In my android application I need to securely store RSA, ECDH, AES and other keys. They will be encrypted/decrypted by using user-entered password. My options are: android keystore, bouncy castle UBER keystore, encrypt and store in shared preferences. Android key store is not an option as it does not encrypt keys with custom password. UBER seems to be good solution, however I have some problems storing my keys there, so I am thinking just to encrypt them with AES GCM and put in shared preferences, will this be less secure? Or maybe even more secure as AES GCM is better than Twofish which is used by bouncy castle?
Viewed 500 times
Could you please explain what you meant by "Android key store (...) does not encrypt keys with _custom_ password"? I've just stumbled upon [this](https://stackoverflow.com/questions/43891059/storing-keystore-password-for-certificate-pinning-in-android) where there's a suggestion that there's a possibility to store keys secured by a password, but I don't know if we're on the same page here – Antek Nov 23 '17 at 14:47
1 Answer
Encrypting with AES-256 in GCM mode and then storing in shared preferences should be fine. AES-256 is part of the NSA Suite B specification, and is about as good as it gets right now for symmetric encryption. (https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography) That link makes note of the fact that the NSA expects to issue a new Suite recommendation soon that addresses quantum attacks on crypto -- but no such attacks are anywhere near feasible in the near (3-5) year term.

Chris Greenlee
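One way to implement what the answer endorses, sealing a key blob with a password-derived AES-256 key in GCM mode before it goes into SharedPreferences, as an added example that is not code from the question or answer. The class name, the PBKDF2 iteration count, the per-entry random salt and nonce, and the use of the preference key as GCM associated data are assumptions of this example; `java.util.Base64` and `PBKDF2WithHmacSHA256` assume API 26+ (older devices would use `android.util.Base64` and `PBKDF2WithHmacSHA1`).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class PasswordSealedKeyStore {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 100_000;   // assumed; tune to device cost budget
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a fresh 256-bit AES key from the user's password and a per-entry salt.
    private static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                     .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Seal an encoded key (RSA, ECDH, AES, ...) -> base64("salt || nonce || ciphertext+tag").
    // The preference key is bound as AAD so a blob cannot be silently swapped between entries.
    public static String seal(char[] password, byte[] keyBytes, String prefKey) throws Exception {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);                       // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(prefKey.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(keyBytes);
        ByteBuffer out = ByteBuffer.allocate(SALT_LEN + NONCE_LEN + ct.length);
        out.put(salt).put(nonce).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }

    // Reverse of seal(); throws javax.crypto.AEADBadTagException on a wrong password or tampering.
    public static byte[] unseal(char[] password, String stored, String prefKey) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(Base64.getDecoder().decode(stored));
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        in.get(salt);
        in.get(nonce);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(prefKey.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(ct);
    }
}
```

Store the returned string with `prefs.edit().putString(prefKey, sealed).apply()` and pass the same `prefKey` to `unseal`; because the tag check fails closed, a wrong password yields an exception rather than garbage key material.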