This page contains information about the features of Keystore in Android 6.0.
Keystore provides the following categories of operations:
Protocol elements, such as purpose, mode and padding, as well as access control constraints, must be specified when keys are generated or imported and are permanently bound to the key, ensuring the key cannot be used in any other way.
In addition to the list above, there is one more service that Keymaster implementations must provide but which is not exposed as an API: Random number generation. This is used internally for generation of keys, Initialization Vectors (IVs), random padding and other elements of secure protocols that require randomness.
All implementations must provide:
KM_PAD_RSA_PSS)
KM_PAD_RSA_PKCS1_1_5_SIGN)
KM_PAD_RSA_OAEP)
KM_PAD_RSA_PKCS1_1_5_ENCRYPT)
KM_PAD_NONE and KM_PAD_PKCS7 must
be supported for CBC and ECB modes. With no padding, CBC or ECB mode
encryption must fail if the input isn't a multiple of the block size.
SHA1 and the other members of the SHA2 family (SHA-224, SHA384 and SHA512) are strongly recommended, but not required. Keystore will provide them in software if the hardware Keymaster implementation doesn't provide them.
Some primitives are also recommended for interoperability with other systems:
Hardware-based keys that can never be extracted from the device don't provide much security if an attacker can use them at will (though they're more secure than keys which can be exfiltrated). Thus, it's crucial that Keystore enforce access controls.
Access controls are defined as an "authorization list" of tag/value pairs. Authorization tags are 32-bit integers and the values are a variety of types. Some tags may be repeated to specify multiple values. Whether a tag may be repeated is specified in the documentation for the tag. When a key is created, the caller specifies an authorization list. The Keymaster implementation underlying Keystore will modify the list to specify some additional information, such as whether the key has rollback protection, and return a "final" authorization list, encoded into the returned key blob. Any attempt to use the key for any cryptographic operation must fail if the final authorization list is modified.
The set of possible tags is defined in the enumeration keymaster_authorization_tag_t and
the set must be permanently fixed (though it can be extended).
Names are prefixed with KM_TAG_. The top
four bits of tag IDs are used to indicate the type.
Possible types include:
KM_ENUM: Many tags' values are defined in enumerations. For example, the possible
values of KM_TAG_PURPOSE are defined in enum keymaster_purpose_t.
KM_ENUM_REP: Same as KM_ENUM, except that the tag may
be repeated in an authorization list. Repetition
indicates multiple authorized values. For example, an encryption key will
likely have KM_PURPOSE_ENCRYPT and KM_PURPOSE_DECRYPT.
KM_UINT: 32-bit unsigned integers. Example: KM_TAG_KEY_SIZE
KM_UINT_REP: Same as KM_UINT, except that the tag may be
repeated in an authorization list. Repetition indicates multiple authorized values.
KM_ULONG: 64-bit unsigned integers. Example: KM_TAG_RSA_PUBLIC_EXPONENT
KM_ULONG_REP: Same as KM_ULONG, except that the tag may be
repeated in an authorization list. Repetition
indicates multiple authorized values.
KM_DATE: Date/time values, expressed as milliseconds since January 1, 1970.
Example: KM_TAG_PRIVKEY_EXPIRE_DATETIME
KM_BOOL: True or false. A tag of type KM_BOOL is assumed
to be "false" if the tag is not present and "true" if present. Example: KM_TAG_ROLLBACK_RESISTANT
KM_BIGNUM: Arbitrary-length integers, expressed as a byte array
in big-endian order. Example: KM_TAG_RSA_PUBLIC_EXPONENT
KM_BYTES: A sequence of bytes. Example: KM_TAG_ROOT_OF_TRUST
Not all secure hardware will implement the same features. To support a variety of approaches, Keymaster 1.0 distinguishes between secure and non-secure world access control enforcement, which we call hardware and software enforcement, respectively.
Implementations are required to:
The API mechanism for declaring hardware-enforced authorizations is in the
keymaster_key_characteristics_t structure. It divides the
authorization list into two sub-lists, hw_enforced and
sw_enforced. The secure hardware is responsible for placing the
appropriate values in each, based on what it can enforce.
In addition, Keystore implements software-based enforcement of all authorizations, whether they're enforced by the secure hardware or not.
For example, consider a TrustZone-based implementation that does not support
key expiration. A key with an expiration date may still be created. That key's
authorization list will include the tag
KM_TAG_ORIGINATION_EXPIRE_DATETIME with the expiration date. A
request to Keystore for the key characteristics will find this tag in the
sw_enforced list and the secure hardware will not enforce the
expiration requirement. However, attempts to use the key after expiration will
be rejected by Keystore.
If the device is then upgraded with secure hardware that does support
expiration, then a request for key characteristics will find
KM_TAG_ORIGINATION_EXPIRE_DATETIME in the hw_enforced
list, and attempts to use the key after expiration will fail even if the
keystore is somehow subverted or bypassed.
The following tags are used to define the cryptographic characteristics of
operations using the associated key: KM_TAG_ALGORITHM, KM_TAG_KEY_SIZE,
KM_TAG_BLOCK_MODE, KM_TAG_PADDING, KM_TAG_CALLER_NONCE, and KM_TAG_DIGEST
KM_TAG_PADDING, KM_TAG_DIGEST, and KM_PAD_BLOCK_MODE
are repeatable, meaning that multiple values may be associated with a single
key, and the value to be used will be specified at operation time.
Keys have an associated set of purposes, expressed as one or more authorization
entries with tag KM_TAG_PURPOSE, which defines how they can be used. The purposes are:
KM_PURPOSE_ENCRYPT
KM_PURPOSE_DECRYPT
KM_PURPOSE_SIGN
KM_PURPOSE_VERIFY
Any key can have any subset of these purposes. Note that some combinations create security problems. For example, an RSA key that can be used to both encrypt and to sign allows an attacker who can convince the system to decrypt arbitrary data to generate signatures.
Keymaster supports export of public keys only, in X.509 format, and import of:
To ensure that imported keys can be distinguished from securely-generated
keys, KM_TAG_ORIGIN is included in the appropriate key
authorization list. For example, if a key
was generated in secure hardware, KM_TAG_ORIGIN with
value KM_ORIGIN_GENERATED will be found in
the hw_enforced list of the key characteristics, while a key
that was imported into secure
hardware will have the value KM_ORIGIN_IMPORTED.
Secure Keymaster implementations do not implement user authentication, but depend on other trusted apps which do. For the interface that must be implemented by these apps, see the Gatekeeper page.
User authentication requirements are specified via two sets of tags. The first set indicate which user can use the key:
KM_TAG_ALL_USERS indicates the key is usable by all users. If
present, KM_TAG_USER_ID and KM_TAG_SECURE_USER_ID must not be present.
KM_TAG_USER_ID has a numeric value specifying the ID of the authorized user.
Note that this
is the Android user ID (for multi-user), not the application UID, and it is
enforced by non-secure software only. If present, KM_TAG_ALL_USERS must not be present.
KM_TAG_SECURE_USER_ID has a 64-bit numeric value specifying the secure user ID
that must be provided
in a secure authentication token to unlock use of the key. If repeated, the key
may be used if any of the values is provided in a secure authentication token.
The second set indicate whether and when the user must be authenticated. If
neither of these tags is present, but KM_TAG_SECURE_USER_ID is, authentication is
required for every use of the key.
KM_NO_AUTHENTICATION_REQUIRED indicates no user authentication is required, though
the key still may only be
used by apps running as the user(s) specified by KM_TAG_USER_ID.
KM_TAG_AUTH_TIMEOUT is a numeric value specifying, in seconds, how fresh the user
authentication
must be to authorize key usage. This applies only to private/secret key
operations. Public key operations don't require authentication. Timeouts do not
cross reboots; after a reboot, all keys are "never authenticated." The timeout
may be set to a large value to indicate that authentication is required once
per boot (2^32 seconds is ~136 years; presumably Android devices are rebooted
more often than that).
Client binding, the association of a key with a particular client
application, is done via an optional client ID and some optional client data
(KM_TAG_APPLICATION_ID and KM_TAG_APPLICATION_DATA,
respectively). Keystore treats these values as opaque blobs, only ensuring that
the same blobs presented during key generation/import are presented for every
use and are byte-for-byte identical. The client binding data is not returned by
Keymaster. The caller must know it in order to use the key.
