Thanks. I've some other questions:

According to this paper: http://www.cs.kun.nl/~erikpoll/publications/AndroidSecureStorage.pdf private key material in a hardware-backed keystore is NOT stored in the TEE, but rather stored encrypted on the device file system in /data/misc/keystore/user_0/<UID>_USRPKEY_<alias>, encrypted by the device master key that resides within the TEE. Is the device master key derived from the device lock screen credentials, or is it some hard-coded value that is set during device manufacture?

If I omit KeyPairGenerator.setEncryptionRequired(), presumably encryption is disabled, and the key material is independent of the device lock screen credentials, i.e. a change in device lock screen credentials does NOT wipe the KeyStore. I've verified this to be true on a few Android L/M devices. However, does this mean that /data/misc/keystore/user_0/<UID>_USRPKEY_<alias> now contains the private key in the clear? Does this mean that any app/user that has access to it will now have the private key?

I've tried reading this file on a rooted Android L device, and indeed the file does not seem to be encrypted, as it contains some data with a few interspersed areas of zeroes. I'm unsure of how to extract the private key from this file, though.
On Friday, March 3, 2017 at 2:37:26 AM UTC+8, Alex Klyubin wrote:
> This works only API Level 23 (Android Marshmallow) and higher.
>
> On Wed, Mar 1, 2017 at 6:35 PM galapogos <[email protected]> wrote:
>> Thanks, but does this work only on Android M onward, or is it downward compatible down to Android 4.3, when hardware-backed credential storage was first officially supported? It seems like KeyGenParameterSpec was first introduced in API Level 23 (Android M). I need something that works with older Android versions.
>>
>> On Wednesday, March 1, 2017 at 1:01:54 AM UTC+8, Alex Klyubin wrote:
>>> See AES and HMAC key example in https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.html .
>>>
>>> On Mon, Feb 27, 2017 at 11:19 PM galapogos <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> I'm trying to create symmetric keys and store some encrypted data in Android's hardware-backed KeyStore. I understand this is supported from Android 4.3. There are several examples for KeyPair generation/storage, but nothing on symmetric keys. Also, on https://developer.android.com/training/articles/keystore.html it seems that all the AES/KeyGenerator algorithms are supported only on API level 23+ (Marshmallow).
>>>>
>>>> Is it possible to create symmetric keys and store encrypted data in hardware-backed KeyStore? If so, how?
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> Visit this group at https://groups.google.com/group/android-security-discuss.
>>>> For more options, visit https://groups.google.com/d/optout.
