Hardware-protected keys

Page contents

• About hardware-protected keys
• How do hardware-protected keys work?
  • Activation
  • Authentication
• Supported devices
• Validation

About hardware-protected keys

In addition to dynamically generated software keys, you can use hardware-protected keys to strengthen proof-of-possession and maximise device security.

When using this feature, it is improbable that an attacker will be able to obtain the keys stored in the secure hardware on a device and then use them outside the device; without breaking the device on a hardware level.

How do hardware-protected keys work?

Hardware-protected keys are stored in hardware, typically on a trusted execution environment (TEE) or trusted platform module (TPM), and will never leave the hardware. As a result, all operations that require the private key are performed in the secure hardware on the device.

Even rooted devices safeguard the hardware-protected keys from extraction, as keys can not be cloned on a rooted device. It is therefore unlikely that an attacker would be able to steal a key stored in the secure hardware and use it outside of the device.

Activation

The usual flow for activation of a hardware-protected key is as follows:

1. The Encap SDK generates a key pair in the secure hardware.
2. The secure hardware returns the public hardware-protected key to the Encap SDK.
3. The Encap SDK returns this key to the Encap server over the secure channel in the finish activation request.
4. The Encap server stores the public hardware-protected key on the registration, and this key will be used to verify all future authentications.

Authentication

Devices activated with hardware-protected keys conduct an additional security check for every authentication. The sequence is as follows:

1. The Encap SDK will sign the authentication challenge, received from the Encap server in the start authentication request, with the hardware-protected private key.
2. The signed challenge is passed back to the Encap server in the finish authentication request over the secure channel.
3. The signed challenge is verified server-side with the hardware-protected public key.

Supported devices

Hardware-protected keys are supported on:

• Android 6 (most devices)
• Android 7 or later (all devices)
• iOS 10 or later (devices with Secure Enclave (opens new window))

Note

Devices that do not support hardware-protected keys will only use software keys.

Validation

Support for hardware-protected keys is enabled by default. The Encap server is used to validate the hardware signature.

Validation strategy	Description
SUPPORTED	The operation will fail if the hardware signature is invalid.

Note

The result of the hardware signature validation is always returned as a part of the following risk attributes:

• Hardware-protected key client statuses (hwKeyClientStatus)
• Hardware-protected key server results (hwKeyServerResult)