Google Git
Sign in
android / platform / docs / source.android.com / 6fcef5f72c8b2ea92f472b6335bc86408da97b33 / . / en / security / keystore / features.html
blob: 05da1744d8d395488d51903fb2e93b256fbbec26 [file] [log] [blame]
<html devsite>
<head>
<title>Features</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<p>This page contains information about the cryptographic features of
<a href="index.html">Keystore</a> in Android 6.0 and above.</p>
<h2 id=cryptographic_primitives>Cryptographic primitives</h2>
<p>Keystore provides the following categories of operations:</p>
<ul>
<li>Key generation
<li>Import and export of asymmetric keys (no key wrapping)
<li>Import of raw symmetric keys (no key wrapping)
<li>Asymmetric encryption and decryption with appropriate padding modes
<li>Asymmetric signing and verification with digesting and appropriate padding
modes
<li>Symmetric encryption and decryption in appropriate modes, including an AEAD
mode
<li>Generation and verification of symmetric message authentication codes
</ul>
<p>Protocol elements, such as purpose, mode and padding, as well
as <a href="#key_access_control">access control constraints</a>,
are specified when keys are generated or imported and are permanently
bound to the key, ensuring the key cannot be used in any other way.</p>
<p>In addition to the list above, there is one more service that Keymaster
implementations provide, but which is not exposed as an API: Random number
generation. This is used internally for generation of keys, Initialization
Vectors (IVs), random padding and other elements of secure protocols that
require randomness.</p>
<h2 id="primitives">Necessary primitives</h2>
<p>All Keymaster implementations provide:</p>
<ul>
<li><a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a>
<ul>
<li>2048, 3072, and 4096-bit key support
<li>Support for public exponent F4 (2^16+1)
<li>Padding modes for RSA signing:
<ul>
<li>RSASSA-PSS (<code>KM_PAD_RSA_PSS</code>)
<li>RSASSA-PKCS1-v1_5 (<code>KM_PAD_RSA_PKCS1_1_5_SIGN</code>)
</ul>
<li>Digest modes for RSA signing:
<ul>
<li>SHA-256
</ul>
<li>Padding modes for RSA encryption/decryption:
<ul>
<li>Unpadded
<li>RSAES-OAEP (<code>KM_PAD_RSA_OAEP</code>)
<li>RSAES-PKCS1-v1_5 (<code>KM_PAD_RSA_PKCS1_1_5_ENCRYPT</code>)
</ul>
</ul>
<li><a href="http://en.wikipedia.org/wiki/Elliptic_Curve_DSA">ECDSA</a>
<ul>
<li>224, 256, 384, and 521-bit key support are supported, using the NIST P-224,
P-256, P-384, and P-521 curves, respectively
<li>Digest modes for ECDSA:
<ul>
<li>No digest (deprecated, will be removed in the future)</li>
<li>SHA-256</li>
</ul>
</ul>
<li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES</a>
<ul>
<li>128 and 256-bit keys are supported
<li><a href="http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29">CBC</a>,
CTR, ECB, and GCM. The GCM implementation does not allow the use of tags
smaller than 96 bits or nonce lengths other than 96 bits.
<li>Padding modes <code>KM_PAD_NONE</code> and <code>KM_PAD_PKCS7</code> is
supported for CBC and ECB modes. With no padding, CBC or ECB mode
encryption fails if the input isn't a multiple of the block size.
</ul>
<li><a href="http://en.wikipedia.org/wiki/Hash-based_message_authentication_code">HMAC</a>
<a href="http://en.wikipedia.org/wiki/SHA-2">SHA-256</a>, with any key size up
to at least 32 bytes.
</ul>
</ul>
<p>SHA1 and the other members of the SHA2 family (SHA-224, SHA384 and SHA512) are
strongly recommended for Keymaster implementations. Keystore provides them in software
if the hardware Keymaster implementation doesn't provide them.</p>
<p>Some primitives are also recommended for interoperability with other systems:</p>
<ul>
<li>Smaller key sizes for RSA
<li>Arbitrary public exponents for RSA
</ul>
<h2 id=key_access_control>Key access control</h2>
<p>Hardware-based keys that can never be extracted from the device don't provide
much security if an attacker can use them at will (though they're more secure
than keys which <em>can</em> be exfiltrated). Thus, it's crucial that Keystore
enforce access controls.</p>
<p>Access controls are defined as an "authorization list" of tag/value pairs.
Authorization tags are 32-bit integers and the values are a variety of types.
