consulthink @ gdg meets u - l'aquila2014 - codelab: android security -il key management

Android Security Key Management

Roberto Piccirillo (r.piccirillo@mseclab.com) Roberto Gassirà (r.gassira@mseclab.com)

Roberto Piccirillo

● Senior Security Analyst - Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009 ■ DeepSec Vienna 2009 ■ HITB Amsterdam 2010

○ Android Secure Development

@robpicone

Roberto Gassirà

● Senior Security Analyst - Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Hijacking Mobile Data Connection

■ BlackHat Europe 2009 ■ DeepSec Vienna 2009 ■ HITB Amsterdam 2010

○ Android Secure Development

● IpTrack Developer

@robgas

Agenda

● Cryptography in Mobile Application

● CryptoSystem

● Crypto in Android

● Symmetric Encryption

● Symmetric Key Management

● Keychain e AndroidKeyStore

● Tipologie di AndroidKeyStore

Requirements

● A computer

● Eclipse with ADT Plugin 22.3.0

● SDK Android 4.4 ( API 19 rev 2)

● Android SDK Build-tools 19

Cryptography in Mobile Applications

● Protect data ○ Sensitive data ○ Data on /sdcard ○ Cryptographic material

● Exchange data securely ○ Documents ○ Mail ○ SMS ○ Session Keys

● Digital Signature ○ Documents ○ Mail

Key Management

"Key management is the management of cryptographic keys in a cryptosystem."

CryptoSystem

"refers to a suite of algorithms needed to implement a particular form of encryption and decryption"

● ● Two types of encryption:

○ Symmetric Key Algorithms ■ Identical encryption key for

encryption/decryption ■ AES, Blowfish, DES, Triple DES

○ Asymmetric Key Algorithms

■ Different key for encryption/decryption

■ RSA, DSA, ECDSA

Ciphers

● Two types of ciphers: ○ Block: Process entire blocks of fixed-length

groups of bits at a time ( padding may be required)

○ Stream: Process single byte at a time ( no padding )

● Block Cipher modes of operation ○ ECB: each block encrypted independently ○ CBC, CFB, OFB: the previous block of

output is used to alter the input blocks before applying the encryption algorithm starting from a IV ( initialization vector )

Crypto in Android

● Based on JCA ( Java Cryptographic Architecture) provides API for: ● Encryption/Decryption ● Digital signatures ● Message digests (hashes) ● Key management ● Secure random number

generation

● “Provider” Architecture with CSP

● Bouncy Castle is Android default CSP

Bouncy Castle Android Version

● Customized: ○ Some services and API removed

● Varies between Android versions ● Fixed only in the latest versions

● Solution: Spongy Castle

● Repackage of Bouncy Castle ● Supports more cryptographic options ● Up-to-date ● Not vulnerable to the Heartbleed Bug

(CVE-2014-0160)

Set Spongy Castle

● Include Libs:

● Enable at Application Level:

GC overhead limit exceeded

● Solution: modify eclipse.ini with: -Xms256m

-Xmx1024m -XX:MaxPermSize=1024m

Step 1 Enabling SpongyCastle

https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step1.git

Import Project from https://github.com/mseclab

https://github.com/mseclab/droidconit2014-symmetric-demo-step3.git

The project cannot be built...

Cipher Object

Secret Key Specification

Cipher getInstance

Cipher Init

Cipher Final

SecretKey Specification

javax.crypto.spec.SecretKeySpec

● SecretKeySpec specifies a key for a specific algorithm

SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");

Topic of this workshop

Cryptographic Algorithm

Cipher GetInstance

javax.crypto.Cipher

● Provides access to implementations of cryptographic ciphers

for encryption and decryption

Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding”,“SC”);

Trasformation (describes set of operation to perform): • algorithm/mode/padding • algorithm

Provider ( SpongyCastle )

Cipher Init

javax.crypto.Cipher

● Initializes the cipher instance with the specified operational

mode, key and algorithm parameters.

cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));

Operational Mode: • ENCRYPT_MODE • DECRYPT_MODE • WRAP_MODE • UNWRAP_MODE

SecretKeySpec Specify Cipher Algorithm parameters

( IV for CBC )

Cipher Final

javax.crypto.Cipher

● Finishes a multi-part transformation (encryption or decryption)

byte[] encryptedText = cipher.doFinal(clearText.getBytes());

Encrypted Text in byte

ClearText in bytes

Step 2 Encryption Example

SecureRandom

java.security.SecureRandom

● Cryptographically secure pseudo-random number generator

SecureRandom secureRandom = new SecureRandom();

Default constructor uses the most cryptographically

strong provider available

● Seeding SecureRandom is dangerous: ○ Not Secure ○ Output may change

Some SecureRandom Thoughts...

