The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,497 other followers

Some links on keystore, encryption and decryption on Android

Posted by jpluimers on 2019/02/06

For my link archive:

 

Basically:

  • storing encrypted data plus IV in preferences is OK
  • store the symmetric encryption key (for instance an AES one) in the keystore for the application
  • likely a salt is also needed, then store the salt with the IV and encrypted data

–jeroen

Presumptions:

  • The keystore of a specific application UUID is only accessible by only that application UUID when the device has been unlocked by the user
  • The keystore saves credentials in a secure way
  • It is OK to save both the encrypted data and associated IV

Approach (plain data is “hashed application PIN”, encrypted data is “encrypted hashed application PIN”:

  1. store a symmetric AES key in the application key store
  2. after entering application PIN:
    1. hash the application PIN
    2. use the hashed application PIN to to enter the application
    3. from the keystore, obtain the symmetric AES key
    4. create a cipher based on the AES key
    5. use the cipher to obtain an IV, and to encrypt the hashed application PIN
    6. store the encrypted hashed application PIN and IV both in the application preferences
  3. when needing to enter the application, present the user to either enter the application PIN again or proof that they can pass the device unlock sequence (using an unlock activity)
    1. if the user provided the application PIN, then:
      1. hash the application PIN
      2. try to enter the application with the hashed application PIN
    2. proved the device unlock, then:
      1. from the preferences, obtain the IV and encrypted hashed application PIN
      2. from the keystore, obtain the symmetric AES key
      3. create a cipher based on the AES key
      4. decrypt the encrypted hashed application PIN using the cipher and the IV into the hashed application PIN
      5. try to enter the application with the hashed application PIN

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

 
%d bloggers like this: