Reputation: 789
I read in this article: Generate elliptic curve KeyPair via KeyStore on API Level <23 that there is a possibility to use elliptic curves on Android 5. According to this:
Prior to API Level 23, EC keys can be generated using KeyPairGenerator of algorithm "RSA" initialized KeyPairGeneratorSpec whose key type is set to "EC" using setKeyType(String). EC curve name cannot be specified using this method -- a NIST P-curve is automatically chosen based on the requested key size.
I can use RSA and then set key type as EC. Are there any differences between those two approaches? Will it finally be the same when I use RSA with EC as key type and EC?
Upvotes: 2
Views: 984
Reputation: 93998
EC key pairs are completely incompatible with RSA.
There is only one type of EC key for these specific curves (although there are different representations of the same point when encoded). The ones for ECDH (key agreement) / ECIES and ECDSA are exactly the same as well.
So if an EC key is generated for "RSA" key pair generator you can be pretty sure that it is identical spec-wise to the one generated for the "EC" one. Simply test by performing EC signature generation / verification or - slightly more complex - key agreement.
You can possibly test by creating your own deterministic SecureRandom implementation and require the EC implementation to use that. This is also because the EC key pair generation doesn't have as many choices as the RSA key pair generator, so the algorithm implementations are likely to be the same. So if you start with the same values then it is likely that it produces identical key pairs. Then you could compare public key values or use one public key to verify a signature from the other private key.
It may be that the underlying implementation ignores the SecureRandom as given though, if the Android key store cannot handle it.
I don't have these Android versions here though.
Note that the given method of generating an EC key can be thought of as a hack. And since Android 5 / API 22 is from 5 years back, you can ask yourself if you want to still support those versions.
Alternatively you can generate the EC key pairs completely in software using Bouncy Castle, but the Android key store is then not involved to keep your keys secure.
Upvotes: 1
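The signature generation / verification test suggested in the answer above could look like the following on a pre-API-23 device. This is an added example, not code from the question or the answer; the class name, alias and test message are hypothetical, and it assumes the platform's default `SHA256withECDSA` provider accepts the key-store-backed private key.

```java
import android.content.Context;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

public final class LegacyEcKeyCheck {
    // Hypothetical alias, chosen for this example only.
    private static final String ALIAS = "legacy-ec-check";
    // True if the "RSA" generator with key type "EC" yields a working 256-bit ECDSA key.
    public static boolean check(Context context) throws Exception {
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 1);

        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(ALIAS)
                .setKeyType("EC")   // the pre-API-23 route quoted in the question
                .setKeySize(256)    // the curve is chosen from the requested size
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        kpg.initialize(spec);
        KeyPair pair = kpg.generateKeyPair();

        // The public half must be an EC key on a 256-bit field, not an RSA key.
        if (!(pair.getPublic() instanceof ECPublicKey)) return false;
        ECPublicKey pub = (ECPublicKey) pair.getPublic();
        if (pub.getParams().getCurve().getField().getFieldSize() != 256) return false;

        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(pair.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }
}
```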