Sunday, December 16, 2012

Re: [android-developers] Cipher.wrap() not working in Android 4.2?

On Mon, Dec 17, 2012 at 1:57 AM, Matthew Fleming <mgflem@gmail.com> wrote:
> Thanks very much. I had pretty much reached the same conclusion -- that I
> should just try switching to encryption/decryption rather than wrap/unwrap,
> and this works. I have included a complete example, below, which works on
> Android 4.2, 4.1, and presumably earlier versions.

Glad you got it working, but the wrap/unwrap code I posted works on 4.2, so
you are probably hitting some other bug(?). Can you share the full stack trace?

> Evidently there was some undocumented change.

That shouldn't be too hard to trace if we know exactly where it's failing.

>
> Here is the code which works, replacing wrap/unwrap with encrypt/decrypt.
> Unless you see anything wrong with this I think I'll just proceed on that
> basis:

The usual stuff: don't use a fixed salt (kind of defeats the purpose) and
use a larger number of iterations. On mobile you might have to balance
with performance, but 20 is just too low. Start with 1000. For reference,
Android and iOS backup, etc. encryption uses iterations of the order
of 10,000.

Also prefer PBKDF2, rather than the not-quite standard
PBEWITHSHA256AND128BITAES-CBC-BC (based on PKCS#12
key derivation). The fact that it has SHA256 in it doesn't necessarily
make it better. It does however have the advantage that it generates
the IV based on your password and salt, so that you don't have to
save it separately.

Some related discussion (and code) here:

http://nelenkov.blogspot.com/2012/04/using-password-based-encryption-on.html
