Differences
This shows you the differences between two versions of the page.
|
smd:laboratoare:08 [2021/04/29 12:59] alexandru.chirvase [Application signing] |
smd:laboratoare:08 [2021/05/13 19:51] (current) adriana.draghici [Lab 8 - Cryptography 2] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab 8 - Cryptography 2 ====== | ====== Lab 8 - Cryptography 2 ====== | ||
| - | <note important>This page hasn't been updated yet for the 2021 semester and may contain outdated information</note> | ||
| ===== Objectives ===== | ===== Objectives ===== | ||
| * Protect the app's APK using signing | * Protect the app's APK using signing | ||
| * Use Android's KeyStore to generate and store cryptographic keys and use them to sign an app | * Use Android's KeyStore to generate and store cryptographic keys and use them to sign an app | ||
| - | * Verify message integrity using HMAC(hash-based message authentication code) | + | * Verify message integrity using HMAC (hash-based message authentication code) |
| * generate HMAC to sign a message | * generate HMAC to sign a message | ||
| * verify HMAC to check that the received message was not modified | * verify HMAC to check that the received message was not modified | ||
| Line 11: | Line 10: | ||
| ===== Application signing ===== | ===== Application signing ===== | ||
| - | If you want to install an application on Android, the //apk// must be digitally signed with a certificate. For example, when you test your application on the emulator, Android Studio signs the apk with a debug certificate. The first time when you run or [[https://developer.android.com/studio/publish/app-signing#debug-mode|debug a project in Android Studio]], a debug keystore and certificate is automatically created using the Android SDK tools in **$HOME/.android/debug.keystore**. Also the keystore is initialized and the key password are set. | + | If you want to install an application on Android, the //apk// must be digitally signed with a certificate. For example, when you test your application on the emulator, Android Studio signs the apk with a debug certificate. The first time when you run or [[https://developer.android.com/studio/publish/app-signing#debug-mode|debug a project in Android Studio]], a debug keystore and certificate is automatically created using the Android SDK tools in **$HOME/.android/debug.keystore**. Also the keystore is initialized and the key password is set. |
| As a security measure the debug certificate needs to be used only for testing and for debug builds. This certificate is not secure for using on app stores. | As a security measure the debug certificate needs to be used only for testing and for debug builds. This certificate is not secure for using on app stores. | ||
| Line 56: | Line 55: | ||
| ==== Task 3 - Generate and Verify HMAC (4p) ==== | ==== Task 3 - Generate and Verify HMAC (4p) ==== | ||
| + | |||
| + | <note tip> | ||
| + | Hash-based message authentication code (HMAC) is a mechanism for verifying the authenticity and integrity of a message. | ||
| + | You can compute it using a hashing crypto algorithm (e.g. SHA-2 family HMAC) and a secret symmetric key. In Android you can use the standard Java API (javax.crypto) for computing it. | ||
| + | </note> | ||
| Add an activity to the project. Include an **EditText** and a **Button** in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (**putExtra**). In the second activity, get the message from the Intent and display it in the **TextView**. | Add an activity to the project. Include an **EditText** and a **Button** in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (**putExtra**). In the second activity, get the message from the Intent and display it in the **TextView**. | ||
| Line 61: | Line 65: | ||
| In the first activity generate a symmetric key using [[https://developer.android.com/reference/javax/crypto/KeyGenerator|KeyGenerator]] for //HmacSha256// algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using [[https://developer.android.com/reference/javax/crypto/Mac.html|MAC]] with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC. If the HMAC is valid (equal with the recomputed one), Display the message "Data is unmodified". | In the first activity generate a symmetric key using [[https://developer.android.com/reference/javax/crypto/KeyGenerator|KeyGenerator]] for //HmacSha256// algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using [[https://developer.android.com/reference/javax/crypto/Mac.html|MAC]] with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC. If the HMAC is valid (equal with the recomputed one), Display the message "Data is unmodified". | ||
| - | <note important>Send data and HMAC as byte arrays in the Intent. Use Arrays.equals() for byte arrays comparison.</note> | + | Send the data and HMAC as byte arrays in the Intent. Use Arrays.equals() for byte arrays comparison. |
| + | |||
| + | <code Java> | ||
| + | String secret = "secret"; | ||
| + | String message = "important message"; | ||
| + | |||
| + | Mac sha256HMAC = Mac.getInstance("HmacSHA256"); | ||
| + | SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(),"HmacSHA256"); | ||
| + | sha256HMAC.init(secretkey); | ||
| + | byte[] secretMessageBytes = sha256HMAC.doFinal(message.getBytes()) | ||
| + | </code> | ||
| + | |||
| + | |||
| ==== Useful Links ==== | ==== Useful Links ==== | ||