● Android security team discovered a JCA improper PRNG initialization in August 2013

● Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected

● Key Generation, Signing or Random Number Generation not receiving cryptographically strong values

● Developer must explicitly initialize the PRNG

PRNGFixes.apply()

KeyGenerator keyGenerator = KeyGenerator.getInstance("AES”,“SC”); keyGenerator.init(outputKeyLength, secureRandom); SecretKey key = keyGenerator.generateKey();

Generate Secret Key

javax.crypto.KeyGenerator

● Symmetric cryptographic keys generator API

Specify Key Size

Algorithm and Provider

Key to use in Cipher.init()

Key Management: Store on device

● Protected by Android Filesystem Isolation ● Plain File ● SharedPreferences ● Keystore File (BKS, JKS)

● More secure with Phone Encryption

● Store safely ○ MODE_PRIVATE flag ○ Use only internal storage

/data/data/app_package

Key Management: Store on device

● Device Rooted?

Step 3 Rooted device demo

Key Management: Store in App

● Uses static keys or device specific information at run-time (IMEI, mac address, ANDROID_ID)

● Android app can be easily reversed ( live demo )

● Hide with Code obfuscation

● Security by Obscurity is never a good idea...

Key Management: Store in App

● unzip: APK -> DEX

● dex2jar: DEX -> JAR

● JD-GUI: JAR -> Source

Reversing Demo

Key Management: PBKDF2

● Password Based Key Derivation Function (PKCS#5) ● Variable length password in input ● Fixed length key in output

● User interaction required

● Params:

○ Password ○ Pseudorandom Function ○ Salt ○ Number of iteration ○ Key Size

KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec);

Key Management: PBKDF2

javax.crypto.spec.PBEKeySpec

● PBE Key specification and generation

A good PBE algorithm is PBKDF2WithHmacSHA1

User Password

N. >= 1000

SecretKeyFactory factory; if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) // Use compatibility key factory -- only uses lower 8-bits of passphrase chars factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit"); else if (Build.VERSION.SDK_INT >= 10) // Traditional key factory. Will use lower 8-bits of passphrase chars on // older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); else // FIX for Android 8,9 factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC");

SecretKeyFactory API in Android 4.4

Step 4 PBE Example

Key Management: Other solutions

● Store on server side ● Internet connection required ● Use trusted and protected connections (HTTPS, Certificate

Pinning)

● Store on external device

○ NFC Java Card (NXP J3A081) ○ Smartcard ○ USB PenDrive ○ MicroSD with secure storage

● AndroidKeyStore???

Asymmetric Algorithms

● Public/Private Key ○ Public Key -> encrypt/verify signature ○ Private Key -> decrypt/sign

● Advantages: ○ Public Key distribution is not dangerous

● Disadvantages: ○ Computationally expensive

● Usually used with PKI (Public Key Infrastructure for digital

certificates)

Public-key Applications

● Can classify uses into 3 categories: ○ Encryption/Decryption (provides confidentiality)

○ Digital Signatures (provides authentication and Integrity)

○ Key Exchange (of session keys)

● Some algorithms are suitable for all uses (RSA), others are specific to one

PKCS for Asymmetric Algorithms

● PKCS is a group of public-key cryptography standards published by RSA Security Inc

● PKCS#1 (v.2.1) ○ RSA Cryptography Standard

● PKCS#3 (v.1.4) ○ Diffie-Hellman Key Agreement Standard

● PKCS#8 (v.1.2) ○ Private-Key Information Syntax Standard

● PKCS#10 (v.1.7) ○ Certification Request Standard

● PKCS#12 (v.1.0) ○ Personal Information Exchange Syntax Standard

Android: RSA

KeyPairGenerator kpg = KeyPairGenerator.getIstance(”RSA");

Java.security.KeyPairGenerator

● KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms

Cryptographic Algorithm

Available Providers for RSA Algorithm

KeyPairGenerator.getInstance(”RSA”,”SEC_PROVIDERS”);

● Different security providers could be used (could

change for different OS versions)

“AndroidOpenSSL” “BC” “AndroidKeyStrore”

Version 1.0 Version 1.49 Version 1.0

● KeySize – 1024,2048,4096 bits

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048);

● KeyPairGenerator initialization with the key size

Key Size

KeyPairGenerator: Initialization and Randomness

KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr);

Java.security.KeyPairGenerator, Java.security.SecureRandom

● KeyPairGenerator initialization with a

SecureRandom

SecureRandom sr = new SecureRandom();

