Menu
KeyInfo's isInsideSecureHardware-method's return value seems to depend on device model, os version, and some other random factors.
For example when using Sony xperia z5 compact with older os version isInsideSecureHardware() could return true for some time and then suddenly start returning false for the same Private Key. With the latest os version (32.2.A.0.224) it seems to return only false. Huawei Nexus 6P returns always true.
Is there a way to make sure that the key is stored in secure hardware?
Here is my current code:
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(KEY_NAME, KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_ENCRYPT)
.setUserAuthenticationRequired(true)
.setBlockModes(KeyProperties.BLOCK_MODE_ECB)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.build());
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// Check that private key is inside secure hardware
KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = factory.getKeySpec(key, KeyInfo.class);
boolean secure = keyInfo.isInsideSecureHardware(); // this usually returns false
Thanks!
Edit: In sony support forum there is a topic about the same problem: https://talk.sonymobile.com/t5/Android-development/hardware-backed-keystore/td-p/1154124
It was mentioned that following warning is printed to logs:
W keystore: Primary keymaster device failed to generate key, falling back to SW.
720
A public/private key RSA pair is generated, which is stored in the Android device's keystore and protected usually by the device PIN. An AES-based symmetric key is also generated, which is used to encrypt and decrypt the secrets.
The Android Keystore provides APIs to perform cryptographic operations within this trusted environment and receive the result. It was introduced in API 18 (Android 4.3). A strongbox backed Android Keystore is currently the most secure and recommended type of keystore.
AndroidKeystore is the Android Framework API and component used by apps to access Keystore functionality. It is implemented as an extension to the standard Java Cryptography Architecture APIs, and consists of Java code that runs in the app's own process space.
According to the Android API, the only way to verify it is to first create the key then look at the information to ensure it is hardware-backed.
Looking at the specs for the phone, it was originally released on Lollipop. That was before the official Marshmallow Fingerprint API/hardware specs and manufacturers were doing their own thing. This article mentions the device you are using specifically (http://blog.elcomsoft.com/2016/06/fingerprint-unlock-security-ios-vs-google-android-part-ii/). I am wondering if whether the true values you were getting back were incorrect and then due to your O/S upgrade it fixed the logic (or broke it?). The O/S upgrade version you mention contains "1 April 2016 Google security patches"
I have a few questions:
What does isUserAuthenticationRequirementEnforcedBySecureHardware() return on your device now? Is the value consistent? If it's false that could tell you that the fingerprint reader is not considered secure (or there is an O/S defect)
What does older OS version mean, exactly? Lollipop? Have you tried resetting to factory defaults?
172
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
