Using Android Supported KeyStore

I want to use KeyStore with Android hardware support, but I'm concerned about security and usability. From what I've read here, the KeyStore is cleared when the user changes the device lock if setEncryptionRequired() is not specified. For ease of use, it looks like this needs to be done, otherwise all hardware keys will be removed after the device is locked.

However, I also read here that the hardware keys are not actually stored in the TEE, but rather are stored as key files in /data/misc/keystore/user_0/, encrypted with a special device key that is stored in the TEE. Since changing the device lock erases the KeyStore, it appears that the device-specific key is derived from the device lock.

For security reasons, it makes sense to encrypt the key file, otherwise any root user will be able to read the key files and retrieve the private key, since they apparently need to be in the clear there.

So I'm kind of in a dilemma. For ease of use, I must omit setEncryptionRequired(), but for security, I must set setEncryptionRequired().

Finally, is it possible to import the private key into a hardware-supported KeyStore using setKeyEntry()? I can do this without error, but I'm not sure if they are supported by the hardware.

Do I understand correctly?

+3


1 answer


setEncryptionRequired() was deprecated in Android 6.0 (Marshmallow) and was never very strictly enforced. Android KeyStore security relies on the TEE, not the password.

The blog post you linked to is out of date, at least on devices running Android 6.0 or newer. On these devices, you shouldn't use setEncryptionRequired(), and your keys won't be deleted until your app is removed (or a factory reset is done, or your app removes them). Your keys will be securely wrapped with private keys that never leave the TEE. In fact, your keys will never leave the TEE in clear text. When you use your keys, the data is transferred to the TEE along with the encrypted key. The TEE unwraps the key, then processes and returns the encrypted/signed/whatever data.

Yes, you can import secret keys using setKeyEntry(). If you want to make sure your key is protected by hardware, use KeyInfo.isInsideSecureHardware(). For example (this is from the documentation):

import android.security.keystore.KeyInfo;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;

PrivateKey key = ...; // Android KeyStore key

// Ask the AndroidKeyStore provider to describe the key; only keys it owns can be
// represented as a KeyInfo, so a foreign key fails with InvalidKeySpecException.
KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo;
boolean isHardwareBacked = false;
try {
    keyInfo = factory.getKeySpec(key, KeyInfo.class);
    // true when the key material is held in the TEE (or StrongBox) rather than
    // in a software keymaster implementation.
    isHardwareBacked = keyInfo.isInsideSecureHardware();
} catch (InvalidKeySpecException e) {
    // Not an Android KeyStore key.
}

+3

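As an added example (not part of the answer above, and not from the Android documentation), the following puts the two cases from the question side by side: a key generated inside the AndroidKeyStore, and an external private key imported with setKeyEntry(), each checked with KeyInfo.isInsideSecureHardware(). It assumes it runs on an Android device with the "AndroidKeyStore" provider; the aliases and the caller-supplied certificate chain for the imported key are placeholders.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;

public final class HardwareBackingCheck {
    private static final String PROVIDER = "AndroidKeyStore";

    /** True only if the provider reports the key material is held in secure hardware (TEE/StrongBox). */
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        try {
            KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
            return info.isInsideSecureHardware();
        } catch (InvalidKeySpecException e) {
            return false; // not an AndroidKeyStore key at all
        }
    }

    /** Generates an EC signing key inside the KeyStore: the private part is created in, and never leaves, the TEE. */
    public static PrivateKey generateInKeystore(String alias) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair().getPrivate();
    }

    /**
     * Imports an externally created private key with setKeyEntry(). The password must be null for
     * AndroidKeyStore. Note the key has already existed in clear text in app memory before import,
     * even if the KeyStore wraps it with a hardware key afterwards.
     */
    public static PrivateKey importIntoKeystore(String alias, PrivateKey external, Certificate[] chain)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        ks.setKeyEntry(alias, external, null, chain);
        // Read it back: the returned object is the KeyStore's handle, which is what KeyInfo can describe.
        return (PrivateKey) ks.getKey(alias, null);
    }
}
```

Calling isHardwareBacked() on the result of each method answers the question's last point per key rather than per device: a KeyStore entry can be software-backed on the same phone where generated keys are hardware-backed.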