卸载应用程序时，密钥库条目会丢失吗？ [英] Are KeyStore entries lost when the application is uninstalled?

问题描述

我在Android密钥存储区中生成了一个非对称密钥对，如下所示：
我使用公共密钥进行对称密钥包装并将包装的密钥存储到文件中。当我尝试使用私钥解开对称密钥时，我能够在该实例中这样做。重新安装我的应用程序后，我无法获得带有别名的密钥库条目。

I am generating an Asymmetric key pair in the Android key store as below: I have used the public key for symmetric key wrapping and storing the wrapped key to a file. When I try to unwrap symmetric key using the private key, I am able to do so within that instance. Once my application is re-installed, I am unable to get the key store entry with the alias.

KeyPairGenerator kpg = KeyPairGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_RSA,
    "AndroidKeyStore"
);

kpg.initialize(new KeyGenParameterSpec.Builder(
        Constants.KEY_STORE_ALIAS_NAME,
        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
    )
    .setKeySize(Constants.ASYMMETRIC_KEY_LENGTH)
    .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
    .build()
);

keyPair =  kpg.generateKeyPair();

// Code for accessing the key store entry to un wrap the symmetric key
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
KeyStore.Entry entry = ks.getEntry(Constants.KEY_STORE_ALIAS_NAME, null);
PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();

推荐答案

存储在 Android Keystore 是不可提取的。这是一项安全措施

Keys stored in Android Keystore are non-extractable. It is a security measure

安全功能

Android Keystore系统可保护密钥材料免受未经授权的使用。首先，Android密钥库通过防止从应用程序流程和整个Android设备中提取密钥材料，减轻了Android设备外部密钥材料的未授权使用。其次，Android KeyStore通过使应用程序指定其密钥的授权使用，然后在应用程序的流程之外实施这些限制来缓解对Android设备上密钥材料的未授权使用。

Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes

这意味着密钥不能以任何方式成为Android备份服务的一部分。卸载应用程序后，它允许将应用程序数据存储在云中。请参见 HowBackupWorks 。

This means that the keys can not be part of the Android backup service in any way. It allows to store application data on the cloud once the application is uninstalled. See HowBackupWorks.

私钥可能会被提取并存储在云中，甚至在卸载应用程序后仍保留在设备中，这将带来严重的安全风险

It would be a serious security risk that private keys could be extracted and stored in cloud or even that they remain stored in the device when the application has been uninstalled

如果您需要使用一个不依赖于重新安装的加密密钥，您可以使用密钥派生算法从用户密码生成对称密钥

If you need to use an encryption key that does not depend on the reinstallation, you could generate a symmetric key from a user passphrase using a key derivation algorithm

这篇关于卸载应用程序时，密钥库条目会丢失吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！