Android Key Management @Droidcon London 2014

AndroidKey ManagementRoberto Piccirillo (r.piccirillo@mseclab.com)Roberto Gassirà (r.gassira@mseclab.com)

Droidcon London 2014

AndroidKey Management Droidcon London 2014

Roberto Piccirillo

● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010

○ Android Secure Development

● GDG Rome Lab

@robpicone

Roberto Gassirà

● Senior Security Analyst - Mobile Security Lab○ Vulnerability Assessment (IT, Mobile Application)○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009■ DeepSec Vienna 2009■ HITB Amsterdam 2010

○ Android Secure Development

● GDG Rome Lab

@robgas

Android Key Management: Agenda

● Mobile Application Cryptography

● Key Management and CryptoSystem

● Crypto in Android

● Symmetric Encryption

● Symmetric Key Management

● Asymmetric key: Encryption/Digital Signature

● Keychain e AndroidKeyStore

Mobile Application Cryptography

➢ Exchange data securely:

➢ Protect Data:○ Sensitive Data

○ Backup on /sdcard

Key Management

"Key management is the management of cryptographic keys in a cryptosystem."

CryptoSystem

"refers to a suite of algorithms needed to implement a particular form of encryption and decryption"

● Two types of encryption:○ Symmetric Key Algorithms

■ Identical key for encryption/decryption

■ AES, Blowfish, DES, Triple DES

○ Asymmetric Key Algorithms■ Pair of keys (public/private) for

encryption/decryption■ RSA, DSA, ECDSA

Symmetric Key Algorithms: Ciphers

● Two types of ciphers:○ Block: Process entire blocks of fixed-length

groups of bits at a time (padding may be required)

○ Stream: Process single bit at a time(no padding)

● Block Cipher modes of operation:○ ECB: each block encrypted independently○ CBC, CFB, OFB: (feedback mode) each block

is encrypted combined with the previous encrypted block (starting from an IV)

○ CTR: each block xored with the encrypted successive values of a counter ( starting from a nonce)

Crypto in Android

● Framework based on JCA ( Java Cryptography Architecture)

● Provides API for:● Encryption/Decryption● Message digests (hashes) ● Key management● Secure random number generation

● API implemented by Cryptographic Service "Provider"

● "Dynamic" Provider:

javax.crypto.*java.security.*

Default Providers

➢ From the beginning○ Bouncy Castle (Customized):

■ Some services and API removed■ Varies between Android versions■ Fixed only in the latest versions

○ Crypto (Apache Harmony)■ Few basic services■ Only for backward compatibility

➢ From Android 4.0○ AndroidOpenSSL:

■ OpenSSL JNI■ Performance Improved■ Vulnerable to Heartbleed in 4.1.1

➢ Spongy Castle (SC)○ Repackage of Bouncy Castle○ Supports more cryptographic options○ Not vulnerable to the Heartbleed Bug○ Up-to-date

➢ GPS Dynamic Security Provider○ Available from Play Services 5.0○ Based on OpenSSL ( No Heartbleed)○ Rapid delivery of security patches○ Vendor independent !!!

Dynamic Providers

Cipher Benchmarks

Run on Google Nexus 5 Android 4.4.4

CBC CTR

Cipher Class

Secret Key Specification

Cipher getInstance

Cipher Init

Cipher Final

SecretKey Specification

javax.crypto.spec.SecretKeySpec

● SecretKeySpec specifies a key for a specific algorithm

SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");

Encryption/Decryption Key

Cryptographic Algorithm

Cipher GetInstance

javax.crypto.Cipher

● Create cryptographic cipher

Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);

Transformation (describes set of operation to perform):

• algorithm/mode/padding• algorithm

Provider( SpongyCastle )

Cipher Init

javax.crypto.Cipher

● Initializes the cipher instance with the specified operational mode, key and algorithm parameters.

cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));

Operational Mode:• ENCRYPT_MODE• DECRYPT_MODE• WRAP_MODE• UNWRAP_MODE

SecretKeySpec Specify Cipher Algorithm parameters

( IV for CBC )

Cipher Final

javax.crypto.Cipher

● Complete a multi-part transformation (encryption or decryption)

byte[] encryptedText = cipher.doFinal(clearText.getBytes());

EncryptedText in byte

ClearText in bytes

Key Generation: SecureRandom

java.security.SecureRandom

● Cryptographically secure pseudo-random number generator

SecureRandom secureRandom = new SecureRandom();

Default constructor uses the most cryptographically

strong provider available

● Seeding SecureRandom is dangerous:○ Not Secure○ Output may change

Some SecureRandom Thoughts...

