I'm writing both a server and an Android client application. The Android client sends measurements to the server. In order to ensure the data integrity, a digital signature is appended to each measurement.
Since I need everything to be Gson-compatible, storing the public key itself is not possible. I'm storing the G, P, Q and Y factors instead.
Here's a snippet from the request class:
public PublicKey getPublicKey() {
try {
DSAPublicKeySpec keySpec = new DSAPublicKeySpec(publicKeyY, publicKeyP,
publicKeyQ, publicKeyG);
KeyFactory fact = KeyFactory.getInstance("DSA");
PublicKey pubKey = fact.generatePublic(keySpec); // A
return pubKey;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public void setPublicKey(PublicKey publicKey) {
try {
KeyFactory fact = KeyFactory.getInstance("DSA");
DSAPublicKeySpec pub = fact.getKeySpec(publicKey, DSAPublicKeySpec.class); // B
publicKeyG = pub.getG();
publicKeyP = pub.getP();
publicKeyQ = pub.getQ();
publicKeyY = pub.getY();
} catch (Exception e) {
e.printStackTrace();
}
}
The constructor makes use of the setPublicKey-method. When I create such request on the client side and send it to the server, both result in an exception.
On the client:
java.lang.RuntimeException: not implemented yet DSA Public Key
y: 2f9286201b266f38d682e99814612f7d37c575d3a210de114bdf02092f4a835109f28a590cfc568bb6525d59b8275fe791f3ddf20e85df44fd2e8622289f6dbc27c73d31d1769feae19573df22a9ca8ef80a9f7230b0b4a2671cc03fdb2788b55b4e9a68a7a5a93a214cc5aa39ccb5155a13354870d45a38760a80fd34333073
class java.security.spec.DSAPublicKeySpec
at org.bouncycastle.jce.provider.JDKKeyFactory.engineGetKeySpec(JDKKeyFactory.java:148)
at java.security.KeyFactory.getKeySpec(KeyFactory.java:210)
Next thing in the stack trace points at the rule I marked as B
On the server:
java.lang.NullPointerException
at sun.security.provider.DSAPublicKey.<init>(DSAPublicKey.java:74)
at sun.security.provider.DSAPublicKeyImpl.<init>(DSAPublicKeyImpl.java:46)
at sun.security.provider.DSAKeyFactory.engineGeneratePublic(DSAKeyFactory.java:86)
at java.security.KeyFactory.generatePublic(KeyFactory.java:304)
at sensserve.protocol.StartSessionRequest.getPublicKey(StartSessionRequest.java:66)
Nextly pointing to the rule A.
I absolutely have no clue what I did wrong and what these messages mean. How can I solve these? Anyone who can tell me what I'm doing wrong?
Thanks a lot.
You should be able to store the public key in Base64 encoded from and still get valid JSON. You should be able to use DSAPublicKeySpec directly without calling getKeySpec() which apparently is not implemented in Bouncy Castle (Android's JCE provider). Not sure why you are getting NPE on the server, maybe wrong format. BTW, it will probably be easier if you are dealing with a single provider, so you might want to use Bouncy Castle on the server as well.
Related
I am trying to convert my private key string to a PrivateKey object in my Android application. I have read a lot of posts on StackOverflow about this topic, but I just can solve my issue.
I am using the following function to convert my key:
String privateKey = "MIGkAgEBBDCAHpFQ62QnGCEvYh/pE9QmR1C9aLcDItRbslbmhen/h1tt8AyMhskeenT+rAyyPhGgBwYFK4EEACKhZANiAAQLW5ZJePZzMIPAxMtZXkEWbDF0zo9f2n4+T1h/2sh/fviblc/VTyrv10GEtIi5qiOy85Pf1RRw8lE5IPUWpgu553SteKigiKLUPeNpbqmYZUkWGh3MLfVzLmx85ii2vMU=";
#Nullable
private static PrivateKey getKey(String key) {
try {
byte[] byteKey = Base64.decode(key.getBytes(), Base64.DEFAULT);
KeyFactory keyFactory = KeyFactory.getInstance("EC");
return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(byteKey));
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
According to ASN.1 JavaScript decoder, I do have a valid private key.
Nonetheless, getKey() always fails with the following exception:
java.security.spec.InvalidKeySpecException: java.lang.RuntimeException: error:0c0000be:ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG
I cannot make sense of this error message. Even after a lot of googling. Does anybody know, what I am doing wrong? Am I using the wrong key spec (though many of the answers here suggest the use of PKCS8EncodedKeySpec().
