During the creation of simple messaging android application that is to encrypt/decrypt messages and send them through internet, I decided to use RSA public/private key encryption. Question is how to store private key, so that even if phone is maliciously rooted, the key would stay safe? As far as I understood, KeyStore is used for certificates, and cannot be used for this? Should I encrypt private key as text file with AES? I have very little experience with security, so please feel free to correct my ideas, and give your opinion!
Kind Regards.
ssh/id_rsa and the public key is stored in ~/. ssh/id_rsa. pub . The private key should only be kept on your local system and should be encrypted using a passphrase that is at least as strong as any password you would normally use.
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
A CA's private key should be stored in hardware-based protection, such as a Hardware Security Module (HSM). This provides tamper-resistant secure storage. A Private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token.
RSA is a public-key or asymmetric crypto system. It uses a public key for encryption and a private key for decryption. Anyone can use the public key to encrypt a message but it can be decrypted only by the private key owner.
I think KeyStore could be suitable for your use. It is able to store RSA keys and encrypts them using AES so even with root access, they cannot be extracted without the password or bruteforcing.
There's a good post here about using KeyStore: http://nelenkov.blogspot.fr/2012/05/storing-application-secrets-in-androids.html
You can persist your RSA public/private key using SharedPreference on android. In order to keep your keys safe when the phone is maliciously rooted, you can do the following steps:
1: When you want to ecrypt any data generate a key pair.
2: Prompt the user for a password.
3: Use that password to generate a symmetric key to encrypt your private key.
4: You can encrypt your data using the public key and decrypt using private key.
5: You can keep a session for the password prompted in step 2. During that session, you can use the symmetric key(generated from password) to encrypt/decrypt the private key.
The following code snippet shows to how to store & fetch the public key
public void setPublicKey(PublicKey publicKey, String key, Context context) { byte[] pubKey = publicKey.getEncoded(); String pubKeyString = Base64.encodeBytes(pubKey); this.setString(key, pubKeyString, context); } public PublicKey getPublicKey(String key,Context context) { PublicKey pKey = null; try { String pubString = this.getString(key, context); if(pubString!=null) { byte[] binCpk = Base64.decode(pubString); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(binCpk); pKey = keyFactory.generatePublic(publicKeySpec); } }catch(Exception e){ } return pKey; }
The following code snippet shows how to store& fetch the private key.
public void setPrivateKey(PrivateKey privateKey, String key, Context context) { byte[] priKey = privateKey.getEncoded(); String priKeyString = Base64.encodeBytes(priKey); this.setString(key, priKeyString, context); } public PrivateKey getPrivateKey(String key, Context context) { PrivateKey privateKey = null; try { String privateString = this.getString(key, context); if(privateString!=null){ byte[] binCpk = Base64.decode(privateString); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(binCpk); privateKey = keyFactory.generatePrivate(privateKeySpec); } } catch(Exception e){ } return privateKey; }
None of the keystores (P12, JKS, AKS) in the file system can be secure enough to hold RSA private keys. Only SmartCard or secure tokens can provide high-level security. Read this book: "Android Security Internals". In this book you will find good description of Android Security and JCA providers.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With