● Android security team discovered in August 2013 an improper PRNG initialization for default OpenSSL provider

● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected

● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values

● Developer must explicitly initialize the PRNG

PRNGFixes.apply()

http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html

KeyGenerator keyGenerator = KeyGenerator.getInstance("AES","SC");keyGenerator.init(outputKeyLength, secureRandom);

SecretKey key = keyGenerator.generateKey();

Generate Secret Key

javax.crypto.KeyGenerator

● Symmetric cryptographic keys generator

Specify Key Size

Algorithm and Provider

Key to use in Cipher.init()

Key Management: Store on device

● Protected by Android Filesystem Isolation● Plain File● SharedPreferences● Keystore File (BKS, JKS)

● More secure with Phone Encryption

● Store safely● MODE_PRIVATE flag● Use only internal storage

/data/data/app_package

Key Management: Store on device

➢ Device rooted?

○ Check at run-time...

Key Management: Store in App● Uses static keys or device specific information at run-time

(IMEI, mac address, ANDROID_ID)

● Android app can be easily reversed

● Hide with Code obfuscationREVERS

Key Management: PBKDF2

● Password Based Key Derivation Function (PKCS#5)● Variable length password in input● Fixed length key in output

● User interaction required

● Params:○ Password○ Pseudorandom Function○ Salt○ Number of iteration○ Key Size

● Available with BC

KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec);

Key Management: PBKDF2

javax.crypto.spec.PBEKeySpec

● PBE Key specification and generation

A good PBE algorithm isPBKDF2WithHmacSHA1

User Password

N. >= 1000

SecretKeyFactory factory;if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT)

// Use compatibility key factory -- only uses lower 8-bits of passphrase charsfactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");

else if (Build.VERSION.SDK_INT >= 10)// Traditional key factory. Will use lower 8-bits of passphrase chars on

// older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");else // FIX for Android 8,9

factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");

SecretKeyFactory API in Android 4.4

Key Management: Other solutions

● Store on server side● Internet connection required● Use trusted and protected connections (HTTPS, Certificate

Pinning)

● Store on external device● NFC Java Card (NXP J3A081)● Smartcard● USB PenDrive● MicroSD with secure storage

● AndroidKeyStore???

Asymmetric Algorithms

● Public/Private Key○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign

● Advantages:○ Public Key distribution is not dangerous

● Disadvantages:○ Computationally expensive

● Usually used with PKI (Public Key Infrastructure for digital certificates)

Public-key Applications

● Can classify uses into 3 categories:

○ Encryption/Decryption (provides Confidentiality)

○ Digital Signatures (provides Authentication and Integrity)

○ Key Exchange (of Session Keys)

● Some algorithms are suitable for all uses (RSA), others are specific to one

PKCS for Asymmetric Algorithms

● PKCS is a group of public-key cryptography standards published by RSA Security Inc

● PKCS#1 (v.2.1)○ RSA Cryptography Standard

● PKCS#3 (v.1.4)○ Diffie-Hellman Key Agreement Standard

● PKCS#8 (v.1.2)○ Private-Key Information Syntax Standard

● PKCS#10 (v.1.7)○ Certification Request Standard

● PKCS#12 (v.1.0)○ Personal Information Exchange Syntax Standard

Android: RSA

KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA");

Java.security.KeyPairGenerator

● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms

Cryptographic Algorithm

Available Providers for RSA Algorithm

KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);

● Different security providers could be used (could change for different OS versions)

“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”

Version 1.0Version 1.49Version 1.0

● KeySize – 1024,2048,4096 bits

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048);

