Using secret key with sqlcipher


I'm using sqlcipher to store data from my app and I'm having trouble, firstly, generating a secret key and, secondly, storing it in the keystore.

Btw, it needs to be without user interaction, as described in the Android docs.

Here is how I'm attempting to generate the secret:

    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(128);
    SecretKey key = keyGen.generateKey();

Here is where I'm setting up the SQL database:

    SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(databaseFile, "password_string", null);

So the question: how do I use the secret in the password string? At the moment, I can only get the secret as a byte array.


Solution

  • Please find below utilities for using AES to encrypt/decrypt. You can use the secret key to encrypt/decrypt your password. However, I would not recommend this, since you have to store your secret key as well and the problem is still there: how can you save your secret key securely? In this case, a common practice is to use a hash function (SHA-256, MD5, ...) to hash your password and store it. Later, when you want to check whether users entered the correct password, just hash whatever they enter and compare it with the value you stored.

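    import java.security.SecureRandom;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.SecretKeySpec;

    // Key size in bits requested from the key generator.
    private static final int BLOCKS = 128;

    // Encrypts cleartext with an AES key derived from the seed string.
    public static byte[] encryptAES(String seed, String cleartext)
        throws Exception {
      byte[] rawKey = getRawKey(seed.getBytes("UTF8"));
      SecretKeySpec skeySpec = new SecretKeySpec(rawKey, "AES");
      // No mode or padding is named, so the provider default applies
      // (ECB with PKCS5 padding on the standard providers).
      Cipher cipher = Cipher.getInstance("AES");
      cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
      return cipher.doFinal(cleartext.getBytes("UTF8"));
    }

    // Decrypts data produced by encryptAES with the same seed string.
    public static byte[] decryptAES(String seed, byte[] data) throws Exception {
      byte[] rawKey = getRawKey(seed.getBytes("UTF8"));
      SecretKeySpec skeySpec = new SecretKeySpec(rawKey, "AES");
      Cipher cipher = Cipher.getInstance("AES");
      cipher.init(Cipher.DECRYPT_MODE, skeySpec);
      return cipher.doFinal(data);
    }

    // Derives the AES key by seeding SHA1PRNG with the seed bytes. This relies on
    // the PRNG returning the same output for the same seed, which is provider-dependent.
    private static byte[] getRawKey(byte[] seed) throws Exception {
      KeyGenerator kgen = KeyGenerator.getInstance("AES");
      SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
      sr.setSeed(seed);
      kgen.init(BLOCKS, sr); // 192 and 256 bits may not be available
      SecretKey skey = kgen.generateKey();
      byte[] raw = skey.getEncoded();
      return raw;
    }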
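
An added example (not from the original question or answer) of one way to do what the question asks: generate a random 256-bit database key, wrap it with a non-exportable Android Keystore key that requires no user authentication, and pass it to SQLCipher in its raw-key `x'…'` form. It assumes API level 23 or later; the class name, key alias and preference names are hypothetical.

```java
// Added example: DbKeyStore, ALIAS and the PREF_* names are hypothetical.
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
public final class DbKeyStore {
    private static final String ALIAS = "db_wrapping_key";   // hypothetical alias
    private static final String PREF_BLOB = "db_key_blob", PREF_IV = "db_key_iv";
    /** Returns the SQLCipher password string, creating and wrapping a new key on first run. */
    public static String databasePassword(SharedPreferences prefs) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (!ks.containsAlias(ALIAS)) {
            // Non-exportable AES key; user authentication is not required, so no prompt.
            KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
            kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .build());
            kg.generateKey();
        }
        SecretKey wrapper = (SecretKey) ks.getKey(ALIAS, null);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] dbKey;
        if (prefs.contains(PREF_BLOB)) {                // later runs: unwrap the stored key
            byte[] iv = Base64.decode(prefs.getString(PREF_IV, ""), Base64.NO_WRAP);
            gcm.init(Cipher.DECRYPT_MODE, wrapper, new GCMParameterSpec(128, iv));
            dbKey = gcm.doFinal(Base64.decode(prefs.getString(PREF_BLOB, ""), Base64.NO_WRAP));
        } else {                                        // first run: create and wrap the key
            dbKey = new byte[32];                       // 256-bit database key
            new SecureRandom().nextBytes(dbKey);
            gcm.init(Cipher.ENCRYPT_MODE, wrapper);     // the Keystore cipher picks a random IV
            byte[] blob = gcm.doFinal(dbKey);
            prefs.edit().putString(PREF_BLOB, Base64.encodeToString(blob, Base64.NO_WRAP))
                    .putString(PREF_IV, Base64.encodeToString(gcm.getIV(), Base64.NO_WRAP)).apply();
        }
        // SQLCipher raw-key form: x'<64 hex digits>' is used as the key without passphrase derivation.
        StringBuilder hex = new StringBuilder("x'");
        for (byte b : dbKey) hex.append(String.format("%02x", b));
        return hex.append("'").toString();
    }
}
```

The returned string takes the place of `"password_string"` in the question's `openOrCreateDatabase` call. If the Keystore entry is lost while the wrapped blob remains in preferences, the GCM unwrap throws and the database can no longer be opened, so callers should treat that exception as "key lost" rather than retrying.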