TEE/HSM support on Android operating system
Android has the concept of hardware-backed security as a TEE, and in the latest Android, i.e., Android Pie, devices can have an HSM (StrongBox).

1. What is the actual difference between TEE and HSM?

2. Can the Android HSM be used as a cryptography solution, such as a Whitebox solution?

Floweret answered 9/10, 2018 at 9:47 Comment(1)
proandroiddev.com/… - Extraordinary
Trusted Execution Environment (TEE): This is a software-based construct that is implemented within the normal confines of the runtime context. It may use pure software, or it may use the CPU and specific opcodes (i.e., Intel SGX or ARM's TrustZone) in order to provide the "concept of hardware-backed security" [1]. It is a logical wall around the data, and you can trust it only so far as you trust [2] the implementation. At most, it might be NIST FIPS 140-2 Level 1 (approved algorithms) but can never be more than that, unless the entire device is hardened around it.

Hardware Security Module (HSM): This is an entirely separate runtime context. It must be a Trusted Platform Module (TPM) in this case, since we are talking about Android devices including additional hardware on the device. At the enterprise level, an HSM is a separate computing environment, generally implemented on a PCIe card. TPMs can probably achieve FIPS 140-2 Level 2 (tamper evident), but again, higher levels (3 and 4) only if the device itself is hardened around the TPM. Because it is a separate runtime context, the OS will send data to it, and the keys it contains will be used to crypt or sign or HMAC or whatever it is being asked to do. In the event of tamper, this device won't (if it is Level 2) delete the keys. In most cases the keys are stored outside the TPM, wrapped with a key that remains inside the TEE of the TPM.

As for the second part of your question, not with any real security, and not with any usefulness as a 'reasonable cryptographic coprocessor'.

The storage, algorithm selection, and processing speed on a TPM are going to be way less than on the main platform on which the TPM is integrated. Think "three or four keys" instead of tens, hundreds or thousands (although the number of keys will be limited by the NV RAM on the TPM, so class this one as 'indeterminate').

This is the list of algorithms supported by the Keymaster Strongbox hardware abstraction layer (HAL):

  • RSA 2048
  • AES 128 and 256
  • ECDSA P-256
  • HMAC-SHA256 (supports key sizes between 8 bytes and 64 bytes, inclusive)
  • Triple DES 168

So no EdDSA (ed25519). No RSA 4k keys. No SHA3 family. And it supports 3DES, so forget about FIPS certification, and its inclusion means that the Android dev team expects commodity (cheap) TPMs because the inclusion of 3DES means they are supporting TPM <1.2, so not even modern commodity TPMs.

I keep bringing up FIPS because of the second part of the question -- "can we use this as a cryptography solution".

And the TPM will be slower than the main CPU [3].

TPMs are aimed at securing the platform they are attached to, not at providing bulk crypto for third-party applications except under specific requirements (data-at-rest encryption, DH key exchanges).

[1] The concept of hardware-backed security, as it is maybe using specific opcodes that decrypt/encrypt data on the fly, using the CPU. I.e., the 'hardware' in this case is the CPU.

[2] "Trust" is built right into the label.

[3] Yes, sometimes ASICs are faster. But we are talking about mass-market, commodity hardware. If you need bulk and secure crypto, buy a real HSM.

Crevice answered 20/10, 2018 at 20:20 Comment(3)
Coming back to this question, if I need to store a key of an exotic curve (let's say BLS12-381), what is my best secure option? I want to have the key as key material and only do cryptography operations on it. - Plasticizer
The best secure option is to find an HSM vendor that either supports it or licenses an SDK to you, so you can implement it yourself on their HSM. - Crevice
I.e., security.stackexchange.com/questions/258578/… Disregard the question but read the answer. It's the same thing -- how do I do something on the HSM that the HSM doesn't provide. - Crevice
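
Added example, not part of the original answer or of any Android project code: a Kotlin sketch that asks the Android Keystore for an ECDSA P-256 key (one of the StrongBox HAL algorithms listed above) inside StrongBox, falls back to the TEE-backed keystore when StrongBox is missing or refuses, and then reads back where the key actually lives. The alias `example_signing_key` and the function names are assumptions made for this example; it needs API level 28 or later.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.spec.ECGenParameterSpec

// Hypothetical alias chosen for this example.
private const val ALIAS = "example_signing_key"

private fun generate(strongBox: Boolean): KeyPair {
    val purposes = KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
    val spec = KeyGenParameterSpec.Builder(ALIAS, purposes)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // ECDSA P-256
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setIsStrongBoxBacked(strongBox) // API 28+: request the StrongBox implementation
        .build()
    return KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
        .apply { initialize(spec) }
        .generateKeyPair()
}

/** Returns the key pair and whether it was created in StrongBox. */
fun createSigningKey(context: Context): Pair<KeyPair, Boolean> {
    val advertised = context.packageManager
        .hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
    if (advertised) {
        try {
            return generate(strongBox = true) to true
        } catch (e: StrongBoxUnavailableException) {
            // StrongBox rejected the request (unsupported parameters or no
            // StrongBox after all): fall through to the default keystore.
        }
    }
    return generate(strongBox = false) to false
}

/** True when the keystore reports the private key as held in secure hardware (TEE or StrongBox). */
fun isHardwareBacked(pair: KeyPair): Boolean {
    val factory = KeyFactory.getInstance(pair.private.algorithm, "AndroidKeyStore")
    val info = factory.getKeySpec(pair.private, KeyInfo::class.java)
    return info.isInsideSecureHardware // deprecated from API 31 in favour of KeyInfo.getSecurityLevel()
}
```

Record the returned flag alongside the key alias so that code relying on StrongBox can refuse to run on a TEE-only fallback key.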
