Tuesday, May 24, 2016

Changes to the SecretKeyFactory API in Android 4.4


Posted by Trevor Johns, Android Developer Relations team

In order to encrypt data, you need two things: some data to encrypt and an encryption key. The encryption key is typically a 128- or 256-bit integer. However, most people would rather use a short passphrase instead of remembering a 78-digit number, so Android provides a way to generate an encryption key from ASCII text inside of javax.crypto.SecretKeyFactory.

Beginning with Android 4.4 KitKat, we’ve made a subtle change to the behavior of SecretKeyFactory. This change may break some applications that use symmetric encryption and meet all of the following conditions:


Use SecretKeyFactory to generate symmetric keys, and
Use PBKDF2WithHmacSHA1 as their key generation algorithm for SecretKeyFactory, and
Allow Unicode input for passphrases


Specifically, PBKDF2WithHmacSHA1 only looks at the lower 8 bits of Java characters in passphrases on devices running Android 4.3 or below. Beginning with Android 4.4, we have changed this implementation to use all available bits in Unicode characters, in compliance with recommendations in PKCS #5.

Users using only ASCII characters in passphrases will see no difference. However, passphrases using higher-order Unicode characters will result in a different key being generated on devices running Android 4.4 and later.

For backward compatibility, we have added a new key generation algorithm which preserves the old behavior: PBKDF2WithHmacSHA1And8bit. Applications that need to preserve compatibility with older platform versions (pre API 19) and meet the conditions above can make use of this code:

import android.os.Build;
import javax.crypto.SecretKeyFactory;

SecretKeyFactory factory;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    // Use compatibility key factory -- only uses lower 8-bits of passphrase chars
    factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit");
} else {
    // Traditional key factory. Will use lower 8-bits of passphrase chars on
    // older Android versions (API level 18 and lower) and all available bits
    // on KitKat and newer (API level 19 and higher).
    factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
}
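
To see why only non-ASCII passphrases are affected, the following added example (not part of the original post, and not Android's implementation) models the two behaviours described above with Python's hashlib.pbkdf2_hmac. The salt, iteration count and passphrases are constructed sample values, and UTF-8 is assumed as the encoding that uses all bits of each character.

```python
import hashlib

# Constructed sample parameters; a real app uses its own stored salt and count.
SALT = bytes(range(16))
ITERATIONS = 1000
KEY_LEN = 32  # 256-bit key


def legacy_8bit_bytes(passphrase: str) -> bytes:
    """Keep only the low byte of each Java char (UTF-16 code unit),
    modelling PBKDF2WithHmacSHA1 on Android 4.3 and below."""
    return passphrase.encode("utf-16-be")[1::2]


def full_unicode_bytes(passphrase: str) -> bytes:
    """Use every bit of each character. UTF-8 is an assumption here."""
    return passphrase.encode("utf-8")


def derive(passphrase: str, legacy: bool) -> bytes:
    """PBKDF2-HMAC-SHA1 over the passphrase bytes chosen by `legacy`."""
    pw = legacy_8bit_bytes(passphrase) if legacy else full_unicode_bytes(passphrase)
    return hashlib.pbkdf2_hmac("sha1", pw, SALT, ITERATIONS, KEY_LEN)


def key_changes_on_kitkat(passphrase: str) -> bool:
    """True when the two behaviours derive different keys, i.e. data
    encrypted on an older device would not decrypt after the change."""
    return derive(passphrase, legacy=True) != derive(passphrase, legacy=False)


# Constructed passphrases. U+0141, U+00F3, U+017A spell "Lodz" with diacritics.
ASCII_PW = "correct horse"
UNICODE_PW = "\u0141\u00f3d\u017a"
LOOKALIKE_PW = "A\u00f3dz"  # same low bytes as UNICODE_PW: 41 F3 64 7A

if __name__ == "__main__":
    for pw in (ASCII_PW, UNICODE_PW):
        print(repr(pw), "key changes:", key_changes_on_kitkat(pw))
    # Dropping the high byte also makes distinct passphrases share one key.
    same = derive(UNICODE_PW, legacy=True) == derive(LOOKALIKE_PW, legacy=True)
    print("legacy keys collide:", same)
```

The last check shows a side effect of the 8-bit behaviour: two different passphrases whose characters share the same low bytes derive the same key, which is worth accounting for when deciding how long to keep using the compatibility algorithm.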