Android Security Mechanisms (2)

Similar documents
Android Security Mechanisms

Android Security Mechanisms

T H R EAT S A R E H I D I N G I N E N C RY P T E D T R A F F I C O N YO U R N E T W O R K

T H R EAT S A R E H I D I N G I N E N C RY P T E D T R A F F I C O N YO U R N E T WO R K

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Android Services. Lecture 4. Operating Systems Practical. 26 October 2016

Fundamentals of Modern Cryptography

Lecture 1: Introduction to Public key cryptography

ST-Links. SpatialKit. Version 3.0.x. For ArcMap. ArcMap Extension for Directly Connecting to Spatial Databases. ST-Links Corporation.

Week 12: Hash Functions and MAC

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Dan Boneh. Introduction. Course Overview

Part I. System call overview. Secure Operating System Design and Implementation System Calls. Overview. Abstraction. Jon A. Solworth.

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Extending Dolev-Yao with Assertions

Homework 4 for Modular Arithmetic: The RSA Cipher

KEY DISTRIBUTION 1 /74

Hardware cryptographic support for IBM Z and IBM LinuxONE with Ubuntu Server

Quantum Wireless Sensor Networks

new interface and features

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

SDS developer guide. Develop distributed and parallel applications in Java. Nathanaël Cottin. version

Leveraging Web GIS: An Introduction to the ArcGIS portal

Verification of the TLS Handshake protocol

Foundations of Network and Computer Security

Socket Programming. Daniel Zappala. CS 360 Internet Programming Brigham Young University

A Small Subgroup Attack on Arazi s Key Agreement Protocol

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Cryptography IV: Asymmetric Ciphers

Enforcing honesty of certification authorities: Tagged one-time signature schemes

Cryptographical Security in the Quantum Random Oracle Model

Quantum Computing: it s the end of the world as we know it? Giesecke+Devrient Munich, June 2018

Foundations of Network and Computer Security

Non- browser TLS Woes

Bob. Eve. Alice. Trent. Author: Bill Buchanan. Author: Prof Bill Buchanan

CPSC 467: Cryptography and Computer Security

Chapter 3 Cryptography

31 Dec '01 07 Jan '02 14 Jan '02 21 Jan '02 28 Jan '02 M T W T F S S M T W T F S S M T W T F S S M T W T F S S M T W T F S S

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Introduction to Information Security

Geodatabase Best Practices. Dave Crawford Erik Hoel

Introduction to Portal for ArcGIS. Hao LEE November 12, 2015

Remote Timing Attacks are Practical

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

EUROPEAN MIDDLEWARE INITIATIVE

Public Key Algorithms

STRIBOB : Authenticated Encryption

Chapter 3 Cryptography

CS 3411 Systems Programming

K D A A M P L I F I E R S F I R M W A R E U S E R G U I D E

Public-Key Cryptosystems CHAPTER 4

Introduction to Portal for ArcGIS

Encryption: The RSA Public Key Cipher

Portal for ArcGIS: An Introduction. Catherine Hynes and Derek Law

ASYMMETRIC ENCRYPTION

Asymmetric Encryption

CRYPTOGRAPHY AND NUMBER THEORY

Statistical Attacks on Cookie Masking for RC4

From BASIS DD to Barista Application in Five Easy Steps

CPSC 467b: Cryptography and Computer Security

PKCS #1 v2.0 Amendment 1: Multi-Prime RSA

CPSC 467: Cryptography and Computer Security

Attack Graph Modeling and Generation

PI SERVER 2012 Do. More. Faster. Now! Copyr i g h t 2012 O S Is o f t, L L C. 1

Information Security in the Age of Quantum Technologies

From BASIS DD to Barista Application in Five Easy Steps

DEVELOPMENT AND IMPLEMENTATION OF A NEW WEB MAPPING SYSTEM ARCHITECTURE FOR ARCTIC REGION

IMPACT Improving Massachusetts Post-Acute Care Transfers

CPSC 467: Cryptography and Computer Security

HASH FUNCTIONS 1 /62

Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo

Open spatial data infrastructure

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Securing the Web of Things

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

For the online procedure described here version 2.0 or later of the plug-in is required.

NET 311D INFORMATION SECURITY

Senior astrophysics Lab 2: Evolution of a 1 M star

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Elliptic Curves and an Application in Cryptography

Cryptographic Solutions for Data Integrity in the Cloud

THE SPATIAL DATA SERVER BASED ON OPEN GIS STANDARDS IN HETEROGENEOUS DISTRIBUTED ENVIRONMENT

NOKIS - Information Infrastructure for the North and Baltic Sea

Foundations of Network and Computer Security

Configuring LDAP Authentication in iway Service Manager

Concurrent HTTP Proxy Server. CS425 - Computer Networks Vaibhav Nagar(14785)

GPS Mapping with Esri s Collector App. What We ll Cover

Data Aggregation with InfraWorks and ArcGIS for Visualization, Analysis, and Planning

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

M o n i t o r i n g O c e a n C o l o u r P y t h o n p r o c e d u r e f o r d o w n l o a d

CPSC 467b: Cryptography and Computer Security

RSA Encryption. Computer Science 52. Encryption: A Quick Overview. Spring Semester, 2017

Elliptic Curves and Cryptography

A Spatial Data Infrastructure for Landslides and Floods in Italy

CPSA and Formal Security Goals

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

A Control Flow Integrity Based Trust Model. Ge Zhu Akhilesh Tyagi Iowa State University

Transcription:

Android Security Mechanisms (2) Lecture 9 Operating Systems Practical 14 December 2016 This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/. OSP Android Security Mechanisms (2), Lecture 9 1/33

SSL/TLS JSSE Android JSSE Providers Bibliography OSP Android Security Mechanisms (2), Lecture 9 2/33

Outline SSL/TLS JSSE Android JSSE Providers Bibliography OSP Android Security Mechanisms (2), Lecture 9 3/33

Secure Communication Cryptographic providers for securing communication Recommendation: standardized security protocols Secure Sockets Layer (SSL) and Transport Layer Security (TLS) SSL is the predecesor of TLS OSP Android Security Mechanisms (2), Lecture 9 4/33

SSL/TLS Secure point-to-point communication protocols Authentication, message confidentiality and integrity for communication over TCP/IP Combination of symmetric and asymmetric encryption for confidentiality and integrity Public key certificates for authentication OSP Android Security Mechanisms (2), Lecture 9 5/33

Cipher Suite Cipher suite = set of algorithms for key agreement, authentication, integrity protection and encryption Client sends SSL version and list of cipher suites Client and server negotiate common cipher suite OSP Android Security Mechanisms (2), Lecture 9 6/33

Authentication and Encryption Authenticate through certificates Usually only server authentication Client authentication is also supported Compute shared symmetric key Secure communication using symmetric encryption & key OSP Android Security Mechanisms (2), Lecture 9 7/33

Public Key Certificates Binding an identity to a public key X.509 certificates Signature algorithm Validity Subject DN Issuer DN OSP Android Security Mechanisms (2), Lecture 9 8/33

Direct Trust SSL client communicates with a small number of servers Set of trusted server certificates = trust anchors Can be self-signed A server is trusted if it s certificate is part of the set Good control over trusted server Hard to update server key and certificate OSP Android Security Mechanisms (2), Lecture 9 9/33

Private CAs Private Certificate Authority (CA) -> trust anchor Signs server certificate Client trusts any certificate issued by the CA Easy to update server key and certificate Single point of failure OSP Android Security Mechanisms (2), Lecture 9 10/33

Public CAs Public Certificate Authorities (CAs) -> trust anchors Client configured with a set of trust anchors Web browsers - more than 100 CAs OSP Android Security Mechanisms (2), Lecture 9 11/33

Outline SSL/TLS JSSE Android JSSE Providers Bibliography OSP Android Security Mechanisms (2), Lecture 9 12/33

Java Secure Socket Extension (JSSE) Android provides support for SSL/TLS through JSSE javax.net and javax.net.ssl Provides: SSL client and server sockets Socket factories SSLEngine - producing and consuming SSL streams SSLContext - creates socket factories and engines KeyManager, TrustManager and factories HttpsURLConnection OSP Android Security Mechanisms (2), Lecture 9 13/33

JSSE Classes Source: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/jsserefguide.html OSP Android Security Mechanisms (2), Lecture 9 14/33

SSLSocket SSLSocket is created: Through SSLSocketFactory Accepting a connection on a SSLServerSocket SSLServerSocket created through SSLServerSocketFactory SSLEngine: Created by SSLContext I/O operations handled by the application OSP Android Security Mechanisms (2), Lecture 9 15/33

