Hi Yogesh, I would counsel against using the keystore for storing anything. Apart from (as you've found) deleting things[1] all the time, it also sometimes leaks your private keys to other apps[2].
I reported to that vulnerability to the Android security team in March (and sent a patch!). Aside from an initial acknowledgement, the security team don't reply to email, and it hasn't been fixed. The difference in security response between the Android team and Google itself is startling. Cheers, Joe [1]: https://code.google.com/p/android/issues/detail?id=61989 [2]: http://jbp.io/2014/04/07/android-keystore-leak/ On 23 September 2014 13:13, Yogesh Lanjekar <[email protected]> wrote: > Hi, > I am currently working on android application which is based on > Client-server architecture. For data security, I am using Public-Private key > pair for data encryption and signing. I am using AndroidKeyStore for storing > key pair. Below is the code to generate key pair : > > > KeyPairGeneratorSpec spec = new > KeyPairGeneratorSpec.Builder( > mContext) > .setAlias(mPrivateKeyAlias) > .setSubject(new X500Principal("CN=" + > mPrivateKeyAlias)) > .setSerialNumber( > > BigInteger.valueOf(System.currentTimeMillis())) > .setStartDate(start.getTime()) > .setEndDate(end.getTime()).setKeySize(2048).build(); > > > KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance( > "RSA", > "AndroidKeyStore"); > > > kpGenerator.initialize(spec); > // Key Pair will be saved in AndroidKeyStore > KeyPair pair = kpGenerator.generateKeyPair(); > > > > After executing this code, Keystore releated files (CERT and PKEY files) > will be generated at '/data/misc/keystore/user_0/' directory. > I am encrypting application sensitive data like auth-token and saving it to > Shared Pref for security reasons. > > But now when user changes device password or pin, keystore files are getting > deleted as Masterkey used for keystore encryption is generated using device > credentials. > > Now to fix this issue, I tried to keep Public-Private key pair in RAM and > when password gets changed. From onPasswordChanged(Context context, Intent > intent) method of DeviceAdminReceiver, I am executing below code : > > > KeyStore keyStore = KeyStore > .getInstance("AndroidKeyStore"); > keyStore.load(null); > keyStore.setKeyEntry(mPrivateKeyAlias, > mPrivateKey.getPrivateKey(), > null, new Certificate[] { mPrivateKey.getCertificate() > }); > > > But, after this code only CERT file gets created at > '/data/misc/keystore/user_0/' directory and while decryption using private > key, giving some invalid signature error. > > Also, I have shared my public key with server, encrypted data with private > key, so creating new key pair would not be better solution. > > So, how I can retain my public private key pair after device password change > ? If there is no work around, what is the exact use of AndroidKeyStore? > Where can I use it ? > > Please help me. > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