The private key you see in the code above was generated by jwt.io using an ES384 algorithm.
I need an end to encrypt different strings and related decryptions after user authenticate using fingerprint scanner.
Following this project (https://github.com/StylingAndroid/UserIdentity/tree/Part1) and changed "tryEncrypt" method like below:
private boolean tryEncrypt(Cipher cipher) {
try {
cipher.doFinal(SECRET_BYTES);
String one = "augusto";
String two = "test#gmail.com";
String three = "3333333331";
byte[] oneEnc = cipher.doFinal(one.getBytes());
byte[] twoEnc = cipher.doFinal(one.getBytes());
byte[] threeEnc = cipher.doFinal(one.getBytes());
Log.d("test", "oneEnc: " + Base64.encodeToString(oneEnc,0));
Log.d("test", "twoEnc: " + Base64.encodeToString(twoEnc,0));
Log.d("test", "threeEnc: " + Base64.encodeToString(threeEnc,0));
} catch (Exception e) {
e.printStackTrace();
return false;
}
return true;
}
I'm getting this error:
java.lang.IllegalStateException: IV has already been used. Reusing IV in encryption mode violates security best practices.
What is the correct way on how to do it?
Thanks
*******************UPDATE:*****************************
To help others to get solve this problem I used this library and worked like charm:
https://github.com/Mauin/RxFingerprint
You have a problem because your are using a single instance of the Cipher for multiple encryptions (dofinal). You are using a single vector initialization (IV).
Take a look on an option of how to initialize a cipher.
SecureRandom r = new SecureRandom();
byte[] ivBytes = new byte[16];
r.nextBytes(ivBytes);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, new IvParameterSpec(ivBytes));
As you can see, you need to specify the initialization vector. The initialization vector can not be repeated to guarantee that the encryption works.
In your scenario, you probably gonna need to perform a new initialization.
*Ps: It's also possible to use the Cipher initialization without the IvParameterSpec. In this scenario, the class will generate one for you. However, I believe that you need to perform a initialization per DoFinal to guarantee some randomness.
To help others to get solve this problem I used this library that worked like charm:
https://github.com/Mauin/RxFingerprint
Following this blog, I'm using this code to create and store a KeyPair in Android KeyStore:
Context ctx = getApplicationContext();
Calendar notBefore = Calendar.getInstance();
Calendar notAfter = Calendar.getInstance();
notAfter.add(1, Calendar.YEAR);
KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx).
setAlias(RSA_KEYS_ALIAS).setSubject(
new X500Principal(String.format("CN=%s, OU=%s",
getApplicationName(), ctx.getPackageName()))).
setSerialNumber(BigInteger.ONE).
setStartDate(notBefore.getTime()).setEndDate(notAfter.getTime()).build();
KeyPairGenerator kpGenerator;
try {
kpGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
kpGenerator.initialize(spec);
kpGenerator.generateKeyPair();
} catch (Exception e) {
showException(e);
}
When I try to retrieve public key from the KeyStore using this code, a NullPointerException with the message chain == null is thrown.
public RSAPublicKey getRSAPublicKey() {
RSAPublicKey result = null;
try {
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
KeyStore.PrivateKeyEntry keyEntry =
(KeyStore.PrivateKeyEntry) keyStore.getEntry(RSA_KEYS_ALIAS, null); // --< exception is thrown here
result = (RSAPublicKey) keyEntry.getCertificate().getPublicKey();
}
} catch (Exception e) {
showException(e);
}
return result;
}
The same goes with the the code to retrieve private key.
Update:
I compared my code with Google BasicAndroidKeyStore sample. The mechanism to generate, store and retrieve the key pair in that sample is virtually the same to what I've implemented. I'm puzzled as to why this code has stopped functioning after a few months of perfectly working.
Any suggestions or hints would be appreciated.
Apparently names in Android KeyStore must be unique amongst all Apps. I had another app which used the same name for its keys. After changing the the common library used by both apps to create and and use keys to include package name in its key names, the problem went away...
In my case, I had multiple calls to obtain the KeyStore at nearly the same time. I had to create a single instance and refer to that if it existed, otherwise KeyStore.getInstance("AndroidKeyStore") returned null and raised an Exception.
To protect against multiple async requests causing a crash, use a stored instance from just one KeyStore.getInstance().
In my case, I was trying to get public key before generating it. (getRSAPublicKey() called before generateKeyPair())
i have a problem with RSA encryption and decryption. I'm developing in android and would like to outsource the RSA encryption and decryption. My source code worked well before i tried to outsource it.
