MID-028: Hardware-backed Key Storage
Mitigation Tier: Intermediate
Description
Using a hardware-backed keystore lets a device rely on hardware-based protections against key extraction or manipulation, rather than on weaker software-only protections. Hardware-backed keystores leverage dedicated hardware and hardware abstraction layers to provide security features, such as storing a root-of-trust, keys, certificates, or sensitive data. They can take different forms and can be integrated with various components, such as secure elements, TPMs, or cryptographic coprocessors, to offer more secure key management. For example, Android has been using hardware-backed keystores for digital signing and verification operations, key generation, and the storage of asymmetric signing key pairs.
Consideration: MID-060 - Dedicated Cryptographic Processors also includes key storage mechanisms and enables secure operations using the keys, but it is a more comprehensive and complicated mitigation.
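The Android case mentioned in the description, as an added example that is not part of the original entry or of Android's own code: it generates a signing key in the Android Keystore and refuses to use it unless the keystore reports that the key is held in a TEE or StrongBox. The class name `HardwareBackedSigner` and its method names are hypothetical, and API level 31 or later is assumed for `KeyInfo.getSecurityLevel()`.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

/** Added example (hypothetical helper); assumes Android API level 31+. */
public final class HardwareBackedSigner {
    private static final String PROVIDER = "AndroidKeyStore";

    /** Generates a P-256 signing key pair; the private key material stays inside the keystore. */
    public static KeyPair generate(String alias) throws GeneralSecurityException {
        KeyPairGenerator kpg =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        KeyPair pair = kpg.generateKeyPair();
        requireHardwareBacked(pair.getPrivate());
        return pair;
    }

    /** Fails closed when the key is protected by software only or the level is unknown. */
    static void requireHardwareBacked(PrivateKey key) throws GeneralSecurityException {
        KeyInfo info = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER)
                .getKeySpec(key, KeyInfo.class);
        int level = info.getSecurityLevel();
        if (level != KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                && level != KeyProperties.SECURITY_LEVEL_STRONGBOX) {
            throw new GeneralSecurityException("key is not hardware-backed, level=" + level);
        }
    }

    /** Signs inside the keystore; only the signature is returned to the app. */
    public static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(message);
        return signer.sign();
    }
}
```

If `generate` throws, the caller should delete the alias from the keystore so a software-protected key is not left behind for later use.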
IEC 62443 4-2 Mappings
CR 1.9 – Strength of public key-based authentication - RE (1) Hardware security for public key-based authentication
CR 1.14 – Strength of symmetric key-based authentication - RE (1) Hardware security for symmetric key-based authentication
CR 1.5 – Authenticator management - RE (1) Hardware security for authenticators
References
[1] Android. “Hardware-backed Keystore.” android.com. Accessed: Aug. 28, 2024. [Online.] Available: https://source.android.com/docs/security/features/keystore
[2] Rambus. “Hardware Root of Trust: Everything you need to know.” rambus.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.rambus.com/blogs/hardware-root-of-trust/
[3] V. Zimmer and M. Krau. “Establishing the Root of Trust.” uefi.org. Accessed: Aug. 28, 2024. [Online.] Available: https://uefi.org/sites/default/files/resources/UEFI%20RoT%20white%20paper_Final%208%208%2016%20(003).pdf
[4] Analog Devices. “Secure Element.” analog.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.analog.com/en/resources/glossary/secure-element.html