Android Key Management Roberto Piccirillo ([email protected]) Roberto Gassirà ([email protected]) Droidcon London 2014 

Android Key Management Droidcon London 2014 Roberto Piccirillo ● Senior Security Analyst - Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Hijacking Mobile Data Connection ■ BlackHat Europe 2009 ■ DeepSec Vienna 2009 ■ HITB Amsterdam 2010 ○ Android Secure Development ● GDG Rome Lab @robpicone 

Android Key Management Droidcon London 2014 Roberto Gassirà ● Senior Security Analyst - Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Hijacking Mobile Data Connection ■ BlackHat Europe 2009 ■ DeepSec Vienna 2009 ■ HITB Amsterdam 2010 ○ Android Secure Development ● GDG Rome Lab @robgas 

Android Key Management Droidcon London 2014 Android Key Management: Agenda ● Mobile Application Cryptography ● Key Management and CryptoSystem ● Crypto in Android ● Symmetric Encryption ● Symmetric Key Management ● Asymmetric key: Encryption/Digital Signature ● Keychain e AndroidKeyStore 

Android Key Management Droidcon London 2014 Mobile Application Cryptography ➢ Exchange data securely: ➢ Protect Data: ○ Sensitive Data ○ Backups on /sdcard 

Android Key Management Droidcon London 2014 Key Management "Key management is the management of cryptographic keys in a cryptosystem." 

Android Key Management Droidcon London 2014 CryptoSystem "refers to a suite of algorithms needed to implement a particular form of encryption and decryption" ● Two types of encryption: ○ Symmetric Key Algorithms ■ Identical key for encryption/decryption ■ AES, Blowfish, DES, Triple DES ○ Asymmetric Key Algorithms ■ Pair of keys (public/private) for encryption/decryption ■ RSA, DSA, ECDSA 

Android Key Management Droidcon London 2014 Symmetric Key Algorithms: Ciphers ● Two types of ciphers: ○ Block: Process entire blocks of fixed-length groups of bits at a time (padding may be required) ○ Stream: Process single bit at a time(no padding) ● Block Cipher modes of operation: ○ ECB: each block encrypted independently ○ CBC, CFB, OFB: (feedback mode) each block is encrypted combined with the previous encrypted block (starting from an IV) ○ CTR: each block xored with the encrypted successive values of a counter ( starting from a nonce) ECB CBC 

Android Key Management Droidcon London 2014 Crypto in Android ● Framework based on JCA ( Java Cryptography Architecture) ● Provides API for: ● Encryption/Decryption ● Message digests (hashes) ● Key management ● Secure random number generation ● API implemented by Cryptographic Service "Provider" ● "Dynamic" Provider: javax.crypto.* java.security.* 

Android Key Management Droidcon London 2014 Default Providers ➢ From the beginning ○ Bouncy Castle (Customized): ■ Some services and API removed ■ Varies between Android versions ■ Fixed only in the latest versions ○ Crypto (Apache Harmony) ■ Few basic services ■ Only for backward compatibility ➢ From Android 4.0 ○ AndroidOpenSSL: ■ OpenSSL JNI ■ Performance Improved ■ Vulnerable to Heartbleed in 4.1.1 

Android Key Management Droidcon London 2014 ➢ Spongy Castle (SC) ○ Repackage of Bouncy Castle ○ Supports more cryptographic options ○ Not vulnerable to the Heartbleed Bug ○ Up-to-date ➢ GPS Dynamic Security Provider ○ Available from Play Services 5.0 ○ Based on OpenSSL ( No Heartbleed) ○ Rapid delivery of security patches ○ Vendor independent !!! Dynamic Providers 

Android Key Management Droidcon London 2014 Cipher Benchmarks Run on Google Nexus 5 Android 4.4.4 CBC CTR 

Android Key Management Droidcon London 2014 Cipher Class Secret Key Specification Cipher getInstance Cipher Init Cipher Final 

Android Key Management Droidcon London 2014 SecretKey Specification javax.crypto.spec.SecretKeySpec ● SecretKeySpec specifies a key for a specific algorithm SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); Encryption/Decryption Key Cryptographic Algorithm 

Android Key Management Droidcon London 2014 Cipher GetInstance javax.crypto.Cipher ● Create cryptographic cipher Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”); Transformation (describes set of operation to perform): • algorithm/mode/padding • algorithm Provider ( SpongyCastle ) 

