Hardware-backed Keystore

The availability of a trusted execution environment in a system on a chip (SoC) offers an opportunity for Android devices to provide hardware-backed, strong security services to the Android OS, to platform services, and even to third-party apps.

Keystore has been significantly enhanced in Android 6.0 with the addition of symmetric cryptographic primitives, AES and HMAC, and the addition of an access control system for hardware-backed keys. Access controls are specified during key generation and enforced for the lifetime of the key. Keys can be restricted to be usable only after the user has authenticated, and only for specified purposes or with specified cryptographic parameters. For more information, please see the Implementer's Reference.

Before Android 6.0, Android already had a simple, hardware-backed crypto services API, provided by versions 0.2 and 0.3 of the Keymaster Hardware Abstraction Layer (HAL). Keystore provided digital signing and verification operations, plus generation and import of asymmetric signing key pairs. This is already implemented on many devices, but there are many security goals that cannot easily be achieved with only a signature API. Keystore in Android 6.0 extends the Keystore API to provide a broader range of capabilities.

Goals


The goal of the Android 6.0 Keystore API and the underlying Keymaster 1.0 HAL is to provide a basic but adequate set of cryptographic primitives to allow the implementation of protocols using access-controlled, hardware-backed keys.

In addition to expanding the range of cryptographic primitives, Keystore in Android 6.0 adds the following:

  • A usage control scheme to allow key usage to be limited, to mitigate the risk of security compromise due to misuse of keys
  • An access control scheme to enable restriction of keys to specified users, clients, and a defined time range

Architecture


The Keymaster HAL is an OEM-provided, dynamically-loadable library used by the Keystore service to provide hardware-backed cryptographic services. HAL implementations must not perform any sensitive operations in user space, or even in kernel space. Sensitive operations are delegated to a secure processor reached through some kernel interface. The resulting architecture looks like the following:

Figure 1. Access to Keymaster

Within an Android device, the "client" of the Keymaster HAL consists of multiple layers (e.g. app, framework, Keystore daemon), but that can be ignored for the purposes of this document. This means that the described Keymaster HAL API is low-level, used by platform-internal components, and not exposed to app developers. The higher-level API, for API level 23, is described on the Android Developer site.

The purpose of the Keymaster HAL is not to implement the security-sensitive algorithms but only to marshal and unmarshal requests to the secure world. The wire format is implementation-defined.

Compatibility with previous versions


The Keymaster v1.0 HAL is completely incompatible with the previously-released HALs, e.g. Keymaster v0.2 and v0.3. To facilitate interoperability on pre-Marshmallow devices that launched with the older Keymaster HALs, Keystore provides an adapter that implements the 1.0 HAL with calls to the existing hardware library. The result cannot provide the full range of functionality in the 1.0 HAL. In particular, it will only support RSA and ECDSA algorithms, and all of the key authorization enforcement will be performed by the adapter, in the non-secure world.
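
The access controls fixed at key generation (described in the overview and Goals sections) and the hardware-versus-adapter enforcement question raised here can both be seen through the higher-level API level 23 interface. The following is an added example, not code from the original page or from the Android project; the class name, method names and alias parameter are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.security.GeneralSecurityException;
import java.util.Date;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/** Added example (API level 23 calls); class and method names are hypothetical. */
public final class RestrictedKeyExample {
    private static final String PROVIDER = "AndroidKeyStore";

    /** Generates an AES key whose authorizations are fixed at creation time. */
    public static SecretKey generate(String alias, Date notAfter)
            throws GeneralSecurityException {
        KeyGenerator generator =
                KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        generator.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                // Usage control: only 256-bit AES-GCM without padding is authorized.
                .setKeySize(256)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Access control: usable only within 30 s of a user authentication.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30)
                // Access control: the key stops being valid after this date.
                .setKeyValidityEnd(notAfter)
                .build());
        return generator.generateKey();
    }

    /** True only if the key material and the authentication check are in secure hardware. */
    public static boolean isHardwareEnforced(SecretKey key)
            throws GeneralSecurityException {
        SecretKeyFactory factory =
                SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware()
                && info.isUserAuthenticationRequirementEnforcedBySecureHardware();
    }
}
```

Key generation with `setUserAuthenticationRequired(true)` fails unless the device has a secure lock screen configured. A caller that depends on hardware enforcement should treat a `false` result from `isHardwareEnforced` as a reason not to store high-value secrets under that key.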
