Google Pixel 3A 64Gb+4Gb LTE [127/132] Strongbox

the function on device implementations that are typically shared (e.g. Android Television or Automotive device).
[C-7-4] MUST encrypt all stored tokens added by TrustAgentService.addEscrowToken().
[C-7-5] MUST NOT store the encryption key on the same device where the key is used. For example, it is allowed for a key stored on a phone to unlock a user account on a TV.
[C-7-6] MUST inform the user about the security implications before enabling the escrow token to decrypt the data storage.
[C-7-7] MUST have a fall-back mechanism to use one of the recommended primary authentication methods.
[C-7-8] The user MUST be challenged for one of the recommended primary authentication methods (e.g. PIN, pattern, password) at least once every 72 hours or less.
[C-7-9] The user MUST be challenged for one of the recommended primary authentication methods (e.g. PIN, pattern, password) after any 4-hour idle timeout period. The idle timeout period is reset after any successful confirmation of the device credentials.
[C-7-10] MUST NOT be treated as a secure lock screen and MUST follow the constraints listed in C-8 below.
If device implementations add or modify the authentication methods to unlock the lock screen that is not a secure lock screen as described above, and use a new authentication method to unlock the keyguard:
[C-8-1] The new method MUST be disabled when the Device Policy Controller (DPC) application has set the password quality policy via the DevicePolicyManager.setPasswordQuality() method with a more restrictive quality constant than PASSWORD_QUALITY_UNSPECIFIED.
[C-8-2] They MUST NOT reset the password expiration timers set by DevicePolicyManager.setPasswordExpirationTimeout().
[C-8-3] They MUST NOT authenticate access to keystores when the application has called KeyGenParameterSpec.Builder.setUserAuthenticationRequired(true).
9.11.2. StrongBox
The Android Keystore System allows app developers to store cryptographic keys in a dedicated secure processor as well as the isolated execution environment described above.
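The app-side view of the keystore behaviour this section specifies, as an added example that is not text from the CDD nor code from Google: a helper that requests a StrongBox-backed, authentication-bound AES key, falls back to the TEE-backed keystore when the device does not declare FEATURE_STRONGBOX_KEYSTORE or StrongBox refuses the key, and then checks where the key actually landed. The class and method names are the example's own assumptions; the Android APIs used are real.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.GeneralSecurityException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public final class StrongBoxKeyHelper {   // hypothetical helper class, not a platform API
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    /** True when the device declares FEATURE_STRONGBOX_KEYSTORE (requirement C-1-1). */
    public static boolean deviceDeclaresStrongBox(Context ctx) {
        return ctx.getPackageManager()
                  .hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE);
    }

    /** Prefers StrongBox; falls back to the TEE-backed keystore if StrongBox is absent or refuses the key. */
    public static SecretKey generateKey(Context ctx, String alias) throws GeneralSecurityException {
        try {
            return generate(alias, deviceDeclaresStrongBox(ctx));
        } catch (StrongBoxUnavailableException e) {
            return generate(alias, false);
        }
    }

    private static SecretKey generate(String alias, boolean strongBox) throws GeneralSecurityException {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Key use needs a recent secure-lock-screen credential; per C-8-3 a non-secure unlock method never satisfies this.
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationValidityDurationSeconds(30)
            .setIsStrongBoxBacked(strongBox)
            .build();
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(spec);
        return kg.generateKey();
    }
    /** Checks where the key actually landed instead of trusting the request. */
    public static boolean isHardwareBackedAndAuthBound(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = (KeyInfo) f.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware() && info.isUserAuthenticationRequired();
    }
}
```

On API 31 and later, KeyInfo.getSecurityLevel() distinguishes a StrongBox key (KeyProperties.SECURITY_LEVEL_STRONGBOX) from a TEE-backed one; isInsideSecureHardware() returns true for both.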
Device implementations:
[C-SR] Are STRONGLY RECOMMENDED to support StrongBox.
If device implementations support StrongBox, they:
[C-1-1] MUST declare FEATURE_STRONGBOX_KEYSTORE.
[C-1-2] MUST provide dedicated secure hardware that is used to back keystore and secure user authentication.
[C-1-3] MUST have a discrete CPU that shares no cache, DRAM, coprocessors or other core resources with the application processor (AP).
[C-1-4] MUST ensure that any peripherals shared with the AP cannot alter StrongBox processing in any way, or obtain any information from the StrongBox. The AP MAY disable or block access to StrongBox.
[C-1-5] MUST have an internal clock with reasonable accuracy (±10%) that is immune to manipulation by the AP.
[C-1-6] MUST have a true random number generator that produces uniformly-distributed
Page 127 of 132