Android Key Management Droidcon London 2014 Cipher Init javax.crypto.Cipher ● Initializes the cipher instance with the specified operational mode, key and algorithm parameters. cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv)); Operational Mode: • ENCRYPT_MODE • DECRYPT_MODE • WRAP_MODE • UNWRAP_MODE SecretKeySpec Specify Cipher Algorithm parameters ( IV for CBC ) 

Android Key Management Droidcon London 2014 Cipher Final javax.crypto.Cipher ● Complete a multi-part transformation (encryption or decryption) byte[] encryptedText = cipher.doFinal(clearText.getBytes()); Encrypted Text in byte ClearText in bytes 

Android Key Management Droidcon London 2014 Key Generation: SecureRandom java.security.SecureRandom ● Cryptographically secure pseudo-random number generator SecureRandom secureRandom = new SecureRandom(); Default constructor uses the most cryptographically strong provider available ● Seeding SecureRandom is dangerous: ○ Not Secure ○ Output may change 

Android Key Management Droidcon London 2014 Some SecureRandom Thoughts... ● Android security team discovered in August 2013 an improper PRNG initialization for default OpenSSL provider ● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected ● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values ● Developer must explicitly initialize the PRNG PRNGFixes.apply() http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html 

Android Key Management Droidcon London 2014 KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC"); keyGenerator.init(outputKeyLength, secureRandom); SecretKey key = keyGenerator.generateKey(); Generate Secret Key javax.crypto.KeyGenerator ● Symmetric cryptographic keys generator Specify Key Size Algorithm and Provider Key to use in Cipher.init() 

Android Key Management Droidcon London 2014 Key Management: Store on device ● Protected by Android Filesystem Isolation ● Plain File ● SharedPreferences ● Keystore File (BKS, JKS) ● More secure with Phone Encryption ● Store safely ● MODE_PRIVATE flag ● Use only internal storage /data/data/app_package 

Android Key Management Droidcon London 2014 Key Management: Store on device ➢ Device rooted? ○ Check at run-time... 

Android Key Management Droidcon London 2014 Key Management: Store in App ● Uses static keys or device specific information at run-time (IMEI, mac address, ANDROID_ID) ● Android app can be easily reversed ● Hide with Code obfuscation REVERSING 

Android Key Management Droidcon London 2014 Key Management: PBKDF2 ● Password Based Key Derivation Function (PKCS#5) ● Variable length password in input ● Fixed length key in output ● User interaction required ● Params: ○ Password ○ Pseudorandom Function ○ Salt ○ Number of iteration ○ Key Size ● Available with BC 

Android Key Management Droidcon London 2014 KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance (PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec); Key Management: PBKDF2 javax.crypto.spec.PBEKeySpec ● PBE Key specification and generation A good PBE algorithm is PBKDF2WithHmacSHA1 User Password N. >= 1000 

Android Key Management Droidcon London 2014 SecretKeyFactory factory; if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) // Use compatibility key factory -- only uses lower 8-bits of passphrase chars factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit"); else if (Build.VERSION.SDK_INT >= 10) // Traditional key factory. Will use lower 8-bits of passphrase chars on // older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); else // FIX for Android 8,9 factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC"); SecretKeyFactory API in Android 4.4 

Android Key Management Droidcon London 2014 Key Management: Other solutions ● Store on server side ● Internet connection required ● Use trusted and protected connections (HTTPS, Certificate Pinning) ● Store on external device ● NFC Java Card (NXP J3A081) ● Smartcard ● USB PenDrive ● MicroSD with secure storage ● AndroidKeyStore??? 

Android Key Management Droidcon London 2014 Asymmetric Algorithms ● Public/Private Key ○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign ● Advantages: ○ Public Key distribution is not dangerous ● Disadvantages: ○ Computationally expensive ● Usually used with PKI (Public Key Infrastructure for digital certificates) 

Android Key Management Droidcon London 2014 Public-key Applications ● Can classify uses into 3 categories: ○ Encryption/Decryption (provides Confidentiality) ○ Digital Signatures (provides Authentication and Integrity) ○ Key Exchange (of Session Keys) ● Some algorithms are suitable for all uses (RSA), others are specific to one 

