Knox White Paper
Universal Credential Management (UCM)
Digital credentials are critical mobile security building blocks, leveraging trusted authorities to validate identity and secure private channels across public deployments. Your mobile device credentials provide seamless access to secured Wi-Fi, VPN, email, and websites. Credentials include certificates providing identity and private keys to decrypt sensitive data. These credentials must be securely stored to prevent malicious parties from exploiting your identity and accessing confidential data.
The storage available to you can evolve with the introduction of new technology and emerging security standards. For example, a mobile device used in a regulated industry may need to obtain personal credentials from a physical Smart Card. In the future, it may need to switch from physical smart cards to virtual ones on an NFC chip. This change process presents a fragmentation problem for credential-consuming app developers: each storage provider has its own proprietary APIs, so adding or switching to new storage hardware introduces new coding cycles, testing, and app re-distribution.
The Knox Platform's Universal Credential Management (UCM) provides a plug-and-play framework for credential management across a variety of different storage media. A significant benefit of the UCM framework is that it uniquely enables storage vendors to develop a plugin, distributed as a standard Android app, that provides access to their storage space and cryptographic operations without forcing app developers to change their code or forcing IT admins or end users to update their apps. The plugin essentially acts as the link between the UCM framework and a specific storage device.
The UCM framework consolidates and standardizes credential services to provide a streamlined interface for:
- EMM or ISV apps — These apps configure, provision, and consume credentials, manage credential storage access permissions, and activate advanced UCM permissions. They can enforce the installation, removal, or per-app access control of a credential.
- Storage provider plugin — These apps are provided by storage vendors to link the UCM framework to their storage solution, to manage stored credentials.
- Secure storage — This feature currently includes the Samsung eSE and Smart Card readers described in Secure storage options. You can easily support other storage options through additional vendor plugins.
The Knox SDK provides credential storage vendors a set of UCM APIs to make current and future storage options available on Samsung devices, hiding the implementation details of their solution so that mobile app developers can transparently access stored credentials through standard APIs, such as the Android Keychain. Similarly, developers can use the Java Cryptography Extension APIs to offload cryptographic operations to a capable Smart Card. This abstraction, made possible by the UCM framework, eliminates the need for complex vendor-specific code within mobile apps, meaning enterprise customers have a wide range of existing apps available to them and can easily develop in-house apps without worrying about the underlying storage implementation.
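The consumer side of this abstraction, as an added Java example that is not code from the white paper or the Knox SDK: the app looks a credential up by alias through the Android KeyChain and signs a challenge with the standard JCE Signature API, never naming the storage backend. It assumes the alias was obtained earlier through KeyChain.choosePrivateKeyAlias; the class and method names are the example's own.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

/** Challenge-response signing with a credential reached through the Android KeyChain. */
public final class KeyChainChallengeSigner {
    private static final String SIG_ALG = "SHA256withRSA";

    private KeyChainChallengeSigner() {}

    /**
     * Signs the challenge with the key behind the alias (alias assumed to come from
     * KeyChain.choosePrivateKeyAlias). Call off the main thread: KeyChain.getPrivateKey
     * blocks. The PrivateKey is an opaque handle; the JCE provider routes the operation
     * to wherever the key lives, and only the signature comes back to the app.
     */
    public static byte[] sign(Context ctx, String alias, byte[] challenge)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        if (key == null) {
            // No grant for this alias, or the credential was removed from its storage.
            throw new KeyChainException("no usable key for alias " + alias);
        }
        Signature sig = Signature.getInstance(SIG_ALG);
        sig.initSign(key);
        sig.update(challenge);
        return sig.sign();
    }

    /** Verifies with the leaf certificate's public key, as a relying party would. */
    public static boolean verify(Context ctx, String alias, byte[] challenge, byte[] signature)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (chain == null || chain.length == 0) {
            return false;
        }
        Signature sig = Signature.getInstance(SIG_ALG);
        sig.initVerify(chain[0].getPublicKey());
        sig.update(challenge);
        return sig.verify(signature);
    }
}
```

Swapping the credential from the system store to an eSE or Smart Card plugin changes nothing in this code; only the alias the user picks differs.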
The UCM framework supports the following secure storage options:
- Samsung Embedded Secure Element (eSE) — eSE supports the storing and accessing of credentials, allowing secure storage on the device without additional hardware.
- Smart cards — Smart cards' resiliency makes them ideal for storing credentials if the threat model calls for trust to be shifted outside the device. You can use Smart Cards for unlock actions such as:
  - Knox Platform's On Device Encryption (ODE) — You can configure ODE to depend cryptographically on the PIN unlock of a Smart Card inserted in the device, which manages the decryption key for the internal data partition.
  - Device lockscreen — You can store the device unlock passcode in a Smart Card.
Note — eSE is not available in the following countries and carriers: USA-Verizon, Korea-All, Japan-All, Canada-Telus.
The UCM framework uses two types of whitelists, which uniquely manage access controls for credential storage and offer fully customizable access permissions:
- App whitelist — Enforces which apps can access each secure storage type. Every secure storage device maps to its own UCM plugin, which the secure storage solution provider creates and maintains.
- Credential whitelist — Enforces each app's access to credentials, providing app-specific access permissions. By enforcing access control, admins can prevent credential usage by malicious or untrusted apps.