Android Key Management @Droidcon London 2014
-
Upload
consulthinkspa -
Category
Mobile
-
view
1.091 -
download
1
description
Transcript of Android Key Management @Droidcon London 2014
AndroidKey ManagementRoberto Piccirillo ([email protected])Roberto Gassirà ([email protected])
Droidcon London 2014
AndroidKey Management Droidcon London 2014
Roberto Piccirillo
● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robpicone
AndroidKey Management Droidcon London 2014
Roberto Gassirà
● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection
■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010
○ Android Secure Development
● GDG Rome Lab
@robgas
AndroidKey Management Droidcon London 2014
Android Key Management: Agenda
● Mobile Application Cryptography
● Key Management and CryptoSystem
● Crypto in Android
● Symmetric Encryption
● Symmetric Key Management
● Asymmetric key: Encryption/Digital Signature
● Keychain e AndroidKeyStore
AndroidKey Management Droidcon London 2014
Mobile Application Cryptography
➢ Exchange data securely:
➢ Protect Data:○ Sensitive Data
○ Backup on /sdcard
AndroidKey Management Droidcon London 2014
Key Management
"Key management is the management of cryptographic keys in a cryptosystem."
AndroidKey Management Droidcon London 2014
CryptoSystem
"refers to a suite of algorithms needed to implement a particular form of encryption and decryption"
● Two types of encryption:○ Symmetric Key Algorithms
■ Identical key for encryption/decryption
■ AES, Blowfish, DES, Triple DES
○ Asymmetric Key Algorithms■ Pair of keys (public/private) for
encryption/decryption■ RSA, DSA, ECDSA
AndroidKey Management Droidcon London 2014
Symmetric Key Algorithms: Ciphers
● Two types of ciphers:○ Block: Process entire blocks of fixed-length
groups of bits at a time (padding may be required)
○ Stream: Process single bit at a time(no padding)
● Block Cipher modes of operation:○ ECB: each block encrypted independently○ CBC, CFB, OFB: (feedback mode) each block
is encrypted combined with the previous encrypted block (starting from an IV)
○ CTR: each block xored with the encrypted successive values of a counter ( starting from a nonce)
ECB
CBC
AndroidKey Management Droidcon London 2014
Crypto in Android
● Framework based on JCA ( Java Cryptography Architecture)
● Provides API for:● Encryption/Decryption● Message digests (hashes) ● Key management● Secure random number generation
● API implemented by Cryptographic Service "Provider"
● "Dynamic" Provider:
javax.crypto.*java.security.*
AndroidKey Management Droidcon London 2014
Default Providers
➢ From the beginning○ Bouncy Castle (Customized):
■ Some services and API removed■ Varies between Android versions■ Fixed only in the latest versions
○ Crypto (Apache Harmony)■ Few basic services■ Only for backward compatibility
➢ From Android 4.0○ AndroidOpenSSL:
■ OpenSSL JNI■ Performance Improved■ Vulnerable to Heartbleed in 4.1.1
AndroidKey Management Droidcon London 2014
➢ Spongy Castle (SC)○ Repackage of Bouncy Castle○ Supports more cryptographic options○ Not vulnerable to the Heartbleed Bug○ Up-to-date
➢ GPS Dynamic Security Provider○ Available from Play Services 5.0○ Based on OpenSSL ( No Heartbleed)○ Rapid delivery of security patches○ Vendor independent !!!
Dynamic Providers
AndroidKey Management Droidcon London 2014
Cipher Benchmarks
Run on Google Nexus 5 Android 4.4.4
CBC CTR
AndroidKey Management Droidcon London 2014
Cipher Class
Secret Key Specification
Cipher getInstance
Cipher Init
Cipher Final
AndroidKey Management Droidcon London 2014
SecretKey Specification
javax.crypto.spec.SecretKeySpec
● SecretKeySpec specifies a key for a specific algorithm
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
Encryption/Decryption Key
Cryptographic Algorithm
AndroidKey Management Droidcon London 2014
Cipher GetInstance
javax.crypto.Cipher
● Create cryptographic cipher
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);
Transformation (describes set of operation to perform):
• algorithm/mode/padding• algorithm
Provider( SpongyCastle )
AndroidKey Management Droidcon London 2014
Cipher Init
javax.crypto.Cipher
● Initializes the cipher instance with the specified operational mode, key and algorithm parameters.
cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));
Operational Mode:• ENCRYPT_MODE• DECRYPT_MODE• WRAP_MODE• UNWRAP_MODE
SecretKeySpec Specify Cipher Algorithm parameters
( IV for CBC )
AndroidKey Management Droidcon London 2014
Cipher Final
javax.crypto.Cipher
● Complete a multi-part transformation (encryption or decryption)
byte[] encryptedText = cipher.doFinal(clearText.getBytes());
EncryptedText in byte
ClearText in bytes
AndroidKey Management Droidcon London 2014
Key Generation: SecureRandom
java.security.SecureRandom
● Cryptographically secure pseudo-random number generator
SecureRandom secureRandom = new SecureRandom();
Default constructor uses the most cryptographically
strong provider available
● Seeding SecureRandom is dangerous:○ Not Secure○ Output may change
AndroidKey Management Droidcon London 2014
Some SecureRandom Thoughts...
● Android security team discovered in August 2013 an improper PRNG initialization for default OpenSSL provider
● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected
● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values
● Developer must explicitly initialize the PRNG
PRNGFixes.apply()
http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html
AndroidKey Management Droidcon London 2014
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC");keyGenerator.init(outputKeyLength, secureRandom);
SecretKey key = keyGenerator.generateKey();
Generate Secret Key
javax.crypto.KeyGenerator
● Symmetric cryptographic keys generator
Specify Key Size
Algorithm and Provider
Key to use in Cipher.init()
AndroidKey Management Droidcon London 2014
Key Management: Store on device
● Protected by Android Filesystem Isolation● Plain File● SharedPreferences● Keystore File (BKS, JKS)
● More secure with Phone Encryption
● Store safely● MODE_PRIVATE flag● Use only internal storage
/data/data/app_package
AndroidKey Management Droidcon London 2014
Key Management: Store on device
➢ Device rooted?
○ Check at run-time...
AndroidKey Management Droidcon London 2014
Key Management: Store in App● Uses static keys or device specific information at run-time
(IMEI, mac address, ANDROID_ID)
● Android app can be easily reversed
● Hide with Code obfuscationREVERS
ING
AndroidKey Management Droidcon London 2014
Key Management: PBKDF2
● Password Based Key Derivation Function (PKCS#5)● Variable length password in input● Fixed length key in output
● User interaction required
● Params:○ Password○ Pseudorandom Function○ Salt○ Number of iteration○ Key Size
● Available with BC
AndroidKey Management Droidcon London 2014
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec);
Key Management: PBKDF2
javax.crypto.spec.PBEKeySpec
● PBE Key specification and generation
A good PBE algorithm isPBKDF2WithHmacSHA1
User Password
N. >= 1000
AndroidKey Management Droidcon London 2014
SecretKeyFactory factory;if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT)
// Use compatibility key factory -- only uses lower 8-bits of passphrase charsfactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");
else if (Build.VERSION.SDK_INT >= 10)// Traditional key factory. Will use lower 8-bits of passphrase chars on
// older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");else // FIX for Android 8,9
factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");
SecretKeyFactory API in Android 4.4
AndroidKey Management Droidcon London 2014
Key Management: Other solutions
● Store on server side● Internet connection required● Use trusted and protected connections (HTTPS, Certificate
Pinning)
● Store on external device● NFC Java Card (NXP J3A081)● Smartcard● USB PenDrive● MicroSD with secure storage
● AndroidKeyStore???
