This article is the third part of the series, Storing data securely on Android. If you are new to this series or want to read the previous part, click here.
- Storing data securely on Android — Introduction
- Storing data securely on Android — KeyStore Symmetric
- Storing data securely on Android — KeyStore Asymmetric (you’re here)
- Storing data securely on Android — KeyStore Hybrid (soon)
- Storing data securely on Android — Key Derivation (soon)
In the previous article, we reviewed the keystore in Android, and then we talked about generating a symmetric key in keystore with a sample code. IV and its usage were introduced. We investigated encryption and decryption by exploring the code. Finally, a test method was given as a sample of using those functions.
What is the symmetric key problem?
For using a symmetric key in keystore, there is a limitation; you can use the symmetric key just from API ≥23. Android documentation mentions that you can support 62.6% of current Android devices by using API≥23. So what can we do for the rest of the users? One of the answers is using an Asymmetric key.
Generating an Asymmetric Key
In this section, we want to generate an RSA key in AndroidKeyStore with arbitrary alias. Later, we will use this key for encrypting or decrypting data.
This method takes alias as a parameter; it returns keystore entry if an alias exists before by using the containAlias method. Otherwise, it will generate an RSA key.
Because of using the asymmetric key, we should set a certificate for the public key. Above code determined the start date and end date of the certificate. Other items like the subject and the serial number can be filled with arbitrary data. For more information on these items, you can visit this page.
Now we can encrypt the data with the public key of the generated key we have saved.
For using this method, we should pass the cipherAlgorithm like RSA/ECB/PKCS1Padding, plainText, and key. This method returns the ciphertext.
Why are we using the ECB mode in an RSA?
I should notice that Java does not implement ECB with RSA cipher even when you use RSA/ECB/PKCS1Padding. Java only encrypts/decrypts a single block by using the RSA algorithm and ECB is one of the block cipher modes which is being used for ciphers like AES.
Now, we can decrypt the ciphertext with the private key of the generated key pair.
How to use?
For simplicity, I have put those functions into the AsymmetricUtil class and write test methods to verify its behavior. The AsymmetricUtil class is responsible for generating a key, data encryption, and data decryption.
As a sample, this is the result of using the above methods:
plain text = This is a sample text!
cipher text = tsoeQfve4A/bWggZW1p0XS+ABhgb8R8nDRHlONB3zTxDGub9b2LfB11qQgVUBqT6KcHllY8N317lA+yDZ8gEUPYPdmkihTzThvzsvvx6EjJXKpRpoTc33wLIF1RbpsulhbGaNE1tUHGuPOdwiiPy2GqTYUL8yWaJLhWIYyEhfUhV+qHJy3xTO94IA9hFornTTK/GFVS/lsvXGSLfq93ana1F/Pc5Vgerfg7cEDhTg+iVJROrqN7I17Wea09ttDjSht8ZSnpzZMM6HPu8JjZzyswCLj+D5TMWsrZPL4eY9RD0QVZ3Y5dD0zeRNJmAhKkQrZcUj5in0Ajsyu+Lmb6ZCA==
public key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bWu4x54tKZrIPl7uw1qm1WMuYiH93Nhrwr8yHlRXMAhIoBIcN5y8QIOqqiyjnD26ZI0vNA64b2Is69CoOAxNA6GIRH7i4uGnLagUWl2s6KOM+KyhOlFCpB5/T5/9qBGfWDyGhtS6aqzW6b+vuiAOgzXsg1Yi8bBGKb5S4KY0gFWdxBniOABR8sM9S1WRM3Vg5paa4UotgPM8lR1jUuJrUFpXjz+yVgbVYBIIEDY89/WaQf2+dnkvITMdmPq51h5Aj14zl9GIowtvxhxxyDYRT3hkogV5WBa44DHIsSfUxG7V7B2xTwQaGVME0vR9WprvVrYcsVSg7a6kv8HfRRSxQIDAQAB
There is a big problem!
When you use asymmetric ciphers like RSA, your plain text can not be longer than your key size!
For example, in above code, we used RSA 1024, so when you use the above code and try to encrypt a long text or file which is larger than 1024 bits (256 bytes) you will get an exception in the encrypt method which is:
javax.crypto.IllegalBlockSizeException: input must be under 256 bytes
What should we do?
We can combine the symmetric and asymmetric ciphers to surmount the API level restriction and also input length limitation.
In cryptography, the hybrid cryptosystem is one which combines the convenience of an asymmetric cryptosystem with the efficiency of an asymmetric cryptosystem. We will discover hybrid crypto in the next article!
We reviewed the asymmetric crypto in Android, and then we talked about generating an asymmetric key in KeyStore with the sample code. We investigated the encryption and decryption by exploring the code. Finally, a test method was given as a sample of using those functions.
What is Next?
In the next article, I will talk about using the KeyStore with hybrid crypto, which uses both RSA and AES. The following article will cover the mentioned topic entirely with code in Kotlin ✌️.
Thank you for using your time to read this article. Feedback is always much appreciated.
Liked it? Clap 👏 to say “thanks!” and please share it to others. Don’t forget you can clap up to 50 times! ❤