Post on 25-Oct-2021
Joachim Gärtner, gematik | Android Development E-Rezept, joachim.gaertner@gematik.de (fnordlicht)
Martin Fiebig, gematik | iOS Development E-Rezept, martin.fiebig@gematik.de (mrtnfbg, mfiebig)
Secure App Development
Biometric Authentication in Mobile Apps: Show your face!
Conference: Secure App Development | 17.09.2021
Agenda
• Motivation
• How
• Unlock App
• Secure Accounts
Motivation
• eGK-based authentication is complicated
• Goals:
  • Improve UX
  • Keep highest level of security
Biometrics on iOS: What is the Secure Enclave?
• Separate processor with inaccessible storage
• Stores biometric data and processes FaceID/TouchID sensor input
• Runs cryptographic operations with private keys
• Creates key pairs where the private key cannot be exported
• Good in-depth documentation from Apple [1]
[1]: https://support.apple.com/de-de/guide/security/sec59b0b31ff/web
Figure: Overview Secure Enclave (Source: [1])
Can I use it on iOS?
• iOS
  • >= iPhone 5s
  • >= iPad Air
• macOS
  • Touchbar/TouchID Sensor (T1/T2/M1)
• But:
  • Managed device profiles may forbid biometrics
  • Biometrics may not be set up
Biometrics on Android
• The AndroidKeystore API abstracts access to keystore functions
Source: https://movi.fokus.fraunhofer.de/androidSecurityFeatures/
Can I use it? On Android, it depends…
• 19,239 devices listed in Google Play (14.09.2021) [1]
• 39 (sic!) devices support StrongBox (android.hardware.strongbox_keystore)
• So quite likely: No 😔
• But we implemented it nevertheless 😎
[1]: https://play.google.com/console/about/devicecatalog/
Simple Authentication
[Flowchart: Start, Available?, Evaluate?, with Yes / No branches]
• Select best available option
• Set it
• This can potentially also be a non-biometric option like Password, Pattern or PIN
Alternative Authentication
Example: E-Rezept IDP – simplified login flow
[Sequence diagram. Participants: App, Identity Provider, eGK. Messages: Login, getChallenge, challenge, signChallenge, signedChallenge, Verify, Token]
Alternative Authentication
Example: E-Rezept IDP – simplified login flow
[Sequence diagram. Participants: App, Identity Provider, eGK, Secure Enclave/StrongBox (FaceID, TouchID). Messages: Login, getChallenge, challenge, signChallenge, signedChallenge, Verify, Token]
Using a biometric secured key pair
1. Create key pair
2. Register key pair
3. Use the key pair
Create biometric key pair (iOS)
PrivateKeyContainer.swift#L117
1. SecAccessControlCreateWithFlags
2. attributes
3. SecKeyCreateRandomKey
Set Access Control
func SecAccessControlCreateWithFlags(_ allocator: CFAllocator?, _ protection: CFTypeRef, _ flags: SecAccessControlCreateFlags, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> SecAccessControl?
https://developer.apple.com/documentation/security/1394452-secaccesscontrolcreatewithflags/
Set Access Control protection
Values you use with the kSecAttrAccessible attribute key, listed from most to least restrictive.
let kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: CFString
The data in the keychain can only be accessed when the device is unlocked. Only available if a passcode is set on the device.
let kSecAttrAccessibleWhenUnlockedThisDeviceOnly: CFString
The data in the keychain item can be accessed only while the device is unlocked by the user.
let kSecAttrAccessibleWhenUnlocked: CFString
The data in the keychain item can be accessed only while the device is unlocked by the user.
let kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: CFString
The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user.
let kSecAttrAccessibleAfterFirstUnlock: CFString
The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user.
Source: https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100
Set Access Control flags
static var devicePasscode: SecAccessControlCreateFlags
Constraint to access an item with a passcode.
static var biometryAny: SecAccessControlCreateFlags
Constraint to access an item with Touch ID for any enrolled fingers, or Face ID.
static var biometryCurrentSet: SecAccessControlCreateFlags
Constraint to access an item with Touch ID for currently enrolled fingers, or from Face ID with the currently enrolled user.
static var userPresence: SecAccessControlCreateFlags
Constraint to access an item with either biometry or passcode.
static var watch: SecAccessControlCreateFlags
Constraint to access an item with a watch. (⚠ macOS only)
Source: https://developer.apple.com/documentation/security/secaccesscontrolcreateflags
Set attributes
let kSecAttrKeyType: CFString
A key whose value indicates the item's algorithm.
let kSecAttrKeySizeInBits: CFString
A key whose value indicates the number of bits in a cryptographic key.
let kSecPrivateKeyAttrs: CFString
A key whose value is a dictionary of cryptographic key attributes specific to a private key.
let kSecPublicKeyAttrs: CFString
A key whose value is a dictionary of cryptographic key attributes specific to a public key.
let kSecAttrTokenID: CFString
A key whose value indicates that a cryptographic key is in an external store.
...
Source: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/key_generation_attributes
Generate key pair
func SecKeyCreateRandomKey(_ parameters: CFDictionary, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> SecKey?
https://developer.apple.com/documentation/security/1823694-seckeycreaterandomkey/
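The three steps above wired together, as an added example (not the code from PrivateKeyContainer.swift). The `tag` parameter, the error type and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` with `.biometryCurrentSet` are assumptions; `.privateKeyUsage` is a further Security framework flag, not listed on the slides, that allows the Secure Enclave key to be used for signing.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum BiometricKeyError: Error {
    case noPublicKey
}

/// Creates a Secure Enclave key pair and returns the public key.
/// `tag` is an assumed application tag used to look the key up later.
func createBiometricKeyPair(tag: String) throws -> SecKey {
    var error: Unmanaged<CFError>?

    // 1. Access control: strictest protection class, bound to this device,
    //    usable only after a match against the currently enrolled biometry.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }

    // 2. Attributes: the Secure Enclave only holds 256-bit NIST P-256 keys.
    let privateKeyAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecAttrAccessControl as String: access,
    ]
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: privateKeyAttrs,
    ]

    // 3. Generate; the returned SecKey is only a reference to the private key.
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    // The public key is what gets registered with the identity provider.
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw BiometricKeyError.noPublicKey
    }
    return publicKey
}
```

With `.biometryCurrentSet` the key stops working when fingers are added or removed or Face ID is re-enrolled, whereas `.biometryAny` would keep it usable across enrollment changes.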
Create biometric key pair (Android)
AuthenticationUseCaseProduction.kt#L218
1. Get instance of KeyPairGenerator
2. Create KeyGenParameterSpec
3. Generate key pair
KeyPairGenerator
• Get instance of KeyPairGenerator
• Specify algorithm to use [1]
• Specify name for the provider
[1] Java™ Cryptography Architecture Standard Algorithm Name Documentation
KeyGenParameterSpec
• Specify a keyStoreAlias and a purpose: ENCRYPT, DECRYPT, SIGN, VERIFY or WRAP_KEY
• Configure the key to be invalidated on new biometric enrollment and to be valid only after authentication
• Request usage of StrongBox
• Specify the elliptic curve to use
Generate key pair
• Wire everything up and generate key pair
• Return the public key
Register the key pair
Example: E-Rezept IDP – simplified flow
[Sequence diagram. Participants: App, Identity Provider, eGK. Messages: Login, getChallenge, challenge, signChallenge, signedChallenge, Verify, Token, registerPublicKey, registrationData]
Alternative Authentication
Example: E-Rezept IDP – simplified flow
[Sequence diagram. Participants: App, Identity Provider, eGK, Secure Enclave/StrongBox (FaceID, TouchID). Messages: Login, getChallenge, challenge, signChallenge, signedChallenge, Verify, Token]
Use biometric secured key pair (Android)
• Load keystore and retrieve key by alias name
• BouncyCastle needs a workaround here [1]
IdpUseCase.kt#L177
[1] AndroidKeyStoreBCWorkaroundProvider.java
Use biometric secured key pair (iOS)
PrivateKeyContainer.swift#L58
func SecItemCopyMatching(_ query: CFDictionary, _ result: UnsafeMutablePointer<CFTypeRef?>?) -> OSStatus
Source: https://developer.apple.com/documentation/security/1398306-secitemcopymatching/
Retrieve the private key reference
PrivateKeyContainer.swift#L222
func SecKeyCreateSignature(_ key: SecKey, _ algorithm: SecKeyAlgorithm, _ dataToSign: CFData, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> CFData?
Source: https://developer.apple.com/documentation/security/1643916-seckeycreatesignature/
Use the private key to sign the challenge
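Retrieving the key reference and signing the challenge in one function, as an added example (not the code from PrivateKeyContainer.swift). The `tag` parameter, the error type and the signature algorithm are assumptions; the format the identity provider actually expects is not given on the slides.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum SignChallengeError: Error {
    case keyNotFound(OSStatus)
    case algorithmUnsupported
}

/// Signs the identity provider's challenge with the stored key.
/// `tag` is the assumed application tag the key was created with.
func signChallenge(_ challenge: Data, tag: String) throws -> Data {
    // Retrieve a reference to the private key; the key material itself
    // never leaves the Secure Enclave.
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw SignChallengeError.keyNotFound(status)
    }
    let privateKey = found as! SecKey  // kSecReturnRef on a key item yields a SecKey

    // ECDSA over SHA-256 of the message (assumed algorithm).
    let algorithm = SecKeyAlgorithm.ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw SignChallengeError.algorithmUnsupported
    }

    // This call triggers the FaceID/TouchID prompt. It fails if the user
    // cancels or the key's access control can no longer be satisfied.
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        privateKey, algorithm, challenge as CFData, &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }
    return signature as Data
}
```

A caller should treat a signing failure as "biometric login unavailable" and fall back to the eGK login, creating and registering a new key pair if the old one is no longer usable.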
Biometrics within E-Rezept
Source: gematik/E-Rezept-App-iOS, gematik/E-Rezept-App-Android
Thank you!