android key management @droidcon london 2014
DESCRIPTION
The presentation will cover several aspects related to security issues concerning the “Key Management” for Android apps. In the first part of the presentation, various scenarios will be analyzed where it is necessary to protect the data used by an application, followed by a theoretical introduction of the possible techniques available for protecting data using symmetric and asymmetric key cryptosystems. The presentation will continue with the description and the implementation of some key management techniques used for storing securely encryption keys for symmetric algorithms, taking into account any interaction with the end user. The final part of the presentation will deal with the analysis of the tools provided by Android for the management of private keys and their certificates used in asymmetric algorithms, such as the KeyChain and the new “Android Key Store” , which is available from version 4.3.TRANSCRIPT
AndroidKey ManagementRoberto Piccirillo ([email protected])Roberto Gassirà ([email protected])
Droidcon London 2014
AndroidKey Management Droidcon London 2014
Roberto Piccirillo
● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robpicone
AndroidKey Management Droidcon London 2014
Roberto Gassirà
● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robgas
AndroidKey Management Droidcon London 2014
Android Key Management: Agenda
● Mobile Application Cryptography
● Key Management and CryptoSystem
● Crypto in Android
● Symmetric Encryption
● Symmetric Key Management
● Asymmetric key: Encryption/Digital Signature
● Keychain e AndroidKeyStore
AndroidKey Management Droidcon London 2014
Mobile Application Cryptography
➢ Exchange data securely:
➢ Protect Data:○ Sensitive Data
○ Backup on /sdcard
AndroidKey Management Droidcon London 2014
Key Management
"Key management is the management of cryptographic keys in a cryptosystem."
AndroidKey Management Droidcon London 2014
CryptoSystem
"refers to a suite of algorithms needed to implement a particular form of encryption and decryption"
● Two types of encryption:○ Symmetric Key Algorithms
■ Identical key for encryption/decryption
■ AES, Blowfish, DES, Triple DES
○ Asymmetric Key Algorithms■ Pair of keys (public/private) for
encryption/decryption■ RSA, DSA, ECDSA
AndroidKey Management Droidcon London 2014
Symmetric Key Algorithms: Ciphers
● Two types of ciphers:○ Block: Process entire blocks of fixed-length
groups of bits at a time (padding may be required)
○ Stream: Process single bit at a time(no padding)
● Block Cipher modes of operation:○ ECB: each block encrypted independently○ CBC, CFB, OFB: (feedback mode) each block
is encrypted combined with the previous encrypted block (starting from an IV)
○ CTR: each block xored with the encrypted successive values of a counter ( starting from a nonce)
ECB
CBC
AndroidKey Management Droidcon London 2014
Crypto in Android
● Framework based on JCA ( Java Cryptography Architecture)
● Provides API for:● Encryption/Decryption● Message digests (hashes) ● Key management● Secure random number generation
● API implemented by Cryptographic Service "Provider"
● "Dynamic" Provider:
javax.crypto.*java.security.*
AndroidKey Management Droidcon London 2014
Default Providers
➢ From the beginning○ Bouncy Castle (Customized):
■ Some services and API removed■ Varies between Android versions■ Fixed only in the latest versions
○ Crypto (Apache Harmony)■ Few basic services■ Only for backward compatibility
➢ From Android 4.0○ AndroidOpenSSL:
■ OpenSSL JNI■ Performance Improved■ Vulnerable to Heartbleed in 4.1.1
AndroidKey Management Droidcon London 2014
➢ Spongy Castle (SC)○ Repackage of Bouncy Castle○ Supports more cryptographic options○ Not vulnerable to the Heartbleed Bug○ Up-to-date
➢ GPS Dynamic Security Provider○ Available from Play Services 5.0○ Based on OpenSSL ( No Heartbleed)○ Rapid delivery of security patches○ Vendor independent !!!
Dynamic Providers
AndroidKey Management Droidcon London 2014
Cipher Benchmarks
Run on Google Nexus 5 Android 4.4.4
CBC CTR
AndroidKey Management Droidcon London 2014
Cipher Class
Secret Key Specification
Cipher getInstance
Cipher Init
Cipher Final
AndroidKey Management Droidcon London 2014
SecretKey Specification
javax.crypto.spec.SecretKeySpec
● SecretKeySpec specifies a key for a specific algorithm
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
Encryption/Decryption Key
Cryptographic Algorithm
AndroidKey Management Droidcon London 2014
Cipher GetInstance
javax.crypto.Cipher
● Create cryptographic cipher
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);
Transformation (describes set of operation to perform):
• algorithm/mode/padding• algorithm
Provider( SpongyCastle )
AndroidKey Management Droidcon London 2014
Cipher Init
javax.crypto.Cipher
● Initializes the cipher instance with the specified operational mode, key and algorithm parameters.
cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));
Operational Mode:• ENCRYPT_MODE• DECRYPT_MODE• WRAP_MODE• UNWRAP_MODE
SecretKeySpec Specify Cipher Algorithm parameters
( IV for CBC )
AndroidKey Management Droidcon London 2014
Cipher Final
javax.crypto.Cipher
● Complete a multi-part transformation (encryption or decryption)
byte[] encryptedText = cipher.doFinal(clearText.getBytes());
EncryptedText in byte
ClearText in bytes
AndroidKey Management Droidcon London 2014
Key Generation: SecureRandom
java.security.SecureRandom
● Cryptographically secure pseudo-random number generator
SecureRandom secureRandom = new SecureRandom();
Default constructor uses the most cryptographically
strong provider available
● Seeding SecureRandom is dangerous:○ Not Secure○ Output may change
AndroidKey Management Droidcon London 2014
Some SecureRandom Thoughts...
● Android security team discovered in August 2013 an improper PRNG initialization for default OpenSSL provider
● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected
● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values
● Developer must explicitly initialize the PRNG
PRNGFixes.apply()
http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html
AndroidKey Management Droidcon London 2014
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC");keyGenerator.init(outputKeyLength, secureRandom);
SecretKey key = keyGenerator.generateKey();
Generate Secret Key
javax.crypto.KeyGenerator
● Symmetric cryptographic keys generator
Specify Key Size
Algorithm and Provider
Key to use in Cipher.init()
AndroidKey Management Droidcon London 2014
Key Management: Store on device
● Protected by Android Filesystem Isolation● Plain File● SharedPreferences● Keystore File (BKS, JKS)
● More secure with Phone Encryption
● Store safely● MODE_PRIVATE flag● Use only internal storage
/data/data/app_package
AndroidKey Management Droidcon London 2014
Key Management: Store on device
➢ Device rooted?
○ Check at run-time...
AndroidKey Management Droidcon London 2014
Key Management: Store in App● Uses static keys or device specific information at run-time
(IMEI, mac address, ANDROID_ID)
● Android app can be easily reversed
● Hide with Code obfuscationREVERS
ING
AndroidKey Management Droidcon London 2014
Key Management: PBKDF2
● Password Based Key Derivation Function (PKCS#5)● Variable length password in input● Fixed length key in output
● User interaction required
● Params:○ Password○ Pseudorandom Function○ Salt○ Number of iteration○ Key Size
● Available with BC
AndroidKey Management Droidcon London 2014
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec);
Key Management: PBKDF2
javax.crypto.spec.PBEKeySpec
● PBE Key specification and generation
A good PBE algorithm isPBKDF2WithHmacSHA1
User Password
N. >= 1000
AndroidKey Management Droidcon London 2014
SecretKeyFactory factory;if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT)
// Use compatibility key factory -- only uses lower 8-bits of passphrase charsfactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");
else if (Build.VERSION.SDK_INT >= 10)// Traditional key factory. Will use lower 8-bits of passphrase chars on
// older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");else // FIX for Android 8,9
factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");
SecretKeyFactory API in Android 4.4
AndroidKey Management Droidcon London 2014
Key Management: Other solutions
● Store on server side● Internet connection required● Use trusted and protected connections (HTTPS, Certificate
Pinning)
● Store on external device● NFC Java Card (NXP J3A081)● Smartcard● USB PenDrive● MicroSD with secure storage
● AndroidKeyStore???
AndroidKey Management Droidcon London 2014
Asymmetric Algorithms
● Public/Private Key○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign
● Advantages:○ Public Key distribution is not dangerous
● Disadvantages:○ Computationally expensive
● Usually used with PKI (Public Key Infrastructure for digital certificates)
AndroidKey Management Droidcon London 2014
Public-key Applications
● Can classify uses into 3 categories:
○ Encryption/Decryption (provides Confidentiality)
○ Digital Signatures (provides Authentication and Integrity)
○ Key Exchange (of Session Keys)
● Some algorithms are suitable for all uses (RSA), others are specific to one
AndroidKey Management Droidcon London 2014
PKCS for Asymmetric Algorithms
● PKCS is a group of public-key cryptography standards published by RSA Security Inc
● PKCS#1 (v.2.1)○ RSA Cryptography Standard
● PKCS#3 (v.1.4)○ Diffie-Hellman Key Agreement Standard
● PKCS#8 (v.1.2)○ Private-Key Information Syntax Standard
● PKCS#10 (v.1.7)○ Certification Request Standard
● PKCS#12 (v.1.0)○ Personal Information Exchange Syntax Standard
AndroidKey Management Droidcon London 2014
Android: RSA
KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA");
Java.security.KeyPairGenerator
● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms
Cryptographic Algorithm
AndroidKey Management Droidcon London 2014
Available Providers for RSA Algorithm
KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);
Java.security.KeyPairGenerator
● Different security providers could be used (could change for different OS versions)
“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”
Version 1.0Version 1.49Version 1.0
AndroidKey Management Droidcon London 2014
● KeySize – 1024,2048,4096 bits
KeyPairGenerator: Initialization and Randomness
KeyPairGenerator kpg = KeyPairGenerator.initialize(2048);
Key Size
Java.security.KeyPairGenerator
● KeyPairGenerator initialization with the key size
AndroidKey Management Droidcon London 2014
KeyPairGenerator: Initialization and Randomness
KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr);
Java.security.KeyPairGenerator, Java.security.SecureRandom
● KeyPairGenerator initialization with a SecureRandom
SecureRandom sr = new SecureRandom();
AndroidKey Management Droidcon London 2014
Generating RSA Key
Java.security.KeyPair
● KeyPair is a container for a public/private key generated by the KeyPairGenerator
KeyPair keypair = kpg.genKeyPair()
● We can retrieve public/private keys from KeyPair
Key public_key = kaypair.getPublic();
Key private_key = kaypair.getPrivate();
AndroidKey Management Droidcon London 2014
Using RSA Keys: cipher example
Javax.crypto.Cipher
● Cipher provides access to implementation of cryptography ciphers for encryption and decryption
Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);
Transformation“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”
AndroidKey Management Droidcon London 2014
Using RSA Key: cipher example
Javax.crypto.Cipher
● Encryption
cipher.init(Cipher.ENCRYPT_MODE,public_key);
● Decryption
byte[] encrypted_data=cipher.doFinal(“DroidconUK-2014”.getBytes());
cipher.init(Cipher.DECRYPT_MODE,private_key);
byte[] decrypted_data=cipher.doFinal(cipherd_data);
AndroidKey Management Droidcon London 2014
Parameters of RSA Keys
java.security.KeyFactory, java.security.spec,
● Retrieve RSA Key parameters using KeyFactory
RSAPublicKeySpec rsa_public= keyfactory.getKeySpec(keypair.getPublic(),
RSAPublicKeySpec.class);
RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(),
RSAPrivateKeySpec.class);
AndroidKey Management Droidcon London 2014
Extract Parameters of RSA Keys
Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec
● Retrieved parameters can be stored
BigInteger m = rsa_public.getModulus();
BigInteger e = rsa_public.getPublicExponent();
BigInteger d = rsa_private.getPrivateExponent();
Is Private
AndroidKey Management Droidcon London 2014
AndroidKeyStore
● Custom Java Security Provider available from Android 4.3 version and beyond
● An App can generate and save private keys
● Keys are private for each App
● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored
● ECDSA support added from Android 4.4
AndroidKey Management Droidcon London 2014
Key Management Evolution
API LEVEL 14 API LEVEL 18
Global Level:KeyChain( Public API )
App Level:KeyStore( Closed API )
Global Level Only:
Default TrustStorecacerts.bks
(ROOTED device)
Global Level:KeyChain( Public API )
App Level and per User Level:AndroidKeyStore( Public API )
AndroidKey Management Droidcon London 2014
AndroidKeyStore Storage
● Two kinds of storage
○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3)○ Secure Element ○ TPM○ TrustZone
○ Software only (Other devices with OS >= 4.3)
AndroidKey Management Droidcon London 2014
Type of Storage
import android.security.KeyChain;
if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only
AndroidKey Management Droidcon London 2014
Certificate parameters
Context cx = getActivity();
String pkg = cx.getPackageName();
Calendar notBefore = Calendar.getInstance();
