Secure data in Android — Encryption

Yakiv Mospan
Published in ProAndroidDev
4 min read · Oct 21, 2017

This article is part of the “Secure data in Android” series:

  1. Encryption
  2. Encryption in Android (Part 1)
  3. Encryption in Android (Part 2)
  4. Encrypting Large Data
  5. Initialization Vector
  6. Key Invalidation
  7. Fingerprint
  8. Confirm Credentials

These articles describe the topics of the “Secure data in Android” workshop. A sample application with full code snippets is available on GitHub.

Table of Contents

  • Encryption
  • Algorithm Types
  • Modes & Paddings
  • Key Types
  • What's Next
  • Security Tips

Encryption

Encryption is the most effective way to achieve data security, and this article series mostly focuses on it.

To read encrypted data, you must have access to a secret key or password that allows you to decrypt it. Unencrypted data is called plain data (plain text); encrypted data is referred to as cipher data (cipher text).

Overall, encryption works as follows:

You have plain data, which could be sensitive information (such as personal life information, physical or mental health details, criminal or civil offenses, private photos, private user documents, etc.), financial information (such as accounts, transactions, reports, credit card information, etc.) and, of course, credentials (usernames, passwords, touch pin-codes, fingerprint data, and anything else that can provide access to the data above).

Then, based on some algorithm, you create a special key and use it to create cipher data.

For example, take a simple algorithm: replace every symbol in a word with something. And a key: something is the next symbol in the alphabet:

Algorithm: replace every symbol in a word with something
Key: something is the next symbol in the alphabet
Plain Data (Input): "Hello World"
Cipher Data (Output): "ifmmp xpsme"
Symbol Mask:
h -> i
e -> f
l -> m
o -> p
w -> x
r -> s
d -> e

Of course, everything works the other way around too: if you have cipher data, know the algorithm and have the key, you can get the original plain data with ease.

Algorithm Types

Above, we saw a very basic example of encryption. Modern algorithms are more complex and are divided into Symmetric and Asymmetric (there are also Hash Functions, which do not require a key and will not be reviewed in this article).

Symmetric — the oldest and best-known technique. The encryption key and the decryption key are the same. Symmetric algorithms are generally categorized as either stream ciphers or block ciphers.

The most common symmetric algorithm is AES: the Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Asymmetric — a modern branch of cryptography, also known as public-key cryptography, in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.

The most common Asymmetric algorithm is RSA — a public-key encryption algorithm and the standard for encrypting data sent over the internet.

Stream cipher — a symmetric encryption algorithm that processes the data a bit or a byte at a time with a key, resulting in randomized cipher data or plain data.

Block cipher — a deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

Modes & Paddings

Block ciphers have different Modes and Paddings that increase their protection level.

Modes — a mode of operation describes how to repeatedly apply a cipher’s single-block operation to securely transform amounts of data larger than a block.

Padding — a block cipher works on units of a fixed size (known as the block size), but messages come in a variety of lengths, so some modes (namely ECB and CBC) require that the final block be padded before encryption.

The most common modes are:

ECB — Electronic Codebook, the simplest of the encryption modes. The message is divided into blocks, and each block is encrypted separately.

CBC — Cipher Block Chaining, each cipher data block depends on all plain data blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.
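The difference between the two modes, and the effect of padding, can be seen with the JCA API that the next article in the series introduces. This is an added example, not code from the article or its sample application; the class name ModesDemo and the sample plain data are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ModesDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // True when the first two cipher data blocks are byte-for-byte identical.
    static boolean firstTwoBlocksEqual(byte[] cipherData) {
        return Arrays.equals(Arrays.copyOfRange(cipherData, 0, BLOCK),
                             Arrays.copyOfRange(cipherData, BLOCK, 2 * BLOCK));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey key = generator.generateKey();

        // Constructed sample: the same 16-byte record twice, i.e. two identical blocks.
        byte[] plain = "user=alice;id=01user=alice;id=01".getBytes(StandardCharsets.US_ASCII);

        // ECB: every block is encrypted separately, so equal plain blocks stay equal.
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] ecbData = ecb.doFinal(plain);

        // CBC: a fresh random IV feeds the first block and each block chains into the next.
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] cbcData = cbc.doFinal(plain);

        System.out.println("ECB repeats blocks: " + firstTwoBlocksEqual(ecbData));
        System.out.println("CBC repeats blocks: " + firstTwoBlocksEqual(cbcData));
        // Padding: 32 input bytes already fill two blocks, so a whole padding block is appended.
        System.out.println("plain=" + plain.length + " bytes, cipher=" + cbcData.length + " bytes");

        // Decryption needs the same key and the same IV (the IV is not secret; store it with the data).
        cbc.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] recovered = cbc.doFinal(cbcData);
        System.out.println("round trip ok: " + Arrays.equals(plain, recovered));
    }
}
```

Under ECB the repeated record encrypts to the same cipher block, so patterns in the plain data stay visible in the cipher data; under CBC with a random IV they do not.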

But just because an algorithm is not symmetric does not mean it cannot have modes and paddings. For instance, the RSA algorithm can be used with ECB mode and PKCS1Padding.

Key Types

There are three key types: Secret key, Private key and Public key.

Secret key — a single secret key which is used in conventional symmetric encryption to encrypt and decrypt a message.

Private key — the secret component of a pair of cryptographic keys used for decryption in asymmetric cryptography.

Public key — the public component of a pair of cryptographic keys used for encryption in asymmetric cryptography.

Together, the Public and Private keys form a public-private cryptographic Key Pair.
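The three key types in use through JCA, including the RSA transformation with ECB mode and PKCS1Padding mentioned in the Modes & Paddings section. This is an added example, not code from the article or its sample application; the class name KeyTypesDemo and the sample message are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

public class KeyTypesDemo {
    public static void main(String[] args) throws Exception {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Secret key (symmetric): the same key object encrypts and decrypts.
        KeyGenerator aesGenerator = KeyGenerator.getInstance("AES");
        aesGenerator.init(256);
        SecretKey secretKey = aesGenerator.generateKey();
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, secretKey); // no IV passed: the provider generates a random one
        byte[] iv = aes.getIV();
        byte[] aesData = aes.doFinal(message);
        aes.init(Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(iv));
        System.out.println("AES round trip: " + Arrays.equals(message, aes.doFinal(aesData)));

        // Key pair (asymmetric): the public key encrypts, only the private key decrypts.
        // PKCS1Padding is used because the article names it; OAEP is preferred for new designs.
        KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
        rsaGenerator.initialize(2048);
        KeyPair keyPair = rsaGenerator.generateKeyPair();
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        byte[] rsaData = rsa.doFinal(message);
        rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
        System.out.println("RSA round trip: " + Arrays.equals(message, rsa.doFinal(rsaData)));

        // Despite "ECB" in the name, RSA handles a single block: with a 2048-bit key and
        // PKCS1Padding at most 256 - 11 = 245 bytes fit. The exception type varies by provider.
        rsa.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        try {
            rsa.doFinal(new byte[246]);
            System.out.println("246 bytes accepted");
        } catch (GeneralSecurityException | RuntimeException e) {
            System.out.println("246 bytes rejected: " + e.getClass().getSimpleName());
        }
    }
}
```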

What's Next

In the next article of the “Secure data in Android” series, Encryption in Android (Part 1), we will learn that:

Android builds on the Java Cryptography Architecture (JCA), which provides APIs for digital signatures, certificates, encryption, key generation and management…

Security Tips

In general, we recommend minimizing the frequency of asking for user credentials — to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.

Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.

“Try to avoid storing private user data as much as possible.”

More about encryption you can learn at:


Android Developer at Temy. Author. Contributor. Love what I do, working hard to become better and, of course, not forgetting to make some fun.