triadaniche.blogg.se

Locked krysteel strongbox












In the case of Android, this means that compromising the Android OS (or its kernel) would not result in compromising the processes running in the TEE. Android phones have been equipped with TEEs for some time now, and it is common that the biometric sensors of the phone (e.g. More precisely, a TEE runs its own OS, and communicates with the “main” OS only through a “restricted” interface (generally a shared memory region which both OS’s use to exchange data). If you already know them, you can skip it and go directly to the “conclusion”. A trusted execution environment (TEE) is a secure area of a main processor. Note: short detour to explain the concepts of SE and TEE. Ok, but… What is a TEE? And a Secure Element? It turns out, I was lucky enough to get an answer:


Reading through the official docs did not answer the question, so I decided to ask directly to the people at Google responsible for Android Security. So… what is the difference between a key generated using the new StrongBox API (more precisely, by calling (true)) and a key generated with the “old” API but that is still “hardware-backed” (i.e., which returns true when KeyInfo.isInsideSecureHardware() is called)? The Answer The Question But… haven’t we had the “hardware-backed” KeyStore implementation for several Android releases already? Looking into the docs, we see that KeyInfo.isInsideSecureHardware() has been around since API level 23 (that is, Marshmallow - or, for what it’s worth, 3 major releases of Android ago). Additional mechanisms to resist package tampering and unauthorized sideloading of apps. Supported devices running Android 9 (API level 28) or higher installed can have a StrongBox Keymaster, an implementation of the Keymaster HAL that resides in a hardware security module. Okay, so… “StrongBox Keystore APIs”, huh? The provided link brings you to the Android KeyStore documentation, with a section that reads as follows: With Android 9, apps can now take advantage of StrongBox KeyStore APIs to generate and store their private keys in Titan M.


You can read more about the Titan M chips in this blog post by Google. An interesting bit of information that can be read in there is the following: verify the integrity of the images that are loaded at system’s boot or to verify your lock screen passcode. It turns out that the new phones from Google are equipped with a security-dedicated chip, called Titan M, which is used by the OS (and lower level components) to e.g. Together with the announcement of the Pixel 3 and 3 XL phones came a bunch of other announcements, one of them being the “Titan” security chips.


Android KeyStore: what is the difference between “StrongBox” and “hardware-backed” keys?