Some tags may be repeated to specify multiple values. Whether a tag may be
repeated is specified in the <a href="/security/keystore/tags">documentation
for the tag</a>. When a key is created,
the caller specifies an authorization list. The Keymaster implementation
underlying Keystore modifies the list to specify some additional information,
such as whether the key has rollback protection, and return a "final"
authorization list, encoded into the returned key blob. Any attempt to use the
key for any cryptographic operation fails if the final authorization list is
modified.</p>
<p>The set of possible tags is defined in the enumeration
<code>keymaster_authorization_tag_t</code> and
is permanently fixed (though it can be extended).
Names are prefixed with <code>KM_TAG_</code>. The top
four bits of tag IDs are used to indicate the type.</p>
<p>Possible types include:</p>
<p><strong><code>KM_ENUM</code>:</strong> Many tags' values are defined in
enumerations. For example, the possible values of <code>KM_TAG_PURPOSE</code>
are defined in enum <code>keymaster_purpose_t</code>.</p>
<p><strong><code>KM_ENUM_REP</code></strong>: Same as <code>KM_ENUM</code>,
except that the tag may be repeated in an authorization list. Repetition
indicates multiple authorized values. For example, an encryption key
likely has <code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_DECRYPT</code>.</p>
<p><strong><code>KM_UINT</code>:</strong> 32-bit unsigned integers. Example:
<code>KM_TAG_KEY_SIZE</code></p>
<p><strong><code>KM_UINT_REP</code></strong>: Same as <code>KM_UINT</code>,
except that the tag may be repeated in an authorization list. Repetition
indicates multiple authorized values.</p>
<p><strong><code>KM_ULONG</code></strong>: 64-bit unsigned integers. Example:
<code>KM_TAG_RSA_PUBLIC_EXPONENT</code></p>
<p><strong><code>KM_ULONG_REP</code></strong>: Same as <code>KM_ULONG</code>,
except that the tag may be repeated in an authorization list. Repetition
indicates multiple authorized values.</p>
<p><strong><code>KM_DATE</code></strong>: Date/time values, expressed as
milliseconds since January 1, 1970.
Example: <code>KM_TAG_PRIVKEY_EXPIRE_DATETIME</code></p>
<p><strong><code>KM_BOOL</code></strong>: True or false. A tag of type
<code>KM_BOOL</code> is assumed to be "false" if the tag is not present and
"true" if present. Example: <code>KM_TAG_ROLLBACK_RESISTANT</code></p>
<p><strong><code>KM_BIGNUM</code></strong>: Arbitrary-length integers,
expressed as a byte array in big-endian order. Example:
<code>KM_TAG_RSA_PUBLIC_EXPONENT</code></p>
<p><strong><code>KM_BYTES</code></strong>: A sequence of bytes. Example:
<code>KM_TAG_ROOT_OF_TRUST</code></p>
<h3 id=hardware_vs_software_enforcement>Hardware vs. software enforcement</h3>
<p>Not all secure hardware implementations contain the same features. To support
a variety of approaches, Keymaster distinguishes between secure and non-secure
world access control enforcement, or hardware and software
enforcement, respectively.</p>
<p>All implementations:</p>
<ul>
<li>Enforce exact matching (not enforcement) of all authorizations.
Authorization lists in key blobs exactly match the authorizations
returned during key generation, including ordering. Any mismatch causes an
error diagnostic.
<li>Declare the authorizations whose semantic values are enforced.
</ul>
<p>The API mechanism for declaring hardware-enforced authorizations is in the
<code>keymaster_key_characteristics_t</code> structure. It divides the
authorization list into two sub-lists, <code>hw_enforced</code> and
<code>sw_enforced</code>. The secure hardware is responsible for placing the
appropriate values in each, based on what it can enforce.</p>
<p>In addition, Keystore implements software-based enforcement of <em>all</em>
authorizations, whether they're enforced by the secure hardware or not.</p>
<p>For example, consider a TrustZone-based implementation that does not support
key expiration. A key with an expiration date may still be created. That key's
authorization list will include the tag
<code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code> with the expiration date. A
request to Keystore for the key characteristics will find this tag in the
<code>sw_enforced</code> list and the secure hardware will not enforce the
expiration requirement. However, attempts to use the key after expiration will
be rejected by Keystore.</p>
<p>If the device is then upgraded with secure hardware that does support
expiration, then a request for key characteristics will find
<code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code> in the <code>hw_enforced</code>
list, and attempts to use the key after expiration will fail even if the
keystore is somehow subverted or bypassed.</p>
<p>For more information about determining whether keys are hardware-backed,
see <a href="/security/keystore/attestation">Key attestation</a>.
<h3 id=cryptographic_message_construction_authorizations>Cryptographic message construction authorizations</h3>
<p>The following tags are used to define the cryptographic characteristics of
operations using the associated key: <code>KM_TAG_ALGORITHM</code>,
<code>KM_TAG_KEY_SIZE</code>, <code>KM_TAG_BLOCK_MODE</code>,
<code>KM_TAG_PADDING</code>, <code>KM_TAG_CALLER_NONCE</code>,
and <code>KM_TAG_DIGEST</code></p>
<p><code>KM_TAG_PADDING</code>, <code>KM_TAG_DIGEST</code>,
and <code>KM_PAD_BLOCK_MODE</code> are repeatable, meaning that multiple values
may be associated with a single key, and the value to be used is specified at
operation time.</p>
<h3 id=purpose>Purpose</h3>
<p>Keys have an associated set of purposes, expressed as one or more authorization
entries with tag <code>KM_TAG_PURPOSE</code>, which defines how they can be used.
The purposes are:</p>
<ul>
<li><code>KM_PURPOSE_ENCRYPT</code>
<li><code>KM_PURPOSE_DECRYPT</code>
<li><code>KM_PURPOSE_SIGN</code>
<li><code>KM_PURPOSE_VERIFY</code>
</ul>
<p>Any key can have any subset of these purposes. Note that some combinations
create security problems. For example, an RSA key that can be used to both
encrypt and to sign allows an attacker who can convince the system to decrypt
arbitrary data to generate signatures.</p>
<h3 id=import_and_export>Import and export</h3>
<p>Keymaster supports export of public keys only, in X.509 format, and import of:</p>
<ul>
<li>Public and private key pairs in DER-encoded PKCS#8 format, without
password-based encryption, and
<li>Symmetric keys as raw bytes
</ul>
<p>To ensure that imported keys can be distinguished from securely-generated
keys, <code>KM_TAG_ORIGIN</code> is included in the appropriate key
authorization list. For example, if a key
was generated in secure hardware, <code>KM_TAG_ORIGIN</code> with
value <code>KM_ORIGIN_GENERATED</code> will be found in
the <code>hw_enforced</code> list of the key characteristics, while a key
that was imported into secure
hardware will have the value <code>KM_ORIGIN_IMPORTED</code>.</p>
<h3 id=user_authentication>User authentication</h3>
<p>Secure Keymaster implementations do not implement user authentication, but
depend on other trusted apps which do. For the interface that these apps
implement, see the <a href="/security/authentication/gatekeeper">Gatekeeper page</a>.</p>
<p>User authentication requirements are specified via two sets of tags. The first
set indicate which user can use the key:</p>
<ul>
<li><code>KM_TAG_ALL_USERS</code> indicates the key is usable by all users. If
present, <code>KM_TAG_USER_ID</code> and <code>KM_TAG_USER_SECURE_ID</code> is
not present.</li>
<li><code>KM_TAG_USER_ID</code> has a numeric value specifying the ID of the
authorized user. Note that this is the Android user ID (for multi-user), not
the application UID, and it is enforced by non-secure software only. If
present, <code>KM_TAG_ALL_USERS</code> is not present.</li>
<li><code>KM_TAG_USER_SECURE_ID</code> has a 64-bit numeric value specifying
the secure user ID that is provided in a secure authentication token to
unlock use of the key. If repeated, the key may be used if any of the values
is provided in a secure authentication token.</li>
</ul>
<p>The second set indicates whether and when the user needs to be authenticated.
If neither of these tags is present, but <code>KM_TAG_USER_SECURE_ID</code> is,
authentication is required for every use of the key.</p>
<ul>
<li><code>KM_NO_AUTHENTICATION_REQUIRED</code> indicates no user
authentication is required, though the key still may only be used by apps
running as the user(s) specified by <code>KM_TAG_USER_ID</code>.</li>
<li><code>KM_TAG_AUTH_TIMEOUT</code> is a numeric value specifying, in
seconds, how fresh the user authentication needs to be to authorize key usage.
This applies only to private/secret key operations. Public key operations
don't require authentication. Timeouts do not cross reboots; after a reboot,
all keys are "never authenticated." The timeout may be set to a large value to
indicate that authentication is required once per boot (2^32 seconds is ~136
years; presumably Android devices are rebooted more often than that).</li>
</ul>
<h3 id=client_binding>Client binding</h3>
<p>Client binding, the association of a key with a particular client
application, is done via an optional client ID and some optional client data
(<code>KM_TAG_APPLICATION_ID</code> and <code>KM_TAG_APPLICATION_DATA</code>,
respectively). Keystore treats these values as opaque blobs, only ensuring that
the same blobs presented during key generation/import are presented for every
use and are byte-for-byte identical. The client binding data is not returned by
Keymaster. The caller has to know it in order to use the key.</p>
<p>This feature is not exposed to applications.
