Getac MX50 Administrator Guidance Instructions Version 0.8 2017/4/2


Contents

1. Document Introduction
   1.1 Evaluated Devices
   1.2 Acronyms
2. Evaluated Capabilities
   2.1 Data Encryption
   2.2 Certificate Validation
   2.3 MDM Capability
3. Security Configuration
   3.1 Common Criteria Mode
   3.2 Cryptographic Module Identification
       3.2.1 Getac Linux Kernel Crypto Module
       3.2.2 Getac OpenSSL FIPS Object Module
   3.3 Permissions Model
   3.4 Common Criteria Related Settings
   3.5 Password Recommendations
   3.6 Bug Reporting Process
4. Removable Storage Encryption
5. Bluetooth Authentication
6. Secure Update Process
7. APIs Specification
   7.1 Android Keystore
       7.1.1 Cryptographic secure random number generator
       7.1.2 Asymmetric cryptographic key pair generation
       7.1.3 Symmetric cryptographic key generation
       7.1.4 Key destruction
   7.2 Cryptographic APIs
       7.2.1 Symmetric key encryption
       7.2.2 Cryptographic hashing
       7.2.3 Cryptographic key establishment
       7.2.4 Keyed-hash message authentication
       7.2.5 Cryptographic signature services (generation and verification)
   7.3 Certificate Validation
   7.4 TLS/HTTPS
   7.5 Bluetooth
Appendix A. Recovery Mode


1. Document Introduction

This guide describes the procedures for configuring the Getac MX50 tablet into its Common Criteria evaluated configuration.

1.1 Evaluated Devices

The evaluated device is the Getac MX50, an Android 5.1.1 rugged tablet.

The software identification for the evaluated device is as follows:

MDFPP20, Release 1

To check the system software version, go to Settings > About tablet > Image version.

1.2 Acronyms

API(s): Application programming interface(s)

BLE: Bluetooth low energy

CA: Certificate authority

CC: Common Criteria

CRL: Certificate revocation list

DEK: Data(Device) encryption key

CSP: Cryptographic service provider

EMM: Enterprise mobile management

GPT: GUID partition table

GUID: Globally unique identifier

KEK: Key encryption key

MDFPP: Mobile Device Fundamentals Protection Profile

MDM: Mobile device management

OTA: Over-the-air

REK: Root encryption key

VPN: Virtual private network


2. Evaluated Capabilities

The Common Criteria configuration adds support for a number of security capabilities, including the following:

2.1 Data encryption

Internal storage, including all application data and user data, is encrypted at block level with AES using a 256-bit DEK. The DEK is itself encrypted by a 256-bit KEK and stored in the access-restricted crypto footer partition. The KEK is derived from the PIN or password with PBKDF2 and protected by an RSA-2048 key. The RSA-2048 key is randomly generated by the hardware crypto module and is in turn encrypted by the REK before being stored in the crypto footer. The REK resides in the hardware crypto module in the SoC and is never directly accessible from outside.

Additionally, removable storage such as an SD card or USB disk can be encrypted at block level with the same 256-bit DEK. Consequently no device other than the one that performed the encryption can decrypt the removable storage.
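The software part of this hierarchy, as an added illustration that is not Getac's code: the KEK is derived from the password with PBKDF2 and used to wrap a randomly generated 256-bit DEK, which is what the crypto footer stores; a wrong password yields a wrong KEK and the unwrap fails. The iteration count, salt length and the use of RFC 3394 AES key wrap are assumptions chosen for the example, and the RSA-2048 key and REK layers inside the hardware crypto module are not reproduced. It runs on a standard JDK.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example of the DEK/KEK layering in section 2.1. Not Getac's code:
// PBKDF2 iteration count, salt size and RFC 3394 key wrap are assumptions;
// the RSA-2048 key and the REK in the SoC are not modelled here.
public class KeyHierarchyDemo {
    private static final int PBKDF2_ITERATIONS = 100_000;   // assumed value
    private static final SecureRandom RNG = new SecureRandom();

    /** Derive the 256-bit KEK from the PIN/password with PBKDF2-HMAC-SHA256. */
    static SecretKey deriveKek(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Wrap the DEK under the KEK: this wrapped blob is what a crypto footer would hold. */
    static byte[] wrapDek(SecretKey kek, SecretKey dek) throws GeneralSecurityException {
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, kek);
        return wrap.wrap(dek);
    }

    /** Unwrap the DEK. AES key wrap carries an integrity check, so a wrong KEK is rejected. */
    static SecretKey unwrapDek(SecretKey kek, byte[] wrapped) throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] dekBytes = new byte[32];          // random 256-bit DEK
        RNG.nextBytes(dekBytes);
        SecretKey dek = new SecretKeySpec(dekBytes, "AES");

        char[] password = "correct horse".toCharArray();   // constructed sample credential
        byte[] footer = wrapDek(deriveKek(password, salt), dek);

        SecretKey recovered = unwrapDek(deriveKek(password, salt), footer);
        System.out.println("DEK recovered with the right password: "
                + Arrays.equals(dekBytes, recovered.getEncoded()));

        try {
            unwrapDek(deriveKek("wrong".toCharArray(), salt), footer);
            System.out.println("unexpected: unwrap succeeded with the wrong password");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong password rejected by key wrap integrity check: " + e.getMessage());
        }
        Arrays.fill(dekBytes, (byte) 0);         // scrub the raw DEK once it is no longer needed
    }
}
```

The point to take from the example is that the footer only ever holds the wrapped DEK, so changing the password re-wraps the same DEK without re-encrypting the storage, while a device wipe that destroys the DEK (or, on the MX50, the REK-protected RSA key) makes every volume encrypted under it unrecoverable, including the SD cards described in section 4.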

2.2 Certificate validation

In CC mode, the MX50 automatically enforces stricter validation of the certificates used by the system:

Use CRLs to check revocation status.

Examine the basicConstraints extension of CA certificates.

Check hostname wildcards according to RFC 6125.
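The three checks above, written as an added example against the standard java.security.cert API that the MX50 exposes (section 3.4 lists CertPathValidator.validate(CertPath, PKIXParameters)); this is not Getac's implementation. validateChain() needs caller-supplied certificates and CRLs, so it is not exercised in main(); the RFC 6125 wildcard matcher is run on constructed host names.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Added example, not part of the Getac document: the CRL, basicConstraints and
// RFC 6125 hostname checks that section 2.2 says CC mode enforces.
public class CcCertChecks {

    /**
     * PKIX path validation with CRL revocation checking switched on. With
     * revocation enabled, a chain whose CRL cannot be located fails closed
     * instead of being accepted silently.
     */
    static PKIXCertPathValidatorResult validateChain(List<X509Certificate> chain,
                                                     Set<TrustAnchor> anchors,
                                                     Collection<X509CRL> crls)
            throws GeneralSecurityException {
        // The PKIX validator does not examine the trust anchor itself, so reject an
        // end-entity certificate that was installed as a "CA" (basicConstraints cA=false).
        for (TrustAnchor ta : anchors) {
            X509Certificate c = ta.getTrustedCert();
            if (c != null && c.getBasicConstraints() < 0) {
                throw new CertPathValidatorException("trust anchor is not a CA: "
                        + c.getSubjectX500Principal());
            }
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);                         // consult the CRLs
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        // PKIX enforces basicConstraints on every intermediate CA in the path.
        return (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /**
     * RFC 6125 section 6.4.3 wildcard rule, applied conservatively: "*" is accepted
     * only as the complete left-most label, it matches exactly one label, and at
     * least two labels must follow it, so "*.com" never matches anything.
     */
    static boolean hostnameMatches(String presented, String reference) {
        String p = presented.toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
        String r = reference.toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
        if (!p.contains("*")) {
            return p.equals(r);
        }
        String[] pl = p.split("\\.", -1);
        String[] rl = r.split("\\.", -1);
        if (!pl[0].equals("*") || pl.length < 3 || pl.length != rl.length || rl[0].isEmpty()) {
            return false;
        }
        for (int i = 1; i < pl.length; i++) {
            if (pl[i].contains("*") || !pl[i].equals(rl[i])) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed test vectors for the wildcard rule.
        String[][] cases = {
            {"www.example.com", "WWW.example.com", "true"},
            {"*.example.com",   "www.example.com", "true"},
            {"*.example.com",   "a.b.example.com", "false"},   // a wildcard spans one label only
            {"*.example.com",   "example.com",     "false"},   // nothing for the wildcard to absorb
            {"*.com",           "example.com",     "false"},   // public-suffix wildcard
            {"w*.example.com",  "www.example.com", "false"},   // partial-label wildcards not accepted
        };
        for (String[] c : cases) {
            boolean got = hostnameMatches(c[0], c[1]);
            System.out.printf("%-17s vs %-17s -> %-5s (expected %s)%n", c[0], c[1], got, c[2]);
        }
    }
}
```

When the reference identifier is an IP address literal rather than a DNS name, RFC 6125 requires an exact match against a subjectAltName iPAddress entry, so the wildcard path above must not be used for it.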

2.3 MDM capability

By extending the generic Android DevicePolicyManager, the Getac MX50 provides a rich set of MDM APIs covering most requirements of modern enterprise and government IT management.

Figure 1 shows how the Getac MDM extension attaches to the existing Android framework: the extension sits alongside the standard DevicePolicyManager and exposes the additional MDM APIs.

Figure 1. Getac MDM Architecture (diagram not reproduced in this transcript)

MDM functions in Getac MX50 include:


Password management

Data encryption and erase

Certificate management

Application management

Hardware control

Radio control

CC mode management

Screen lock policy

The Getac MX50 is compatible with most existing commercial MDM solutions. A demo MDM agent is available at https://android.getac.com/mx50/mdm_demo.apk.


3. Security Configuration

The Getac MX50 offers a rich built-in user interface and MDM callable APIs for security configuration. This section identifies the

security parameters for configuring your device in Common Criteria mode and for managing its security settings.

3.1 Common Criteria Mode

To configure the device into Common Criteria (CC) Mode, the user or administrator must set the following options through the user interface or the API:

1. Enable the PIN or password on the lock screen

2. Enable device encryption

3. Enable SD card encryption if the device has an SD card embedded

4. Turn on CC Mode in Getac Settings or via APIs.

A reboot is required. The following settings are activated in CC mode:

a. Certificate Revocation List (CRL)

b. Certificate hostname check (RFC6125)

c. OEM bootloader unlock disabled

d. OpenSSL FIPS mode

e. Passphrase hiding

f. VPN split tunneling disabled

3.2 Cryptographic Module Identification

The Getac Linux Kernel crypto module requires no specific configuration and works the same in normal mode and CC mode.

The Getac OpenSSL FIPS object module is automatically activated while CC mode is turned on.

3.2.1 Getac Linux Kernel Crypto Module

The Getac MX50's Linux kernel, based on version 3.14.37, contains a crypto module that provides the following algorithms:

AES-CBC 128/192/256 (as defined in FIPS PUB 197, and NIST SP 800-38A)

AES-GCM 128/192/256 (as defined in NIST SP 800-38D),

AES-CCM 128/192/256 (as defined in NIST SP 800-38C),

AES-XTS 128/192/256 (as defined in NIST SP 800-38E)

HMAC-SHA1, HMAC-SHA256/384/512 (as defined in FIPS 198-1 & 180-4)

SHA1, SHA256/384/512 (as defined in FIPS 180-4)

CPRNG AES128 (as defined in ANSI X9.31 A.2.4)

3.2.2 Getac OpenSSL FIPS Object Module

The Getac OpenSSL FIPS object module, based on OpenSSL 1.0.1k and FIPS object 2.0.10, provides the following algorithms.

Cipher suites supported under CC mode:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384


TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_EMPTY_RENEGOTIATION_INFO_SCSV

3.3 Permissions Model

https://developer.android.com/guide/topics/security/permissions.html

As an Android 5.1.1 device using install-time permissions, the Getac MX50 provides the following categories (protection levels) of permission to applications:

1. Normal: lower-risk permissions that the system automatically grants to a requesting application at installation, without asking for the user's explicit approval (though the user always has the option to review these permissions before installing). The Android reference linked below lists the Normal permissions.

2. Dangerous: higher-risk permissions that would give a requesting application access to private user data or control over the device that can negatively impact the user.

3. Signature: privileged permissions that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system grants the permission automatically without notifying the user or asking for explicit approval.

4. Signature or System: privileged permissions that the system grants only to applications that are in the Android system image or that are signed with the same certificate as the application that declared the permission. As with Signature permissions, the system grants them automatically without notifying the user.

Refer to https://developer.android.com/reference/android/Manifest.permission.html for the full list of generic Android permissions and their descriptions.

The Getac MX50 defines an additional permission, android.permission.GETAC_MDM, which guards access to GetacMDMService (Figure 1). Its protection level is Signature or System, so only applications in the system image or applications signed with the platform key can obtain it; a third-party MDM agent therefore cannot reach the Getac extension APIs unless Getac signs it or ships it in the image.


3.4 Common Criteria Related Settings

The Common Criteria evaluation requires a range of security settings to be available. Those settings are identified in the table below. In many cases the administrator or user must have the ability to configure the setting, but no specific value is required (shown as "--"). In the API column, [DevicePolicyManager] marks a native Android API; entries without that tag are Getac MDM extension APIs. User interface paths are under the Settings app unless noted otherwise.

Columns: Setting (CC-required value) | Description | API | User Interface

CC mode

  CC Mode (enable)
    Description: Set/get the CC mode status
    API: void setCommonCriteriaMode(ComponentName admin, boolean enabled)
    UI: Getac Settings > Common Criteria mode

Encryption

  Device Encryption (enable)
    Description: Encrypts all internal storage
    API: [DevicePolicyManager] int setStorageEncryption(ComponentName admin, boolean encrypt)
    UI: Security (Encryption) > Encrypt tablet

  SD Card Encryption (enable)
    Description: Encrypts all SD card storage
    API: void setExternalStorageEncryption(ComponentName admin, boolean encrypt)
    UI: Storage (SD card) > Encrypt removable storage

  Wipe Device (--)
    Description: Removes all data from the device
    API: [DevicePolicyManager] void wipeData(int flags)
    UI: Backup & reset > Factory data reset

Password Management

  Password Length (--)
    Description: Minimum number of characters in a password
    API: [DevicePolicyManager] void setPasswordMinimumLength(ComponentName admin, int length)
    UI: Security > Screen lock > Password

  Password Complexity (--)
    Description: Specify the types of characters required in a password
    API: [DevicePolicyManager]
         void setPasswordMinimumLetters(ComponentName admin, int length)
         void setPasswordMinimumNumeric(ComponentName admin, int length)
         void setPasswordMinimumLowerCase(ComponentName admin, int length)
         void setPasswordMinimumUpperCase(ComponentName admin, int length)
         void setPasswordMinimumSymbols(ComponentName admin, int length)
         void setPasswordMinimumNonLetter(ComponentName admin, int length)
         void setPasswordQuality(ComponentName admin, int quality)
    UI: Security > Screen lock > Password

  Password Expiration (--)
    Description: Maximum length of time before a password must be changed
    API: void setPasswordExpires(ComponentName admin, int expirationDays)
    UI: N/A

  Password Attempts (--)
    Description: Maximum number of failed password attempts before the device is wiped
    API: [DevicePolicyManager] void setMaximumFailedPasswordsForWipe(ComponentName admin, int num)
    UI: N/A

  Show Password (disable)
    Description: Disallow the "show password" option
    API: void setPasswordVisibilityEnabled(ComponentName admin, boolean allow)
    UI: Security > Make passwords visible

Lockscreen

  Inactivity to Lockout (--)
    Description: Time before the lockscreen is engaged
    API: [DevicePolicyManager] void setMaximumTimeToLock(ComponentName admin, long timeMs)
    UI: Display > Screen timeout

  Banner (function available)
    Description: Banner message displayed on the lockscreen
    API: void changeLockScreenString(String statement)
    UI: Security (Screen security) > Owner info

  Remote Lock (API available)
    Description: Locks the device remotely
    API: [DevicePolicyManager] void lockNow()
    UI: N/A

  Notification (API available)
    Description: Disable display of notification content in the locked state
    API: [DevicePolicyManager] void setKeyguardDisabledFeatures(ComponentName admin, int which) with KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
    UI: N/A

Certificate Management

  Import CA Certificates (--)
    Description: Import CA certificates into the Trust Anchor Database or the credential storage
    API: [DevicePolicyManager] boolean installCaCert(ComponentName admin, byte[] certBuffer)
    UI: Security (Credential storage) > Install from SD card/USB storage

  Remove Certificates (--)
    Description: Remove certificates from the Trust Anchor Database or the credential storage
    API: [DevicePolicyManager] void uninstallCaCert(ComponentName admin, byte[] certBuffer)
    UI: Security (Credential storage) > Clear credentials

  Clear Certificates
    Description: Clear all user-installed CA certificates from the Trust Anchor Database
    API: [DevicePolicyManager] void clearCaCert(ComponentName admin)

  Validate Certificate
    Description: Validate a certificate against the Trust Anchor Database
    API: [CertPathValidator] CertPathValidatorResult validate(CertPath cp, PKIXParameters params)

Radio Control

  Control Wi-Fi (function available)
    Description: Control access to Wi-Fi
    API: [DevicePolicyManager] set Settings.Global.WIFI_ON with void setGlobalSetting(ComponentName admin, String setting, String value)
    UI: Wireless & networks > Wi-Fi

  Control Bluetooth (function available)
    Description: Control access to Bluetooth
    API: [DevicePolicyManager] set Settings.Global.BLUETOOTH_ON with void setGlobalSetting(ComponentName admin, String setting, String value)
    UI: Wireless & networks > Bluetooth

  Control Location Service (function available)
    Description: Control access to the location service
    API: void setLocationServiceDisabled(ComponentName admin, boolean disabled)
    UI: Location

Wi-Fi Settings

  Specify Wi-Fi SSIDs (function available)
    Description: Specify SSID values for connecting to Wi-Fi
    API: void specifyExistSSIDtoConnect(ComponentName admin, String ssid)
    UI: Wireless & networks > Wi-Fi

  Set White List for SSIDs (function available)
    Description: Set the white list of SSIDs
    API: boolean addWifiSSIDWhiteList(ComponentName admin, String ssid)
         boolean removeWifiSSIDWhiteList(ComponentName admin, String ssid)
         List<String> getWifiSSIDWhiteList(ComponentName admin)
         boolean removeAllWifiSSIDWhiteList(ComponentName admin)
    UI: N/A

  Set Black List for SSIDs (API available)
    Description: Set the black list of SSIDs
    API: boolean addWifiSSIDBlackList(ComponentName admin, String ssid)
         boolean removeWifiSSIDBlackList(ComponentName admin, String ssid)
         List<String> getWifiSSIDBlackList(ComponentName admin)
         boolean removeAllWifiSSIDBlackList(ComponentName admin)
    UI: N/A

  Set WLAN CA Certificate (API available)
    Description: Select the CA certificate for the Wi-Fi connection
    API: int addWifiNetwork(ComponentName admin, WifiConfiguration config) with WifiConfiguration.enterpriseConfig.setCaCertificateAlias()
    UI: Security > Credential storage > Install from SD card/USB storage

  Specify Security Type (API available)
    Description: Specify the connection security (WEP, WPA2, etc.)
    API: int addWifiNetwork(ComponentName admin, WifiConfiguration config) with WifiConfiguration.allowedKeyManagement.set()
    UI: Wireless & networks > Wi-Fi > Add network > Security

  Select Authentication Protocol (API available)
    Description: Specify the EAP-TLS connection values
    API: int addWifiNetwork(ComponentName admin, WifiConfiguration config) with WifiConfiguration.enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS)
    UI: Wireless & networks > Wi-Fi > Add network > EAP TLS

  Select Client Credentials (API available)
    Description: Specify the client credentials used to access a specified WLAN
    API: int addWifiNetwork(ComponentName admin, WifiConfiguration config) with WifiConfiguration.enterpriseConfig.setClientKeyEntry(PrivateKey privateKey, X509Certificate clientCertificate)
    UI: Wireless & networks > Wi-Fi > Add network > EAP TLS

Hardware Control

  Control Microphone (function available)
    Description: Control access to the microphones
    API: void setMicrophoneMute(ComponentName admin, boolean enabled)
    UI: N/A

  Control Camera (API available)
    Description: Control access to the camera
    API: [DevicePolicyManager] void setCameraDisabled(ComponentName admin, boolean disabled)
    UI: N/A

  Control USB Mass Storage (function available)
    Description: Control access to mounting the device for storage over USB
    API: void setUsbMassStorageDisabled(ComponentName admin, boolean disabled)
    UI: N/A

  Control USB Debugging (function available)
    Description: Control access to USB debugging
    API: void setUsbDebuggingDisabled(ComponentName admin, boolean disabled)
    UI: Developer options > USB debugging

  Control USB Tethered Connections (function available)
    Description: Control access to USB tethered connections
    API: void setUsbTetheringDisabled(ComponentName admin, boolean disabled)
    UI: Wireless & networks > Tethering & portable hotspot > USB tethering

  Control Bluetooth Tethered Connections (function available)
    Description: Control access to Bluetooth tethered connections
    API: void setBluetoothTetheringDisabled(ComponentName admin, boolean disabled)
    UI: Wireless & networks > Tethering & portable hotspot > Bluetooth tethering

  Control Hotspot Connections (function available)
    Description: Control access to Wi-Fi hotspot connections
    API: void setWifiHotspotDisabled(ComponentName admin, boolean disabled)
    UI: Wireless & networks > Tethering & portable hotspot > Portable Wi-Fi hotspot

  Automatic Time (function available)
    Description: Allows the device to get the time automatically from the network (Wi-Fi) connection
    API: [DevicePolicyManager] set Settings.Global.AUTO_TIME_ZONE with void setGlobalSetting(ComponentName admin, String setting, String value) (setGlobalSetting writes Settings.Global keys only)
    UI: Date & time > Automatic date & time

Application Control

  Install Application (API available)
    Description: Installs the specified application
    API: void installApplication(ComponentName admin, String packagePath)
    UI: N/A

  Uninstall Application (API available)
    Description: Uninstalls the specified application
    API: void uninstallApplication(ComponentName admin, String packageName)
    UI: Apps > (select app) > Uninstall

  Application Whitelist (API available)
    Description: Specifies a list of applications that may be installed
    API: boolean addApplicationWhiteList(ComponentName admin, String packageName)
         boolean removeApplicationWhiteList(ComponentName admin, String packageName)
         List<String> getApplicationWhiteList(ComponentName admin)
         boolean removeAllApplicationIDWhiteList(ComponentName admin)
    UI: N/A

  Application Blacklist (API available)
    Description: Specifies a list of applications that may not be installed
    API: boolean addApplicationBlackList(ComponentName admin, String packageName)
         boolean removeApplicationBlackList(ComponentName admin, String packageName)
         List<String> getApplicationBlackList(ComponentName admin)
         boolean removeAllApplicationBlackList(ComponentName admin)
    UI: N/A

VPN

  Control VPN (function available)
    Description: Control access to VPN
    API: void setVpnServiceDisabled(ComponentName admin, boolean disabled)
    UI: Wireless & networks > VPN
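How an MDM agent applies the baseline above through the native DevicePolicyManager rows and then reads the state back, as an added example that is not Getac's demo agent. The agent must be an active device administrator whose device_admin.xml declares limit-password, wipe-data, force-lock, disable-camera, disable-keyguard-features and encrypted-storage, and setGlobalSetting additionally requires device-owner status. The document does not name the class that exposes the Getac extension methods, so GetacMdm below is an assumed interface carrying the signatures from the table.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;
import java.util.ArrayList;
import java.util.List;

// Added example (not Getac's demo agent): applies the section 3.1 steps and the
// section 3.4 password/lockscreen/hardware rows, then reports what is still missing.
public class CcPolicyAgent {

    /** Receives device-admin callbacks; the ComponentName below points at it. */
    public static class CcAdminReceiver extends DeviceAdminReceiver { }

    /** Assumed handle for the Getac extension APIs listed in section 3.4. */
    public interface GetacMdm {
        void setExternalStorageEncryption(ComponentName admin, boolean encrypt);
        void setPasswordVisibilityEnabled(ComponentName admin, boolean allow);
        void setUsbDebuggingDisabled(ComponentName admin, boolean disabled);
        void setCommonCriteriaMode(ComponentName admin, boolean enabled);
    }

    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    private final GetacMdm getac;

    public CcPolicyAgent(Context ctx, GetacMdm getac) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(ctx, CcAdminReceiver.class);
        this.getac = getac;
    }

    /** Steps 1-4 of section 3.1 plus the lockscreen and hardware rows of section 3.4. */
    public void applyBaseline(Context ctx) {
        // Step 1: lock-screen password policy, following the section 3.5 recommendations.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setPasswordMinimumUpperCase(admin, 1);
        dpm.setPasswordMinimumLowerCase(admin, 1);
        dpm.setPasswordMinimumNumeric(admin, 1);
        dpm.setPasswordMinimumSymbols(admin, 1);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);   // policy choice; CC requires only the control
        getac.setPasswordVisibilityEnabled(admin, false);  // CC-required value: disabled

        // Lockscreen rows: inactivity timeout and no notification content while locked.
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        dpm.setKeyguardDisabledFeatures(admin,
                DevicePolicyManager.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS);

        // Hardware rows: camera and USB debugging off (ADB_ENABLED needs device owner).
        dpm.setCameraDisabled(admin, true);
        getac.setUsbDebuggingDisabled(admin, true);
        dpm.setGlobalSetting(admin, Settings.Global.ADB_ENABLED, "0");

        // Step 2: internal storage encryption. The policy only requires it; the user
        // must confirm in the system UI, so launch that UI while it is still inactive.
        dpm.setStorageEncryption(admin, true);
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE) {
            ctx.startActivity(new Intent(DevicePolicyManager.ACTION_START_ENCRYPTION)
                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
        }

        // Steps 3-4: SD card encryption and CC mode via the Getac extension (reboot follows).
        getac.setExternalStorageEncryption(admin, true);
        getac.setCommonCriteriaMode(admin, true);
    }

    /** Reads back the native-API state and returns the rows that are not yet compliant. */
    public List<String> findGaps() {
        List<String> gaps = new ArrayList<>();
        if (!dpm.isActivePasswordSufficient()) {
            gaps.add("lock-screen password does not satisfy the policy");
        }
        if (dpm.getStorageEncryptionStatus() != DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE) {
            gaps.add("internal storage is not encrypted");
        }
        if (!dpm.getCameraDisabled(admin)) {
            gaps.add("camera is still enabled");
        }
        if ((dpm.getKeyguardDisabledFeatures(admin)
                & DevicePolicyManager.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS) == 0) {
            gaps.add("notification content is still shown on the lockscreen");
        }
        return gaps;
    }
}
```

Setting a policy does not change the device state by itself: setStorageEncryption() and the password-quality calls only make the requirement active, and the user must then complete encryption and choose a compliant password. findGaps() is the check an agent should run after the reboot that CC mode requires, and before reporting the device as compliant.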


3.5 Password Recommendations

The device supports passwords composed of any combination of printable ASCII characters (codes 32-126), namely upper- and lowercase letters, digits, the space, and the special characters !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~, up to 16 characters in length.

Recommendations for administrators on password strength:

Use a password length of at least 8 characters.

Include lowercase and uppercase letters, digits and symbols.

Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, names of relatives or pets, romantic links (current or past) and biographical information.

Generate passwords randomly where feasible.

Test password strength with an available password checker, for example

https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
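A local checker for the rules above, as an added example that is not part of the Getac document: it enforces the device's printable-ASCII and 16-character limits, the four character classes, and the repetition, sequence, keyboard-pattern and dictionary rules. The word list and keyboard rows are constructed for the example; a real deployment would use a full dictionary. It runs on a standard JDK.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example (not from the Getac document): checks a candidate lock-screen
// password against the section 3.5 device limits and recommendations.
public class Mx50PasswordCheck {
    static final int MIN_LEN = 8;
    static final int MAX_LEN = 16;                                // device limit, section 3.5
    static final String[] KEYBOARD_ROWS = {"qwertyuiop", "asdfghjkl", "zxcvbnm"};
    static final List<String> WORDS = Arrays.asList(              // constructed, tiny word list
            "password", "getac", "admin", "welcome", "tablet");

    /** Returns an empty list when the password passes, otherwise the rules it fails. */
    static List<String> check(String pw) {
        List<String> failures = new ArrayList<>();
        if (pw.length() < MIN_LEN) failures.add("shorter than " + MIN_LEN + " characters");
        if (pw.length() > MAX_LEN) failures.add("longer than the " + MAX_LEN + "-character device limit");
        boolean lower = false, upper = false, digit = false, symbol = false;
        for (char c : pw.toCharArray()) {
            if (c < 32 || c > 126) { failures.add("contains a character outside printable ASCII"); break; }
            if (Character.isLowerCase(c)) lower = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isDigit(c)) digit = true;
            else symbol = true;                                   // space and the listed specials
        }
        if (!(lower && upper && digit && symbol)) failures.add("missing one of: lowercase, uppercase, digit, symbol");
        if (hasRepetition(pw, 3)) failures.add("repeats the same character 3 or more times in a row");
        if (hasSequence(pw, 3)) failures.add("contains a letter or number sequence such as abc or 123");
        if (hasKeyboardPattern(pw, 4)) failures.add("contains a keyboard-row pattern such as qwer");
        String lc = pw.toLowerCase(Locale.ROOT);
        for (String w : WORDS) if (lc.contains(w)) failures.add("contains dictionary word '" + w + "'");
        return failures;
    }

    static boolean hasRepetition(String s, int run) {
        int count = 1;
        for (int i = 1; i < s.length(); i++) {
            count = (s.charAt(i) == s.charAt(i - 1)) ? count + 1 : 1;
            if (count >= run) return true;
        }
        return false;
    }

    /** Ascending or descending runs of consecutive code points (abc, 321, xyz). */
    static boolean hasSequence(String s, int run) {
        for (int dir : new int[]{1, -1}) {
            int count = 1;
            for (int i = 1; i < s.length(); i++) {
                count = (s.charAt(i) - s.charAt(i - 1) == dir) ? count + 1 : 1;
                if (count >= run) return true;
            }
        }
        return false;
    }

    /** Any run of `run` adjacent keys from a keyboard row, in either direction. */
    static boolean hasKeyboardPattern(String s, int run) {
        String lc = s.toLowerCase(Locale.ROOT);
        for (String row : KEYBOARD_ROWS) {
            String rev = new StringBuilder(row).reverse().toString();
            for (int i = 0; i + run <= row.length(); i++) {
                if (lc.contains(row.substring(i, i + run)) || lc.contains(rev.substring(i, i + run))) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed samples: two that fail for different reasons, one that passes.
        for (String pw : new String[]{"Password123!", "Qwerty!!2024", "Tk7#rW!p2Lv"}) {
            List<String> f = check(pw);
            System.out.println(pw + " -> " + (f.isEmpty() ? "OK" : f));
        }
    }
}
```

The checker complements, rather than replaces, the DevicePolicyManager password-quality settings in section 3.4: the platform can enforce length and character classes, but repetition, sequences and dictionary words have to be screened by the agent or the administrator before the password is set.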

3.6 Bug Reporting Process

Any bugs observed by the user can be reported to Getac through mail or web.

Contact information: http://us.getac.com/contact/contact.html


4. Removable Storage Encryption

NOTE:

The Getac MX50 supports block-level encryption for removable storage. Encrypted storage is labeled with a unique GUID and displayed under Settings > Storage.

Before enabling encryption of SD card storage, the SD card must be partitioned with a GUID Partition Table (GPT) and the first partition must be formatted with the EXT4 filesystem.

After encryption, only the same device can decrypt the SD card. One device can encrypt multiple SD cards and identifies each one after it is unplugged and plugged in again.

Note that if the device performs a data erase or factory reset (of internal storage), all removable storage that was encrypted by it becomes unrecoverable.

To create the GPT and format the SD card with the EXT4 filesystem:

1. Go to Settings > Storage (SD card) > Create GPT and ext4 filesystem.

2. Tap "FORMAT REMOVABLE STORAGE" and then "ERASE EVERYTHING".

3. The device displays a success toast on completion.

Before encrypting removable storage, the user must set up a PIN or password on the device.

To encrypt an SD card:

1. Go to Settings > Storage (SD card) > Encrypt removable storage. Tap "ENCRYPT REMOVABLE STORAGE" and authenticate with the PIN or password.

2. Tap "ENCRYPT REMOVABLE STORAGE" again and choose the wipe mode:

   YES: wipe encryption erases all existing data on the removable storage.

   NO: in-place encryption keeps the current data after encryption. Note that encrypting an 8 GB SD card in place takes roughly half an hour.

3. Encryption of the removable storage begins. The device reboots automatically on completion, and the encrypted external storage is then shown in the storage list.

5. Bluetooth Authentication

To set up Bluetooth pairing, go to Settings > Bluetooth and turn on the switch if it is off.

Select the device to pair with.

To unpair a paired device, tap the settings icon on the right side of the device entry.


6. Secure Update Process

As a standard Android device, the Getac MX50 in the field can receive and install over-the-air (OTA) updates to the system and application software.

Reference: https://source.android.com/devices/tech/ota/

OTA update:

1. The device queries the Getac OTA server for the availability of an update, comparing against the present image. This can be done in either of two ways:

   The user manually checks under Settings > About tablet > System update > OTA update.

   An application, for instance an MDM agent, checks programmatically through an API call.

2. The update is downloaded to the cache partition and its cryptographic signature is verified against the certificates in /system/etc/security/otacerts.zip. The update continues only if the signature is authentic; otherwise it stops. For a manual update the user is prompted to install it; for an update triggered through the MDM API the user interaction is skipped.

3. The device reboots into recovery mode and automatically executes the update. Recovery verifies the cryptographic signature of the package a second time, against the public keys in /res/keys, and again continues only if the signature is authentic.

4. Data is extracted from the package and used to update the boot, system, and/or vendor partitions as necessary. One of the new files left on the system partition contains the contents of the new recovery partition.

5. The device reboots normally.

SD card update:

This is the same as the generic OTA update except that the first step copies the OTA package from the external SD card (if present) to the cache partition. The user starts the update manually under Settings > About tablet > System update > SD card update.
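The trust decision in step 2, reproduced off-device as an added example that is neither Getac's nor AOSP's code: every certificate in otacerts.zip is loaded and the package is accepted only if one of them verifies the signature. It assumes a detached SHA256withRSA signature file supplied next to the package (an assumption for the example); it does not parse the signature block that Android embeds in the zip comment, which on the device is checked by android.os.RecoverySystem.verifyPackage(). It runs on a standard JDK with real files as input.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Optional;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Added example, not Getac's or AOSP's code: "is this package signed by a key whose
// certificate is in otacerts.zip", with a detached signature file (assumed format).
public class OtaSignatureCheck {

    /** Every non-directory entry in otacerts.zip is an X.509 certificate (PEM or DER). */
    static List<X509Certificate> loadOtaCerts(Path otacertsZip) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (ZipFile zip = new ZipFile(otacertsZip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                if (e.isDirectory()) continue;
                try (InputStream in = zip.getInputStream(e)) {
                    certs.add((X509Certificate) cf.generateCertificate(in));
                }
            }
        }
        return certs;
    }

    /**
     * Returns the certificate whose key verifies the signature, or empty if none does.
     * Each anchor is tried in turn; a SignatureException for one anchor (wrong key
     * size, malformed input for that key) is not a global failure, just "not this key".
     */
    static Optional<X509Certificate> verifyPackage(byte[] pkg, byte[] sig,
                                                   List<X509Certificate> anchors) throws Exception {
        for (X509Certificate c : anchors) {
            if (!"RSA".equals(c.getPublicKey().getAlgorithm())) continue;
            Signature verifier = Signature.getInstance("SHA256withRSA");   // assumed algorithm
            verifier.initVerify(c.getPublicKey());
            verifier.update(pkg);
            try {
                if (verifier.verify(sig)) return Optional.of(c);
            } catch (SignatureException e) {
                // not signed with this anchor's key; try the next one
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: OtaSignatureCheck otacerts.zip update.zip update.sig");
            System.exit(2);
        }
        List<X509Certificate> anchors = loadOtaCerts(Paths.get(args[0]));
        Optional<X509Certificate> signer = verifyPackage(
                Files.readAllBytes(Paths.get(args[1])), Files.readAllBytes(Paths.get(args[2])), anchors);
        // Fail closed: an unverifiable package must not be staged in cache or handed to recovery.
        if (!signer.isPresent()) {
            System.err.println("REJECT: no certificate in otacerts.zip verifies this package");
            System.exit(1);
        }
        System.out.println("ACCEPT: signed by " + signer.get().getSubjectX500Principal());
    }
}
```

Two properties of the on-device process are worth keeping in mind when reading this: the certificates in otacerts.zip are trusted by membership, not by chaining to a CA, so the set is effectively a list of signing keys; and the second verification in recovery against /res/keys is independent, so a package that passes step 2 is still rejected if the recovery image carries a different key set.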



7. APIs Specification

This section provides a list of the evaluated security-related APIs that developers can use when writing their mobile applications.

7.1 Android Keystore

The Android Keystore system stores cryptographic keys in a container that makes them more difficult to extract from the device. Once keys are in the keystore they can be used for cryptographic operations while the key material remains non-exportable. The keystore also offers facilities to restrict when and how keys can be used, such as requiring user authentication for key use or restricting keys to certain cryptographic modes.

https://developer.android.com/training/articles/keystore.html

7.1.1 Cryptographic secure random number generator

The SecureRandom class provides a cryptographically strong random number generator (RNG), which complies with the statistical

random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1.

https://developer.android.com/reference/java/security/SecureRandom.html

SecureRandom random = SecureRandom.getInstance("NativePRNG", "AndroidOpenSSL");
byte[] bytes = new byte[16];
random.nextBytes(bytes);   // 128 bits of cryptographically strong random data

7.1.2 Asymmetric cryptographic key pair generation

The KeyPairGenerator class is used to generate pairs of public and private keys, including DH, DSA, EC and RSA. Key pair

generators are constructed using the getInstance factory methods (static methods that return instances of a given class).

https://developer.android.com/reference/java/security/KeyPairGenerator.html

The KeyPair class is a simple holder for a key pair (a public key and a private key).

The developer accesses EC and RSA private keys through the ECPrivateKey and RSAPrivateKey interfaces, both of which extend PrivateKey, and EC and RSA public keys through ECPublicKey and RSAPublicKey, both of which extend PublicKey.

[RSA]

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
// On Android 5.1 (API 22) the AndroidKeyStore provider must be initialized with a
// KeyPairGeneratorSpec that names the key alias; a bare key size is rejected.
// context, notBefore and notAfter are supplied by the caller.
kpg.initialize(new KeyPairGeneratorSpec.Builder(context).setAlias("alias").setKeySize(2048)
        .setSubject(new X500Principal("CN=alias")).setSerialNumber(BigInteger.ONE)
        .setStartDate(notBefore).setEndDate(notAfter).build());
KeyPair kp = kpg.generateKeyPair();
PrivateKey priv = kp.getPrivate();
PublicKey pub = kp.getPublic();

[ECC]

// Explicit curve parameters as in the original; the "…" values are not supplied here.
EllipticCurve curve = new EllipticCurve(
        new ECFieldFp(new BigInteger("…")),                            // q
        new BigInteger("…", 16),                                        // a
        new BigInteger("…", 16));                                       // b
ECParameterSpec ecSpec = new ECParameterSpec(curve,
        new ECPoint(new BigInteger("…", 16), new BigInteger("…", 16)), // G
        new BigInteger("…"),                                            // n
        1);                                                             // h
// A named curve, new ECGenParameterSpec("secp256r1"), can be used instead of the explicit spec.
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
kpg.initialize(new KeyPairGeneratorSpec.Builder(context).setAlias("alias").setKeyType("EC")
        .setAlgorithmParameterSpec(ecSpec).setSubject(new X500Principal("CN=alias"))
        .setSerialNumber(BigInteger.ONE).setStartDate(notBefore).setEndDate(notAfter).build());
KeyPair kp = kpg.generateKeyPair();
PrivateKey priv = kp.getPrivate();
PublicKey pub = kp.getPublic();

KeyFactory is used to convert keys (opaque cryptographic keys of type Key) into key specifications (transparent representations of

the underlying key material), and vice versa.

https://developer.android.com/reference/java/security/KeyFactory.html

[RSA]

KeyFactory kf = KeyFactory.getInstance("RSA", "AndroidOpenSSL");
// modulus, privateExponent and publicExponent are BigIntegers obtained elsewhere.
RSAPrivateKeySpec priSpec = new RSAPrivateKeySpec(modulus, privateExponent);
RSAPublicKeySpec pubSpec = new RSAPublicKeySpec(modulus, publicExponent);
PrivateKey priv = kf.generatePrivate(priSpec);
PublicKey pub = kf.generatePublic(pubSpec);

Supported asymmetric key generation algorithms specified in the PP include:

RSA FCS_CKM.1(1) [cryptographic key generation]

ECC FCS_CKM.1(1) [cryptographic key generation]

7.1.3 Symmetric cryptographic key generation

KeyGenerator provides the functionality of a secret (symmetric) key generator.

https://developer.android.com/reference/javax/crypto/KeyGenerator.html

KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");

kg.init(256);

SecretKey sk = kg.generateKey();

Supported secret key generation algorithms specified in the PP include:

AES


7.1.4 Key destruction

KeyStore ks = KeyStore.getInstance("AndroidKeyStore");

ks.load(null);

ks.deleteEntry(alias);


7.2 Cryptographic APIs

Developers can use NIST-validated cryptography through the standard Android framework APIs. The underlying cryptographic service provider (CSP), the Conscrypt package registered as "AndroidOpenSSL", invokes the certified OpenSSL library. The device inherently offers access to the crypto-related Java packages, including javax.crypto.* and java.security.*.

https://developer.android.com/reference/java/security/spec/package-summary.html

https://developer.android.com/reference/javax/crypto/package-summary.html

This section shows selected code examples for typical cryptographic primitives. These snippets only give a quick impression of
the crypto APIs available on the device. In a real implementation, the developer must take appropriate measures against known
programming faults.

7.2.1 Symmetric key encryption

Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding", "AndroidOpenSSL");
// key, iv, ciphertext: supplied by the caller. CBC decryption needs the IV that was used at encryption time.
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
// With NoPadding the input must be a multiple of the 16-byte AES block size.
byte[] secret = cipher.doFinal(ciphertext);

Supported encryption algorithms specified in the PP include:

AES/CBC/NoPadding FCS_COP.1(1) [encryption/decryption]

AES/CBC/PKCS5Padding FCS_COP.1(1) [encryption/decryption]

7.2.2 Cryptographic hashing

The MessageDigest class provides applications with the functionality of a message digest algorithm, including SHA-1, SHA-256,
SHA-384, and SHA-512. Message digests are secure one-way hash functions that take arbitrary-sized data and output a fixed-length
hash value.

https://developer.android.com/reference/java/security/MessageDigest.html

MessageDigest md = MessageDigest.getInstance("SHA-512", "AndroidOpenSSL");

try {
    md.update(toChapter1);
    MessageDigest tc1 = (MessageDigest) md.clone();   // clone() returns Object; cast it
    byte[] toChapter1Digest = tc1.digest();            // digest over chapter 1 only
    md.update(toChapter2);                             // md keeps accumulating chapters 1 and 2
    ...etc.
} catch (CloneNotSupportedException cnse) {
    throw new DigestException("couldn't make digest of partial content");
}

Supported hash algorithms specified in the PP include:

SHA-1 FCS_COP.1(2) [cryptographic hashing]

SHA-256/384/512 FCS_COP.1(2) [cryptographic hashing]


7.2.3 Cryptographic key establishment

Cipher provides the functionality of a cryptographic cipher for encryption and decryption.

https://developer.android.com/reference/javax/crypto/Cipher.html

KeyAgreement provides the functionality of a key agreement (or key exchange) protocol such as DH and ECDH.

https://developer.android.com/reference/javax/crypto/KeyAgreement.html

Assume that Alice establishes a secret key with Bob by decrypting the payload he encrypted under her public key.

[RSA-based key establishment schemes]

Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding", "AndroidOpenSSL");
cipher.init(Cipher.DECRYPT_MODE, privateKeyAlice);
cipher.update(secretEncryptedByBob);   // the secret Bob encrypted under Alice's public key
byte[] secret = cipher.doFinal();

Supported algorithms specified in PP include:

RSA/ECB/NoPadding FCS_CKM.2(1) [cryptographic key establishment]

RSA/ECB/PKCS1Padding FCS_CKM.2(1) [cryptographic key establishment]

[Elliptic curve-based key establishment schemes]

KeyAgreement ka = KeyAgreement.getInstance("ECDH", "AndroidOpenSSL");
ka.init(privateKeyAlice);
ka.doPhase(publicKeyBob, true);        // ECDH combines Alice's private key with Bob's PUBLIC key; true = last phase
byte[] secret = ka.generateSecret();   // raw shared secret; derive the working key from it with a KDF

Supported algorithms specified in PP include:

ECDH FCS_CKM.2(1) [cryptographic key establishment]
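The two schemes listed above are shown from one side only. The following added example, written for this page and not part of Getac's or Android's own code, runs both sides of each exchange: Alice and Bob each compute the ECDH secret from their own private key and the peer's public key, and Bob transports a fresh 256-bit key to Alice under RSA/ECB/PKCS1Padding. It omits the provider argument so that it compiles and runs on any standard JDK; the curve name secp256r1, the 2048-bit RSA size and the single SHA-256 pass used as a stand-in KDF are assumptions for the example, not requirements taken from this document.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;

public class KeyEstablishmentDemo {

    // ECDH: each side combines its own private key with the peer's PUBLIC key.
    static byte[] ecdhSharedSecret(PrivateKey mine, PublicKey peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine);
        ka.doPhase(peer, true);   // true: this is the last (and only) phase
        return ka.generateSecret();
    }

    // The raw ECDH output is not a uniformly random key; run it through a KDF first.
    // Assumption: one SHA-256 over secret || label stands in for the deployment's KDF.
    static byte[] deriveAesKey(byte[] sharedSecret, String label) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(sharedSecret);
        md.update(label.getBytes(StandardCharsets.UTF_8));
        byte[] key = md.digest();
        Arrays.fill(sharedSecret, (byte) 0);   // zeroize the raw secret once the key is derived
        return key;
    }

    // RSA key transport: Bob wraps a fresh symmetric key under Alice's public key.
    static byte[] rsaWrap(PublicKey alicePub, byte[] symmetricKey) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.ENCRYPT_MODE, alicePub);
        return c.doFinal(symmetricKey);
    }

    // Alice unwraps with her private key; PKCS1Padding strips the padding and returns only the key bytes.
    static byte[] rsaUnwrap(PrivateKey alicePriv, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.DECRYPT_MODE, alicePriv);
        return c.doFinal(wrapped);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();

        // ECDH over P-256: both sides reach the same key from different inputs.
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"), rng);
        KeyPair alice = ecGen.generateKeyPair();
        KeyPair bob = ecGen.generateKeyPair();

        byte[] kAlice = deriveAesKey(ecdhSharedSecret(alice.getPrivate(), bob.getPublic()), "session");
        byte[] kBob = deriveAesKey(ecdhSharedSecret(bob.getPrivate(), alice.getPublic()), "session");
        System.out.println("ECDH keys match: " + Arrays.equals(kAlice, kBob));

        // RSA-2048 transport: Bob picks the key, Alice recovers it.
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048, rng);
        KeyPair aliceRsa = rsaGen.generateKeyPair();

        byte[] bobsKey = new byte[32];   // constructed sample: a fresh 256-bit key chosen by Bob
        rng.nextBytes(bobsKey);
        byte[] wrapped = rsaWrap(aliceRsa.getPublic(), bobsKey);
        byte[] recovered = rsaUnwrap(aliceRsa.getPrivate(), wrapped);
        System.out.println("RSA transport ok: " + Arrays.equals(bobsKey, recovered));
    }
}
```

On the device the same javax.crypto and java.security calls are served by the Conscrypt/AndroidOpenSSL provider described in 7.2; only the provider argument differs from the snippets above.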

7.2.4 Keyed-hash message authentication

Mac mac = Mac.getInstance("HmacSHA1", "AndroidOpenSSL");   // JCA name is "HmacSHA1" (also HmacSHA256/384/512)
mac.init(key);                                              // key: a SecretKey for the HMAC
byte[] digest = mac.doFinal(context);                       // context: the data to authenticate

Supported keyed-hash algorithms specified in the PP include:

HmacSHA1 FCS_COP.1(4) [keyed-hash message authentication]

HmacSHA256 FCS_COP.1(4) [keyed-hash message authentication]

HmacSHA384 FCS_COP.1(4) [keyed-hash message authentication]

HmacSHA512 FCS_COP.1(4) [keyed-hash message authentication]
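AES/CBC (7.2.1) gives confidentiality only; an attacker who can modify the ciphertext can flip plaintext bits without being detected. The following added example, written for this page and not taken from Getac's or Android's code, puts 7.2.1 and 7.2.4 together as encrypt-then-MAC: a fresh random IV per message, AES/CBC/PKCS5Padding, an HmacSHA256 tag over IV and ciphertext under a separate MAC key, and a constant-time tag check before any decryption. It omits the provider argument so that it runs on any standard JDK; the message layout (IV || ciphertext || tag) and the sample plaintext are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesCbcHmacDemo {
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HmacSHA256 output length

    // Output layout: IV || ciphertext || HmacSHA256(IV || ciphertext)
    static byte[] encrypt(SecretKey encKey, SecretKey macKey, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);   // fresh IV per message; never reuse one under the same key
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        mac.update(ct);
        byte[] tag = mac.doFinal();

        return ByteBuffer.allocate(IV_LEN + ct.length + TAG_LEN).put(iv).put(ct).put(tag).array();
    }

    // Verify the tag BEFORE decrypting; returns null if the message was altered or truncated.
    static byte[] decrypt(SecretKey encKey, SecretKey macKey, byte[] message) throws GeneralSecurityException {
        if (message.length < IV_LEN + TAG_LEN) {
            return null;
        }
        byte[] iv = Arrays.copyOfRange(message, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(message, IV_LEN, message.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(message, message.length - TAG_LEN, message.length);

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        mac.update(ct);
        byte[] expected = mac.doFinal();
        if (!MessageDigest.isEqual(expected, tag)) {   // constant-time comparison, no early exit on mismatch
            return null;
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey encKey = kg.generateKey();
        byte[] macRaw = new byte[32];
        new SecureRandom().nextBytes(macRaw);
        SecretKey macKey = new SecretKeySpec(macRaw, "HmacSHA256");   // independent key for the MAC

        // constructed sample message
        byte[] plaintext = "audit record 0001: login ok".getBytes(StandardCharsets.UTF_8);
        byte[] msg = encrypt(encKey, macKey, plaintext);
        System.out.println("round trip: " + new String(decrypt(encKey, macKey, msg), StandardCharsets.UTF_8));

        byte[] flipped = msg.clone();
        flipped[IV_LEN] ^= 0x01;   // flip one bit of the first ciphertext block
        System.out.println("tampered message accepted: " + (decrypt(encKey, macKey, flipped) != null));
    }
}
```

Using one key for both AES and the HMAC, or comparing tags with Arrays.equals, would undo the protection: the first violates key separation, the second leaks tag bytes through timing.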


7.2.5 Cryptographic signature services (generation and verification)

The Signature class is used to provide applications the functionality of a digital signature algorithm. Digital signatures are used for

authentication and integrity assurance of digital data.

https://developer.android.com/reference/java/security/Signature.html

X509EncodedKeySpec bobPubKeySpec = new X509EncodedKeySpec(bobEncodedPubKey);   // SubjectPublicKeyInfo bytes
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey bobPubKey = keyFactory.generatePublic(bobPubKeySpec);

Signature sig = Signature.getInstance("SHA512WithRSA");
sig.initVerify(bobPubKey);
sig.update(data);
boolean valid = sig.verify(signature);   // verify() returns false on a bad signature; the result must be checked

Supported signature algorithms specified in the PP include:

SHA1WithRSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]

SHA256WithRSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]

SHA512WithRSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]

SHA256WithECDSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]

SHA384WithECDSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]

SHA512WithECDSA FCS_COP.1(3) [cryptographic signature services (generation and verification)]
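The snippet above shows verification only and leaves the result of verify() unused. The following added example, written for this page and not part of Getac's or Android's code, covers the full cycle for the ECDSA entries in the list: it generates a P-256 key pair, exports the public key as its X.509 encoding and rebuilds it with KeyFactory (the conversion described in 7.1.2), signs with SHA256withECDSA, verifies, and then shows that a one-bit change to the data makes verify() return false. It omits the provider argument so that it runs on any standard JDK; the curve name and the sample message are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;

public class EcdsaSignDemo {

    // Sign 'data' with SHA256withECDSA (one of the PP-listed algorithms).
    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv, new SecureRandom());   // ECDSA needs fresh randomness for every signature
        sig.update(data);
        return sig.sign();
    }

    // Verify and RETURN the result; the caller decides what to do with an invalid signature.
    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pub);
        sig.update(data);
        try {
            return sig.verify(signature);
        } catch (SignatureException e) {
            // A malformed signature blob (bad DER) is a verification failure, not a crash.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();

        // Ship the public key as its X.509 SubjectPublicKeyInfo encoding and rebuild it
        // on the receiving side through KeyFactory, as in 7.1.2.
        byte[] encodedPub = kp.getPublic().getEncoded();
        PublicKey bobPubKey = KeyFactory.getInstance("EC")
                .generatePublic(new X509EncodedKeySpec(encodedPub));

        // constructed sample message
        byte[] data = "firmware-manifest-v1".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(kp.getPrivate(), data);

        byte[] tampered = data.clone();
        tampered[0] ^= 0x01;   // one-bit change to the signed data

        System.out.println("valid on original data: " + verify(bobPubKey, data, signature));
        System.out.println("valid on tampered data: " + verify(bobPubKey, tampered, signature));
    }
}
```

Swapping "SHA256withECDSA" and "EC" for "SHA512WithRSA" and "RSA" (with kpg.initialize(2048, ...)) exercises the RSA entries of the same list with no other change.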


7.3 Certificate validation

Example of validating an X.509 certificate chain (loaded from PEM, DER, or PKCS#12 files) against the trust anchors held in a KeyStore.

CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPath cp = cf.generateCertPath(mCertsP12);              // mCertsP12: List<Certificate>, end-entity certificate first
PKIXParameters params = new PKIXParameters(mKeyStore);     // mKeyStore: its trusted certificate entries become the trust anchors
params.setRevocationEnabled(true);                         // true to check CRL, otherwise false
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
CertPathValidatorResult cpvr = cpv.validate(cp, params);   // throws CertPathValidatorException if the chain is not trusted
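The snippet above starts from an already-loaded chain and key store. The following added example, written for this page and not taken from Getac's or Android's code, does the whole job from files: it builds an in-memory trust store from the CA certificate(s), parses an end-entity-first chain, runs the PKIX validator with revocation checking switched on or off from the command line, and reports which certificate in the path failed and why. The file layout (chain and CA in PEM or DER, given as command-line arguments) is an assumption for the example; a PKCS#12 file would instead be opened with KeyStore.getInstance("PKCS12") and load().

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.List;

public class CertPathCheck {

    // Build an in-memory trust store holding only the CA certificate(s) found in 'caFile' (PEM or DER).
    static KeyStore trustStoreFrom(String caFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);   // start empty: nothing is trusted except what is added here
        try (InputStream in = new FileInputStream(caFile)) {
            int i = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + (i++), ca);   // trusted certificate entries become trust anchors
            }
        }
        return ks;
    }

    // Validate the chain in 'chainFile' (end-entity first, then intermediates) against the trust store.
    // Returns the subject of the trust anchor on success; throws CertPathValidatorException on failure.
    static String validate(String chainFile, KeyStore trust, boolean checkRevocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(chainFile)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath cp = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(trust);
        // With revocation enabled the validator must be able to obtain a CRL (or OCSP response) for
        // every certificate; if it cannot, validation FAILS instead of silently passing.
        params.setRevocationEnabled(checkRevocation);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
        return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CertPathCheck <chain.pem> <ca.pem> [--revocation]");
            return;
        }
        boolean revocation = args.length > 2 && "--revocation".equals(args[2]);
        try {
            String anchor = validate(args[0], trustStoreFrom(args[1]), revocation);
            System.out.println("chain is valid; anchored at " + anchor);
        } catch (CertPathValidatorException e) {
            // getIndex() identifies the failing certificate in the path, getReason() the PKIX reason code.
            System.out.println("chain rejected at index " + e.getIndex() + ": " + e.getReason()
                    + " (" + e.getMessage() + ")");
        }
    }
}
```

Expired certificates, a missing intermediate, a chain that ends in a CA not present in the trust store, and an unobtainable CRL (when --revocation is given) all surface as CertPathValidatorException rather than as a successful return, which is the behaviour a caller should rely on.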

7.4 TLS/HTTPS

Connection to HTTPS server example:

URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();   // for an https URL this is an HttpsURLConnection
InputStream in = urlConnection.getInputStream();      // the server certificate chain is validated against the device trust store and the host name is verified by default
copyInputStreamToOutputStream(in, System.out);        // helper that copies the response body to the output stream

https://developer.android.com/training/articles/security-ssl.html

An example code snippet for HTTPS with client certificate:

KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
kmf.init(keyStore, clientCertPassword.toCharArray());   // keyStore holds the client certificate and its private key
KeyManager[] keyManagers = kmf.getKeyManagers();

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, null, null);   // null trust managers: the platform default trust store is used

String result = null;
HttpURLConnection urlConnection = null;
try {
    URL requestedUrl = new URL(url);
    urlConnection = (HttpURLConnection) requestedUrl.openConnection();
    if (urlConnection instanceof HttpsURLConnection) {
        ((HttpsURLConnection) urlConnection)
                .setSSLSocketFactory(sslContext.getSocketFactory());
    }
    urlConnection.setRequestMethod("GET");
    urlConnection.setConnectTimeout(1500);
    urlConnection.setReadTimeout(1500);
    lastResponseCode = urlConnection.getResponseCode();
    result = IOUtil.readFully(urlConnection.getInputStream());
    lastContentType = urlConnection.getContentType();
} catch (Exception ex) {
    result = ex.toString();   // a failed TLS handshake also lands here; check lastResponseCode before treating result as a response body
} finally {
    if (urlConnection != null) {
        urlConnection.disconnect();
    }
}

https://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
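The client-certificate snippet above passes null trust managers and folds any exception into the result string. The following added example, written for this page and not part of Getac's or Android's code, is the variant a practitioner would deploy: the client identity comes from a PKCS#12 file, the server is checked against an explicit trust store rather than the platform default, the default host name verifier is left in place, the response body is bounded, and a handshake failure stays an exception instead of being returned as data. The file formats, the TLSv1.2 context name and the command-line arguments are assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Client identity (PKCS#12) plus an explicit trust store: no reliance on platform defaults.
    static SSLContext buildContext(String clientP12, char[] p12Password,
                                   String trustStoreFile, char[] trustPassword) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            identity.load(in, p12Password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Password);

        // Assumption: the trust store is in the platform's default KeyStore format.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            trust.load(in, trustPassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");   // assumption: the server supports TLS 1.2
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // GET 'url' over the given context. Handshake and HTTP errors propagate as exceptions;
    // they are never folded into the returned body, so a caller cannot mistake them for data.
    static String get(SSLContext ctx, String url, int maxBytes) throws Exception {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) u.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // the default HostnameVerifier stays in place
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            int code = conn.getResponseCode();
            if (code != HttpURLConnection.HTTP_OK) {
                throw new IOException("unexpected HTTP status " + code);
            }
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                int n;
                while ((n = in.read(chunk)) > 0 && buf.size() < maxBytes) {
                    buf.write(chunk, 0, Math.min(n, maxBytes - buf.size()));   // bounded read
                }
                return buf.toString("UTF-8");
            }
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: MutualTlsClient <https-url> <client.p12> <p12-password> <truststore> [truststore-password]");
            return;
        }
        char[] tsPass = args.length > 4 ? args[4].toCharArray() : null;
        SSLContext ctx = buildContext(args[1], args[2].toCharArray(), args[3], tsPass);
        try {
            System.out.println(get(ctx, args[0], 64 * 1024));
        } catch (SSLHandshakeException e) {
            System.err.println("TLS handshake failed (server not trusted or client certificate rejected): " + e.getMessage());
        }
    }
}
```

Pointing the trust store at a CA the server is not issued under, or presenting a client certificate the server does not accept, ends in the SSLHandshakeException branch; the body is only ever returned after a successful handshake and a 200 response.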

7.5 Bluetooth

The Getac MX50 supports the generic Android Bluetooth APIs.

https://developer.android.com/reference/android/bluetooth/BluetoothDevice.html

An example code can be found in https://github.com/googlesamples/android-BluetoothChat

BluetoothSocket socket = null;

// Listen to the server socket if we're not connected
while (mState != STATE_CONNECTED) {
    try {
        // This is a blocking call and will only return on a
        // successful connection or an exception
        socket = mmServerSocket.accept();
    } catch (IOException e) {
        Log.e(TAG, "Socket Type: " + mSocketType + "accept() failed", e);
        break;
    }

    // If a connection was accepted
    if (socket != null) {
        synchronized (BluetoothChatService.this) {
            switch (mState) {
                case STATE_LISTEN:
                case STATE_CONNECTING:
                    // Situation normal. Start the connected thread.
                    connected(socket, socket.getRemoteDevice(), mSocketType);
                    break;
                case STATE_NONE:
                case STATE_CONNECTED:
                    // Either not ready or already connected. Terminate new socket.
                    try {
                        socket.close();
                    } catch (IOException e) {
                        Log.e(TAG, "Could not close unwanted socket", e);
                    }
                    break;
            }
        }
    }
}


Appendix A. Recovery Mode

Recovery mode allows the user to safely reset the device (erasing all data) and to apply an OTA update.

There are two ways to boot into recovery mode:

Execute “adb reboot recovery” through the ADB interface to reboot into recovery mode.

Hold down the “-” (minus) physical button after pressing the power button. DO NOT release the “-” button until the recovery
screen is shown. This takes about 5 to 8 seconds.

Primary functions available in recovery mode:

Apply update (all) from sdcard: the device copies the OTA file “getac-ota.zip” from the sdcard if present, verifies its signature, and
performs the system update.

Wipe data / factory reset: erases all user data and restores the device to its factory configuration.