Differences

This shows you the differences between two versions of the page.

smd:laboratoare:08 [2019/03/06 15:02]
adriana.draghici removed
smd:laboratoare:08 [2021/05/13 19:51] (current)
adriana.draghici [Lab 8 - Cryptography 2]
Line 1: Line 1:
-===== Lab 08. Secure Protocols ​=====+====== Lab 8 - Cryptography 2 ======
  
 +===== Objectives =====
 +   * Protect the app's APK using signing
 +   * Use Android'​s KeyStore to generate and store cryptographic keys and use them to sign an app
 +   * Verify message integrity using HMAC (hash-based message authentication code)
 +     * generate HMAC to sign a message
 +     * verify HMAC to check that the received message was not modified
  
-=== Task 1 - Fetch web page through HTTPS (3p) ===+===== Application signing =====
  
-Create ​an application ​that downloads ​web page through HTTPSThe activity includes an EditText, a Button and a TextView. The user introduces an URL and clicks on the button to obtain ​the contents of the web page+If you want to install ​an application ​on Android, the //apk// must be digitally signed with certificateFor examplewhen you test your application on the emulator, Android Studio signs the apk with debug certificate. The first time when you run or [[https://​developer.android.com/​studio/​publish/​app-signing#​debug-mode|debug a project in Android Studio]], a debug keystore ​and certificate is automatically created using the Android SDK tools in **$HOME/​.android/​debug.keystore**. Also the keystore is initialized and the key password is set.  
 +  
 +As a security measure the debug certificate needs to be used only for testing and for debug builds. This certificate is not secure for using on app stores.
  
-Steps: +For later runs/debugs Android Studio automatically stores ​the debug signing configuration so that we do not need to enter it every time we launch ​the app. The signing configuration contains the keystore location //​$HOME/​.android/​debug.keystore//​//keystore password//, //key name// and //key password//. This debug signing configuration used at run/debug is not available ​for editing. You can create a signing config ​for your release builds.
-  * When the Button is clicked, check network connectivity through ​the **ConnectivityManager** +
-  * Thenperform network operations in an **AsyncTask** +
-  * Use **HttpsURLConnection** ​for performing HTTPS GET requests +
-  * Get associated **InputStream** ​for receiving the reply +
-  * The reply is displayed in the TextView+
  
-HintSee task 1 from lab 3 and adapt it to use **HttpsURLConnection**.+Steps for generating and uploading key and keystore: 
 +  - Go to **Build > Generate Signed Bundle/​APK** 
 +  - Select **APK** 
 +  - Under Key store path choose **Create new** 
 +  - Complete the fields ​and then continue with the signing steps below 
 +   
 +From here we continue ​to sign the app with the key stored in the newly created keystore. You can skip the first two steps if you are already in the window at the 3rd step: 
 +  - **Build -> Generate Signed Bundle/APK** 
 +  - In the **Generate Signed Bundle/​APK** choose **APK** 
 +  - The app module should be selected if not choose it or choose a module from the drop down 
 +  - Enter the path to your keystore, the alias for the key and the passwords for keystore and key 
 +  - Enter destination folder for the signed app, enter the release build type, choose the flavor 
 +  - Choose the [[https://​source.android.com/​security/​apksigning#​v2|APK Signature version]] your app to support - v2 for Android 7.0+ 
 +  - Finish
  
-Test using different HTTPS URLS (e.q. https://www.google.com/). Then test with different subdomains from https://badssl.com/ (with valid and invalid certificates).+For more details on application signing and distribution check [[https://developer.android.com/studio/publish/app-signing|App Signing]]
  
-Resources: ​ 
-  * https://​developer.android.com/​training/​basics/​network-ops/​connecting.html 
-  * https://​developer.android.com/​training/​articles/​security-ssl.html 
  
-=== Task 2 - Display system trust store (3p) ===+===== Tasks =====
  
-The Android system includes a system (default) trust store, which includes a list of trusted Certificate Authorities (CAs). 
  
-Modify ​the previous ​application ​in order to display the system trust store using **TrustManager**.  ​+==== Task 1 - Sign the application ​(3p) ====
  
-Steps: +In this task will see how Android applications are signed:
-  * Obtain an instance of **TrustManagerFactory** and initialize it +
-  * Obtain an instance of the first **TrustManager** (**X509TrustManager**) +
-  * Display information about each trust anchor (**X509Certificate**)+
  
-Resources: ​ +  * Create a new application (with an empty activity). ​ 
-  * http://​nelenkov.blogspot.ro/​2011/​12/​using-custom-certificate-trust-store-on.html+  * Using the steps presented in the lab create a key and keystore and generate the signed APK of the application 
 +  * Use adb tool to install the APK.
  
-=== Task Use a custom trust store (4p) ===+==== Task Signing configuration ​(3p====
  
-The previous application ​will not be able to fetch web pages on server with certificate that is issued by an unknown CAFor example: ​https://untrusted-root.badssl.com/, which uses  certificate which is not trusted by Android ​by defaultExtend ​the application ​in order to be able to access this URL, by loading ​and using a custom trust store.+In this task will create ​signing configuration for different build types. 
 +  - Create ​release signing configuration with the data from Task 1[[https://developer.android.com/studio/​publish/​app-signing#​sign-auto|Auto sign]] 
 +  - Build a release version when pressing Run. Check **Build** -> **Select Build Variant** view from Android ​Studio. 
 +  - Create a release signing configuration using a new key.   
 +  - Sign the application ​wth the new release config ​and use adb to install the signed apkYou should install the new signed apk on top of the one from item #2. What happens with the application?​
  
-Steps: 
-  * Save website certificate from your browser 
-  * Put the certificate in **res/​raw/​** 
-  * Load trusted CAs from file 
-  * Create a **KeyStore** object and insert the trusted CAs 
-  * Obtain an instance of **TrustManagerFactory** and initialize it 
-  * Obtain an instance of **SSLContext** and initialize it 
-  * Create an **URL** object 
-  * Obtain an **HttpsURLConnection** 
-  * Configure the HttpsURLConnection to use the **SocketFactory** from the **SSLContext** 
-  * Read from an **InputStream** 
  
-Resources: ​ +==== Task 3 - Generate and Verify HMAC (4p) ==== 
-  * https://​developer.android.com/​training/articles/security-ssl.html+ 
 +<note tip> 
 +Hash-based message authentication code (HMAC) is a mechanism for verifying the authenticity and integrity of a message.  
 +You can compute it using a hashing crypto algorithm (e.g. SHA-2 family HMAC) and a secret symmetric key. In Android you can use the standard Java API (javax.crypto) for computing it. 
 +</​note>​ 
 + 
 +Add an activity to the project. Include an **EditText** and a **Button** in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (**putExtra**). In the second activity, get the message from the Intent and display it in the **TextView**.  
 + 
 +In the first activity generate a symmetric key using [[https://​developer.android.com/​reference/javax/crypto/​KeyGenerator|KeyGenerator]] for //​HmacSha256//​ algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using [[https://​developer.android.com/​reference/​javax/​crypto/​Mac.html|MAC]] with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC. If the HMAC is valid (equal with the recomputed one), Display the message "Data is unmodified"​.  
 + 
 +Send the data and HMAC as byte arrays in the Intent. Use Arrays.equals() for byte arrays comparison. 
 + 
 +<code Java> 
 + ​String secret = "​secret";​ 
 + ​String message = "​important message";​ 
 + 
 + Mac sha256HMAC = Mac.getInstance("​HmacSHA256"​);​ 
 + ​SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(),"​HmacSHA256"​);​ 
 + ​sha256HMAC.init(secretkey);​ 
 + ​byte[] secretMessageBytes = sha256HMAC.doFinal(message.getBytes()) 
 +</​code>​ 
 + 
 + 
 + 
 + 
 +==== Useful Links ==== 
 +  * [[smd:​laboratoare:​07|Lab 7]] 
 +  * [[smd:​cursuri:​06|Lecture 6 - Cryptographic Providers Section]] 
 +  * [[https://​proandroiddev.com/​security-best-practices-symmetric-encryption-with-aes-in-java-7616beaaade9|Security Best Practices: Symmetric Encryption with AES in Java and Android]] 
  
  
  
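Review bot: The Java sample added under Task 3 does not compile as written: `sha256HMAC.init(secretkey);` refers to `secretkey`, but the variable is declared as `secretKey`, and the `doFinal(message.getBytes())` line has no terminating semicolon. Both should be fixed so the snippet can be pasted into the lab project. The sample also builds its key from the literal `"secret"` via `secret.getBytes()`, while the task text asks for a key generated with KeyGenerator and shared through the Singleton; aligning the sample with the text (or stating that the literal is a placeholder) would avoid students shipping a hard-coded key. Calling `getBytes()` without a charset depends on the platform default, so passing an explicit charset on both the key and message conversions makes the sender and verifier hash identical bytes. The instruction to compare tags with `Arrays.equals()` is worth reconsidering: `MessageDigest.isEqual()` is the usual choice for MAC comparison because it does not stop at the first differing byte. Minor wording in the same change: "In this task will see" and "In this task will create" are missing "you", and "wth" in Task 2 step 4 should be "with".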
smd/laboratoare/08.1551877376.txt.gz · Last modified: 2019/03/06 15:02 by adriana.draghici
CC Attribution-Share Alike 3.0 Unported