best practices for encryption in android

Similar documents
Dashlane Security Whitepaper

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Chapter 17. Transport-Level Security

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Salesforce1 Mobile Security Guide

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

Sync Security and Privacy Brief

Client Server Registration Protocol

The Misuse of RC4 in Microsoft Word and Excel

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)


Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

Topics in Network Security

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Security Protocols/Standards

Symmetric and Public-key Crypto Due April , 11:59PM

Analyzing the Security Schemes of Various Cloud Storage Services

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

The Security Behind Sticky Password

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

IronKey Data Encryption Methods

1.2 Using the GPG Gen key Command

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

CS 758: Cryptography / Network Security

IPsec Details 1 / 43. IPsec Details

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Thick Client Application Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Internet Banking System Web Application Penetration Test Report

Midterm 2 exam solutions. Please do not read or discuss these solutions in the exam room while others are still taking the exam.

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

SecureDoc Disk Encryption Cryptographic Engine

Password Manager with 3-Step Authentication System

Web Security Considerations

SENSE Security overview 2014

Is Your SSL Website and Mobile App Really Secure?

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

DataTrust Backup Software. Whitepaper Data Security. Version 6.8

DFW Backup Software. Whitepaper Data Security

Storing Encrypted Plain Text Files Using Google Android

Key Management Interoperability Protocol (KMIP)

Chapter 7 Transport-Level Security

White Paper: Multi-Factor Authentication Platform

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Network Security - ISA 656 Security

A Perfect CRIME? TIME Will Tell. Tal Be ery, Web research TL

Vulnerabilità dei protocolli SSL/TLS

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

SSL/TLS: The Ugly Truth

Adobe Systems Software Ireland Ltd

Wireless security (WEP) b Overview

Three attacks in SSL protocol and their solutions

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Overview/Questions. What is Cryptography? The Caesar Shift Cipher. CS101 Lecture 21: Overview of Cryptography

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Discovering passwords in the memory

CS5008: Internet Computing

Network Security Essentials Chapter 5

FileCloud Security FAQ

Transport Level Security

Final Year Project Interim Report

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Lecture 9: Application of Cryptography

How To Fix A Username Enumeration On A Vpn On A Pc Or Ipv (Vpn) On A Password Protected Ipv 2 (Vvv) On An Ipv 3 (Vp) On Pc Or Password Protected (V

Security in Android apps

ELPBack Online Backup Whitepaper Data Security Version 5.5.x Jun 2008 Protecting Tomorrow with yesterday ELPBack Offsite Backup Whitepaper Data

POODLE. Yoshiaki Kasahara Kyushu University 2015/3/3 APAN 39th in Fukuoka 1

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

1. a. Define the properties of a one-way hash function. (6 marks)

Transport Layer Security Protocols

CSE/EE 461 Lecture 23

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

LogMeIn Rescue Architecture

Michael Seltzer COMP 116: Security Final Paper. Client Side Encryption in the Web Browser Mentor: Ming Chow

ICOM 5018 Network Security and Cryptography

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

What Are Certificates?

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

Blaze Vault Online Backup. Whitepaper Data Security

How To Encrypt Data With Encryption

Message Authentication Codes

Keep Yourself Safe from the Prying Eyes of Hackers and Snoopers!

Introweb Remote Backup Client for Mac OS X User Manual. Version 3.20

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

More effective protection for your access control system with end-to-end security

Installation and usage of SSL certificates: Your guide to getting it right

Message authentication and. digital signatures

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Data Storage on Mobile Devices Introduction to Computer Security Final Project

Transcription:

best practices for encryption in android SUBHEADER VALUE PROPOSTION STATEMENT GOES HERE developer.motorola.com/enterprise

WHITE PAPER BEST PRACTICES FOR ENCRYPTION IN ANDROID 2 introduction Android has featured commercial and government-grade encryption libraries from its earliest releases. The Androidtm encryption libraries make it possible for organizations to protect data on a mobile device with the highest level of security. The best data security practice is to not store corporate data on a mobile device, but sometimes this cannot be avoided (for example, if an app needs to keep working even when there is no data connection). There are numerous examples within the world of encryption where mistakes have compromised security goals. Some of the security libraries in the javax.crypto package have non-obvious APIs, and reference material can be thin and hard to find. This white paper draws together a number of best practices to use when designing Android apps that depend on encryption. This is not an exhaustive list. It is a starting point to raise awareness about the kinds of issues you need to consider when working with encryption software. step 1 step 2 step 3 Figure 1 Terminology of Encryption SECRET MEETING SECRET MEETING CIPHERTEXT Sender gives receiver a copy of the key they will use. Sender encrypts the plaintext to produce a ciphertext which she sends to her contact. Receiver gets the ciphertext and uses his copy of the key to decrypt it, revealing a copy of the plaintext. To review sample source code which implements this complete process, please refer to Using the Advanced Encryption Standard in Android Technical Article. http://developer.motorola.com/docs/using_the_advanced_encryption_standard_in_android/

WHITE PAPER BEST PRACTICES FOR ENCRYPTION IN ANDROID 3 best practices Encryption best practices fall into two categories - practices that relate to good security discipline generally, and practices that relate to software design and development. PRACTICES RELATING TO GOOD SECURITY DISCIPLINE GENERALLY: 1. Assume that anything stored on the device is vulnerable to reading by someone who has physical possession of the device. In particular, never store the plaintext secret key on the device. One way to avoid storing the secret key on the device is to generate the secret key whenever you need it, by deriving it from a human-friendly password supplied by prompting the user. This technique is described with sample code in the technical article at reference 4 below. Although encryption doesn t prevent an attacker from reading the encrypted bits from a file, it prevents him from seeing the decrypted data. Mobile Device Management consoles have the remote wipe feature because of the assumption that anything stored on the device can be read by someone who has the device (regardless of file permissions, user IDs, etc). 2. Use standard security algorithms to solve standard security problems. An example of failure to use standard algorithms is the Content Scramble System used to assert Digital Rights Management (DRM) on DVD movies. A proprietary algorithm was created for this application. Its flaws were revealed by reverse engineering, and it was broken within a couple of years. Shortly after that, it was separately discovered that errors in the design of the algorithm reduced the effective size of the key to only 16 bits. The reduced key made brute force attacks (trying every key in the key space) not just feasible, but trivial. A major factor behind the movie industry s promotion of Blu-ray video players is to greatly strengthen DRM controls (in addition to support for larger files and high definition formats). 3. The admonition to use standard security algorithms extends to using standard implementations of those algorithms. An example where this best practice was not followed concerned an early implementation of Unix. A replacement terminal login manager was written. This component is part of the security framework, and prompts for a username/password pair to check for authorized access. Unlike more secure versions of the component, this implementation checked that the username existed, before checking the password. If the username did not exist, there was no password to check against, and it immediately returned a failure. If the username did exist, the login manager would go on to check the password, which took a fractionally longer time. The slight difference in timing between password comparison and no password comparison was enough to leak information about whether a username was valid or not. For example, if you need to create an encrypted session between a client and a server, your first thought should be to design it as a web service using an HTTPS session, rather than designing a new protocol. HTTPS is a welltested and standard way to create and maintain a specialpurpose VPN connection between a browser and a web server. Don t implement security algorithms yourself. Use the libraries provided with the device. If you need an algorithm that does not come with the device, source it from an established security organization.

WHITE PAPER BEST PRACTICES FOR ENCRYPTION IN ANDROID 4 4. Be very careful when designing systems that use encryption. It is easy to make small mistakes which degrade or even eliminate the security measures. PRACTICES RELATING TO SOFTWARE DESIGN AND DEVELOPMENT: 5. Avoid the use of Java s String class. Everything relating to holding plaintexts, encrypting, decrypting, salts, initialization vectors, seeds, passwords and keys should be done with char arrays or byte arrays. Oracle s Java documentation explains why: Depending on your system requirements, you should request a security professional to review your design and approach. Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead. As a practical matter, Android s EditText field has Strings assigned into it at various points in the implementation. So you cannot follow this best practice and use an Android EditText component to collect a password or plaintext. The string you get back from EditText may remain visible to a process that can dump your memory including interned Strings at some later point. Java solves the problem in its Swing GUI library by having a JPasswordField method that returns a char array, not a String. char [ ] getpassword(); One Android solution is to create a new View based on android.graphics.canvas, with a key listener for accepting individual characters and assembling them into a char[ ]. 6. The UTF-8 character encoding specified for Android restricts the valid values of bytes. The encoding allows up to 4 bytes for a character, in theory supporting 4.2 billion different values, but UTF-8 only has 1.1 million different characters. So the effective keyspace is a lot smaller than the theoretical keyspace. You really have to use high quality key generation algorithms when you use password-based encryption. Android Input Method Editors also make extensive use of Strings, and are thus open to the same vulnerability (postexecution memory dump harvesting of involuntarilyretained interned Strings). Android s character encoding can be problematic in other ways, too. The character encoding used when converting a String into individual bytes is always UTF-8 in Android, but varies among J2SE implementations. Therefore whenever you construct a String, or you get the individual bytes representing a string with String.getBytes(), you should specify the character set to use in translation. If you forget to do this, your code will compile, but fail to work correctly when ported to a J2SE implementation that uses a non-utf-8 character set.

WHITE PAPER BEST PRACTICES FOR ENCRYPTION IN ANDROID 5 7. Use unpredictable Initialization Vectors. Some block cipher modes require an Initialization Vector (IV). The IV is picked at random at the beginning of the encryption process, and it is there to introduce additional randomness into the ciphertext. The IV is typically transmitted to the recipient in a plaintext header prepended to the ciphertext. A different IV must be used for each message. It s acceptable for an attacker to know what IV was used for a particular For example, the use of low message, but the attacker must not be able to predict the IV that will be used in a order digits from the system future message. clock to provide a random The requirement for an unpredictable IV was also overlooked in SSL/TLS prior to number is a common novice version 1.1. In those widespread early versions, the last block of the ciphertext for mistake. If the attacker is on message n was used as the IV for message n+1. The IV was thus completely predictable to an eavesdropper. In summer 2011, this was the basis of a chosen plain- the same machine (generally assumed), he has perfect text man-in-the-middle attack on SSL (a theoretical attack by a couple of security foreknowledge of the values researchers, not an actual onslaught by career criminals). The penetration was coming from the system styled the BEAST attack, for Browser Exploit Against SSL/TLS. You can read clock. more about it in reference 5 below. web browser attacker web server Figure 2 A Man-in-the-middle attack 8. Do not use any message key indefinitely. Keep a count of messages sent using this key and replace each key when it approaches the limit. After sending 2^48 AES blocks with CBC, the probability of decryption shifts too much in favor of an attacker. You must change the key at this point. DES and 3DES require a key change after just 2^16 blocks. This is one of the reasons why AES has

WHITE PAPER BEST PRACTICES FOR ENCRYPTION IN ANDROID 6 a larger block size than older algorithms like DES or 3DES. AES allows you to encrypt significantly more data before you have to change the key. AES has another mode, known as counter mode, that lets you use the same key up to 2^64 times. Developers are gradually transitioning to this slightly more involved counter mode (it requires an additional parameter, known as a number used once, usually abbreviated to nonce). 9. The setseed() method of SecureRandom should only be used to generate predictable runs for testing. It has a common silent failure mode when misused. Class java.security.securerandom is used to generate cryptographically secure pseudo-random numbers. The class has a method setseed() that causes the instance to return a predictable sequence of numbers. DES uses a block size of 8 bytes and requires a key change after 2^16 blocks. So you can only send 65K * 8 bytes (0.5 MB) before a keychange. AES supports 2^48 * 16 bytes (4.5 billion MB) when using CBC mode, before a key change is needed. Many programmers assume from the name that calling setseed() always resets the internal state of the random number generator. In reality, once you have started to receive random numbers by calling nextbytes(), setseed() does not cause a reset. It uses the new seed to augment the randomness produced. The method would be more accurately named something like addmoreentropy(). The misapprehension makes it easy for careless programmers to pass the same arguments to setseed(), but later get an unexpectedly different key back from generatekey(). The use of setseed() outside of testing is generally an indication of faulty design or coding. To reliably generate a copy of a key starting from a password, you should use a PBE (password-based encryption) algorithm. Never use the user password itself as the seed to SecureRandom, as that makes brute force attacks too easy. Use the class java.security.securerandom to generate a seed number or an initialization vector. These seed values don t have to be kept secret, but you must remember them for future use with this message. conclusion As most software developers readily appreciate, the proper use of encryption in mobile software is both subtle and complex. We have reviewed a number of real world examples of flaws that transform a seemingly-secure system into a system which is not resistant to attack, or - even worse - which actively leaks data. The best practices advocated here do not comprise an exhaustive list, but are intended to convey the subtleties of the subject. For acceptable security, software developers are well advised to take college level encryption courses, and use an understanding of the material in their work.

join the motodev for enterprise program The MOTODEV for Enterprise program is designed to make it easy for you to get started developing Android applications for your company and to support you throughout the development lifecycle. As you begin to design mobile apps for your enterprise, you ll find a wealth of technical documentation, training and support for all aspects of Android development, including app security. To sign up for a free account, visit: developer.motorola.com/enterprise. REFERENCES 1. Handbook of Applied Cryptography: the public-spirited authors have made their work available as a free download from http://cacr.uwaterloo.ca/hac/, with a hardcover version available for purchase. Computer security professionals frequently refer to this book, though it does not cover techniques developed in the last decade (like AES). 2. A websearch for online cryptography class will provide many hits, including some free classes that are offered by top US universities. 3. See http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/jcerefguide.html#pbeex to review the admonition about use of Java Strings in cryptographic applications. 4. http://developer.motorola.com/docs/using_the_advanced_encryption_standard_in_android/ - a MOTODEV technical article walking through a coding example using encryption. 5. More details on the 2011 BEAST attack on SSL/TLS can be found at: http://blogs.cisco.com/security/beat-the-beast-with-tls/. developer.motorola.com/enterprise Screen images simulated, enhanced to show detail. MOTOROLA and the Stylized M Logo are registered trademarks of Motorola Trademark Holdings, LLC. Android is a trademark of Google, Inc. All other product and service names are the property of their respective owners. 2012 Motorola Mobility, Inc. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information