Digital credentials are fundamental building blocks of mobile security: a trusted authority vouches for an identity, and that identity is then used to establish private channels over public networks. On a mobile device, credentials give seamless access to secured Wi-Fi, VPN, email, and websites. A credential consists of a certificate that asserts an identity and the private key that proves possession of it, which is also used to sign data and to decrypt sensitive data sent to the holder. Both must be stored securely: an attacker who obtains the private key can impersonate the user and read confidential data.
The storage available for credentials evolves as new technology and new security standards appear. For example, a mobile device used in a regulated industry may need to obtain personal credentials from a physical smart card; later it may need to switch to a virtual smart card hosted on an NFC chip. This creates a fragmentation problem for developers of credential-consuming apps, because each storage provider has its own proprietary APIs, so adding or switching to new storage hardware means new coding cycles, testing, and app re-distribution.
The Knox Platform's Universal Credential Management (UCM) provides a plug-and-play framework for credential management across a variety of storage media. Its main benefit is that a storage vendor can develop a plugin, distributed as a standard Android app, that exposes the vendor's storage and cryptographic operations without requiring app developers to change their code or IT admins and end users to update their apps. The plugin acts as the link between the UCM framework and a specific storage device.
The UCM framework consolidates and standardizes credential services to provide a streamlined interface for:
The Knox SDK gives credential storage vendors a set of UCM APIs for making current and future storage options available on Samsung devices while hiding the implementation details of their solution. App developers then access the stored credentials transparently through standard Android APIs such as the KeyChain API, and can use the Java Cryptography Extension (JCE) APIs to offload cryptographic operations, such as signing, to a capable smart card, so the operation runs where the key is stored. This abstraction removes vendor-specific code from mobile apps: enterprise customers can use a wide range of existing apps and can develop in-house apps without depending on the underlying storage implementation.
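The following is an added example, not code from the Knox SDK or from any UCM plugin, of what the "transparent access" above looks like from the app side. It uses only the public Android KeyChain API and the JCE Signature API. It assumes, as the text states, that a UCM-backed credential appears to the app as an ordinary KeyChain alias and that the provider behind that alias (a smart card plugin, the platform keystore, or anything else) performs the private-key operation; the class and method names are the example's own.

```java
import android.app.Activity;
import android.content.Context;
import android.net.Uri;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;

import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

/**
 * Signs a challenge with a credential obtained through the Android KeyChain.
 * The app never handles raw key material: Signature.initSign() delegates the
 * private-key operation to whichever provider backs the alias, so the same
 * code works whether the key lives in the platform keystore or in storage
 * reached through a UCM plugin (assumed here; not tied to any specific plugin).
 */
public final class KeyChainSigner {

    /** Example callback type: receives the signature and signer certificate, or an error. */
    public interface Result {
        void onSigned(byte[] signature, X509Certificate leaf);
        void onError(Exception e);
    }

    private KeyChainSigner() {}

    /**
     * Step 1: let the user (or a pre-selected alias, if the enterprise has
     * granted one) pick a key. choosePrivateKeyAlias must be called from an
     * Activity; the callback may arrive on any thread, so the blocking work
     * is moved to a background thread.
     */
    public static void signWithUserChosenKey(final Activity activity,
                                             final byte[] challenge,
                                             final Result result) {
        KeyChain.choosePrivateKeyAlias(
                activity,
                new KeyChainAliasCallback() {
                    @Override
                    public void alias(final String alias) {
                        if (alias == null) {   // user cancelled or no usable key
                            result.onError(new IllegalStateException("no alias selected"));
                            return;
                        }
                        new Thread(new Runnable() {
                            @Override
                            public void run() {
                                try {
                                    X509Certificate[] chain =
                                            KeyChain.getCertificateChain(activity, alias);
                                    byte[] sig = sign(activity, alias, challenge);
                                    result.onSigned(sig, chain[0]);
                                } catch (Exception e) {
                                    result.onError(e);
                                }
                            }
                        }).start();
                    }
                },
                new String[] {"RSA", "EC"},   // acceptable key types
                null,                         // accept any issuer
                (Uri) null,                   // no server URI hint
                null);                        // no pre-selected alias
    }

    /**
     * Step 2: sign through JCE. Must not run on the main thread, because
     * KeyChain.getPrivateKey blocks on a binder call to the keychain service.
     */
    public static byte[] sign(Context ctx, String alias, byte[] data)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        if (key == null) {
            throw new KeyChainException("alias not found or access denied: " + alias);
        }
        // Hardware- or plugin-backed keys are opaque handles (getEncoded() returns
        // null). Choose the signature scheme from the key type rather than hard-coding RSA.
        String algorithm = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        Signature s = Signature.getInstance(algorithm);
        s.initSign(key);   // the operation is delegated to the provider that owns the key
        s.update(data);
        return s.sign();
    }

    /** Verification side: anyone holding the certificate can check the signature. */
    public static boolean verify(X509Certificate cert, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        String algorithm = "EC".equals(cert.getPublicKey().getAlgorithm())
                ? "SHA256withECDSA" : "SHA256withRSA";
        Signature v = Signature.getInstance(algorithm);
        v.initVerify(cert);
        v.update(data);
        return v.verify(signature);
    }
}
```

Nothing in this class refers to a smart card, an eSE, or a vendor SDK, which is the point of the abstraction: if the credential is later moved from one storage medium to another, the alias and the Signature calls stay the same, and only the provider reached through KeyChain changes. The verify() method is the check a relying party would run against the certificate returned by getCertificateChain.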
The UCM framework supports the following secure storage options:
Note: eSE (embedded Secure Element) is not available in the following countries and with the following carriers: USA (Verizon), Korea (all carriers), Japan (all carriers), Canada (Telus).
The UCM framework uses two types of whitelists to manage access control for credential storage, with fully customizable access permissions: