How to save a secret key securely in Android


Question

I just read this article http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html where I learnt to generate a security key.

I want to know how to save this generated key securely so hackers won't get it even if the phone is rooted.

If we save this in SharedPreferences or storage, then a hacker can get it.

Thanks.

Answer

This is the overall problem with keeping access to sensitive data. There is always a way to decrypt, and then the encryption key might leak.

You might use EncryptedPreferences to store simple data in an encrypted way.

However, just a quick look into the source code reveals that you must pass a password on app init.

EncryptedPreferences encryptedPreferences = new EncryptedPreferences.Builder(this).withEncryptionPassword("password").build();

This is a security leak if the password is hardcoded. This is not the preferred method.

You might make use of the link you provided and generate a One-time pad.

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public static SecretKey generateKey() throws NoSuchAlgorithmException {
    // Generate a 256-bit AES key
    final int outputKeyLength = 256;

    SecureRandom secureRandom = new SecureRandom();
    // Do *not* seed secureRandom! Automatically seeded from system entropy.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(outputKeyLength, secureRandom);
    // Fresh random key material each call; persist it if it must survive restarts
    SecretKey key = keyGenerator.generateKey();
    return key;
}

Of course, an ideal situation is taken into account, where the key-generating function is ideally random.

Generate this key on first application start and use it in the library whose link I provided before.

Advantage: the key is different for each application installation. That means that if the cracker got to know how the cipher works, he is still unable to decrypt other devices as long as he does not have access to such a device's SharedPreferences.
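The first-start procedure from the answer put together as an added example, not code from the answer or from the EncryptedPreferences project: a per-install AES key is generated once, persisted Base64-encoded in an app-private SharedPreferences file, and handed to EncryptedPreferences.Builder in place of a hardcoded password. The library package name, the file and entry names, and the synchronized guard against two first-run callers racing to different keys are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;

import com.pddstudio.preferences.encrypted.EncryptedPreferences; // package assumed

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class PerInstallKey {
    private static final String KEY_FILE = "install_key_prefs"; // assumed file name
    private static final String KEY_ENTRY = "install_key";      // assumed entry name

    // Returns the per-install key, generating it on the very first launch only.
    // synchronized so two early callers cannot both see "missing" and create two keys.
    public static synchronized String getOrCreate(Context ctx)
            throws NoSuchAlgorithmException {
        SharedPreferences prefs =
                ctx.getSharedPreferences(KEY_FILE, Context.MODE_PRIVATE);
        String existing = prefs.getString(KEY_ENTRY, null);
        if (existing != null) {
            return existing;
        }
        // First start: 256-bit AES key from an unseeded SecureRandom, as in the answer.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        SecretKey key = kg.generateKey();
        String encoded = Base64.encodeToString(key.getEncoded(), Base64.NO_WRAP);
        // commit() rather than apply(): the key must be on disk before it is used,
        // otherwise a crash right after first use leaves data nobody can decrypt.
        prefs.edit().putString(KEY_ENTRY, encoded).commit();
        return encoded;
    }

    // Builds EncryptedPreferences with the per-install key instead of "password".
    public static EncryptedPreferences open(Context ctx) throws NoSuchAlgorithmException {
        return new EncryptedPreferences.Builder(ctx)
                .withEncryptionPassword(getOrCreate(ctx))
                .build();
    }
}
```

The key still sits in the app's private storage, which is exactly the limit the answer states: a reader with root, or with a copy of that device's SharedPreferences, can recover it, so this buys per-install uniqueness rather than protection against a rooted phone.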