AndroidKey Management Droidcon London 2014
Asymmetric Algorithms
● Public/Private Key○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign
● Advantages:○ Public Key distribution is not dangerous
● Disadvantages:○ Computationally expensive
● Usually used with PKI (Public Key Infrastructure for digital certificates)
AndroidKey Management Droidcon London 2014
Public-key Applications
● Can classify uses into 3 categories:
○ Encryption/Decryption (provides Confidentiality)
○ Digital Signatures (provides Authentication and Integrity)
○ Key Exchange (of Session Keys)
● Some algorithms are suitable for all uses (RSA), others are specific to one
AndroidKey Management Droidcon London 2014
PKCS for Asymmetric Algorithms
● PKCS is a group of public-key cryptography standards published by RSA Security Inc
● PKCS#1 (v.2.1)○ RSA Cryptography Standard
● PKCS#3 (v.1.4)○ Diffie-Hellman Key Agreement Standard
● PKCS#8 (v.1.2)○ Private-Key Information Syntax Standard
● PKCS#10 (v.1.7)○ Certification Request Standard
● PKCS#12 (v.1.0)○ Personal Information Exchange Syntax Standard
AndroidKey Management Droidcon London 2014
Android: RSA
KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA");
Java.security.KeyPairGenerator
● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms
Cryptographic Algorithm
AndroidKey Management Droidcon London 2014
Available Providers for RSA Algorithm
KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);
Java.security.KeyPairGenerator
● Different security providers could be used (could change for different OS versions)
“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”
Version 1.0Version 1.49Version 1.0
AndroidKey Management Droidcon London 2014
● KeySize – 1024,2048,4096 bits
KeyPairGenerator: Initialization and Randomness
KeyPairGenerator kpg = KeyPairGenerator.initialize(2048);
Key Size
Java.security.KeyPairGenerator
● KeyPairGenerator initialization with the key size
AndroidKey Management Droidcon London 2014
KeyPairGenerator: Initialization and Randomness
KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr);
Java.security.KeyPairGenerator, Java.security.SecureRandom
● KeyPairGenerator initialization with a SecureRandom
SecureRandom sr = new SecureRandom();
AndroidKey Management Droidcon London 2014
Generating RSA Key
Java.security.KeyPair
● KeyPair is a container for a public/private key generated by the KeyPairGenerator
KeyPair keypair = kpg.genKeyPair()
● We can retrieve public/private keys from KeyPair
Key public_key = kaypair.getPublic();
Key private_key = kaypair.getPrivate();
AndroidKey Management Droidcon London 2014
Using RSA Keys: cipher example
Javax.crypto.Cipher
● Cipher provides access to implementation of cryptography ciphers for encryption and decryption
Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);
Transformation“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”
AndroidKey Management Droidcon London 2014
Using RSA Key: cipher example
Javax.crypto.Cipher
● Encryption
cipher.init(Cipher.ENCRYPT_MODE,public_key);
● Decryption
byte[] encrypted_data=cipher.doFinal(“DroidconUK-2014”.getBytes());
cipher.init(Cipher.DECRYPT_MODE,private_key);
byte[] decrypted_data=cipher.doFinal(cipherd_data);
AndroidKey Management Droidcon London 2014
Parameters of RSA Keys
java.security.KeyFactory, java.security.spec,
● Retrieve RSA Key parameters using KeyFactory
RSAPublicKeySpec rsa_public= keyfactory.getKeySpec(keypair.getPublic(),
RSAPublicKeySpec.class);
RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(),
RSAPrivateKeySpec.class);
AndroidKey Management Droidcon London 2014
Extract Parameters of RSA Keys
Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec
● Retrieved parameters can be stored
BigInteger m = rsa_public.getModulus();
BigInteger e = rsa_public.getPublicExponent();
BigInteger d = rsa_private.getPrivateExponent();
Is Private
AndroidKey Management Droidcon London 2014
AndroidKeyStore
● Custom Java Security Provider available from Android 4.3 version and beyond
● An App can generate and save private keys
● Keys are private for each App
● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored
● ECDSA support added from Android 4.4
AndroidKey Management Droidcon London 2014
Key Management Evolution
API LEVEL 14 API LEVEL 18
Global Level:KeyChain( Public API )
App Level:KeyStore( Closed API )
Global Level Only:
Default TrustStorecacerts.bks
(ROOTED device)
Global Level:KeyChain( Public API )
App Level and per User Level:AndroidKeyStore( Public API )
AndroidKey Management Droidcon London 2014
AndroidKeyStore Storage
● Two kinds of storage
○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3)○ Secure Element ○ TPM○ TrustZone
○ Software only (Other devices with OS >= 4.3)
AndroidKey Management Droidcon London 2014
Type of Storage
import android.security.KeyChain;
if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only
AndroidKey Management Droidcon London 2014
Certificate parameters
Context cx = getActivity();
String pkg = cx.getPackageName();
Calendar notBefore = Calendar.getInstance();
Calendar notAfter = Calendar.getInstance();