I created a private key and public key and saved it as private.key and public.key. The error is a ClassNotFoundException caused by this method:
public Key getPrivateKey(){
try {
InputStream fis = activity.getResources().openRawResource(R.raw.private);
ObjectInputStream ois = new ObjectInputStream(fis);
Key RSAprivateKey = (Key)ois.readObject();
return RSAprivateKey;
}
catch (FileNotFoundException e) {
Log.e("FileNotFound","FileNotFound");
e.printStackTrace();
} catch (IOException e) {
Log.e("IOEXception","IOEXception");
e.printStackTrace();
} catch (ClassNotFoundException e) {
Log.e("ClassNotFound","ClassNotFound");
Log.e("Errro", "Error: "+ e.getMessage());
Log.e("error", e.toString());
e.printStackTrace();
}
return null;
}
I looked at the logcat and got this error message:
E/ClassNotFound(1205): ClassNotFound
03-19 13:54:52.176: E/Errro(1205): Error:
com.android.org.bouncycastle.jce.provider.JCERSAPrivateCrtKey
03-19 13:54:52.176: E/error(1205): java.lang.ClassNotFoundException:
com.android.org.bouncycastle.jce.provider.JCERSAPrivateCrtKey
I hope you understand my problem, because English is not my native language.
Edit: I found out that the problem is not caused by outsourcing the code. So i guess the topic can be marked as solved.
RSAPublicKey and RSAPrivateKey are interfaces. When you get a Key you actually receive an implementation by the cryptographic provider of this interface. These providers differ for different Java platforms (although, at least officially, Android/Dalvik isn't even a Java platform). So you should never expect serialization to work unless you are working on the same platform.
There are however ways to serialize public and private keys in Java; the Key interface contains the getEncoded() method which returns the most common binary encoding of the key. In the case of RSAPublicKey this is the PKCS#1 encoding within X5.09 SubjectKeyIdentifier. In the case of RSAPrivateKey this is the inner PKCS#8 encoding wrapped around the PKCS#1 defined structure. These can be represented using X509EncodedKeySpec and PKCS8EncodedKeySpec and converted back into keys using an RSA KeyFactory.
Note that the private key will not be encrypted if you call getEncoded. Normally you don't want to transport private keys at all, and if you do you should really encrypt them. You can do this using the Cipher.wrap and Cipher.unwrap methods.
I'm developing an Android app which based on a web-server. Users, who installed the app, should register on web, so they can login. When someone try to login I verify their information with API.
So I'm curious about persisting and encryption processes. Should I encrypt the values or just put them all to SharedPreferences? If encryption is needed what's the efficient way?
And last but not least, Is SharedPreferences enough in terms of security?
Thanks.
Encryption is easy, but the real question is with what key? If you hardcode the key in the app, or derive it from some known value, anyone with access to the device can easily decrypt those values. What you are achieving is merely obfuscation. Since Android doesn't have a public API to the system keystore, there is not much else you can do if you need to save the actual password. Unless of course you make the user input a password each time they start the app, which kind of defeats the purpose.
If you control both the server and the client, another approach is to use some form of token-based authentication and only save the token. Since tokens can expire and be revoked, the damage by someone getting hold of your token is much less, than exposing an actual password (which may be used on other sites as well).
Of course you should encrypt user settings like login, password or maybe email. I prefer SharedPreferences for storing, and yes it's enough in terms of security.
I've found this two method on StackOverflow, it's fair enough:
protected String encrypt( String value ) {
try {
final byte[] bytes = value!=null ? value.getBytes(UTF8) : new byte[0];
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
SecretKey key = keyFactory.generateSecret(new PBEKeySpec(SEKRIT));
Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(Settings.Secure.getString(context.getContentResolver(),Settings.System.ANDROID_ID).getBytes(UTF8), 20));
return new String(Base64.encode(pbeCipher.doFinal(bytes), Base64.NO_WRAP),UTF8);
} catch( Exception e ) {
throw new RuntimeException(e);
}
}
protected String decrypt(String value){
try {
final byte[] bytes = value!=null ? Base64.decode(value,Base64.DEFAULT) : new byte[0];
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
SecretKey key = keyFactory.generateSecret(new PBEKeySpec(SEKRIT));
Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(Settings.Secure.getString(context.getContentResolver(),Settings.System.ANDROID_ID).getBytes(UTF8), 20));
return new String(pbeCipher.doFinal(bytes),UTF8);
} catch( Exception e) {
throw new RuntimeException(e);
}
}
Couldn't find link, if I found, I'll edit my answer.
Edit: I found the source, you may have a look at all discussion on here.