Android Security – Primer: Symmetric and Asymmetric cryptography

This post is only going to be a recap of cryptography, types of keys, and the important concepts that are needed to be kept in mind. This post would neither talk about any advanced topics, not go into much details. 

This post is meant for beginners.

Cryptography

The objective of cryptography is to secure the communication or messages between two parties, so that any adversary(malicious) party cannot read or tamper the original communication.

“Encryption” is a process of taking a message, scrambling it’s content so that in only certain people can look at this message.

This is done by using a key (secret) and an algorithm, which the adversary doesn’t have access to. The original message (plaintext) is transformed (encrypted) to ciphertext (gibberish for the adversary) by the sender before actually transmitting it. The recipient decrypts the ciphertext by using the same set of “key” and the “algorithm” to extract the original message.

Symmetric cryptography

In symmetric cryptography, there’s only 1 shared secret key which is used to encrypt and decrypt messages. Both parties need to know the secret key to be able to communicate with each other.

In this case, if your secret key is compromised, hackers can easily decrypt your messages. However, on Android, if you are using the Android Keystore system to generate secret keys, you can be sure that the key cannot be extracted and used outside the system.

Asymmetric cryptography

In asymmetric cryptography, you have a pair of keys. A public key, which can be shared freely with everyone, and a private key which is meant to be kept private with one party.

A message that is encrypted with a public key, can only be decrypted by the corresponding private key. The public and the private key are mathematically linked, but the private key cannot be derived from the public key.

In this case, the private key always needs to be secured on the system that generates the keys. It could be your server, or a client. 

On Android, to keep your private key safe, you should always use the Android Keystore system, which will not allow anyone to extract the private key.

Asymmetric encryption

Which one should you choose?

  • If the purpose of encryption is to store data locally on a single system, you can use symmetric encryption. For example, storing usernames, tokens and passwords of a used on your Android app.
  • If the purpose of encryption is to transmit encrypted data between 2 parties, you should use asymmetric encryption. For example, you want to send an encrypted message between your server and a client and prevent man-in-the-middle-attack (MITM).

Leave a Reply

Your email address will not be published. Required fields are marked *