Android Key Management Droidcon London 2014 PKCS for Asymmetric Algorithms ● PKCS is a group of public-key cryptography standards published by RSA Security Inc ● PKCS#1 (v.2.1) ○ RSA Cryptography Standard ● PKCS#3 (v.1.4) ○ Diffie-Hellman Key Agreement Standard ● PKCS#8 (v.1.2) ○ Private-Key Information Syntax Standard ● PKCS#10 (v.1.7) ○ Certification Request Standard ● PKCS#12 (v.1.0) ○ Personal Information Exchange Syntax Standard 

Android Key Management Droidcon London 2014 Android: RSA KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA"); Java.security.KeyPairGenerator ● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms Cryptographic Algorithm 

Android Key Management Droidcon London 2014 Available Providers for RSA Algorithm KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”); Java.security.KeyPairGenerator ● Different security providers could be used (could change for different OS versions) “AndroidOpenSSL” “BC” “AndroidKeyStore” “GmsCore_OpenSSL” Version 1.0 Version 1.49 Version 1.0 

Android Key Management Droidcon London 2014 ● KeySize – 1024,2048,4096 bits KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048); Key Size Java.security.KeyPairGenerator ● KeyPairGenerator initialization with the key size 

Android Key Management Droidcon London 2014 KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr); Java.security.KeyPairGenerator, Java.security.SecureRandom ● KeyPairGenerator initialization with a SecureRandom SecureRandom sr = new SecureRandom(); 

Android Key Management Droidcon London 2014 Generating RSA Key Java.security.KeyPair ● KeyPair is a container for a public/private key generated by the KeyPairGenerator KeyPair keypair = kpg.genKeyPair() ● We can retrieve public/private keys from KeyPair Key public_key = kaypair.getPublic(); Key private_key = kaypair.getPrivate(); 

Android Key Management Droidcon London 2014 Using RSA Keys: cipher example Javax.crypto.Cipher ● Cipher provides access to implementation of cryptography ciphers for encryption and decryption Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER); Transformation “AndroidOpenSSL” “BC” “AndroidKeyStore” “GmsCore_OpenSSL” 

Android Key Management Droidcon London 2014 Using RSA Key: cipher example Javax.crypto.Cipher ● Encryption cipher.init(Cipher.ENCRYPT_MODE,public_key); ● Decryption byte[] encrypted_data= cipher.doFinal(“DroidconUK-2014”.getBytes()); cipher.init(Cipher.DECRYPT_MODE,private_key); byte[] decrypted_data= cipher.doFinal(cipherd_data); 

Android Key Management Droidcon London 2014 Parameters of RSA Keys java.security.KeyFactory, java.security.spec, ● Retrieve RSA Key parameters using KeyFactory RSAPublicKeySpec rsa_public= keyfactory. getKeySpec(keypair.getPublic(), RSAPublicKeySpec.class); RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec (keypair.getPrivate(), RSAPrivateKeySpec.class); 

Android Key Management Droidcon London 2014 Extract Parameters of RSA Keys Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec ● Retrieved parameters can be stored BigInteger m = rsa_public.getModulus(); BigInteger e = rsa_public.getPublicExponent(); BigInteger d = rsa_private.getPrivateExponent(); Is Private 

Android Key Management Droidcon London 2014 AndroidKeyStore ● Custom Java Security Provider available from Android 4.3 version and beyond ● An App can generate and save private keys ● Keys are private for each App ● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored ● ECDSA support added from Android 4.4 

Android Key Management Droidcon London 2014 Key Management Evolution API LEVEL 14 API LEVEL 18 Global Level: KeyChain ( Public API ) App Level: KeyStore ( Closed API ) Global Level Only: Default TrustStore cacerts.bks (ROOTED device) Global Level: KeyChain ( Public API ) App Level and per User Level: AndroidKeyStore ( Public API ) 

Android Key Management Droidcon London 2014 AndroidKeyStore Storage ● Two kinds of storage ○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3) ○ Secure Element ○ TPM ○ TrustZone ○ Software only (Other devices with OS >= 4.3) 

Android Key Management Droidcon London 2014 Type of Storage import android.security.KeyChain; if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only 

