
I'm implementing SCA (Strong Customer Authentication) on Android. SCA has three factors, which are the following:

  1. Something you know (customer's 6 digit passCode)
  2. Something you have (device secure hardware)
  3. Something you are (biometrics)

So for this, I need to generate a public/private key pair that is protected by the customer's 6-digit passcode. "AndroidKeyStore" can protect public/private keys with the device owner's lock-screen credentials, but I need to protect them with my user's passCode in my app.

    import java.security.KeyStore

    val keyStore = KeyStore.getInstance("AndroidKeyStore")
    // Passing a password to the AndroidKeyStore provider throws (see the stack trace below)
    keyStore.load(null, passCode.toCharArray())

But "AndroidKeyStore" does not support a password. (Is there any workaround to implement it with AndroidKeyStore?) The following exception is thrown:

    Caused by: java.lang.IllegalArgumentException: password not supported
        at android.security.keystore.AndroidKeyStoreSpi.engineLoad(AndroidKeyStoreSpi.java:1031)
        at java.security.KeyStore.load(KeyStore.java:1484)

If there is no way to use "AndroidKeyStore" directly, I need to change my path to a custom keystore.

    import android.security.keystore.KeyProperties
    import java.security.KeyPairGenerator
    import java.security.KeyStore
    import java.security.spec.ECGenParameterSpec
    import javax.crypto.spec.SecretKeySpec

    // Aliases and algorithm name used below (values assumed; the post does not define them)
    const val ALIAS_PUBLIC_KEY = "sca_public"
    const val ALIAS_PRIVATE_KEY = "sca_private"
    const val ALGORITHM_ELLIPTIC_CURVE = KeyProperties.KEY_ALGORITHM_EC   // "EC"

    // The default keystore type on Android is a file-based software keystore,
    // so nothing in this snippet touches secure hardware.
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
    keyStore.load(null)   // start from an empty keystore

    // Generate a P-256 key pair in software (no "AndroidKeyStore" provider here)
    val keyPairGenerator: KeyPairGenerator = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_EC,
    )
    val parameterSpec = ECGenParameterSpec("secp256r1")
    keyPairGenerator.initialize(parameterSpec)
    val keyPair = keyPairGenerator.generateKeyPair()

    // Both entries are protected with the customer's passcode
    val passwordProtection = KeyStore.PasswordProtection(passCode.toCharArray())

    // The encoded keys (X.509 for the public key, PKCS#8 for the private key) are wrapped
    // as opaque SecretKeySpec entries so they can be stored under a password; rebuild
    // them with KeyFactory.getInstance("EC") when loading the keystore again.
    keyStore.setEntry(
        ALIAS_PUBLIC_KEY,
        KeyStore.SecretKeyEntry(SecretKeySpec(
            keyPair.public.encoded,
            ALGORITHM_ELLIPTIC_CURVE
        )),
        passwordProtection
    )
    keyStore.setEntry(
        ALIAS_PRIVATE_KEY,
        KeyStore.SecretKeyEntry(SecretKeySpec(
            keyPair.private.encoded,
            ALGORITHM_ELLIPTIC_CURVE
        )),
        passwordProtection
    )
    // getOutputStream() is the poster's helper that opens the keystore file in the app's data directory
    keyStore.store(getOutputStream(), passCode.toCharArray())

So, I generated a custom keystore with the customer's passcode as the PasswordProtection and stored it in my app's data directory. After that, I generated the public/private keys and put them in the custom keystore. But I cannot put this private key in secure hardware on Android.

The question is: how do I implement proper SCA on Android with the user's passCode, with or without using "AndroidKeyStore"?

okarakose
  • So [`setIsStrongBoxBacked()`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setIsStrongBoxBacked(boolean)) is not usable on a custom `KeyStore`? – Victor Paléologue Sep 15 '22 at 13:30
  • I'm putting the generated keyPair into the custom keyStore, and the custom keystore is just a file in my app's data directory. So I think setIsStrongBoxBacked is not an option here – okarakose Sep 15 '22 at 17:58
  • @okarakose Did you find any workaround to use AndroidKeyStore with a password? – Mohsen Einhesari Feb 06 '23 at 12:11
  • @MohsenEinhesari unfortunately no, there is no way to use AndroidKeyStore with a password – okarakose Feb 22 '23 at 20:45
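The thread has no answer, so here is an added example from the editor (not code from the poster). It shows one common way to get all three factors without an app-supplied keystore password, which AndroidKeyStore does not support: the signing key is generated inside AndroidKeyStore (StrongBox when available, TEE otherwise) and can only be used after a fresh strong-biometric authentication, while the 6-digit passcode is checked by the app against a salted PBKDF2 verifier before the biometric prompt is even shown. The key alias, salt size, iteration count, a minSdk of 28, a secure lock screen on the device and the androidx.biometric prompt (not shown) are all assumptions.

```kotlin
// Editor's example, not from the original post. Assumes minSdk 28, a secure lock screen
// and androidx.biometric for the prompt. Alias and PBKDF2 parameters are illustrative.
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.MessageDigest
import java.security.PrivateKey
import java.security.SecureRandom
import java.security.Signature
import java.security.spec.ECGenParameterSpec
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

private const val KEY_ALIAS = "sca_signing_key"   // assumed alias
private const val PBKDF2_ITERATIONS = 310_000     // assumed work factor

/** Factors 2 and 3: a P-256 key that never leaves secure hardware and is only usable
 *  after a fresh strong-biometric authentication. Returns true if StrongBox was used. */
@Suppress("DEPRECATION")
fun generateScaKey(): Boolean {
    fun spec(strongBox: Boolean): KeyGenParameterSpec =
        KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)   // new fingerprint/face => key unusable
            .setIsStrongBoxBacked(strongBox)
            .apply {
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                    setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                } else {
                    setUserAuthenticationValidityDurationSeconds(-1)  // authenticate per use
                }
            }
            .build()

    val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
    return try {
        kpg.initialize(spec(strongBox = true)); kpg.generateKeyPair(); true
    } catch (e: StrongBoxUnavailableException) {
        kpg.initialize(spec(strongBox = false)); kpg.generateKeyPair(); false   // TEE fallback
    }
}

private fun loadPrivateKey(): PrivateKey =
    KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        .getKey(KEY_ALIAS, null) as PrivateKey

/** Check, rather than assume, that the private key lives in secure hardware. */
@Suppress("DEPRECATION")
fun scaKeyIsHardwareBacked(): Boolean {
    val key = loadPrivateKey()
    val info = KeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
        .getKeySpec(key, KeyInfo::class.java)
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
            info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
    } else {
        info.isInsideSecureHardware
    }
}

/** Factor 1: the app stores a salted PBKDF2 verifier of the passcode, never the passcode. */
class PasscodeVerifier(val salt: ByteArray, val hash: ByteArray)

fun enrollPasscode(passcode: CharArray): PasscodeVerifier {
    val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    return PasscodeVerifier(salt, pbkdf2(passcode, salt))
}

fun verifyPasscode(passcode: CharArray, verifier: PasscodeVerifier): Boolean =
    MessageDigest.isEqual(pbkdf2(passcode, verifier.salt), verifier.hash)  // constant-time

private fun pbkdf2(passcode: CharArray, salt: ByteArray): ByteArray {
    val spec = PBEKeySpec(passcode, salt, PBKDF2_ITERATIONS, 256)
    try {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    } finally {
        spec.clearPassword()
    }
}

/** Build the Signature for BiometricPrompt.CryptoObject; call it only after
 *  verifyPasscode() returned true. onAuthenticationSucceeded hands the same object
 *  back (result.cryptoObject.signature), now authorised by the keystore. */
fun prepareSignature(): Signature =
    Signature.getInstance("SHA256withECDSA").apply { initSign(loadPrivateKey()) }

/** Sign the server's challenge with the biometric-authorised Signature. */
fun signChallenge(authorisedSignature: Signature, challenge: ByteArray): ByteArray {
    authorisedSignature.update(challenge)
    return authorisedSignature.sign()
}
```

Two caveats a practitioner will want. First, this does not cryptographically bind the hardware key to the passcode (the poster's original wish); the passcode check only gates the UI flow, so a rooted device can skip it, and the server should also rate-limit and lock out failed attempts rather than trust the client alone. Second, a 6-digit passcode has roughly 20 bits of entropy, so if the verifier file ever leaks it can be brute-forced offline regardless of the PBKDF2 work factor; keep the verifier in app-private storage and count attempts. Note also that `generateKeyPair()` throws if no secure lock screen is set, because `setUserAuthenticationRequired(true)` needs one.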

0 Answers