SSLContext SSL Context obtained in two ways 1. getdefault() method of SSLServerSocketFactory or SSLSocketFactory Default context initialized with default KeyManager, default TrustManager and secure random generator Key material from system properties OSP Android Security Mechanisms (2), Lecture 9 16/33

SSLContext 2. getinstance() static method of SSLContext Context initialized with array of KeyManager, array of TrustManager, secure random generator KeyManager obtained from KeyManagerFactory TrustManager obtained from TrustManagerFactory Factories initialized with KeyStore (key material) OSP Android Security Mechanisms (2), Lecture 9 17/33

SSLSession Established SSL connection -> SSLSession object Includes identities, cipher suites, etc. SSLSession used in multiple connections between same entities OSP Android Security Mechanisms (2), Lecture 9 18/33

TrustManager and KeyManager JSSE delegates trust decisions to TrustManager Delegates authentication key selection to KeyManager Each SSLSocket has access to them through SSLContext TrustManager has a set of trusted CA certificates (trust anchors) A certificate issued by a trusted CA is considered trustworthy OSP Android Security Mechanisms (2), Lecture 9 19/33

System Trust Store Default JSSE TrustManager initialized using the system trust store Major commercial and government CA certificates /system/etc/security/cacerts.bks TrustManagerFactory tmf = TrustManagerFactory. g e t I n s t a n c e ( TrustManagerFactory. g e t D e f a u l t A l g o r i t h m ( ) ) ; tmf. i n i t ( ( KeyStore ) n u l l ) ; TrustManager [ ] tms = tmf. gettrustmanagers ( ) ; X509TrustManager xtm = ( X509TrustManager ) tms [ 0 ] ; f o r ( X 5 0 9 C e r t i f i c a t e c e r t : xtm. g e t A c c e p t e d I s s u e r s ( ) ) { S t r i n g c e r t S t r = S : + c e r t. getsubjectdn ( ). getname ( ) + \ n I : + c e r t. g e t I s s u e r D N ( ). getname ( ) ; Log. d (TAG, c e r t S t r ) ; } OSP Android Security Mechanisms (2), Lecture 9 20/33

System Trust Store Until Android 4.0, A single file: /system/etc/security/cacerts.bks Read-only partition From Android 4.0 In addition, two directories /data/misc/keychain/cacerts-added /data/misc/keychain/cacerts-removed Modified only by the system user Add trust anchors through TrustedCertificateStore class OSP Android Security Mechanisms (2), Lecture 9 21/33

Validate Server Certificate TrustManagerFactory tmf = TrustManagerFactory. g e t I n s t a n c e ( X509 ) ; tmf. i n i t ( ( KeyStore ) n u l l ) ; TrustManager [ ] tms = tmf. gettrustmanagers ( ) ; X509TrustManager xtm = ( X509TrustManager ) tms [ 0 ] ; X 5 0 9 C e r t i f i c a t e [ ] c e r t C h a i n = { s e r v e r C e r t } ; xtm. c h e c k S e r v e r T r u s t e d ( c e r t C h a i n, RSA ) ; SSLSocket and HttpURLConnection perform similar validations OSP Android Security Mechanisms (2), Lecture 9 22/33

HttpURLConnection Preferred method for connecting to a HTTPS server Uses default SSLSocketFactory to create secure sockets Custom trust store or authentication keys setdefaultsslsocketfactory() or setsslsocketfactory() of HttpsURLConnection OSP Android Security Mechanisms (2), Lecture 9 23/33

Use your own Trust Store Use your own trust store instead of the system trust store Load trust store in a KeyStore object Obtain TrustManagerFactory and initialize it with trust store Load key material in KeyStore object (for client authentication) Obtain KeyManagerFactory and initailize it with key store Obtain SSLContext and initialize it with TrustManager and KeyManager Create URL and HttpURLConnection Associate SSLSocketFactory of SSLContext to HttpURLConnection OSP Android Security Mechanisms (2), Lecture 9 24/33

