Android

This article discusses several open-source implementations of the HKDF scheme for Android. Since HKDF is a relatively simple algorithm, it allows for a good case study of cryptographic code. The primary audience are applied cryptographers and software engineers working on protocols. Key derivation functions (KDFs) are an important building block for practical protocols. They take as input the input keying material (IKM), an optional salt, and a context string (info). Their output is a pseudorandom key of specified length. For most variants we can assume that the resulting key material is indistinguishable from random which makes it easily usable as input for other cryptographic algorithms. Below is a typical example. ...

This article describes how to add a CLI module to an existing Android Studio project that generates an executable .jar archive. The primary audience are software engineers working on Android. When developing for Android – or other mobile platforms – the change-to-effect latency can be often quite high due to the involved compilation and cross-device communication. The regular unit tests get around this by executing in a VM on the host machine. However, they can be inflexible when it comes to incorporating larger (binary) assets to test against. Also, they do not lend themself to facilitate long fuzzing session or interactive usage. ...

This article discusses the support for elliptic curves on Android. Its primary audience are engineers implementing or maintaining cryptographic protocols on Android. It hopefully also shows up as a helpful result when searching for error messages. During a recent cryptography project on Android, I found that only few Elliptic Curves are supported by the built-in key pair generator. The typical error messages I got were along the line of java.security.InvalidAlgorithmParameterException: unknown curve name. Neither the official documentation nor any other online resource has a helpful list of the curves that I could use. Therefore, I decided to do a quick inventory and summarize the results here. In many places I link directly to the underlying source code. I hope this post helps next engineer to better understand exceptions like the following one: ...

This article explains why password hashing is important and how to do it properly on Android. The primary audience are software engineers working with passwords. Password hashing or password-based key derivation takes a password from the user as input and generates key material as output. This is a helpful thing because many people struggle to memorize 256-bit encryption keys. The standard procedure is to pass the user password through the password hashing function, and then use the derived key for cryptographic operations. These operations can be symmetrical encryption/decryption of files or the generation of login tokens. ...