How to securely store encryption keys in Android?


Problem description

I want to know how to securely store encryption keys in Android. What is the best scenario to protect encryption and secret keys?

Recommended answer

From your comments, you need to encrypt data using a local key for current Android versions and the old ones.

Android Keystore is designed to generate and protect your keys. But it is not available for API levels below 18, and it has some limitations until API level 23.

You will need a random symmetric encryption key, for example AES. The AES key is used to encrypt and decrypt your data. I'm going to summarize your options to generate and store it safely depending on Android API level.

  • API Level < 18: Android Keystore not present. Request a password from the user and derive an encryption key from the password. The drawback is that you need to prompt for the password when the application starts. The encryption key is not stored in the device; it is calculated each time the application is started, using the password.

  • API Level >= 18 and < 23: Android Keystore available without AES support. Generate a random AES key using the default cryptographic provider (not using AndroidKeystore). Generate an RSA key pair in Android Keystore, and encrypt the AES key using the RSA public key. Store the encrypted AES key in Android SharedPreferences. When the application starts, decrypt the AES key using the RSA private key.

  • API Level >= 23: Android Keystore available with AES support. Generate a random AES key in Android Keystore. You can use it directly.

To encrypt you can use the AES/CBC/PKCS7Padding algorithm. It also requires a random initialization vector (IV) to encrypt your data, but it can be public.

Alternatives:

  • API level > 14: Android KeyChain: KeyChain is a system-wide credential storage. You can install certificates with private keys that can be used by applications. Use a preinstalled key to encrypt/decrypt your AES key as shown in the second case above.

  • External token: The protected keys are not stored in the device. You can use an external token containing a private/public key pair that allows you to encrypt the AES key. The token can be accessed using Bluetooth or NFC.
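The two Keystore-backed cases from the answer, worked through as one class. This is an added example written for this page, not code from the answer's author: on API 23+ it generates the AES key inside AndroidKeyStore, and on API 18 to 22 it generates a software AES key, wraps it with an RSA key pair held in AndroidKeyStore and keeps the wrapped blob in SharedPreferences, unwrapping it on the next start. Data is encrypted with AES/CBC/PKCS7Padding and a provider-generated random IV that is stored in clear in front of the ciphertext. The aliases, preference names and the 25-year RSA certificate validity are assumptions; the password-derived path for API < 18 is not included.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.util.Calendar;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;

/** Added example (not from the original answer): per-API-level handling of the AES data key. */
public final class DataKeyStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String AES_ALIAS = "data_key";          // assumed alias
    private static final String RSA_ALIAS = "data_key_wrapper";  // assumed alias
    private static final String PREFS = "crypto_prefs";          // assumed prefs file
    private static final String PREF_WRAPPED = "wrapped_aes";    // assumed pref name
    private static final int IV_LEN = 16;                        // AES block size

    private final Context ctx;
    public DataKeyStore(Context ctx) { this.ctx = ctx.getApplicationContext(); }

    /** Returns the AES data key, creating it on first use. */
    public SecretKey getDataKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // API 23+: the AES key lives in the Keystore; its material is never handed to the app.
            if (!ks.containsAlias(AES_ALIAS)) {
                KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
                kg.init(new KeyGenParameterSpec.Builder(AES_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                        .setKeySize(256).build());
                kg.generateKey();
            }
            return (SecretKey) ks.getKey(AES_ALIAS, null);
        }
        // API 18-22: software AES key, wrapped by a Keystore RSA key, stored in SharedPreferences.
        if (!ks.containsAlias(RSA_ALIAS)) {
            Calendar start = Calendar.getInstance();
            Calendar end = Calendar.getInstance();
            end.add(Calendar.YEAR, 25);                          // assumed certificate validity
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", KEYSTORE);
            kpg.initialize(new KeyPairGeneratorSpec.Builder(ctx)
                    .setAlias(RSA_ALIAS)
                    .setSubject(new X500Principal("CN=" + RSA_ALIAS))
                    .setSerialNumber(BigInteger.ONE)
                    .setStartDate(start.getTime()).setEndDate(end.getTime()).build());
            kpg.generateKeyPair();
        }
        KeyStore.PrivateKeyEntry rsa = (KeyStore.PrivateKeyEntry) ks.getEntry(RSA_ALIAS, null);
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        String stored = prefs.getString(PREF_WRAPPED, null);
        if (stored == null) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");   // default provider: random key
            kg.init(256);
            SecretKey aes = kg.generateKey();
            rsaCipher.init(Cipher.ENCRYPT_MODE, rsa.getCertificate().getPublicKey());
            byte[] wrapped = rsaCipher.doFinal(aes.getEncoded());
            prefs.edit().putString(PREF_WRAPPED, Base64.encodeToString(wrapped, Base64.NO_WRAP)).apply();
            return aes;
        }
        rsaCipher.init(Cipher.DECRYPT_MODE, rsa.getPrivateKey()); // unwrap on later starts
        byte[] raw = rsaCipher.doFinal(Base64.decode(stored, Base64.NO_WRAP));
        return new SecretKeySpec(raw, "AES");
    }

    /** AES/CBC/PKCS7Padding with a fresh random IV; output layout is IV || ciphertext. */
    public byte[] encrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS7Padding");
        c.init(Cipher.ENCRYPT_MODE, getDataKey());               // provider generates the IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    /** Splits off the public IV and decrypts the remainder. */
    public byte[] decrypt(byte[] blob) throws Exception {
        if (blob == null || blob.length <= IV_LEN) throw new IllegalArgumentException("blob too short");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS7Padding");
        c.init(Cipher.DECRYPT_MODE, getDataKey(), new IvParameterSpec(blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
}
```

Only the wrapped AES key reaches SharedPreferences on the legacy path; the RSA private key that unwraps it never leaves the Keystore, which is the property the answer relies on. CBC with a public IV gives confidentiality but not integrity, so a stored blob should additionally be authenticated (for example with an HMAC under a separate key) if tampering with the ciphertext matters for your application.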