Android Key Management Droidcon London 2014 Certificate parameters Context cx = getActivity(); String pkg = cx.getPackageName(); Calendar notBefore = Calendar.getInstance(); Calendar notAfter = Calendar.getInstance(); notAfter.add(1, Calendar.YEAR); import android.security.KeyPairGeneratorSpec.Builder; Builder builder = new KeyPairGeneratorSpec.Builder(cx); builder.setAlias(“DEVKEY1”); String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg); builder.setSubject(new X500Principal(infocert)); builder.setSerialNumber(BigInteger.ONE); builder.setStartDate(notBefore.getTime()); builder.setEndDate(notAfter.getTime()); KeyPairGeneratorSpec spec = builder.build(); Time parameters Self-Signed X.509 ● Common Name(CN) ● Subject(OU) ● Serial Number Generate certificate ALIAS to index the certificate 

Android Key Management Droidcon London 2014 Generating Public/Private keys KeyPairGenerator kpGenerator; kpGenerator = KeyPairGenerator .getInstance("RSA", "AndroidKeyStore"); kpGenerator.initialize(spec); KeyPair kp; kp = kpGenerator.generateKeyPair(); Engine to generate Public/Private key Init Engine with: ● RSA Algorithm ● Provider: AndroidKeyStore Init Engine with certificate parameters After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS ● Generating Private/Public key 

Android Key Management Droidcon London 2014 AndroidKeyStore Initialization keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not used the App will crash Get a reference to the AndroidKeyStore 

Android Key Management Droidcon London 2014 RSA Encryption ● Encryption ○ Confidentiality ○ RSA Public key to Encrypt ○ RSA Private key to Decrypt KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null); PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry) .getCertificate().getPublicKey(); String textToEncrypt = new String(”DroidconUK-2014"); Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc); byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt); Access to Public key to encrypt ● Algorithm ● Encryption with Public key Ciphered Access to keys identified by ALIAS 

Android Key Management Droidcon London 2014 RSA Decryption Cipher decCipher = null; byte[] plainTextByte = null; decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); decCipher.init(Cipher.DECRYPT_MODE, ((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); plainTextByte = decCipher.doFinal(byteEcryptedText); String plainText = new String(plainTextByte); Algorithm Decryption with Private key Plaintext 

Android Key Management Droidcon London 2014 s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean valid = s.verify(signature); RSA Digital Signature ● Digital Signature ○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign ○ RSA Public Key to Verify KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null); s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); Access to Private/Public key identified by ALIAS Private key to sign Public Key in certificate to verify signature 

Android Key Management Droidcon London 2014 Issue 61989 … 

Android Key Management Droidcon London 2014 KeyChain ● KeyChain ○ Accessible by any Application ● Typically used for corporate certificates 

Android Key Management Droidcon London 2014 Example: Import Certificates ● Import .p12 certificates Intent intent = KeyChain.createInstallIntent(); byte[] p12 = readFile(“CERTIFICATE_NAME.p12”); Intent.putExtra(KeyChain.EXTRA_PKCS12,p12); Specify PKCS#12 Key to install startActivity(intent); The user will be prompted for the password 

Android Key Management Droidcon London 2014 KeyChain.choosePrivateKeyAlias( Activity activity, KeyChainAliasCallBack response, String[] keyTypes, Principal[] issuers, String host, Int port, String Alias); Example: Retrieve the key ● The KeyChainAliasCallback invoked when a user chooses a certificate/private key 

Android Key Management Droidcon London 2014 @Override public void alias(String alias){ . . PrivateKey private_key = KeyChain. getPrivateKey(this,alias); . . X509Certificate[] chain = KeyChain. getCertificateChain(this,”DroidconUK-2014”); . PublicKey public_key = chain[0].getPublicKey(); } Example: Retrieve and use the keys Private Key Public Key ● KeyChainAliasCallbak must implement the abstract method alias: 

Android Key Management Droidcon London 2014 References ● http://developer.android.com/about/versions/android-4.3.html#Security ● http://developer.android.com/reference/java/security/KeyStore.html ● http://en.wikipedia.org/wiki/Encryption ● http://en.wikipedia.org/wiki/Digital_signature ● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43. html ● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html ● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html ● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html ● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html ● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store- credentials.html ● http://www.bouncycastle.org/ ● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html ● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html ● http://en.wikipedia.org/wiki/PKCS ● http://developer.android.com/reference/android/security/KeyChain.html ● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in. html 

Android Key Management Droidcon London 2014 Thank you Q&A www.mseclab.com www.consulthink.it [email protected]