Login/Register
AndroidKeyStore wiped out after device password change
Asked Answered
Solved androidsecuritykeystoreandroid-keystoredata-security
P

1

7

I am currently working on android application which is based on Client-server architecture. For data security, I am using Public-Private key pair for data encryption and signing. I am using AndroidKeyStore for storing key pair. Below is the code to generate key pair:

KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(
        mContext)
        .setAlias(mPrivateKeyAlias) 
        .setSubject(new X500Principal("CN=" + mPrivateKeyAlias))
        .setSerialNumber(
                BigInteger.valueOf(System.currentTimeMillis()))
        .setStartDate(start.getTime())
        .setEndDate(end.getTime()).setKeySize(2048).build();

KeyPairGenerator kpGenerator = KeyPairGenerator.getInstance(
        "RSA",
        "AndroidKeyStore");

kpGenerator.initialize(spec);
// Key Pair will be saved in AndroidKeyStore
KeyPair pair = kpGenerator.generateKeyPair();

After executing this code, Keystore releated files (CERT and PKEY files) will be generated at '/data/misc/keystore/user_0/' directory. I am encrypting application sensitive data like auth-token and saving it to Shared Pref for security reasons.

But now when user changes device password or pin, keystore files are getting deleted as Masterkey used for keystore encryption is generated using device credentials.

Now to fix this issue, I tried to keep Public-Private key pair in RAM and when password gets changed. From onPasswordChanged(Context context, Intent intent) method of DeviceAdminReceiver, I am executing below code : 

KeyStore keyStore = KeyStore
        .getInstance("AndroidKeyStore");
keyStore.load(null);
keyStore.setKeyEntry(mPrivateKeyAlias, mPrivateKey.getPrivateKey(),
        null, new Certificate[] { mPrivateKey.getCertificate() });

But, after this code only CERT file gets created at '/data/misc/keystore/user_0/' directory and while decryption using private key, giving some invalid signature error.

Also, I have shared my public key with server, encrypted data with private key, so creating new key pair would not be better solution.

So, how I can retain my public private key pair after device password change ? If there is no work around, what is the exact use of AndroidKeyStore? Where can I use it ?

Pawsner answered 22/9, 2014 at 6:41 Comment(3)
Hey. I just wrote a post about this stuff systemdotrun.blogspot.co.uk/2015/02/…Ehrman
@Dori's link is dead, here's the updated url doridori.github.io/android-security-the-forgetful-keystore/…Roxanneroxburgh
Thx :) I am writing a quick overview to the KeyStore at present also github.com/doridori/Android-Security-Reference/blob/master/api/…Ehrman
P
6

This issue has been fixed by Google in Android 5.0 (Lollipop) release. But, for previous versions of Android, you will have to live with this issue. :(

Pawsner answered 18/3, 2015 at 7:50 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.