![CRYPTO DETAILS -- SECURE BOX
• byte[] SecureBox.encrypt(theirPublicKey,sharedSecret, header,payload)
• byte[] SecureBox.decrypt(ourPrivateKey, sharedSecret, header, encryptedPayload)
• Key agreement: ECDH with NIST P-256/secp256r1
• Key derivation: HKDF
• Encryption: AES-GCM
byte[] randNonce = genRandomNonce();
byte[] keyingMaterial = concat(dhSecret, sharedSecret);
SecretKey encryptionKey = hkdfDeriveKey(keyingMaterial, HKDF_SALT, hkdfInfo);
byte[] ciphertext = aesGcmEncrypt(encryptionKey, randNonce, payload, header);
9](https://image.slidesharecdn.com/android-recoverable-keystore-191214141531/85/Android-Recoverable-Keystore-10-320.jpg)
Android Recoverable Keystore
- 2. AGENDA • ANDROID KEYSTORE • RECOVERABLE KEYSTORE • IMPLEMENTATION • WHO USES IT? • SUMMARY 1
- 3. ANDROID KEYSTORE QUICK INTRO • PROTECTS KEYS WITH HARDWARE • IMPLEMENTED USING TEE OR HARDWARE (TITAN CHIP ON PIXELS) • KEYS ARE NOT EXPORTABLE • INTEGRATES WITH LOCK SCREEN AND BIOMETRICS • KEYS MIGHT REQUIRE AUTHENTICATION TO USE • PROVIDES KEY ATTESTATION • VERIFIABLE INFO ABOUT DEVICE THAT GENERATED KEY 2
- 5. RECOVERABLE KEYSTORE? • RECOVERABLE == EXPORTABLE? • IS THIS SAFE? • WHY IS IT NEEDED? • 4
- 6. BRIEF SPECS • ONLY SYMMETRIC KEYS ARE SUPPORTED (AES) • LOCAL KEYS ARE WRAPPED USING AES-GCM PLATFORM KEY • KEYSTORE SNAPSHOTS ENCRYPTED WITH CLOUD PUBLIC KEY AND KEY BASED ON PIN • AKA: ‘LOCK SCREEN KNOWLEDGE FACTOR’ (LSKF) • ONLY SYSTEM APPS CAN GENERATE AND RESTORE RECOVERABLE KEYS • REQUIRES RECOVER_KEYSTORE (SYSTEM|PRIVILEGED) PERMISSION • KEYS ARE BACKED UP TO GOOGLE CLOUD KEY VAULT SERVICE (CKV) • HTTPS://DEVELOPER.ANDROID.COM/ABOUT/VERSIONS/PIE/SECURITY/CKV-WHITEPAPER 5
- 10. CRYPTO DETAILS -- SECURE BOX • byte[] SecureBox.encrypt(theirPublicKey,sharedSecret, header,payload) • byte[] SecureBox.decrypt(ourPrivateKey, sharedSecret, header, encryptedPayload) • Key agreement: ECDH with NIST P-256/secp256r1 • Key derivation: HKDF • Encryption: AES-GCM byte[] randNonce = genRandomNonce(); byte[] keyingMaterial = concat(dhSecret, sharedSecret); SecretKey encryptionKey = hkdfDeriveKey(keyingMaterial, HKDF_SALT, hkdfInfo); byte[] ciphertext = aesGcmEncrypt(encryptionKey, randNonce, payload, header); 9
- 11. USERS OF RECOVERABLE KEYSTORE • CURRENTLY ONLY GOOGLE PLAY SERVICE (GMS) • HAS RECOVER_KEYSTORE PERMISSION • CAN KICK OFF KEYSTORE SNAPSHOT AND RECOVERY • GMS.AUTH.FOLSOM.START_RECOVERY • ACTION.RECOVERABLE_KEYSTORE_SNAPSHOT • PACKAGE COM.GOOGLE.ANDROID.GMS.AUTH.FOLSOM/* • FOLSOMGCMTASKCHIMERASERVICE • FOLSOMPUBLICKEYUPDATESERVICE • FOLSOMMODULEINITINTENTOPERATION • KEYSYNCINTENTOPERATION • KEYRECOVERYINTENTOPERATION 10
- 12. SUMMARY • ANDROID 9-10 HAVE RECOVERABLE KEYSTORE PROTECTED BY LOCKSCREEN PIN • CAN BE MIGRATED TO NEW DEVICE • LINKED TO GOOGLE ACCOUNT • ONLY SYMMETRIC KEYS SUPPORTED ATM • GOOGLE PLAY SERVICES ACTS AS A RECOVERY AGENT • RECOVERABLE KEY ALLOWS SECURE RECOVERY OF ARBITRARY DATA • FULL DEVICE BACKUP, ETC. 11
- 13. REFERENCES • INSIDER ATTACK RESISTANCE IN THE ANDROID ECOSYSTEM, ENIGMA 2019 • HTTPS://SECURITY.GOOGLEBLOG.COM/2018/10/GOOGLE-AND-ANDROID-HAVE-YOUR-BACK-BY.HTML • HTTPS://DEVELOPER.ANDROID.COM/GUIDE/TOPICS/DATA/BACKUP • HTTPS://WWW.NCCGROUP.TRUST/US/OUR-RESEARCH/ANDROID-CLOUD-BACKUPRESTORE/ 12