Key Size

● KeyPairGenerator initialization with the key size

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr);

Java.security.KeyPairGenerator, Java.security.SecureRandom

● KeyPairGenerator initialization with a SecureRandom

SecureRandom sr = new SecureRandom();

Generating RSA Key

Java.security.KeyPair

● KeyPair is a container for a public/private key generated by the KeyPairGenerator

KeyPair keypair = kpg.genKeyPair()

● We can retrieve public/private keys from KeyPair

Key public_key = kaypair.getPublic();

Key private_key = kaypair.getPrivate();

Using RSA Keys: cipher example

Javax.crypto.Cipher

● Cipher provides access to implementation of cryptography ciphers for encryption and decryption

Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);

Transformation“AndroidOpenSSL”“BC”“AndroidKeyStore”“GmsCore_OpenSSL”

Using RSA Key: cipher example

Javax.crypto.Cipher

● Encryption

cipher.init(Cipher.ENCRYPT_MODE,public_key);

● Decryption

byte[] encrypted_data=cipher.doFinal(“DroidconUK-2014”.getBytes());

cipher.init(Cipher.DECRYPT_MODE,private_key);

byte[] decrypted_data=cipher.doFinal(cipherd_data);

Parameters of RSA Keys

java.security.KeyFactory, java.security.spec,

● Retrieve RSA Key parameters using KeyFactory

RSAPublicKeySpec rsa_public= keyfactory.getKeySpec(keypair.getPublic(),

RSAPublicKeySpec.class);

RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(),

RSAPrivateKeySpec.class);

Extract Parameters of RSA Keys

Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec

● Retrieved parameters can be stored

BigInteger m = rsa_public.getModulus();

BigInteger e = rsa_public.getPublicExponent();

BigInteger d = rsa_private.getPrivateExponent();

Is Private

AndroidKeyStore

● Custom Java Security Provider available from Android 4.3 version and beyond

● An App can generate and save private keys

● Keys are private for each App

● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored

● ECDSA support added from Android 4.4

Key Management Evolution

API LEVEL 14 API LEVEL 18

Global Level:KeyChain( Public API )

App Level:KeyStore( Closed API )

Global Level Only:

Default TrustStorecacerts.bks

(ROOTED device)

Global Level:KeyChain( Public API )

App Level and per User Level:AndroidKeyStore( Public API )

AndroidKeyStore Storage

● Two kinds of storage

○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3)○ Secure Element ○ TPM○ TrustZone

○ Software only (Other devices with OS >= 4.3)

Type of Storage

import android.security.KeyChain;

if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only

Certificate parameters

Context cx = getActivity();

String pkg = cx.getPackageName();

Calendar notBefore = Calendar.getInstance();

Calendar notAfter = Calendar.getInstance();

notAfter.add(1, Calendar.YEAR);

import android.security.KeyPairGeneratorSpec.Builder;

Builder builder = new KeyPairGeneratorSpec.Builder(cx);

builder.setAlias(“DEVKEY1”);

String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg);

builder.setSubject(new X500Principal(infocert));

builder.setSerialNumber(BigInteger.ONE);

builder.setStartDate(notBefore.getTime());

builder.setEndDate(notAfter.getTime());

KeyPairGeneratorSpec spec = builder.build();

Time parameters

Self-Signed X.509● Common Name(CN)● Subject(OU)● Serial Number

Generate certificate

ALIAS to index the certificate

Generating Public/Private keys

KeyPairGenerator kpGenerator;

kpGenerator = KeyPairGenerator

.getInstance("RSA", "AndroidKeyStore");

kpGenerator.initialize(spec);

KeyPair kp;

kp = kpGenerator.generateKeyPair();

Engine to generate Public/Private key

Init Engine with:● RSA Algorithm● Provider: AndroidKeyStore

Init Engine with certificate parameters

After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS

● Generating Private/Public key

AndroidKeyStore Initialization

keyStore = KeyStore.getInstance("AndroidKeyStore");

keyStore.load(null);

Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS

Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not

used the App will crash

Get a reference to the AndroidKeyStore

RSA Encryption

● Encryption○ Confidentiality ○ RSA Public key to Encrypt○ RSA Private key to Decrypt

KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);

PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry)

.getCertificate().getPublicKey();

String textToEncrypt = new String(”DroidconUK-2014");

Cipher encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);

byte[] encryptedText = encCipher.doFinal(byteTextToEncrypt);

Access to Public key to encrypt

● Algorithm● Encryption with

Public key

Ciphered

Access to keys identified by ALIAS

RSA Decryption

Cipher decCipher = null;

byte[] plainTextByte = null;

decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

decCipher.init(Cipher.DECRYPT_MODE,

((KeyStore.PrivateKeyEntry) entry).getPrivateKey());

plainTextByte = decCipher.doFinal(byteEcryptedText);

String plainText = new String(plainTextByte);

Algorithm

Decryption with Private key

Plaintext

s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate());

s.update(data);

boolean valid = s.verify(signature);

RSA Digital Signature

● Digital Signature○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign○ RSA Public Key to Verify

KeyStore.Entry entry = keyStore.getEntry(“DEVKEY1”, null);

s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());

Access to Private/Public key identified by ALIAS

Private key to sign

Public Key in certificate to verify

signature

Issue 61989 …

KeyChain

● KeyChain○ Accessible by any Application

● Typically used for corporate certificates

Example: Import Certificates

● Import .p12 certificates

Intent intent = KeyChain.createInstallIntent();

byte[] p12 = readFile(“CERTIFICATE_NAME.p12”);

Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);

Specify PKCS#12 Key to install

startActivity(intent);The user will be prompted for the password

KeyChain.choosePrivateKeyAlias(Activity activity,KeyChainAliasCallBack response,String[] keyTypes,Principal[] issuers,String host,Int port,String Alias);

Example: Retrieve the key

● The KeyChainAliasCallback invoked when a user chooses a certificate/private key

@Overridepublic void alias(String alias){

.PrivateKey private_key = KeyChain. getPrivateKey(this,alias);

.X509Certificate[] chain = KeyChain. getCertificateChain(this,”DroidconUK-2014”);

.PublicKey public_key = chain[0].getPublicKey();

Example: Retrieve and use the keys

Private Key

Public Key

● KeyChainAliasCallbak must implement the abstract method alias:

References● http://developer.android.com/about/versions/android-4.3.html#Security

● http://developer.android.com/reference/java/security/KeyStore.html

● http://en.wikipedia.org/wiki/Encryption

● http://en.wikipedia.org/wiki/Digital_signature

● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html

● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html

● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html

● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html

● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html

● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-credentials.html

● http://www.bouncycastle.org/

● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html

● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html

● http://en.wikipedia.org/wiki/PKCS

● http://developer.android.com/reference/android/security/KeyChain.html

● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html

Thank youQ&A

www.mseclab.comwww.consulthink.it

research@mseclab.com

Android Key Management @Droidcon London 2014

Mobile

Droidcon 2011: Android in Social Networks - Jens Mücke, XING

Android Accessibility - DroidCon Berlin 2015

Archos Android based connected home solution - DroidCon Paris 2014

Droidcon London 2013 - Coding for Android consoles

Introduction to open gl in android droidcon - slides

Open tok Android sdk - Droidcon

Droidcon Eastern Europe 2013 - Efficient REST client Android applications

Level Up Your Android Build -Droidcon Berlin 2015

DroidCon Spain - Custom Views on Android

Clean code on Android (Droidcon Dubai 2015)

Unit testing on Android (Droidcon Dubai 2015)

Making Money on Android - Droidcon London 2010

Droidcon London 2012 mini review

Geolocalización en Android - GPMESS en Droidcon Spain

Android for Healthcare - Droidcon London 2013

Android On Your Sleeve - DroidCon Montreal 2015

Droidcon it 2015: Android Lollipop for Enterprise

Mirror - Android UI on steroids: Droidcon Cracow 2014

Kill design specs @ Droidcon London 2014

Byte Code Manipulation for Android - Droidcon Paris 2014