Use your own Trust Store KeyStore t r u s t S t o r e = l o a d T r u s t S t o r e ( ) ; KeyStore k e y S t o r e = l o a d K e y S t o r e ( ) ; TrustManagerFactory tmf = TrustManagerFactory. g e t I n s t a n c e ( TrustManagerFactory. g e t D e f a u l t A l g o r i t h m ( ) ) ; tmf. i n i t ( t r u s t S t o r e ) ; KeyManagerFactory kmf = KeyManagerFactory. g e t I n s t a n c e ( KeyManagerFactory. g e t D e f a u l t A l g o r i t h m ( ) ) ; kmf. i n i t ( k e y S t o r e, KEYSTORE PASSWORD. t o C h a r A r r a y ( ) ) ; SSLContext s s l C t x = SSLContext. g e t I n s t a n c e ( TLS ) ; s s l C t x. i n i t ( kmf. getkeymanagers ( ), tmf. g ettrustmanagers ( ), n u l l ) ; URL u r l = new URL( h t t p s : / / m y s e r v e r. com ) ; HttpsURLConnection u r l C o n n e c t i o n = ( HttpsURLConnection ) u r l u r l C o n n e c t i o n. s e t S S L S o c k e t F a c t o r y ( s s l C t x. g e t S o c k e t F a c t o r y ( ) ) ; OSP Android Security Mechanisms (2), Lecture 9 25/33

Use your own Trust Store Generate your trust store using Bouncy Castle and openssl in comand line Trust store file in /res/raw/ KeyStore l o c a l T r u s t S t o r e = KeyStore. g e t I n s t a n c e ( BKS ) ; I n p u t S t r e a m i n = g e t R e s o u r c e s ( ). openrawresource ( R. raw. m y t r u s t s t o r e ) ; l o c a l T r u s t S t o r e. l o a d ( in, TRUSTSTORE PASSWORD. t o C h a r A r r a y ( ) ) ; TrustManagerFactory tmf = TrustManagerFactory. g e t I n s t a n c e ( TrustManagerFactory. g e t D e f a u l t A l g o r i t h m ( ) ) ; tmf. i n i t ( l o c a l T r u s t S t o r e ) ; SSLContext s s l C t x = SSLContext. g e t I n s t a n c e ( TLS ) ; s s l C t x. i n i t ( n u l l, tmf. gettrustmanagers ( ), n u l l ) ; URL u r l = new URL( h t t p s : / / m y s e r v e r. com ) ; HttpsURLConnection u r l C o n n e c t i o n = ( HttpsURLConnection ) u r l u r l C o n n e c t i o n. s e t S S L S o c k e t F a c t o r y ( s s l C t x. g e t S o c k e t F a c t o r y ( ) ) ; OSP Android Security Mechanisms (2), Lecture 9 26/33

Outline SSL/TLS JSSE Android JSSE Providers Bibliography OSP Android Security Mechanisms (2), Lecture 9 27/33

Android JSSE Providers JSSE providers implement functionality for engine classes Trust managers, key managers, secure sockets, etc. Developers work with engine classes Android includes two JSSE providers: HarmonyJSSE AndroidOpenSSL OSP Android Security Mechanisms (2), Lecture 9 28/33

Harmony JSSE Implemented in Java Java sockets, JCA cryptographic classes SSLv3, TLSv1 Deprecated, not actively maintained OSP Android Security Mechanisms (2), Lecture 9 29/33

AndroidOpenSSL Calls to OpenSSL native library (JNI) TLSv1.1, TLSv1.2 Server Name Indication (SNI) SSL clients specify target hostname Server with multiple virtual hosts Used by default by HttpsURLConnection Both providers share KeyManager and TrustManager code Different SSL socket implementation OSP Android Security Mechanisms (2), Lecture 9 30/33

Outline SSL/TLS JSSE Android JSSE Providers Bibliography OSP Android Security Mechanisms (2), Lecture 9 31/33

Bibliography Android Security Internals, Nikolay Elenkov http://nelenkov.blogspot.ro/2011/12/ using-custom-certificate-trust-store-on.html https://github.com/nelenkov/custom-cert-https http://docs.oracle.com/javase/7/docs/technotes/ guides/security/jsse/jsserefguide.html OSP Android Security Mechanisms (2), Lecture 9 32/33

Keywords SSL/TLS Trust anchors Certificate Authority Trust store Java Secure Socket Extension SSLSocket HttpsURLConnection AndroidOpenSSL OSP Android Security Mechanisms (2), Lecture 9 33/33

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback