Can you clear up the text on isBoundKeyAlgorithm <http://developer.android.com/reference/android/security/KeyChain.html#isBoundKeyAlgorithm(java.lang.String)> (String <http://developer.android.com/reference/java/lang/String.html> algorithm)
Returns true if the current device's KeyChain binds any PrivateKey of the given algorithm to the device once imported or generated. This can be used to tell if there is special hardware support that can be used to bind keys to the device in a way that makes it non-exportable. Does this mean that the key bytes themselves (whether in memory or disk) are never to be returned outside of the privileged implementation (think tee or txe), or that the blob as stored on disk cant be copied from the orignating device to another device? On Wed, Mar 4, 2015 at 1:51 PM, Shawn Willden <[email protected]> wrote: > TZ implementations can and should make use of HW RNGs, though the existing > ones are closed source and I can't say what they actually do. > > On Wed, Mar 4, 2015 at 11:41 AM William Roberts <[email protected]> > wrote: > >> Ok, so just another sanity check. Is the TZ implementation purely >> software based, or does it make use of any rng's or anything like that for >> seeding the keygeneration, etc. >> >> On Tue, Mar 3, 2015 at 7:35 PM, Shawn Willden <[email protected]> >> wrote: >> >>> "Hardware-backed" means "in ARM TrustZone" on all existing devices. >>> Since TrustZone isn't separate hardware but a secure mode of the main CPU, >>> key generation should be almost exactly as fast as a software key, since >>> the only additional cost is the context switches in and out of secure mode. >>> If KeyChain.isAlgorithmSupported returns true for an algorithm, that means >>> that algorithm is supported in secure hardware (actually, TrustZone) on >>> your device. >>> >>> On Nexus 5, keystore.msm8974.so is the HAL module that talks to the >>> Qualcomm trusted OS. >>> >>> On Tue, Mar 3, 2015 at 8:25 PM William Roberts <[email protected]> >>> wrote: >>> >>>> Without rooting an image, is there a way to test if AKS is hardware >>>> backed? KeyChain.isKeyAlgorithmSupported("RSA")) returns true, but others >>>> suspect the generation times are too fast (1.2-1.7 seconds). >>>> >>>> On Kitkat Nexus 5, I see /system/lib/hw contains 2 keymaster >>>> implementations: >>>> >>>> keystore.default.so >>>> keystore.msm8974.so >>>> >>>> I initially was going to look at the memmap of keystored to see what >>>> was loaded. Any comments, much appreciated. >>>> >>>> Thanks. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Android Security Discussions" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To post to this group, send email to >>>> [email protected]. >>>> Visit this group at >>>> http://groups.google.com/group/android-security-discuss. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >> >> >> -- >> Respectfully, >> >> William C Roberts >> >> -- Respectfully, William C Roberts -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
