, Base64.DEFAULT); String result = ivString + IV_SEPARATOR; ... result += cipherText; Used to separe IV and ciphertext

Slide 122

Slide 122 text

Symmetric Encryption static final String IV_SEPARATOR = "]"; Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] iv = cipher.getIV(); String ivString = Base64. encodeToString(iv, Base64.DEFAULT); String result = ivString + IV_SEPARATOR; ... result += cipherText; Add IV to resulting ciphertext

Slide 123

Slide 123 text

Symmetric Decryption Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); String[] split = data.split( IV_SEPARATOR); String ivString = split [0]; cipherText= split[1]; IvParameterSpec ivSpec = new IvParameterSpec(Base64. decode(ivString, Base64.DEFAULT)); cipher.init(Cipher.DECRYPT_MODE, key, ivSpec); ... Parse ciphertext and IV

Slide 124

Slide 124 text

Symmetric Decryption Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding"); String[] split = data.split( IV_SEPARATOR); String ivString = split[0]; cipherText= split[1]; IvParameterSpec ivSpec = new IvParameterSpec(Base64. decode(ivString, Base64.DEFAULT)); cipher.init(Cipher.DECRYPT_MODE, key, ivSpec); ... Initialize cipher with IV

Slide 125

Slide 125 text

Symmetric Decryption Cipher cipher = Cipher. getInstance("AES/CBC/PKCS7Padding" ); String[] split = data.split( IV_SEPARATOR); String ivString = split [0]; cipherText= split[1]; IvParameterSpec ivSpec = new IvParameterSpec(Base64. decode(ivString, Base64.DEFAULT)); cipher.init(Cipher.DECRYPT_MODE, key, ivSpec); ...

Slide 126

Slide 126 text

Encrypt large data with RSA You can proceed as large data as key size specified for a RSA Key There are two options of how to do that 1. Create additional symmetric key. Encrypt your data with it. Then encrypt it with your public RSA key. Add encrypted key to encrypted data (the same way as we did with IV spec for example) 2. Use buffer to separate your data to chunks. And then proceed each chunk separately with RSA key. In the end merge chunks.

Slide 127

Slide 127 text

Encrypt large data with RSA You can proceed as large data as key size specified for a RSA Key There are two options of how to do that 1. Create additional symmetric key. Encrypt your data with it. Then encrypt it with your public RSA key. Add encrypted key to encrypted data (the same way as we did with IV spec for example) 2. Use buffer to separate your data to chunks. And then proceed each chunk separately with RSA key. In the end merge chunks.

Slide 128

Slide 128 text

Encrypt large data with RSA You can proceed as large data as key size specified for a RSA Key There are two options of how to do that 1. Create additional symmetric key. Encrypt your data with it. Then encrypt it with your public RSA key. Add encrypted key to encrypted data (the same way as we did with IV spec for example) 2. Use buffer to separate your data to chunks. And then proceed each chunk separately with RSA key. In the end merge chunks.

Slide 129

Slide 129 text

Encrypt large data with RSA You can proceed as large data as key size specified for a RSA Key There are two options of how to do that 1. Create additional symmetric key. Encrypt your data with it. Then encrypt it with your public RSA key. Add encrypted key to encrypted data (the same way as we did with IV spec for example) 2. Use buffer to separate your data to chunks. And then proceed each chunk separately with RSA key. In the end merge chunks.

Slide 130

Slide 130 text

KeyStore KeyStore keyStore = KeyStore. getInstance("AndroidKeyStore"); keyStore.load(null); // asymmetric key PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null); PublicKey publicKey = keyStore.getCertificate(alias).getPublicKey(); // symmetric key SecretKey secretKey= (SecretKey) keyStore.getKey(alias, null); // delete key keyStore.deleteEntry(alias); // check if key exists boolean result = keyStore.isKeyEntry(alias); Don’t forget to set provider Just call load like this

Slide 131

Slide 131 text

KeyStore KeyStore keyStore = KeyStore. getInstance("AndroidKeyStore"); keyStore.load(null); // asymmetric key PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null); PublicKey publicKey = keyStore.getCertificate(alias).getPublicKey(); // symmetric key SecretKey secretKey= (SecretKey) keyStore.getKey(alias, null); // delete key keyStore.deleteEntry(alias); // check if key exists boolean result = keyStore.isKeyEntry(alias);

Slide 132

Slide 132 text

Security Utility Manage key generation, key storing and encryption on different APIs of Android.

Slide 133

Slide 133 text

API Manage asymmetric and symmetric keys Cipher encryption and decryption RSA buffered encryption/decryption implementation Backward compatible

Slide 134

Slide 134 text

API Manage asymmetric and symmetric keys Cipher encryption and decryption RSA buffered encryption/decryption implementation Backward compatible

Slide 135

Slide 135 text

API Manage asymmetric and symmetric keys Cipher encryption and decryption RSA buffered encryption/decryption implementation Backward compatible

Slide 136

Slide 136 text

API Manage asymmetric and symmetric keys Cipher encryption and decryption RSA buffered encryption/decryption implementation Backward compatible

Slide 137

Slide 137 text

Compatibility Asymmetric keys On devices with API < 18, creates keystore file in local application cache. On devices with API >= 18, uses Android Keystore. Symmetric keys On devices with API < 23, creates keystore file in local application cache. On devices with API >= 18, uses Android Keystore.

