Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
1.1k views
in Technique[技术] by (71.8m points)

security - In Android, how to ensure that Private Key is stored inside secure hardware

KeyInfo's isInsideSecureHardware-method's return value seems to depend on device model, OS version, and some other random factors.

For example, when using a Sony Xperia Z5 Compact with an older OS version, isInsideSecureHardware() could return true for some time and then suddenly start returning false for the same Private Key. With the latest OS version (32.2.A.0.224) it seems to return only false. Huawei Nexus 6P always returns true.

Is there a way to make sure that the key is stored in secure hardware?

Here is my current code:

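import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;

// Generate an RSA key pair inside the AndroidKeyStore provider
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
                                    .setUserAuthenticationRequired(true)
                                    .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
                                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                                    .build());
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// Check that private key is inside secure hardware
PrivateKey key = keyPair.getPrivate();
KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = factory.getKeySpec(key, KeyInfo.class);
boolean secure = keyInfo.isInsideSecureHardware(); //  this usually returns false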

Thanks!

Edit: In the Sony support forum there is a topic about the same problem: https://talk.sonymobile.com/t5/Android-development/hardware-backed-keystore/td-p/1154124

It was mentioned that the following warning is printed to the logs:

W keystore: Primary keymaster device failed to generate key, falling back to SW.


1 Reply

0 votes
by (71.8m points)

According to the Android API, the only way to verify it is to first create the key then look at the information to ensure it is hardware-backed.

Looking at the specs for the phone, it was originally released on Lollipop. That was before the official Marshmallow Fingerprint API/hardware specs, and manufacturers were doing their own thing. This article mentions the device you are using specifically (http://blog.elcomsoft.com/2016/06/fingerprint-unlock-security-ios-vs-google-android-part-ii/). I am wondering whether the true values you were getting back were incorrect and your O/S upgrade then fixed the logic (or broke it?). The O/S upgrade version you mention contains "1 April 2016 Google security patches".

I have a few questions:

  1. What does isUserAuthenticationRequirementEnforcedBySecureHardware() return on your device now? Is the value consistent? If it's false, that could tell you that the fingerprint reader is not considered secure (or there is an O/S defect).

  2. What does older OS version mean, exactly? Lollipop? Have you tried resetting to factory defaults?
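
The create-then-inspect check described in this thread, as an added example (not code from the original posts): it generates the question's key, reads both KeyInfo flags mentioned above, and fails closed when the keystore reports a software fallback. The class and method names are hypothetical, and discarding a key that fails the check is an assumed policy.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;

// Added example; class and method names are hypothetical.
public final class HardwareBackedKey {
    private static final String PROVIDER = "AndroidKeyStore";

    // Generates the question's RSA key, then verifies it through load().
    public static PrivateKey generate(String alias)
            throws GeneralSecurityException, IOException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
                .setUserAuthenticationRequired(true)
                .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                .build());
        kpg.generateKeyPair();
        return load(alias);
    }

    // Loads an existing key and re-checks it on every use, since the question
    // reports the flag changing over time for the same key.
    public static PrivateKey load(String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new GeneralSecurityException("no private key under alias " + alias);
        }
        KeyInfo info = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER)
                .getKeySpec(key, KeyInfo.class);
        if (!info.isInsideSecureHardware()
                || !info.isUserAuthenticationRequirementEnforcedBySecureHardware()) {
            // Assumed policy: a software-only key is discarded, not used.
            ks.deleteEntry(alias);
            throw new GeneralSecurityException("key " + alias + " is not hardware-backed");
        }
        return key;
    }
}
```

Callers should treat the exception as "this device cannot protect the key" and stop, or fall back to a flow that does not depend on hardware protection, instead of retrying silently.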

