
For my application, I create an AES key and want to check whether said key is stored inside the Secure Hardware. I googled and found an example for RSA, but figured it shouldn't matter. Below is the RSA example I found:

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Generate an AES key that lives in the AndroidKeyStore provider
final KeyGenerator keyGenerator = KeyGenerator
        .getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");

final KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder("key_alias",
        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .build();

keyGenerator.init(keyGenParameterSpec);
final SecretKey secretKey = keyGenerator.generateKey();

final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);

// Taken over from the RSA example: KeyFactory is the asymmetric-key API
KeyFactory keyFactory = KeyFactory.getInstance(secretKey.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = keyFactory.getKeySpec(secretKey, KeyInfo.class);
keyInfo.isInsideSecureHardware();

However, the very first line returns a no such algorithm: AES for provider AndroidKeyStore exception. But shouldn't it be possible to check if an AES key is inside the secure hardware for AES as well?

Theoretically I could use asymmetric encryption, since it is only a small snippet of data I want to en/decrypt but I would still prefer if I could use symmetric encryption.

Do you guys have an idea?

Edit: Added further implementation details.

Alex
  • Hi Alex. Did you try "AndroidKeyStoreBCWorkaround" as the second argument to getInstance? Also, what is the exact value of secretKey.getAlgorithm()? – Elletlar Sep 03 '20 at 15:50
  • I want to use a `AES/GCM/NoPadding` key. Interestingly enough, `AndroidKeyStoreBCWorkaround` trips the exception in the key generation. – Alex Sep 03 '20 at 16:01
  • This post has a little more detail about Google's workaround: [AndroidKeystore NoSuchAlgorithm exception](https://stackoverflow.com/questions/36111452/androidkeystore-nosuchalgorithm-exception) – Elletlar Sep 03 '20 at 16:13
  • Thx, but I still seem to have some issues with the workaround. When I try to create the cipher at the first line and pass `cipher.getProvider()` as second argument to `KeyGenerator.getInstance(...)` the line `keyGenerator.init(...)` throws an `Unknown param type: android.security.keystore.KeyGenParameterSpec` exception. – Alex Sep 04 '20 at 07:36
  • I am not sure. Let's see if someone more knowledge answers. The only other thing I can offer: [Using Android keyStore to Encrypt Strings](https://stackoverflow.com/questions/27320610/how-can-i-use-the-android-keystore-to-securely-store-arbitrary-strings/59067594#59067594). It is not the same as what you are doing. But I know this code works because I refactored it recently. – Elletlar Sep 04 '20 at 11:29

1 Answer


In order to get KeyInfo for a symmetric key, the following code is needed:

import android.security.keystore.KeyInfo;
import javax.crypto.SecretKeyFactory;

SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(secretKey.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = (KeyInfo) secretKeyFactory.getKeySpec(secretKey, KeyInfo.class); // getKeySpec returns KeySpec, hence the cast
Alex
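The answer's SecretKeyFactory call, carried through to a complete check, as an added example that is not code from the question or the answer. The class name AesKeyLocation, the Backing enum and the generate-or-load flow are my own assumptions; the API-level branches rely on setIsStrongBoxBacked (API 28) and KeyInfo.getSecurityLevel (API 31), which replaces the deprecated isInsideSecureHardware boolean.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/** Hypothetical helper: generate or load an AES key in AndroidKeyStore and report where it lives. */
public final class AesKeyLocation {
    private static final String PROVIDER = "AndroidKeyStore";

    /** Where the keystore says the key material lives. */
    public enum Backing { STRONGBOX, TEE, SECURE_UNKNOWN_LEVEL, SOFTWARE, UNKNOWN }

    private AesKeyLocation() {}

    /** Generates an AES-256/GCM key, asking for StrongBox first and falling back to the TEE keystore. */
    public static SecretKey generateAesKey(String alias) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Default, stated explicitly: the keystore picks the GCM IV, callers may not supply one.
                .setRandomizedEncryptionRequired(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                kg.init(builder.setIsStrongBoxBacked(true).build());
                return kg.generateKey();
            } catch (StrongBoxUnavailableException e) {
                // No StrongBox on this device: retry with the ordinary (TEE) keystore.
                builder.setIsStrongBoxBacked(false);
            }
        }
        kg.init(builder.build());
        return kg.generateKey();
    }

    /** Returns the stored key, or null if no entry with that alias exists. */
    public static SecretKey loadAesKey(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return (SecretKey) ks.getKey(alias, null);
    }

    /** KeyInfo for a symmetric key comes from SecretKeyFactory; KeyFactory only handles asymmetric keys. */
    public static KeyInfo keyInfoFor(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        return (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
    }

    /** API 31+ reports a security level; older releases only offer the boolean isInsideSecureHardware(). */
    public static Backing backingOf(KeyInfo info) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            switch (info.getSecurityLevel()) {
                case KeyProperties.SECURITY_LEVEL_STRONGBOX:
                    return Backing.STRONGBOX;
                case KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT:
                    return Backing.TEE;
                case KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE:
                    return Backing.SECURE_UNKNOWN_LEVEL;
                case KeyProperties.SECURITY_LEVEL_SOFTWARE:
                    return Backing.SOFTWARE;
                default:
                    return Backing.UNKNOWN;
            }
        }
        return info.isInsideSecureHardware() ? Backing.TEE : Backing.SOFTWARE;
    }

    /** Generate-or-load the key, then refuse to use it unless the keystore places it in secure hardware. */
    public static Backing requireHardwareBacked(String alias) throws GeneralSecurityException, IOException {
        SecretKey key = loadAesKey(alias);
        if (key == null) {
            key = generateAesKey(alias);
        }
        Backing backing = backingOf(keyInfoFor(key));
        if (backing == Backing.SOFTWARE || backing == Backing.UNKNOWN) {
            throw new GeneralSecurityException("AES key '" + alias + "' is not hardware-backed (" + backing + ")");
        }
        return backing;
    }
}
```

Two caveats worth keeping in mind when relying on this check. First, KeyInfo is the local keystore daemon's own report about the key, not a proof a remote party can verify; key attestation (setAttestationChallenge and the resulting certificate chain) is only available for asymmetric key pairs, so a server that needs evidence of hardware backing has to attest an EC or RSA key generated in the same keystore and infer that the AES key is held by the same keymaster. Second, with randomized encryption required the keystore generates the GCM IV itself, so after cipher.init the caller must read cipher.getIV() and store it alongside the ciphertext for decryption.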