Aug 14, 2016 I’m not going to get into the reasons why you should create a self sign certificate programmatically inside your android app. Security experts always tend. Copy the public key /tmp/idrsadroid.pub on your ssh server and add in to the /.ssh/authorizedkeys file: cat idrsadroid.pub /.ssh/authorizedkeys Copy the private key /tmp/idrsadroidto your phone and import it in your Password Store app through the settings. From OpenKeychain. Generate or import a GPG key as normal in OpenKeychain.
The integrity of the fingerprint authentication results is important to an application – it is how the application knows the identity of the user. It is theoretically possible for third-party malware to intercept and tamper with the results returned by the fingerprint scanner. This section will discuss one technique for preserving the validity of the fingerprint results.
FingerprintManager.CryptoObject is a wrapper around the Java cryptography APIs and is used by the
FingerprintManager to protect the integrity of the authentication request. Typically, a
Javax.Crypto.Cipher object is the mechanism for encrypting the results of the fingerprint scanner. The
Cipher object itself will use a key that is created by the application using the Android keystore APIs.
Advantages Of Private Key Encryption
To understand how these classes all work together, let's first look at the following code which demonstrates how to create a
CryptoObject, and then explain in more detail:
The sample code will create a new
Cipher for each
CryptoObject, using a key that was created by the application. The key is identified by the
KEY_NAME variable that was set in the beginning of the
CryptoObjectHelper class. The method
GetKey will try and retrieve the key using the Android Keystore APIs. If the key does not exist, then the method
CreateKey will create a new key for the application.
The cipher is instantiated with a call to
Cipher.GetInstance, taking a transformation (a string value that tells the cipher how to encrypt and decrypt data). The call to
Cipher.Init will complete the initialization of the cipher by providing a key from the application.
It is important to realize that there are some situations where Android may invalidate the key:
- A new fingerprint has been enrolled with the device.
- There are no fingerprints enrolled with the device.
- The user has disabled the screen lock.
- The user has changed the screen lock (the type of the screenlock or the PIN/pattern used).
When this happens,
Cipher.Init will throw a
KeyPermanentlyInvalidatedException. The above sample code will trap that exception, delete the key, and then create a new one.
The next section will discuss how to create the key and store it on the device.
Creating a Secret Key
CryptoObjectHelper class uses the Android
KeyGenerator to create a key and store it on the device. The
KeyGenerator class can create the key, but needs some meta-data about the type of key to create. This information is provided by an instance of the
KeyGenerator is instantiated using the
GetInstance factory method. The sample code uses the Advanced Encryption Standard (AES) as the encryption algorithm. AES will break the data up into blocks of a fixed size and encrypt each of those blocks.
KeyGenParameterSpec is created using the
KeyGenParameterSpec.Builder wraps the following information about the key that is to be created:
- The name of the key.
- The key must be valid for both encrypting and decrypting.
- In the sample code the
BLOCK_MODEis set to Cipher Block Chaining (
KeyProperties.BlockModeCbc), meaning that each block is XORed with the previous block (creating dependencies between each block).
CryptoObjectHelperuses Public Key Cryptography Standard #7 (PKCS7) to generate the bytes that will pad out the blocks to ensure that they are all of the same size.
SetUserAuthenticationRequired(true)means that user authentication is required before the key can be used.
KeyGenParameterSpec is created, it is used to initialize the
KeyGenerator, which will generate a key and securely store it on the device.
Using the CryptoObjectHelper
Now that the sample code has encapsulated much of the logic for creating a
CryptoWrapper into the
CryptoObjectHelper class, let's revisit the code from the start of this guide and use the
CryptoObjectHelper to create the Cipher and start a fingerprint scanner:
Now that we have seen how to create a
CryptoObject, lets move on to see how the
FingerprintManager.AuthenticationCallbacks are used to transfer the results of fingerprint scanner service to an Android application.
Generate Private Key Android
Generate a ssh key for your git repo
From the application
- Go to settings > Generate SSH key pair
- Select the key size (length)
- Set the passphrase (optional) and a comment (optional)
- Press Generate
- Press Copy to copy the public key and add it to your ssh server
From a terminal
- Generate the private and public key:
- Copy the public key
/tmp/id_rsa_droid.pubon your ssh server and add in to the
- Copy the private key
/tmp/id_rsa_droidto your phone and import it in your Password Store app through the settings.
- Generate or import a GPG key as normal in OpenKeychain
- Check if there is already an authentication sub-key by opening the relevant key, then navigating to the 'Advanced' menu > 'Subkeys' tab. The icon for authentication looks like an ID card.
- If necessary, generate a new authentication subkey by clicking the 'Edit' (pencil) button > 'Add' (blue plus), and selecting 'Authentication' for the usage. Click 'OK' then 'Save' (in the top right) if everything looks good.
- You may then obtain the public key by clicking one of the 'Share as SSH public key' buttons on the 'Share' tab. This is what you need to add to your
~/.ssh/authorized_keysfile, as a new line
- To log in using the private key, select 'OpenKeychain' as your authentication mode when cloning, then select your GPG key when prompted
Generate Private Key In Android App
Clone this wiki locally