notAfter.add(1, Calendar.YEAR);
import android.security.KeyPairGeneratorSpec.Builder;
Builder builder = new KeyPairGeneratorSpec.Builder(cx);
builder.setAlias(“DEVKEY1”);
String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg);
builder.setSubject(new X500Principal(infocert));
builder.setSerialNumber(BigInteger.ONE);
builder.setStartDate(notBefore.getTime());
builder.setEndDate(notAfter.getTime());
KeyPairGeneratorSpec spec = builder.build();
Time parameters
Self-Signed X.509● Common Name(CN)● Subject(OU)● Serial Number
Generate certificate
ALIAS to index the certificate
AndroidKey Management Droidcon London 2014
Generating Public/Private keys
KeyPairGenerator kpGenerator;
kpGenerator = KeyPairGenerator
.getInstance("RSA", "AndroidKeyStore");
kpGenerator.initialize(spec);
KeyPair kp;
kp = kpGenerator.generateKeyPair();
Engine to generate Public/Private key
Init Engine with:● RSA Algorithm● Provider: AndroidKeyStore
Init Engine with certificate parameters
After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS
● Generating Private/Public key
AndroidKey Management Droidcon London 2014
AndroidKeyStore Initialization
keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS
Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not
used the App will crash
Get a reference to the AndroidKeyStore
AndroidKey Management Droidcon London 2014
RSA Encryption
● Encryption○ Confidentiality ○ RSA Public key to Encrypt○ RSA Private key to Decrypt
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry)
.getCertificate().getPublicKey();
String textToEncrypt = new String(”DroidconUK-2014");
Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);
byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt);
Access to Public key to encrypt
● Algorithm● Encryption with
Public key
Ciphered
Access to keys identified by ALIAS
AndroidKey Management Droidcon London 2014
RSA Decryption
Cipher decCipher = null;
byte[] plainTextByte = null;
decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
decCipher.init(Cipher.DECRYPT_MODE,
((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
plainTextByte = decCipher.doFinal(byteEcryptedText);
String plainText = new String(plainTextByte);
Algorithm
Decryption with Private key
Plaintext
AndroidKey Management Droidcon London 2014
s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());
s.update(data);
boolean valid = s.verify(signature);
RSA Digital Signature
● Digital Signature○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign○ RSA Public Key to Verify
KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);
s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
Access to Private/Public key identified by ALIAS
Private key to sign
Public Key in certificate to verify
signature
AndroidKey Management Droidcon London 2014
Issue 61989 …
AndroidKey Management Droidcon London 2014
KeyChain
● KeyChain○ Accessible by any Application
● Typically used for corporate certificates
AndroidKey Management Droidcon London 2014
Example: Import Certificates
● Import .p12 certificates
Intent intent = KeyChain.createInstallIntent();
byte[] p12 = readFile(“CERTIFICATE_NAME.p12”);
Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);
Specify PKCS#12 Key to install
startActivity(intent);The user will be prompted for the password
AndroidKey Management Droidcon London 2014
KeyChain.choosePrivateKeyAlias(Activity activity,KeyChainAliasCallBack response,String[] keyTypes,Principal[] issuers,String host,Int port,String Alias);
Example: Retrieve the key
● The KeyChainAliasCallback invoked when a user chooses a certificate/private key
AndroidKey Management Droidcon London 2014
@Overridepublic void alias(String alias){
.
.PrivateKey private_key = KeyChain. getPrivateKey(this,alias);
.
.X509Certificate[] chain = KeyChain. getCertificateChain(this,”DroidconUK-2014”);
.PublicKey public_key = chain[0].getPublicKey();
}
Example: Retrieve and use the keys
Private Key
Public Key
● KeyChainAliasCallbak must implement the abstract method alias:
AndroidKey Management Droidcon London 2014
References● http://developer.android.com/about/versions/android-4.3.html#Security
● http://developer.android.com/reference/java/security/KeyStore.html
● http://en.wikipedia.org/wiki/Encryption
● http://en.wikipedia.org/wiki/Digital_signature
● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html
● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html
● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html
● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html
● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html
● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-credentials.html
● http://www.bouncycastle.org/
● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html
● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html
● http://en.wikipedia.org/wiki/PKCS
● http://developer.android.com/reference/android/security/KeyChain.html
● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html
AndroidKey Management Droidcon London 2014
Thank youQ&A
www.mseclab.comwww.consulthink.it