Generating RSA Key

Java.security.KeyPair

● KeyPair is a container for a public/private key

generated by the KeyPairGenerator

KeyPair keypair = kpg.genKeyPair()

● We can retrieve public/private keys from KeyPair

Key public_key = kaypair.getPublic();

Key private_key = kaypair.getPrivate();

Using RSA Keys: cipher example

Javax.crypto.Cipher

● Cipher provides access to implementation of

cryptography ciphers for encryption and decryption

Cipher cipher = Cipher.getInstance(“RSA”,”SEC_PROVIDER);

Transformation “AndroidOpenSSL” “BC” “AndroidKeyStrore”

Using RSA Key: cipher example

Javax.crypto.Cipher

● Encryption

cipher.init(Cipher.ENCRYPT_MODE,public_key);

● Decryption

byte[] encrypted_data= cipher.doFinal(“GDG-Meets-U2014”.getBytes());

cipher.init(Cipher.DECRYPT_MODE,private_key); byte[] decrypted_data= cipher.doFinal(cipherd_data);

Parameters of RSA Keys

java.security.KeyFactory, java.security.spec,

● Retrieve RSA Key parameters using KeyFactory

RSAPublicKeySpec rsa_public = keyfactory.getKeySpec(keypair.getPublic(), RSAPublicKeySpec.class);

RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(), RSAPrivateKeySpec.class);

Extract Parameters of RSA Keys

Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec

● Retrieved parameters can be stored

BigInteger m = rsa_public.getModulus(); BigInteger e = rsa_public.getPublicExponent(); BigInteger d = rsa_private.getPrivateExponent();

Is Private

Step 1 RSA Keys Generaration

https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git

AndroidKeyStore

● Custom Java Security Provider available from Android 4.3

version and beyond

● An App can generate and save private keys

● Keys are private for each App

● 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored

● ECDSA support added from Android 4.4

Key Management Evolution

API LEVEL 14 API LEVEL 18

Global Level: KeyChain ( Public API ) App Level: KeyStore ( Closed API )

Global Level Only: Default TrustStore cacerts.bks (ROOTED device)

Global Level: KeyChain ( Public API ) App Level and per User Level: AndroidKeyStore ( Public API )

AndroidKeyStore Storage

● Two kinds of storage

○ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3) ○ Secure Element ○ TPM ○ TrustZone

○ Software only (Other devices with

OS >= 4.3)

Type of Storage

import android.security.KeyChain;

if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only

Certificate parameters Context cx = getActivity(); String pkg = cx.getPackageName(); Calendar notBefore = Calendar.getInstance(); Calendar notAfter = Calendar.getInstance(); notAfter.add(1, Calendar.YEAR);

import android.security.KeyPairGeneratorSpec.Builder; Builder builder = new KeyPairGeneratorSpec.Builder(cx); builder.setAlias(“DEVKEY1”); String infocert = String.format("CN=%s, OU=%s", “DEVKEY1”, pkg); builder.setSubject(new X500Principal(infocert)); builder.setSerialNumber(BigInteger.ONE); builder.setStartDate(notBefore.getTime()); builder.setEndDate(notAfter.getTime());

KeyPairGeneratorSpec spec = builder.build();

Times parameters

Self-Signed X.509 ● Common Name (CN) ● Subject (OU) ● Serial Number

Generate certificate

ALIAS to index the certificate

Generating Public/Private keys

KeyPairGenerator kpGenerator;

kpGenerator = KeyPairGenerator .getInstance("RSA", "AndroidKeyStore");

kpGenerator.initialize(spec);

KeyPair kp; kp = kpGenerator.generateKeyPair();

Engine to generate Public/Private key

Init Engine with: ● RSA Algorithm ● Provider: AndroidKeyStore

Init Engine with certificate parameters

After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS

● Generating Private/Public key

AndroidKeyStore Initialization

keyStore = KeyStore.getInstance("AndroidKeyStore");

keyStore.load(null);

Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS

Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not

used the App will crash

Get a reference to the AndroidKeyStore

Step 2 AndroidKeyStore Gen Keys

RSA Digital Signature

● Digital Signature ○ Authentication, Non-Repudiation and Integrity ○ RSA Private key to Sign ○ RSA Public Key to Verify

KeyStore.Entry entry = ks.getEntry(“DEVKEY1”, null); byte[] data = “GDG-Meets-U 2014!”.getBytes(); Signature s = Signature.getInstance(“SHA256withRSA”); s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[] signature = s.sign(); String result = null; result = Base64.encodeToString(signature, Base64.DEFAULT);

Access to Private/Public key identified by ALIAS

Algorithm choice

Private key to sign

Signature and Base64 encoding

Verify RSA Digital Signature

byte[] data = input.getBytes(); byte[] signature; signature = Base64.decode(signatureStr, Base64.DEFAULT);

