This section discusses how to use the Android Keystore to save sensitive information such as passwords, and how to encrypt and decrypt data.

Before we get started, let’s clear up some basics. Keystore stores sensitive data such as passwords and keys, and is implemented in a way that makes it difficult for attackers or malicious programs to extract that information.

With the Android keystore system, you can store encryption keys in containers, making it harder to extract them from the device. Once the keys are in the keystore, they can be used for encryption operations, while the key material remains unexportable. In addition, it provides restrictions on when and how the key can be used, such as requiring user authentication to use the key, or limiting it to use only in certain encryption modes.

An application can only edit, save, and retrieve its own keys. The concept is simple, but powerful. The App can generate or receive a public-private key pair and store it in the Android Keystore system. A public key can be used to encrypt application data before it is placed in a specific folder, and a private key can be used to decrypt the data when needed.

If you just want to see the code, you can just click here.

For simplicity, I’ve written a demo that shows how to use the Android Keystore to save passwords, encrypt them, display the encryption form, and decrypt them.

I won’t write XML here, it’s all simple stuff, I’ll post all the code at the end of this article.

I’ve created two new class files here. One is EnCryptor and the other is Decryptor. Their names say what they do.

Creating a new key

Before we start coding, we need to choose an alias for the key that encrypts and decrypts the data. The alias can be any string, but it can’t be empty. It is the name under which the generated key appears in the Android Keystore.

First we need to get an instance of the Android KeyGenerator:

Here we set the algorithm of the key generated by KeyGenerator to AES, and we tell it to store the key in the AndroidKeyStore provider.

Then we can use KeyGenParameterSpec.Builder to create a KeyGenParameterSpec, which is passed to KeyGenerator’s init method.

What is KeyGenParameterSpec? Think of it as the set of parameters for the key we are generating. For example, we can set a specific expiration time for the key.

KeyGenParameterSpec code:

First we pass the alias, which can be anything, and then we set the purposes of the key: encrypting and decrypting data.

setBlockModes ensures that only the specified block mode can be used to encrypt and decrypt data with this key. Any other block mode will be rejected. You can see the different block modes here.

We use the “AES/GCM/NoPadding” transformation, so we also need to set the matching padding type (no padding) on the KeyGenParameterSpec.

Encrypt the data

After the above, encrypting the data is very simple:

First we initialize the KeyGenerator with the keyGenParameterSpec, after which we generate the SecretKey.

Now that we have the SecretKey, we can initialize the Cipher object, which performs the actual encryption. We need to set the Cipher’s transformation:

We then keep a reference to the Cipher’s initialization vector (IV), which we will need again for decryption. We call doFinal(textToEncrypt) to perform the encryption; it returns the encrypted bytes.

Decryption

Get KeyStore instance:

We use the KeyStore to look up our secret key by its alias. The entry comes back as a SecretKeyEntry:

The block mode set earlier in the KeyGenParameterSpec was KeyProperties.BLOCK_MODE_GCM, so this is the only mode that can be used here to decrypt the data.

We need to specify an authentication tag length for GCMParameterSpec (128, 120, 112, 104 or 96 bits; here we use the maximum, 128) and pass the IV that was used in the encryption step.

Get encrypted data:



Get decrypted data:



So that’s the whole process.
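To show the three steps (generating the key, encrypting, decrypting) as one working unit, here is an added example. It is not the EnCryptor/Decryptor code from this post or from the linked repository; it uses the same Android APIs described above (KeyGenerator, KeyGenParameterSpec, Cipher with "AES/GCM/NoPadding", GCMParameterSpec with a 128-bit tag). The class name KeystoreAesGcm, the alias passed to the constructor, and the layout of the returned byte array (one length byte, then the IV, then ciphertext plus tag) are my own choices, not something the post specifies. It needs API level 23 or higher, where KeyGenParameterSpec was introduced.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not the post's own classes): AES-GCM encrypt/decrypt with a key
 * that lives in the Android Keystore. The key material never leaves the keystore;
 * only the alias and the encrypted blob are handled by app code.
 */
public final class KeystoreAesGcm {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;   // the maximum tag length, as in the post

    private final String alias;   // assumed value, e.g. "demo_password_key"

    public KeystoreAesGcm(String alias) {
        if (alias == null || alias.isEmpty()) {
            throw new IllegalArgumentException("alias must not be empty");
        }
        this.alias = alias;
    }

    /** Returns the existing key for the alias, or generates it on first use. */
    private SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        keyStore.load(null);   // AndroidKeyStore takes no input stream
        KeyStore.Entry entry = keyStore.getEntry(alias, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator generator =
                KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)             // only GCM is allowed
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build();
        generator.init(spec);
        return generator.generateKey();   // generated inside the keystore, not exportable
    }

    /** Encrypts UTF-8 text; output is [ivLength][iv][ciphertext+tag] so the IV travels with the data. */
    public byte[] encrypt(String plaintext) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        // The keystore chooses a fresh random IV for every ENCRYPT init; we must read it back.
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = cipher.getIV();
        byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));

        byte[] blob = new byte[1 + iv.length + ciphertext.length];
        blob[0] = (byte) iv.length;
        System.arraycopy(iv, 0, blob, 1, iv.length);
        System.arraycopy(ciphertext, 0, blob, 1 + iv.length, ciphertext.length);
        return blob;
    }

    /** Reverses encrypt(); a modified blob fails tag verification and throws AEADBadTagException. */
    public String decrypt(byte[] blob) throws GeneralSecurityException, IOException {
        if (blob == null || blob.length < 2) {
            throw new GeneralSecurityException("malformed blob");
        }
        int ivLength = blob[0] & 0xFF;
        int minLength = 1 + ivLength + GCM_TAG_BITS / 8;   // at least the tag must follow the IV
        if (blob.length < minLength) {
            throw new GeneralSecurityException("malformed blob");
        }
        byte[] iv = new byte[ivLength];
        System.arraycopy(blob, 1, iv, 0, ivLength);

        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plain = cipher.doFinal(blob, 1 + ivLength, blob.length - 1 - ivLength);
        return new String(plain, StandardCharsets.UTF_8);
    }
}
```

Usage: `byte[] blob = new KeystoreAesGcm("demo_password_key").encrypt(password);` persists wherever the app keeps data (for example SharedPreferences, Base64-encoded), and `decrypt(blob)` reads it back. Two points the post’s prose touches on are made explicit here: the IV must be stored next to the ciphertext, because the keystore generates a new one for every encryption and the app never picks it; and because GCM is authenticated, any change to the stored blob is detected at doFinal, so callers should treat an AEADBadTagException as tampering or corruption rather than retrying.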

Source address: https://github.com/wutongke/KeyStoreDemo

Original address: https://medium.com/@josiassena/using-the-android-keystore-system-to-store-sensitive-information-3a56175a454b#.3lly5mk5i

Please follow the public account Wutongke, which pushes cutting-edge mobile development articles every day: