CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

Slides:



Advertisements
Similar presentations
Why Eve & Mallory Love Android
Advertisements

An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities Vasant Tendulkar NC State University William.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Introduction to PKI, Certificates & Public Key Cryptography Erwan Lemonnier.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Cryptography and Network Security Chapter 17
FIT3105 Smart card based authentication and identity management Lecture 4.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Chapter 5 Cryptography Protecting principals communication in systems.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
May 21, 2002Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Chapter 8 Web Security.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.
SSL Technology Overview and Troubleshooting Tips.
Cryptography 101 Frank Hecker
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
JSSE API University of Palestine Eng. Wisam Zaqoot April 2010.
CS 255 – Cryptography & Computer Security Programming Project 2 – Winter 04 Priyank Patel
CSCI 6962: Server-side Design and Programming
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Types of Electronic Infection
Module 9: Fundamentals of Securing Network Communication.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
Public Key Encryption.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
Can SSL and TOR be intercepted? Secure Socket Layer.
By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
TCS Internal Security. 2 TCS Internal Objective Objective :  Android Platform Security Architecture.
Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.
1 Authentication Celia Li Computer Science and Engineering York University.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
Web Security CS-431.
Web Applications Security Cryptography 1
Cryptography and Network Security
Presented by Hussein Almulla
Cryptography and Network Security
Outline Using cryptography in networks IPSec SSL and TLS.
Cryptography and Network Security
Presentation transcript:

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University

Why Cryptography Programming? Mobile devices store tremendous amount of personal and financial data Mobile apps access the data over the Internet Mobile devices are easier to get lost or stolen Websites vs. Mobile apps E.g. On desktop use amazon.com (website) to shop, on mobile devices use Amazon app to shop

Android’s Storage Options Internal Storage vs. External Storage Internal storage is only accessible by the apps Not safe if device is rooted. Bugs External storage (SD card) is world-readable Full Disk Encryption (FDE) Provide protection when device is lost or rooted Has performance issues and not turned on by default Use encryption for sensitive data!

Android’s Crypto Library Android’s SDK includes JCE (Java Cryptography Extension) Symmetric Key, Public Key Ciphers PBE (Password Based Encryption) Hash Functions MAC and Digital Signatures Random Number Generation Android’s SDK includes additional Java library that supports SSL X.509 certificate

Common Mistakes in Cipher Programming - PBE What is PBE? Password Based Encryption Use password as the key for symmetric key ciphers Problems with PBE Passwords are usually not strong Not random enough They are not long enough Needs padding Other problems Using constant IV Using ECB mode instead of stronger CBC mode Storing password in the source code

An example of secure implementation of PBE Use password based key derivation functions (PBKDF) Use password and salt as input Salt to protection against rainbow table Hash function or MAC to output encryption key Run above function times Make password cracking very very slow Weak passwords are still vulnerable Use strong ciphers Use random IV Use strong mode CBC

Common Mistakes in Cipher Programming - SSL What is SSL (Secure Socket Layer)? Secure transport layer communication between client-server. Based on public key cipher. Server sends digital certificate to client for authentication and key exchange. MITM (Man-In-The-Middle) attacks are the biggest threat to SSL More vulnerable on public wi-fi or public Ethernet. MITM intercepts digital certificates and replaces with another one. If client fails to detect this fake certificate, attacker can obtain all traffic.

Common Mistakes in Cipher Programming - SSL Must authenticate digital certificates Web Browsers authenticate the certificate Check if it is signed by a trusted certificate authority (CA) Check if the subject of the certificate is the same as the hostname Check if it has expired Mobile apps have to verify the digital certificate Some mobile apps simply skip verification

Common Mistakes in Cipher Programming - SSL Two ways Android use SSL HttpsURLConnection Applicable to web traffic Digital certificate verification is done by the library. Also does hostname verification Good for certificates signed by trusted CAs SSLSocket Applicable to non-web or web traffic Verification is not done by this library

Self-Signed Digital Certificates A lot of mobile apps use self-signed digital certificates Digital certificate signed by trusted CA are expensive Easy to create using OpenSSL Free Not a big problem for mobile apps compared to websites that use self-signed certificates Why? Studies show that A lot of apps on Google Play store do not verify certificates Bad verification that simply accepts all certificates Self-signed digital certificate can be secure if programmed correctly

An example of secure implementation of verification Let HttpsURLConnection to trust the self-signed CA Steps: (from Android) Load CA’s digital certificate into the app Create a KeyStore that contains the self-signed CA Create a TrustManager and initialize it with KeyStore Create SSLContext that uses TrustManager Let HttpsURLConnection to use SSLContext

Hostname Verification If the hostname of a URL is different from the the subject name in the digital certificate, hostname verification will fail Mobile apps needs to override HostnameVerifier to accept the mismatching certificate

SecureAddressBook: Hands-on Lab Based on Derek Bana’s Youtube tutorial Changes made to the original program Address book is saved to a Internet server instead of local SQLite database Address book is accessed with web service API calls Server accepts both clear text requests and SSL requests Server’s Digital Certificate is provided Login activity is added Username and password are sent to server for authentication Has option to ‘save password’ Password is saved in SQLite database in clear text

SecureAddressBook: Hands-on Lab Goals Secure the client-server communication with SSL Encrypt the passwords before saving them to the SQLite database

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.