Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How is the Android keystore protected?

How does Android protect the keystore in 4.4 and beyond? How does it encrypt/decrypt it? Are there any good tutorials that describe the internals of how the keystore works on the device?

like image 819
Dan Largo Avatar asked Feb 06 '15 20:02

Dan Largo


1 Answers

The encryption/decryption of the keystore is handled by the keystore service, which in turn links with a Hardware Abstraction Layer module called "keymaster". The AOSP provides a sofware ("softkeymaster") implementation, but device vendors can offer support for hardware based protected storage, if available. On ARM architectures, this linked to the ARM "TrustZone".

The upper level layers remain entirely agnostic of the implementation: The keymaster HAL exports methods to generate or remove keypairs, sign data, etc, but does not actually provide exposure to any private keys.

Tutorial wise, there's nothing. But book-wise, there are two great books. The first is Nikolay Elenkov's "Android Security Internals". He also writes a blog, called Android Explorations, which describes (in several posts) the keystore in depth. The second is "Android Internals" by Jonathan Levin, which discusses the keystore daemon.

like image 155
Technologeeks Avatar answered Sep 30 '22 14:09

Technologeeks