KeyStore vs KeyChain
I have an app that generates a key for encryption/decryption and it is working just fine. I store my key in the KeyStore and the IV as the first 12 bytes of the encrypted file saved on external storage. When I want to decrypt the file, I get the file from external storage (hence I get the IV) and the key from the KeyStore, and I am able to get the original content. My second application, App2, can access the file in external storage (hence it can get the IV), but it can't get the key from App1's KeyStore. I was reading about KeyChain, and the official documentation says it is not app-private ("Use the KeyChain API when you want system-wide credentials"). Can I somehow store my key in this KeyChain or somewhere else so that my App2 can get it (with some user approval or something similar)? Here is the code I used to create and store the key in App1.

    import android.security.keystore.KeyGenParameterSpec;
    import android.security.keystore.KeyProperties;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    // Fields of the enclosing class: the provider name of the Android Keystore,
    // and the alias the key is stored under (placeholder value)
    private static final String KEY_STORE_NAME = "AndroidKeyStore";
    private static final String KEY_ALIAS = "my_key_alias";

    private static SecretKey createAndStoreKey() {
        try {
            // Generate a 256-bit AES key inside the Android Keystore (256 is the default AES size)
            KeyGenerator keyGen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEY_STORE_NAME);

            // The key may only be used for AES/GCM/NoPadding encryption and decryption;
            // the keystore generates a fresh random IV for each encryption
            final KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .build();

            keyGen.init(keyGenParameterSpec);

            // Generating the key also stores it in the keystore under KEY_ALIAS
            return keyGen.generateKey();
        }
        catch (NoSuchProviderException | NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
            e.printStackTrace();
            return null;
        }
    }

Thank you all for the help.

Achromatism answered 15/2, 2018 at 13:14
I think you're looking for Content Providers in order to share data between your applications securely. - Brahmaputra

Thanks for your answer. The problem is my task requires using KeyStore and KeyChain. I have an implementation with a content provider, but as I said I need to investigate these other options :S - Achromatism

I think you should be able to share the Keystore's access by defining a sharedUserId in your apps' manifest (you also need to sign the apps with the same certificate). But I haven't tried it and tbh it doesn't seem the best solution. - Brahmaputra

Thank you for the idea. Do you know anything about storing keys in KeyChain, is it possible at all? - Achromatism

No problem! And I'm sorry but no, I have no experience using KeyChain in Android so I can't answer that :\ - Brahmaputra

@Achromatism Were you able to find a way to store the key in Keychain? I am having the same use case. - Crinkly

What is the difference between keychain and keystore? - Despondent

@Despondent Check the answer from Anice here https://mcmap.net/q/921134/-keystore-vs-keychain, it should address your question. - Predesignate
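As an added example (not code from the question, the comments or the answer), this is one way the scheme described in the question can be implemented around the key created by createAndStoreKey(): the key is loaded from the Android Keystore by alias, the 12-byte GCM IV the cipher generates is written as the file prefix, and on decryption the IV is read back and the GCM tag is verified before any plaintext is returned. The class name, the alias `app1_aes_key` and the stream-based file handling are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class GcmFileCrypto {
    private static final String KEY_STORE_NAME = "AndroidKeyStore";
    private static final String KEY_ALIAS = "app1_aes_key";          // assumed alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding"; // matches the key's GCM/NoPadding spec
    private static final int IV_LENGTH = 12;   // 96-bit GCM nonce, stored as the file prefix
    private static final int TAG_BITS = 128;   // GCM authentication tag length

    /** Loads the key by alias; only the app that owns the alias can do this. */
    static SecretKey loadKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEY_STORE_NAME);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    /** Writes the 12-byte IV, then the ciphertext followed by the 16-byte tag. */
    static void encryptToStream(SecretKey key, byte[] plaintext, OutputStream out) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key);    // AndroidKeyStore generates a fresh random IV
        byte[] iv = cipher.getIV();
        if (iv.length != IV_LENGTH) throw new GeneralSecurityException("unexpected IV length " + iv.length);
        out.write(iv);
        out.write(cipher.doFinal(plaintext));
    }

    /** Reads the IV prefix and decrypts the rest; a modified file fails with AEADBadTagException. */
    static byte[] decryptFromStream(SecretKey key, InputStream in) throws GeneralSecurityException, IOException {
        DataInputStream data = new DataInputStream(in);
        byte[] iv = new byte[IV_LENGTH];
        data.readFully(iv);                        // throws EOFException if the file is too short
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = data.read(buf)) != -1) body.write(buf, 0, n);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(body.toByteArray()); // verifies the tag before returning plaintext
    }
}
```

Because loadKey() only succeeds in the app that created the alias, App2 running the same code gets no key, which is the behaviour the question describes; the IV in the file is not secret, the key is.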
Use the KeyChain API when you want system-wide credentials. When an app requests the use of any credential through the KeyChain API, users get to choose, through a system-provided UI, which of the installed credentials an app can access. This allows several apps to use the same set of credentials with user consent.

Use the Android Keystore provider to let an individual app store its own credentials that only the app itself can access. This provides a way for apps to manage credentials that are usable only by itself while providing the same security benefits that the KeyChain API provides for system-wide credentials. This method requires no user interaction to select the credentials. (reference)

Denumerable answered 14/5, 2019 at 12:6