KeyStore.Entry entry = ks.getEntry(“DEVKEY1”, null);

Signature s = Signature.getInstance("SHA256withRSA");

s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean valid = s.verify(signature);

Base64 decoding

Access to the Private/Public key identified by ALIAS==DEVKEY1

Algorithm choice

Public Key in certificate to verify signature

TRUE == Verified FALSE== Not Verified

Step 3 AndroidKeyStore Sign/Verify

RSA Encryption ● Encryption

○ Confidentiality ○ RSA Public key to Encrypt ○ RSA Private key to Decrypt

PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry) .getCertificate().getPublicKey(); String textToEncrypt = new String(”GDG-Meet-U-2014"); byte[] textToEncryptToByte = textToEncrypt.getBytes(); Cipher encCipher = null; byte[] encryptedText = null;

encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc);

encryptedText = encCipher.doFinal(textToEncryptToByte);

Access to Public key to encrypt

● Algorithm ● Encryption with Public

Ciphered

RSA Decryption

Cipher decCipher = null; byte[] plainTextByte = null;

decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");

decCipher.init(Cipher.DECRYPT_MODE, ((KeyStore.PrivateKeyEntry) entry).getPrivateKey());

plainTextByte = decCipher.doFinal(ecryptedText);

String plainText = new String(plainTextByte);

Algorithm

Decryption with Private key

Plaintext

Step 4 AndroidKeyStore Enc/Dec

It is observed that...

● Different screen lock

● The choice of screen lock impactsthe keys

● If you change the screen lock the

keys are deleted

Expected behavior?

● The official documentation shows:

● The keys should ramain intact when the type of screen lock is changed by the user

Issue 61989 ...

Cryptographic material on devices

● Device with Storage “Hardware-backed”

● Device with Storage “Software-only”

KeyChain

● KeyChain ○ Accessible by any Application

● Typically used for corporate certificates

Example: Import Certificates

● Import .p12 certificates

Intent intent = KeyChain.createInstallIntent();

byte[] p12 = readFile(“CERTIFICATE_NAME.p12”); Intent.putExtra(KeyChain.EXTRA_PKCS12,p12);

Specify PKCS#12 Key to install

startActivity(intent);

The user will be prompted for the password

KeyChain.choosePrivateKeyAlias( Activity activity, KeyChainAliasCallBack response, String[] keyTypes, Principal[] issuers, String host, Int port, String Alias);

Example: Retrieve the key

● The KeyChainAliasCallback invoked when a user chooses a certificate/private key

@Override public void alias(String alias){ . . PrivateKey private_key = KeyChain. getPrivateKey(this,alias); . . X509Certificate[] chain = KeyChain. getCertificateChain(this,”Droidcon”); . PublicKey public_key = chain[0].getPublicKey(); }

Example: Retrieve and use the keys

● KeyChainAliasCallbak must implement the abstract method alias:

Private Key

Public Key

Step 5 KeyChain

References

● http://developer.android.com/about/versions/android-4.3.html#Security ● http://developer.android.com/reference/java/security/KeyStore.html ● http://en.wikipedia.org/wiki/Encryption ● http://en.wikipedia.org/wiki/Digital_signature ● http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html ● http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html ● http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html ● http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html ● http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html ● http://android-developers.blogspot.it/2013/02/using-cryptography-to-store-

credentials.html ● http://www.bouncycastle.org/ ● http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html ● http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html ● http://en.wikipedia.org/wiki/PKCS ● http://developer.android.com/reference/android/security/KeyChain.html ● http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html

Thank you Q&A www.mseclab.com www.consulthink.it

research@mseclab.com

goo.gl/TA8EA1

consulthink @ gdg meets u - l'aquila2014 - codelab: android security -il key management

Devices & Hardware

polymer codelab: before diving into polymer

computacion gdg

consulthink overview

meteor2015 codelab

consulthink at gdg dev fest rome 2013 android key management

gdg tekirdağ

amavata#dg02 gdg

gdg devfest galicia 2019 · los gdg de galicia son de las...

gdg santa catarina - experiencia gdg lima

gdg shikoku 2013

epa’s geodata gateway (gdg) - amazon s3 agenda •...

gdg lima girls

gdg wednesday

madhumeha kc041 gdg

googe app engine codelab marzia niccolai may 28-29, 2008

"it's time" - android wear codelab - gdg meetsu - l'aquila

opensocial codelab

gdg women no gdg summit brasil 2014

codelab - university of toronto

gdg devfest seoul 2017: codelab - time series analysis for...