Geek Answers Handbook

Vaguely about how Android Encryption works

Ok, I'm working on an application, and I want to save the file to the user's SD card, but I want the file to be encrypted. I have researched several sites that use DES encryption to encrypt files and data, but I'm confused with something. All the examples I've seen use the following line:

SecretKey key = KeyGenerator.getInstance("DES").generateKey();

The problem that I am facing is that I get my key for encryption and obviously I need the same key for decryption. But this seems like a paradox, because if I save my key in a file or in a database, can someone get the key and decrypt my file? Maybe I'm missing something, but is there a way to generate a key using the provided missing phrase? And why does someone not want to use the passkey if they have to store the generated key in another place?

+4
source share
3 answers

I think there are two cases:

  • You trust the user - let the key depend on some input (password / passphrase). and encrypt / decrypt data with it.

  • You do not trust the user - then you have problems, you can confuse the encryption / decryption algorithm, but as long as the mechanism key + is stored on the device, you will have this problem.

This applies to both symmetric and asymmetric encryption.

+1
source

First of all, do not use DES. It has been destroyed since many years. Use AES instead.

The problem I am facing is that I get my key for encryption and obviously I need the same key for decryption.

If you use symmetric cryptography techniques, this is it. Otherwise, pay attention to asymmetric encryption .

But this seems like a paradox, because if I save my key in a file or in a database, someone cannot get the key and decrypt my file?

Yes, someone could do it.

 Maybe I am missing something, but is there a way to generate a key using a supplied pass phrase?

The key is not used using the passphrase. Usually you do the following:

  • key generation
  • encrypt a key generated using a symmetric key obtained from a passphrase

And why does someone not want to use the passkey if they have to store the generated key in another place?

There may be several reasons. For example, you can save the key on a removable device, and you just want to connect it to the computer to extract the key without entering a passphrase. The lack of a passphrase also has a drawback: the passphrase must be remembered, you can guess if it takes too long, maybe you will write it down (and this is the same, and then save it in a file)

EDIT:

to generate a password key, see PBKDF2 ( linked post ).

+1
source

Yes, you can use a passphrase for encryption.

But first, reset the DES. Use AES-128.

Receive a passphrase from the user and generate a hash using SHA-256 or SHA-512. Trim the hash to 128 bits for AES-128. Refer to this post.

Java AES and using my own key

Use salt when you can.

Regarding the storage of the password part. Store a hash, not a password. Thus, you can prevent an attacker from generating a key. Ask the user to enter a strong password. And do not forget that your salt must also be very strong.

So, in the end you save only the password hash. The password is not saved and the decryption key will not be saved (it will be generated at runtime)

Hope this helps.

0
source

More articles:


All Articles