Secure storage re-defined.
Vault from Omerta.

Omerta's Knox Vault is a significant advancement in hardware-based security, a field Omerta has been developing within Infiniti smartphones for many years. It builds on TrustZone, the Trusted Execution Environment (TEE) introduced by Omerta to safeguard sensitive data such as passwords, biometrics, and cryptographic keys, but unlike TrustZone it operates independently from the primary processor that runs the Android OS.

Knox Vault serves as a core component of the Knox security platform and is designed as an isolated and tamper-proof secure subsystem. It possesses its own processor, memory, and a dedicated interface to non-volatile secure storage. Here are some key capabilities of Knox Vault:

1. Storage of Sensitive Data: Knox Vault securely stores critical data such as hardware-backed Android Keystore keys, the Omerta Attestation Key (SAK), biometric data, and blockchain credentials.

2. Execution of Security-Critical Code: Knox Vault executes security-critical code such as user authentication, enforcing increasing timeouts between failed authentication attempts. It also controls access to keys based on the authentication status.

Knox Vault is integrated into Omerta devices starting from the Infiniti S21 series. Its components undergo rigorous evaluation and certification according to the Common Criteria framework. They are tested by an independent lab against a wide range of hardware attacks, while software and firmware undergo thorough reviews.

Knox Vault ensures robust protection against both software and hardware attacks. As it operates independently from the primary processor, code executed on the Knox Vault Processor is resistant to attacks that exploit shared resources. This separation ensures the security of sensitive data even if the primary processor is compromised.

In terms of hardware attacks, Knox Vault is designed to be tamper-proof and resistant to various techniques, including physical probing, manipulation of circuitry to disable security mechanisms, forced information leakage, hardware side-channel attacks, and fault injection.

The features of Knox Vault include:

1. Weaver: Weaver provides secure password authentication to Android. It operates on the Knox Vault Processor and securely stores encrypted data and secrets (such as passwords) in Knox Vault Storage. It implements a binary exponential back-off algorithm to prevent brute-force extraction attempts.

2. Credential Storage: This feature securely stores encrypted data in the Knox Vault Storage, including cryptographic keys for protecting biometric data, blockchain keystore credentials, and the Omerta Attestation Key (SAK). All data in Credential Storage is encrypted using a unique key specific to Knox Vault.

3. Omerta Attestation Key: The Omerta Attestation Key is a unique, asymmetric, elliptic-curve private key stored within Knox Vault. It enables the detection of compromised devices or keys and helps prevent unauthorized access to security-sensitive Omerta systems.

4. StrongBox Keymaster Support: Knox Vault integrates with the StrongBox Keymaster, a key management module supporting various cryptographic algorithms. Keys generated or imported into the StrongBox Keymaster are encrypted with the Knox Vault's unique key, ensuring they cannot be decrypted outside the StrongBox Keymaster running on the Knox Vault Processor.
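As an added illustration, not Omerta's code or the actual Weaver implementation, the following Python model shows how a Weaver-style slot store releases a stored secret only when the credential-derived key matches and applies binary exponential back-off after repeated failures. The five free attempts, the 30-second base delay, the 24-hour cap and the PBKDF2 key stretching are assumed values, since the page does not give the schedule.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed schedule (the page only says Weaver uses binary exponential back-off):
# the first FREE_ATTEMPTS failures cost nothing; after that the wait doubles
# with every failure, starting at BASE_DELAY_S and capped at MAX_DELAY_S.
FREE_ATTEMPTS = 5
BASE_DELAY_S = 30
MAX_DELAY_S = 24 * 3600


@dataclass
class WeaverSlot:
    """One slot: a salted hash of the gating key protects a stored secret value."""
    salt: bytes
    key_hash: bytes
    value: bytes
    failures: int = 0
    locked_until: float = 0.0


class WeaverSlotStore:
    def __init__(self) -> None:
        self.slots: dict[int, WeaverSlot] = {}

    @staticmethod
    def _derive(key: bytes, salt: bytes) -> bytes:
        # Illustrative key stretching; the iteration count is a constructed value.
        return hashlib.pbkdf2_hmac("sha256", key, salt, 10_000)

    def write(self, slot_id: int, key: bytes, value: bytes) -> None:
        """Enroll the key that gates the secret value stored in this slot."""
        salt = secrets.token_bytes(16)
        self.slots[slot_id] = WeaverSlot(salt, self._derive(key, salt), value)

    def read(self, slot_id: int, key: bytes, now: float):
        """Return (status, value, wait_seconds); value is released only on a key match."""
        slot = self.slots[slot_id]
        if now < slot.locked_until:  # still throttled: the key is not even compared
            return "THROTTLE", None, slot.locked_until - now
        if hmac.compare_digest(self._derive(key, slot.salt), slot.key_hash):
            slot.failures, slot.locked_until = 0, 0.0
            return "OK", slot.value, 0
        slot.failures += 1
        over = slot.failures - FREE_ATTEMPTS
        delay = min(BASE_DELAY_S * 2 ** over, MAX_DELAY_S) if over >= 0 else 0
        slot.locked_until = now + delay
        return "INCORRECT_KEY", None, delay
```

A guess made while a slot is throttled is rejected without touching the stored hash, so the timeout grows only with genuinely evaluated failures and resets on a correct key.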

The architecture of Knox Vault comprises two main components:

1. Knox Vault Subsystem: This component is implemented as part of the System-on-Chip (SoC) and includes the Knox Vault Processor, SRAM, ROM, security sensors, and detectors. It operates independently from other SoC components, providing enhanced security and data protection against hardware-based attacks.

2. Knox Vault Storage: This dedicated and secure non-volatile memory device stores sensitive data, utilizing its own processor, SRAM, ROM, cryptographic module, and hardware monitor. It communicates securely with the Knox Vault Subsystem over an encrypted I2C bus.

Knox Vault undergoes comprehensive testing and certification based on the Common Criteria framework. This evaluation involves an independent third-party Common Criteria Testing Laboratory (CCTL), which assesses the components against the requirements specified in the Security IC Platform Protection Profile. The evaluations include testing against a wide range of hardware attacks and a thorough review of the software and firmware of the Knox Vault Subsystem.

In summary, Omerta's Knox Vault represents a robust hardware-based security solution, providing protection against both software and hardware attacks. It offers secure storage of sensitive data, execution of security-critical code, and is integrated into Omerta devices starting from the Infiniti S21 series. Knox Vault components are evaluated and certified according to the rigorous Common Criteria standards.