This feature is not exposed to applications.
Keystore supports restricting key usage by date. Key start of validity and
key expirations can be associated with a key and Keymaster will refuse to
perform key operations if the current date/time is outside of the valid
range. The key validity range is specified with the tags
KM_TAG_ACTIVE_DATETIME,
KM_TAG_ORIGINATION_EXPIRE_DATETIME, and
KM_TAG_USAGE_EXPIRE_DATETIME. The distinction between
"origination" and "usage" is based on whether the key is being used to
"originate" a new ciphertext/signature/etc., or to "use" an existing
ciphertext/signature/etc. Note that this distinction is not exposed to
applications.
The KM_TAG_ACTIVE_DATETIME, KM_TAG_ORIGINATION_EXPIRE_DATETIME,
and KM_TAG_USAGE_EXPIRE_DATETIME tags are optional. If the tags are absent, it is
assumed that the key in
question can always be used to decrypt/verify messages.
Because wall-clock time is provided by the non-secure world, it's unlikely that the expiration-related tags will be in the hardware-enforced list. Hardware enforcement of expiry would require that the secure world somehow obtain trusted time and data, for example via a challenge response protocol with a trusted remote timeserver.
Keystore requires keys to be bound to a root of trust, which is a bitstring provided to the Keymaster secure hardware during startup, preferably by the bootloader. This bitstring must be cryptographically bound to every key managed by Keymaster.
The root of trust consists of the public key used to verify the signature on the boot image and the lock state of the device. If the public key is changed to allow a different system image to be used or if the lock state is changed, then none of the Keymaster-protected keys created by the previous system will be usable, unless the previous root of trust is restored and a system that is signed by that key is booted. The goal is to increase the value of the software-enforced key access controls by making it impossible for an attacker-installed operating system to use Keymaster keys.
Some Keymaster secure hardware may choose to store key material internally
and return handles rather than encrypted key material. Or there may be other
cases in which keys cannot be used until some other non-secure or secure world
system component is available. The Keymaster 1.0 HAL allows the caller to
request that a key be "standalone," via the KM_TAG_STANDALONE tag,
meaning that no resources other than the blob and the running Keymaster system
are required. The tags associated with a key may be inspected to see whether a
key is standalone. At present, only two values are defined:
KM_BLOB_STANDALONE
KM_BLOB_REQUIRES_FILE_SYSTEM
This feature is not exposed to applications.
When it's created, the maximum usage velocity can be specified
with KM_TAG_MIN_SECONDS_BETWEEN_OPS.
TrustZone implementations will refuse to perform cryptographic operations
with that key if an operation was performed less
than KM_TAG_MIN_SECONDS_BETWEEN_OPS seconds earlier.
The simple approach to implementing velocity limits is a table of key IDs and last-use timestamps. This table will likely be of limited size, but must accommodate at least 16 entries. In the event that the table is full and no entries may be updated or discarded, secure hardware implementations must "fail safe," preferring to refuse all velocity-limited key operations until one of the entries expires. It is acceptable for all entries to expire upon reboot.
Keys can also be limited to n uses per boot with
KM_TAG_MAX_USES_PER_BOOT. This also requires a tracking table,
which must accommodate at least four keys, and must also fail safe. Note that
applications will be unable to create per-boot limited keys. This feature will
not be exposed through Keystore and will be reserved for system operations.
This feature is not exposed to applications.
Because secure hardware must generate random numbers for key material and Initialization Vectors (IVs), and because hardware random number generators may not always be fully trustworthy, the Keymaster HAL provides an interface to allow the client to provide additional entropy which will be mixed into the random numbers generated.
A hardware random-number generator must be used as the primary seed source, and the seed data provided through the external API must not be the sole source of randomness used for number generation. Further, the mixing operation used must ensure that the random output is unpredictable if any one of the seed sources is unpredictable.
This feature is not exposed to applications but is used by the framework, which regularly provides additional entropy, retrieved from a Java SecureRandom instance, to the secure hardware.