You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 7, 2023. It is now read-only.
Currently Krypton does no verification of the device or software that the key is from. This means that on an rooted/exploited phone:
There is no assurance that the key is securely stored
There is no assurance that there are no copies of the key
There is no assurance that user authentication has happened recently
This is not a problem if the user is the one also controlling the servers being accessed, as then the trust is equivalent - the user probably trusts his own device to be secure enough, or would not try to add keys there. However, in a corporate setting, or any setting where the user is possibly untrusted, there is reason to set a policy on the security level of the device - for example, in a banking setting the bank might be liable for fraudulent transfers unless it can prove that the user authorized them and without ensuring device security the user might just claim that somebody hacked their (rooted/custom ROM) phone.
The proposal would be to add support for Secure Key Attestation. Since the key attestation would be pointless on the device itself, the key attestation must be performed by the servers using the key. The simplest way to achieve this would be to do verification during pairing by including the key certificate chain in the "me response" generated and letting krd verify the chain against root certificates.
This could also be incorporated to the Teams feature, by setting a policy for a team that requires key attestation for all users and verifying the key attestation in the sigchain.
This is also partly related to two factor authentication in #93. Without key attestation it cannot be verified that two factor authentication is actually used, as the device can claim anything it wishes.
The text was updated successfully, but these errors were encountered:
Thanks for the detailed request! I agree that we should take advantage of the key attestion Android provides and perform verification in the sigchain. We'll keep this open as a tracking issue.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Currently Krypton does no verification of the device or software that the key is from. This means that on an rooted/exploited phone:
This is not a problem if the user is the one also controlling the servers being accessed, as then the trust is equivalent - the user probably trusts his own device to be secure enough, or would not try to add keys there. However, in a corporate setting, or any setting where the user is possibly untrusted, there is reason to set a policy on the security level of the device - for example, in a banking setting the bank might be liable for fraudulent transfers unless it can prove that the user authorized them and without ensuring device security the user might just claim that somebody hacked their (rooted/custom ROM) phone.
The proposal would be to add support for Secure Key Attestation. Since the key attestation would be pointless on the device itself, the key attestation must be performed by the servers using the key. The simplest way to achieve this would be to do verification during pairing by including the key certificate chain in the "me response" generated and letting
krd
verify the chain against root certificates.This could also be incorporated to the Teams feature, by setting a policy for a team that requires key attestation for all users and verifying the key attestation in the sigchain.
This is also partly related to two factor authentication in #93. Without key attestation it cannot be verified that two factor authentication is actually used, as the device can claim anything it wishes.
The text was updated successfully, but these errors were encountered: