Mai 30, 2022

Differentiator factors of the usage of Knox Vault

Kamil Grondys, Solutions Architect of Samsung R&D Institute Poland

Samsung Knox is already well recognized and trusted by security experts and government agencies. Knox has achieved many certifications including Common Criteria and FIPS 140-2. Knox provides secure critical communication and encryption at the highest possible levels. Applications of Knox allows users to replace physical documents, including digital IDs for car keys. 

The newly introduced Knox Vault is integrated into Samsung devices starting from the Galaxy S21, and its components are evaluated at EAL4+ and higher. By default, Knox Vault can:

·        Store sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key (SAK), biometric data, and blockchain credentials.

·      Run security-critical code that authenticates a user with increasing timeouts between failures and controls access to keys depending on authentication.

By using StrongBox Keymaster powered by Knox Vault, partners can elevate their solutions and replace external EAL4+ storage and use it for critical communication or increase device encryption by incorporating API to generate and encrypt keys for securing communication or provide an additional layer of encryption using DualDAR architecture.

The other area that could easily be improved by applying Knox Vault is e-signature, including qualified and secure biometric signatures.

The architecture of basically any cryptographic solution that is using asymmetric or symmetric cryptography can not only be improved but also a partner who would like to achieve a certification level for their solution often required by customers or regulations can follow up the integration of Knox Vault.

In critical communication, where end-to-end encryption is an important differentiator, private key of a user can be securely generated inside embedded Secure Element (eSE), and session keys can be protected by that key or other side’s public key. That can be also added to e-mail clients using the OpenPGP standard.

All the above is already a huge game-changer. However, Knox Vault is not only limited to protecting Data-at-Rest (DAR). It can also be applied to Data in Transit. A part of the Knox SDK is the Knox VPN framework that allows third-party developers to implement it in VPN client solutions. Availability of open-source solutions (such as strongSwan) can help to implement required by Government Customers standards, i.e. IKEv2.

In summary, if you are a Partner who provides the following:

·        Communicator, including voice/video, text

·        Biometric or e-signature

·        Encrypted E-mails (OpenPGP standard)

·        Secure storage for qualified documents

·        VPN Client

You can elevate your solutions with StrongBox Keymaster and Samsung Knox to the highest possible level achievable only on mobile devices supporting Knox Vault.

For more information, visit the following links:

Whitepaper - Knox Vault

DualDAR architecture

Knox SDK overview