Storing RSA Private Key Android

Question

During the creation of simple messaging android application that is to encrypt/decrypt messages and send them through internet, I decided to use RSA public/private key encryption. Question is how to store private key, so that even if phone is maliciously rooted, the key would stay safe? As far as I understood, KeyStore is used for certificates, and cannot be used for this? Should I encrypt private key as text file with AES? I have very little experience with security, so please feel free to correct my ideas, and give your opinion!

Kind Regards.

Answer 1

I think KeyStore could be suitable for your use. It is able to store RSA keys and encrypts them using AES so even with root access, they cannot be extracted without the password or bruteforcing.

There's a good post here about using KeyStore: http://nelenkov.blogspot.fr/2012/05/storing-application-secrets-in-androids.html

Answer 2

You can persist your RSA public/private key using SharedPreference on android. In order to keep your keys safe when the phone is maliciously rooted, you can do the following steps:

1: When you want to ecrypt any data generate a key pair.
2: Prompt the user for a password.
3: Use that password to generate a symmetric key to encrypt your private key.
4: You can encrypt your data using the public key and decrypt using private key.
5: You can keep a session for the password prompted in step 2. During that session, you can use the symmetric key(generated from password) to encrypt/decrypt the private key.

The following code snippet shows to how to store & fetch the public key

public void setPublicKey(PublicKey publicKey, String key, Context context) {      byte[] pubKey = publicKey.getEncoded();     String pubKeyString = Base64.encodeBytes(pubKey);     this.setString(key, pubKeyString, context); }  public PublicKey getPublicKey(String key,Context context) {      PublicKey pKey = null;     try {          String pubString = this.getString(key, context);          if(pubString!=null) {             byte[] binCpk = Base64.decode(pubString);             KeyFactory keyFactory = KeyFactory.getInstance("RSA");             X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(binCpk);             pKey = keyFactory.generatePublic(publicKeySpec);         }         }catch(Exception e){     }     return pKey; } 

The following code snippet shows how to store& fetch the private key.

public void setPrivateKey(PrivateKey privateKey, String key, Context context) {      byte[] priKey = privateKey.getEncoded();     String priKeyString = Base64.encodeBytes(priKey);     this.setString(key, priKeyString, context); }  public PrivateKey getPrivateKey(String key, Context context) {      PrivateKey privateKey = null;      try {         String privateString = this.getString(key, context);         if(privateString!=null){             byte[] binCpk = Base64.decode(privateString);             KeyFactory keyFactory = KeyFactory.getInstance("RSA");             PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(binCpk);             privateKey = keyFactory.generatePrivate(privateKeySpec);         }     }      catch(Exception e){     }     return privateKey; } 

Answer 3

None of the keystores (P12, JKS, AKS) in the file system can be secure enough to hold RSA private keys. Only SmartCard or secure tokens can provide high-level security. Read this book: "Android Security Internals". In this book you will find good description of Android Security and JCA providers.