Slide 138

Slide 138 text

Compatibility Asymmetric keys On devices with API < 18, creates keystore file in local application cache. On devices with API >= 18, uses Android Keystore. Symmetric keys On devices with API < 23, creates keystore file in local application cache. On devices with API >= 18, uses Android Keystore.

Slide 139

Slide 139 text

Example String alias = ...; char[] password = ...; // Create and save symmetric key Security.Store store = new Security.Store(getApplicationContext()); if (!store.hasKey(alias)) { SecretKey key = store.generateSymmetricKey(alias, password); } // Create and save asymmetric key KeyPair keyPair = store.generateAsymmetricKey(alias, password);

Slide 140

Slide 140 text

Example String alias = ...; char[] password = ...; // Create and save symmetric key Security.Store store = new Security.Store(getApplicationContext()); if (!store.hasKey(alias)) { SecretKey key = store.generateSymmetricKey(alias, password); } // Create and save asymmetric key KeyPair keyPair = store.generateAsymmetricKey(alias, password); Create and saves 256-bit AES key

Slide 141

Slide 141 text

Example String alias = ...; char[] password = ...; // Create and save symmetric key Security.Store store = new Security.Store(getApplicationContext()); if (!store.hasKey(alias)) { SecretKey key = store.generateSymmetricKey(alias, password); } // Create and save asymmetric key KeyPair keyPair = store.generateAsymmetricKey(alias, password); Create and saves 1024-bit RSA key

Slide 142

Slide 142 text

Example // Get symmetric key SecretKey key = store.getSymmetricKey(alias, password); // Encrypt/Decrypt data Security.Crypto crypto = new Security.Crypto(Security. TRANSFORMATION_SYMMETRIC); String text = "Sample text"; String encryptedData = crypto.encrypt(text, key); Log.i("Security", "Encrypted data: " + encryptedData); String decryptedData = crypto.decrypt(encryptedData, key); Log.i("Security", "Decrypted data: " + decryptedData);

Slide 143

Slide 143 text

Extended Usage KeyProps keyProps = new KeyProps.Builder() .setAlias(alias) .setPassword(password) .setKeySize(keysize) .setKeyType("RSA") .setSerialNumber(BigInteger. ONE) .setSubject(subject) .setStartDate(startDate) .setEndDate(end.Date) .setBlockModes("ECB") .setEncryptionPaddings( "PKCS1Padding") .setSignatureAlgorithm( "SHA256WithRSAEncryption" ) .build(); KeyPair keyPair = store.generateAsymmetricKey( keyProps);

Slide 144

Slide 144 text

Extended Usage // as specified for RSA/ECB/PKCS1Padding keys final int encryptionBlockSize = keysize / 8 - 11; final int decryptionBlockSize = keysize / 8; Security.Crypto crypto = new Security.Crypto( "RSA/ECB/PKCS1Padding" , encryptionBlockSize, decryptionBlockSize); String text = "Some very long text"; String encryptedData = crypto.encrypt(text, key, false); String decryptedData = crypto.decrypt(encryptedData, key, false);

Slide 145

Slide 145 text

Extended Usage // as specified for RSA/ECB/PKCS1Padding keys final int encryptionBlockSize = keysize / 8 - 11; final int decryptionBlockSize = keysize / 8; Security.Crypto crypto = new Security.Crypto( "RSA/ECB/PKCS1Padding", encryptionBlockSize, decryptionBlockSize); String text = "Some very long text"; String encryptedData = crypto.encrypt(text, key, false); String decryptedData = crypto.decrypt(encryptedData, key, false); Used for RSA buffering

Slide 146

Slide 146 text

Extended Usage // as specified for RSA/ECB/PKCS1Padding keys final int encryptionBlockSize = keysize / 8 - 11; final int decryptionBlockSize = keysize / 8; Security.Crypto crypto = new Security.Crypto( "RSA/ECB/PKCS1Padding", encryptionBlockSize, decryptionBlockSize); String text = "Some very long text"; String encryptedData = crypto.encrypt(text, key, false); String decryptedData = crypto.decrypt(encryptedData, key, false); Whenever to use IV

Slide 147

Slide 147 text

Readings There are always new things you can learn.

Slide 148

Slide 148 text

JCA Documentation http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html Java Algorithms http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#alg Android Keystore Documentation http://developer.android.com/training/articles/keystore.html Android Keystore Supported Algorithms http://developer.android.com/training/articles/keystore.html#SupportedAlgorithms

Slide 149

Slide 149 text

Nikolay Elenkov, Book Android Security Internals: An In-Depth Guide to Android's Security Architecture Nikolay Elenkov, Blog http://nelenkov.blogspot.com/

Slide 150

Slide 150 text

Security Utility, Gist https://github.com/yakivmospan/gists/tree/gh-pages/gists/utils/security Presentation slides https://speakerdeck.com/yakivmospan

Slide 151

Slide 151 text

Thank You! “Be together. Not the same.” Yakiv Mospan http://www.yakivmospan.com/ Team Technologies