Calendar notAfter = Calendar.getInstance();
notAfter.add(1, Calendar.YEAR);
import android.security.KeyPairGeneratorSpec.Builder;
Builder builder = new KeyPairGeneratorSpec.Builder(cx);
builder.setAlias(“DEVKEY1”);
String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg);
builder.setSubject(new X500Principal(infocert));
builder.setSerialNumber(BigInteger.ONE);
builder.setStartDate(notBefore.getTime());
builder.setEndDate(notAfter.getTime());
KeyPairGeneratorSpec spec = builder.build();
Time parameters
Self-Signed X.509● Common Name(CN)● Subject(OU)● Serial Number
Generate certificate
ALIAS to index the certificate
AndroidKey Management Droidcon London 2014
Generating Public/Private keys
KeyPairGenerator kpGenerator;
kpGenerator = KeyPairGenerator
.getInstance("RSA", "AndroidKeyStore");
kpGenerator.initialize(spec);
KeyPair kp;
kp = kpGenerator.generateKeyPair();
Engine to generate Public/Private key
Init Engine with:● RSA Algorithm● Provider: AndroidKeyStore
Init Engine with certificate parameters
After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS
● Generating Private/Public key
AndroidKey Management Droidcon London 2014
AndroidKeyStore Initialization
keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS
Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not
used the App will crash
Get a reference to the AndroidKeyStore
AndroidKey Management Droidcon London 2014
RSA Encryption
● Encryption○ Confidentiality ○ RSA Public key to Encrypt○ RSA Private key to Decrypt
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry)
.getCertificate().getPublicKey();
String textToEncrypt = new String(”DroidconUK-2014");
Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);
byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt);
Access to Public key to encrypt
● Algorithm● Encryption with
Public key
Ciphered
Access to keys identified by ALIAS
AndroidKey Management Droidcon London 2014
RSA Decryption
Cipher decCipher = null;
byte[] plainTextByte = null;
decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
decCipher.init(Cipher.DECRYPT_MODE,
((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
plainTextByte = decCipher.doFinal(byteEcryptedText);
String plainText = new String(plainTextByte);
Algorithm
Decryption with Private key
Plaintext
AndroidKey Management Droidcon London 2014
s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
s.update(data);
boolean valid = s.verify(signature);
RSA Digital Signature
● Digital Signature○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign○ RSA Public Key to Verify
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
Access to Private/Public key identified by ALIAS
Private key to sign
Public Key in certificate to verify
signature
AndroidKey Management Droidcon London 2014
Issue 61989 …
AndroidKey Management Droidcon London 2014
KeyChain
● KeyChain○ Accessible by any Application
● Typically used for corporate certificates
AndroidKey Management Droidcon London 2014
Example: Import Certificates
● Import .p12 certificates
Intent intent = KeyChain.createInstallIntent();
byte[] p12 = readFile(“CERTIFICATE_NAME.p12”);
Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);
Specify PKCS#12 Key to install
startActivity(intent);The user will be prompted for the password
AndroidKey Management Droidcon London 2014
KeyChain.choosePrivateKeyAlias(Activity activity,KeyChainAliasCallBack response,String[] keyTypes,Principal[] issuers,String host,Int port,String Alias);
Example: Retrieve the key
● The KeyChainAliasCallback invoked when a user chooses a certificate/private key
AndroidKey Management Droidcon London 2014
@Overridepublic void alias(String alias){
.
.PrivateKey private_key = KeyChain. getPrivateKey(this,alias);
.
.X509Certificate[] chain = KeyChain. getCertificateChain(this,”DroidconUK-2014”);
.PublicKey public_key = chain[0].getPublicKey();
}
Example: Retrieve and use the keys
Private Key
Public Key
● KeyChainAliasCallbak must implement the abstract method alias:
AndroidKey Management Droidcon London 2014
References● http://developer.android.com/about/versions/android-4.3.html#Security
● http://developer.android.com/reference/java/security/KeyStore.html
● http://en.wikipedia.org/wiki/Encryption
● http://en.wikipedia.org/wiki/Digital_signature
● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html
● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html
● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html
● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html
● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html
● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-credentials.html
● http://www.bouncycastle.org/
● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html
● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html
● http://en.wikipedia.org/wiki/PKCS
● http://developer.android.com/reference/android/security/KeyChain.html
● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html
AndroidKey Management Droidcon London 2014
Thank youQ&A
www.mseclab.comwww.consulthink.it