What Is the Difference Between isInsideSecureHardware() and isUserAuthenticationRequirementEnforcedBySecureHardware()?
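Android 6.0+ has a KeyInfo class to get information about a key saved in the AndroidKeyStore. On the KeyInfo class, we have the isInsideSecureHardware() and isUserAuthenticationRequirementEnforcedBySecureHardware() methods. We also have isUserAuthenticationRequired(). The documentation, as usual, sucks.

Based on the method names and the (limited) documentation, it would seem that isUserAuthenticationRequirementEnforcedBySecureHardware() is simply a logical AND of isInsideSecureHardware() and isUserAuthenticationRequired().

Is there something more to it than that? If so, what does it mean for the user authentication requirement to be enforced by secure hardware, beyond the key being inside secure hardware?
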
isUserAuthenticationRequirementEnforcedBySecureHardware() is simply a logical AND of isInsideSecureHardware() and isUserAuthenticationRequired().
I don't think that's true (see the methods below); it comes from the key from the KeyChain.
Is there something more to it than that?
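KeyInfo.java is a container class for information about a key from the KeyChain.
Whether a key is bound to the secure hardware is known only once the key has been imported.
To find out, use: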
    {
        PrivateKey key = ...; // private key from KeyChain
        KeyFactory keyFactory =
            KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
        if (keyInfo.isInsideSecureHardware())
        {
            // The key is bound to the secure hardware of this Android
        }
    }
From KeyInfo.java:

    /**
     * Returns {@code true} if the key resides inside secure hardware (e.g., Trusted Execution
     * Environment (TEE) or Secure Element (SE)). Key material of such keys is available in
     * plaintext only inside the secure hardware and is not exposed outside of it.
     */
    public boolean isInsideSecureHardware()
    {
        return mInsideSecureHardware;
    }

    /**
     * Returns {@code true} if the requirement that this key can only be used if the user has been
     * authenticated is enforced by secure hardware (e.g., Trusted Execution Environment (TEE) or
     * Secure Element (SE)).
     *
     * @see #isUserAuthenticationRequired()
     */
    public boolean isUserAuthenticationRequirementEnforcedBySecureHardware()
    {
        return mUserAuthenticationRequirementEnforcedBySecureHardware;
    }

    /**
     * Returns {@code true} if the key is authorized to be used only if the user has been
     * authenticated.
     *
     * <p>This authorization applies only to secret key and private key operations. Public key
     * operations are not restricted.
     *
     * @see #getUserAuthenticationValidityDurationSeconds()
     * @see KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)
     * @see KeyProtection.Builder#setUserAuthenticationRequired(boolean)
     */
    public boolean isUserAuthenticationRequired()
    {
        return mUserAuthenticationRequired;
    }

See also: KeyStore.java

isUserAuthenticationRequirementEnforcedBySecureHardware() is simply a logical AND of isInsideSecureHardware() and isUserAuthenticationRequired().
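According to the given documentation, the isUserAuthenticationRequirementEnforcedBySecureHardware method cannot be a logical AND of the two methods above.
For reference, you can consider the question, answers and comments at this link.
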
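The method isUserAuthenticationRequirementEnforcedBySecureHardware() is not a logical AND of isInsideSecureHardware() and isUserAuthenticationRequired().
But if you dig into the code, you will see that it is a logical AND of 3 things:
- isUserAuthenticationRequired()
- 0 SW-enforced user authenticators
- 1 or more HW-enforced user authenticators
Code snippet: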
    boolean userAuthenticationRequirementEnforcedBySecureHardware = (userAuthenticationRequired)
            && (keymasterHwEnforcedUserAuthenticators != 0)
            && (keymasterSwEnforcedUserAuthenticators == 0);
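The difference is not whether the key is secured in hardware, but whether user authentication is backed by hardware rather than software. For most (if not all) devices with a fingerprint reader, user authentication in secure hardware means the TEE will contain two things that interact with the Keymaster Trusted App:
- the Gatekeeper Trusted App for pin/password/pattern
- the Fingerprint Trusted App for fingerprint authentication
Example scenarios:
- isUserAuthenticationRequirementEnforcedBySecureHardware() could return false if isInsideSecureHardware() and isUserAuthenticationRequired() both return true, but user authentication is done in SW rather than in the TEE. (Unlikely)
- isUserAuthenticationRequirementEnforcedBySecureHardware() could return true if isInsideSecureHardware() returns false (the key is not supported by the device's secure hardware) and isUserAuthenticationRequired() returns true with user authentication done in HW. (Possible)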
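
An added example, not taken from any of the answers or from the Android source: a helper that reads the three KeyInfo flags independently, as the last answer says they must be, and applies a policy that requires both hardware-held key material and hardware-enforced user authentication. The class name KeyProtectionAudit, the AuthEnforcement enum and the strict policy itself are assumptions of this example; it needs API level 23 or later.

```java
import android.security.keystore.KeyInfo;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/** Hypothetical helper (not part of the Android SDK): audits how an AndroidKeyStore key is protected. */
public final class KeyProtectionAudit {

    /** Hypothetical classification; the names are this example's own. */
    public enum AuthEnforcement { NOT_REQUIRED, SOFTWARE_ENFORCED, HARDWARE_ENFORCED }

    /** Loads the KeyInfo of the secret or private key stored under the given alias. */
    public static KeyInfo keyInfoFor(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Key key = ks.getKey(alias, null);
        if (key == null) {
            throw new KeyStoreException("No key under alias " + alias);
        }
        if (key instanceof SecretKey) {
            // Symmetric keys go through SecretKeyFactory, which returns an untyped KeySpec.
            SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
            return (KeyInfo) f.getKeySpec((SecretKey) key, KeyInfo.class);
        }
        KeyFactory f = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        return f.getKeySpec(key, KeyInfo.class);
    }

    /** Where the user-authentication requirement is enforced; independent of where the key lives. */
    public static AuthEnforcement authEnforcement(KeyInfo info) {
        if (!info.isUserAuthenticationRequired()) {
            return AuthEnforcement.NOT_REQUIRED;
        }
        return info.isUserAuthenticationRequirementEnforcedBySecureHardware()
                ? AuthEnforcement.HARDWARE_ENFORCED
                : AuthEnforcement.SOFTWARE_ENFORCED;
    }

    /** Example policy (an assumption): both flags must hold; neither one implies the other. */
    public static boolean meetsStrictPolicy(KeyInfo info) {
        return info.isInsideSecureHardware()
                && authEnforcement(info) == AuthEnforcement.HARDWARE_ENFORCED;
    }
}
```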