MobileID InApp hardware-protected keys

Page contents

• Introduction
• How do hardware-protected keys work?
  • Activation
  • Authentication
• Supported devices
• Configuration options
• Further reading

Introduction

In addition to dynamically generated software keys, you can use hardware-protected keys to strengthen proof-of-possession and maximise device security.

When using this feature, the probability that an attacker will be able to obtain the keys that are stored in the secure hardware on a device, and hence use them outside the device without breaking the device on a hardware level, is very low.

How do hardware-protected keys work?

Hardware-protected keys are stored in hardware, typically on a trusted execution environment (TEE) or trusted platform module (TPM) and will never leave the hardware. As a result, all operations that require the private key are performed in the secure hardware on the device.

Even a rooted device still protects the hardware keys from extraction, and cloning of a key can not be performed on a rooted device. It is therefore very unlikely that an attacker is able to steal a key stored in the secure hardware and use it outside the device.

Activation

The usual flow for activation of a hardware-protected key is as follows:

1. The Encap SDK generates a key pair in the secure hardware.
2. The secure hardware returns the public hardware (HW) key to the Encap SDK.
3. The Encap SDK returns this key to the Encap server over the secure channel in the finish activation request.
4. The Encap server stores the public HW key on the registration, and this key will be used to verify all future authentications.

Authentication

For a device that is activated with HW keys, an additional security check will be executed for each authentication. The sequence is as follows:

1. The Encap SDK will sign the authentication challenge, received from the Encap server in the start authentication request, with the hardware-protected private key.
2. The signed challenge is passed back to the Encap server in the finish authentication request over the secure channel.
3. The signed challenge is verified on the server side with the HW public key.

Supported devices

Hardware-protected keys are supported on

• Android 6 (most devices)
• Android 7 or later (all devices)
• iOS 10 or later (devices with Secure Enclave (opens new window))

Devices that do not support hardware-protected keys will only use software keys.

Configuration options

Support for hardware-protected keys is enabled by default. We offer two different validation strategies, SUPPORTED (default) and RISK_PARAMS. With both strategies, the hardware signature is validated on the Encap server.

• With SUPPORTED, the operation will fail if the hardware signature is invalid.
• With RISK_PARAMS, the operation will not fail if the hardware signature is invalid but will return the hw_key_client_status and hw_key_server_result risk attributes, to enable you to evaluate the result and take action.

Contact Signicat at support@signicat.com if you would like us to make configuration changes to your MobileID InApp hardware-protected keys.

Further reading

• MobileID InApp overview
• Mobile app-initiated operations via OIDC
• Mobile app-initiated operations: URL construction
• Mobile app-initiated operations: Finalise operation
• Backend-initiated operations via OIDC
• Backend-initiated operations: URL construction
• Backend-initiated operations: Finalise operation
• MobileID InApp upgrade guide
• MobileID InApp release notes