<h3 id=expiration>Expiration</h3>
<p>Keystore supports restricting key usage by date. Key start of validity and
key expirations can be associated with a key and Keymaster refuses to
perform key operations if the current date/time is outside of the valid
range. The key validity range is specified with the tags
<code>KM_TAG_ACTIVE_DATETIME</code>,
<code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code>, and
<code>KM_TAG_USAGE_EXPIRE_DATETIME</code>. The distinction between
"origination" and "usage" is based on whether the key is being used to
"originate" a new ciphertext/signature/etc., or to "use" an existing
ciphertext/signature/etc. Note that this distinction is not exposed to
applications.</p>
<p>The <code>KM_TAG_ACTIVE_DATETIME</code>,
<code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code>,
and <code>KM_TAG_USAGE_EXPIRE_DATETIME</code> tags are optional. If the tags
are absent, it is assumed that the key in
question can always be used to decrypt/verify messages.</p>
<p>Because wall-clock time is provided by the non-secure world, it's unlikely that
the expiration-related tags will be in the hardware-enforced list. Hardware
enforcement of expiry would require that the secure world somehow obtain
trusted time and data, for example via a challenge response protocol with a
trusted remote timeserver.</p>
<h3 id=root_of_trust_binding>Root of trust binding</h3>
<p>Keystore requires keys to be bound to a root of trust, which is a bitstring
provided to the Keymaster secure hardware during startup, preferably by the
bootloader. This bitstring is cryptographically bound to every key managed
by Keymaster.</p>
<p>The root of trust consists of the public key used to verify the signature on
the boot image and the lock state of the device. If the public key is changed to
allow a different system image to be used or if the lock state is changed, then
none of the Keymaster-protected keys created by the previous system are
usable, unless the previous root of trust is restored and a system that is
signed by that key is booted. The goal is to increase the value of the
software-enforced key access controls by making it impossible for an
attacker-installed operating system to use Keymaster keys.</p>
<h3 id=standalone_keys>Standalone keys</h3>
<p>Some Keymaster secure hardware may choose to store key material internally
and return handles rather than encrypted key material. Or there may be other
cases in which keys cannot be used until some other non-secure or secure world
system component is available. The Keymaster HAL allows the caller to
request that a key be "standalone," via the <code>KM_TAG_STANDALONE</code> tag,
meaning that no resources other than the blob and the running Keymaster system
are required. The tags associated with a key may be inspected to see whether a
key is standalone. At present, only two values are defined:</p>
<ul>
<li><code>KM_BLOB_STANDALONE</code>
<li><code>KM_BLOB_REQUIRES_FILE_SYSTEM</code>
</ul>
<p>This feature is not exposed to applications.
<h3 id=velocity>Velocity</h3>
<p>When it's created, the maximum usage velocity can be specified
with <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code>.
TrustZone implementations refuse to perform cryptographic operations
with that key if an operation was performed less
than <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code> seconds earlier.</p>
<p>The simple approach to implementing velocity limits is a table of key IDs and
last-use timestamps. This table will likely be of limited size, but
accommodates at least 16 entries. In the event that the table is full and no
entries may be updated or discarded, secure hardware implementations "fail
safe," preferring to refuse all velocity-limited key operations until one of the
entries expires. It is acceptable for all entries to expire upon reboot.</p>
<p>Keys can also be limited to <em>n</em> uses per boot with
<code>KM_TAG_MAX_USES_PER_BOOT</code>. This also requires a tracking table,
which accommodates at least four keys and also fails safe. Note that
applications will be unable to create per-boot limited keys. This feature
is not exposed through Keystore and is reserved for system operations.</p>
<p>This feature is not exposed to applications.</p>
<h3 id=random_number_generator_re-seeding>Random number generator re-seeding</h3>
<p>Because secure hardware generates random numbers for key material and
Initialization Vectors (IVs), and because hardware random number generators may
not always be fully trustworthy, the Keymaster HAL provides an interface to
allow the client to provide additional entropy which will be mixed into the
random numbers generated.</p>
<p>Use a hardware random-number generator as the primary seed source.
The seed data provided through the external API can't be the sole source
of randomness used for number generation. Further, the mixing operation used
needs to ensure that the random output is unpredictable if any one of the seed
sources is unpredictable.</p>
<p>This feature is not exposed to applications but is used by the framework,
which regularly provides additional entropy, retrieved from a Java SecureRandom
instance, to the secure hardware.
</body>
</html>