Hello,
If KeyStore is having this issue, what could be the best approach to save
application data safely on device ? Is there any location which is even
protected from rooted user ?
On Tuesday, 23 September 2014 17:43:02 UTC+5:30, Yogesh Lanjekar wrote:
>
> Hi,
> I am currently working on android application which is based on
> Client-server architecture. For data security, I am using Public-Private
> key pair for data encryption and signing. I am using AndroidKeyStore for
> storing key pair. Below is the code to generate key pair :
>
>
> KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.
> Builder(
> mContext)
> .setAlias(mPrivateKeyAlias)
> .setSubject(new X500Principal("CN=" +
> mPrivateKeyAlias))
> .setSerialNumber(
> BigInteger.valueOf(System.
> currentTimeMillis()))
> .setStartDate(start.getTime())
> .setEndDate(end.getTime()).setKeySize(2048).build
> ();
>
>
> KeyPairGenerator kpGenerator = KeyPairGenerator.
> getInstance(
> "RSA",
> "AndroidKeyStore");
>
>
> kpGenerator.initialize(spec);
> // Key Pair will be saved in AndroidKeyStore
> KeyPair pair = kpGenerator.generateKeyPair();
>
>
>
> After executing this code, Keystore releated files (CERT and PKEY files)
> will be generated at '/data/misc/keystore/user_0/' directory.
> I am encrypting application sensitive data like auth-token and saving it
> to Shared Pref for security reasons.
>
> But now when user changes device password or pin, keystore files are
> getting deleted as Masterkey used for keystore encryption is generated
> using device credentials.
>
> Now to fix this issue, I tried to keep Public-Private key pair in RAM and
> when password gets changed. From onPasswordChanged(Context context, Intent
> intent) method of DeviceAdminReceiver, I am executing below code :
>
>
> KeyStore keyStore = KeyStore
> .getInstance("AndroidKeyStore");
> keyStore.load(null);
> keyStore.setKeyEntry(mPrivateKeyAlias, mPrivateKey.
> getPrivateKey(),
> null, new Certificate[] { mPrivateKey.getCertificate()
> });
>
>
> But, after this code only CERT file gets created at
> '/data/misc/keystore/user_0/' directory and while decryption using private
> key, giving some invalid signature error.
>
> Also, I have shared my public key with server, encrypted data with private
> key, so creating new key pair would not be better solution.
>
> So, how I can retain my public private key pair after device password
> change ? If there is no work around, what is the exact use of
> AndroidKeyStore? Where can I use it ?
>
> Please help me.
>
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
