The Android N operating system version will no longer use the Crypto provider and the SHA1PRNG algorithm, Google announced.
Google’s plan to modify the key derivation function (KDF) in Android stems from the company’s attempt to improve the cryptography features of the platform. Developers whose applications derive keys using the SHA1PRNG algorithm from the Crypto provider need to find another key derivation function and possibly re-encrypt data, says Sergio Giro, a software engineer at Google.
Giro explains that the Java Cryptography Architecture employed by Android allows developers to create an instance of a class such as a cipher or a pseudo-random number generator using different calls. Although Google doesn’t recommend specifying the provider, some calls to the Java Cryptography Extension (JCE) APIs do specify it, and many apps rely on the “Crypto” provider for an anti-pattern of key derivation.
According to Giro, the provider only offered an implementation of the SHA1PRNG algorithm for instances of SecureRandom, and this algorithm is not cryptographically strong. In fact, researchers have demonstrated that the “random” sequence, considered in binary form, is biased toward returning 0s, and that the bias worsens depending on the seed.
“As a result, in Android N we are deprecating the implementation of the SHA1PRNG algorithm and the Crypto provider altogether,” Giro says. “A common but incorrect usage of this provider was to derive keys for encryption by using a password as a seed. The implementation of SHA1PRNG had a bug that made it deterministic if setSeed() was called before obtaining output,” he adds.
The incorrect usage consists of using a password as the seed and then taking the ‘random’ output bytes as the key. However, ‘random’ in this context would be ‘predictable and cryptographically weak’, Giro notes. The key is then used to encrypt and decrypt data.
The engineer says that there are different ways to derive keys correctly, and even offers a full example of one. For developers who have data encrypted with an insecure key and want to transition it more easily, an example app is available, with a helper class created specifically for such situations. “You can then re-encrypt your data with a securely derived key as explained above, and live a happy life ever after,” Giro notes.
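One way to derive a key correctly from a password, shown as an added example that is not Giro's or Google's code: PBKDF2 with a random salt that is stored alongside the ciphertext, with the seeded-SHA1PRNG anti-pattern kept in a comment for contrast. The class name, iteration count, key size, AES-GCM mode and sample strings are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordKeyDerivation {
    // Assumed parameters for this example; tune the iteration count for your devices.
    static final int ITERATIONS = 100_000, KEY_BITS = 256, SALT_BYTES = 16, IV_BYTES = 12;

    // Anti-pattern described above, shown only for contrast (not executed here):
    //   SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "Crypto");
    //   sr.setSeed(passwordBytes);   // password used as the seed
    //   KeyGenerator kg = KeyGenerator.getInstance("AES");
    //   kg.init(128, sr);            // key = deterministic PRNG output

    // Derive an AES key from a password with PBKDF2 and a random salt.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom(); // no provider named, no setSeed()
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        char[] password = "constructed sample password".toCharArray();

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("secret note".getBytes(StandardCharsets.UTF_8));

        // Salt and IV are not secret: store them next to the ciphertext.
        // Decryption re-derives the same key from the password and the stored salt.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```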
To ensure that applications continue to work, Google is keeping the Crypto provider in the Android SDK version 23, for Marshmallow and earlier operating system iterations. However, developers are advised to move away from the provider, as it will be completely deleted from the SDK in the future.
“Because many parts of the system assume the existence of a SHA1PRNG algorithm, when an instance of SHA1PRNG is requested and the provider is not specified we return an instance of OpenSSLRandom, which is a strong source of random numbers derived from OpenSSL,” Google’s engineer also explains.
The deprecation of the Crypto provider is yet another step Google is taking toward improved user data security in Android, after it announced that full device encryption was mandatory for new devices in Android Marshmallow. Earlier this year, the company revealed that it was performing 400 million Android security scans daily to ensure the safety of its users.