Reputation: 825
I'm having trouble understanding how certain parts of the Security class work.
I understand that calling getProviders() will return all of the providers available on the current Android device. What I'm having trouble understanding is how to make use of these providers' algorithms for encryption/decryption.
The Security class also has a setProperty() function. The documentation doesn't go into much detail about how this works, but it seems like I can set any made-up property here with any value that I like. How would I actually check that a change took place on my device after setting a specific property?
If anybody could point me to a resource online that goes into detail on this topic I would appreciate it.
EDIT:
I'll be more specific. I'm trying to take advantage of a FIPS-compliant device. There is a specific property that needs to be set using the setProperty() method to enable "FIPS mode" on the device.
I'd like to figure out how I can confirm that the device is running in this mode after the property is set, and how I can utilize the available FIPS validated algorithms.
Upvotes: 2
Views: 409
Reputation: 93968
If you want to make sure that a specific algorithm is used, you can specify the provider in the getInstance methods. Another option is to place the provider first in the list of installed providers. If you just want to use the provider for private and secret keys you can also put the provider at the end of the list and rely on delayed provider selection. This actually links the underlying CipherSpi during the initialization phase, after the compatibility of the key with the provider has been established.
With regard to the question in the edit, that depends on the provider. I don't think that there is anything specific in the security architecture to make sure FIPS mode is run. Instead, you should check if the Provider or the underlying implementation (PKCS#11?) has possibilities to log usage. Usually you need to authenticate before you can use private or secret keys on the token. If that is the case, not having to provide a password (using a callback) is a pretty good indication that the key isn't accessed.
Upvotes: 1
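An added example (not code from the answer above) that uses only the standard java.security and javax.crypto APIs to show the explicit-provider and delayed-selection behaviour described there, together with a read-back of a security property. The class name and the property name example.demo.property are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class ProviderSelectionDemo {
    static final String TRANSFORMATION = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // 1. Installed providers in preference order (position 1 is tried first).
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ": " + installed[i].getName());
        }

        // 2. Security properties are a plain key/value table: getProperty() reads back
        //    what setProperty() stored. "example.demo.property" is a constructed name.
        Security.setProperty("example.demo.property", "true");
        System.out.println("read back: " + Security.getProperty("example.demo.property"));

        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);

        // 3. No provider named: the implementation is bound during init(), so ask
        //    getProvider() only afterwards to see which one accepted the key.
        Cipher enc = Cipher.getInstance(TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        Provider chosen = enc.getProvider();
        System.out.println("selected at init: " + chosen.getName());
        byte[] ct = enc.doFinal("constructed sample".getBytes(StandardCharsets.UTF_8));

        // 4. Provider named explicitly: only that provider is used, or getInstance throws.
        //    Here the name is the one found in step 3; substitute the provider you require.
        Cipher dec = Cipher.getInstance(TRANSFORMATION, chosen.getName());
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        System.out.println("pinned to: " + dec.getProvider().getName());
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

The read-back in step 2 only confirms that the value is stored in the Security properties table; whether a provider reacts to it is provider-specific, which is why the check in steps 3 and 4 is made on the Cipher object itself.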
Reputation: 416
On your "encryption/decryption" request, if you are referring to storing data in an encrypted/safe way on the device (i.e. data at rest, as opposed to data in transit), I think KeyStore (https://developer.android.com/about/versions/android-4.3.html#Security) is one good and apparently easy solution. That way you will follow the Android way. If you want to follow the standard Java way there are tutorials for that as well, but I discourage it, as the possibility of introducing a mistake is very high. Crypto is kind of difficult for anyone...
For data in transit (i.e. network) you should rely only on HTTPS (or pure TLS if you use something different from HTTP - this hardly happens) rather than any ad hoc implementation, unless you really need an additional layer (i.e. a secret protocol you want to protect).
Upvotes: 1