How to save password on Android

I am looking to understand the Google keystore for storing passwords on a device (https://developer.android.com/training/articles/keystore.html).

This article says: "Use the Keystore Android provider to allow a single application to store its own credentials that only the application can access." This is exactly what I want.

So, I think this will work like this:

1) I will create an RSA key

2) Store PrivateKey in KeyStore

3) Store PublicKey in some SharePrefs

4) Encrypt password using PublicKey

5) Encrypt the password using PrivateKey.

However, I think I'm misunderstanding something, because this article does not show

1) How to save PrivateKey in KeyStore (I do not see an API showing how the keystore added the key)

2) Does not show how to decrypt data using PrivateKey

Also, why does this article say "Use PrivateKey in KeyStore to create a signature on some data"? What does it mean to create a signature on some data? (I want to decrypt data using PrivateKey.) And why does it want to verify the "signature previously made by PrivateKey"?

So, I got lost at this moment ... this article started me in the right place, but then towards the end I got confused about what it was trying to achieve.

Can anyone tell me whether what I'm trying to do makes any sense? Or should I just keep the public and private key in my own db? (There is not much security there, but it's the best I can do with the given requirement of storing the password on the device.)

Thank you very much

Rgds !!!!

+6
1 answer

I quote this line from the section Using Internal Storage (http://developer.android.com/training/articles/security-tips.html): "By default, files created on the internal storage are available only for your application. This protection is implemented by Android and is sufficient for most applications."

Now about encryption: Keystore API handles data encryption. And the keys are used for secure communication, not for storing a password. Passwords are usually irreversible hashes or cards. And it does not require decryption, but it requires only compliance.

For example: for communication, if you send data encrypted by the other party involved in the communication, you need to know what data is necessary for decryption. Therefore, if you sent the message "Hello I'm Crypted", you need to know that you sent the message "Hello I'm Crypted" as a message.

For a password, if you enter some passphrase or passkey, it must be mapped to a stored copy. For example, if "pass123" is your password, which is stored as "rdi # $$ +! @ / B", then when you enter the password and the process runs the algorithm, the result must match the stored value and you are authenticated; generating "pass123" again is not required.

So, for your application, you can use some kind of mechanism (which generates an almost unique and irreversible hash) to generate a unique key / hash when entering a password, and then save it in your application data.

+2

Source: https://habr.com/ru/post/987237/

