Security/Tizen 3.X Key Manager Web App Encryption Support

From Tizen Wiki

Introduction

  • Need for web application protection
- A web application is a collection of HTML, JS and CSS files.
- These files are human-readable, so their source code is easily extracted.
- Encrypting these files protects the web application.
  • Tizen has supported web application protection since 2.0.

[Figure: WAE WRT SPEC.png]

Use Cases

  • Downloaded Web Application Protection
- A downloaded web app is encrypted by app-installers according to the setting in its config.xml. The encryption key is randomly generated and stored securely in the key-manager DB.
- The encrypted web app is decrypted by the runtime environment when it is loaded.
  • Preloaded Web Application Protection
- A preloaded web app is encrypted during image creation; its encryption key is randomly generated and stored temporarily in an encrypted file.
- The key is imported from the file into the key-manager DB when the device boots for the first time.
- Decryption works the same way as for a downloaded web app.

[Figure: WAE Use Cases.png]

High Level Design

Module View

[Figure: WAE Module View.png]

Process View

[Figure: WAE Process View.png]

Detailed Level Design

Downloaded Web App Installation

[Figure: WAE Interaction View Downloaded Web App Installation.png]

  1. app-installers is requested to install a web application.
  2. app-installers gets the encryption information from config.xml.
  3. app-installers requests libwebappenc to encrypt the content of the web application when encryption="enable".
    - All HTML, JS and CSS files are encrypted.
  4. libwebappenc retrieves the DEK from its cache. If it is not cached, it gets the DEK from key-manager.
  5. If key-manager has no DEK either, libwebappenc creates one and stores it in key-manager and in the cache.
    - The DEK is randomly generated.
    - The DEK cannot be accessed by any other web application.
    - The DEK of a non-global app is stored in the user's DB of key-manager; the DEK of a global app is stored in the system user's DB of key-manager.
  6. libwebappenc encrypts the content of the web application with the DEK.
  7. app-installers stores the application and its encrypted contents.

Running Downloaded Web App

[Figure: WAE Interaction View Running Downloaded Web App.png]

  1. An application requests its resources from the runtime environment, such as WRT or Crosswalk.
  2. The runtime environment gets the encryption information from config.xml.
  3. The runtime environment reads the requested content from a file.
  4. The runtime environment requests libwebappenc to decrypt the content of the web application (repeated for each requested resource) when encryption="enable".
  5. libwebappenc retrieves the DEK from its cache. If it is not cached, it gets the DEK from key-manager.
    - If key-manager has no key, libwebappenc returns an error.
  6. libwebappenc decrypts the content of the web application with the DEK.
  7. The runtime environment returns the resources to the application.

Downloaded Web App Removal

[Figure: WAE Interaction View Downloaded Web App Removal.png]

  1. app-installers is requested to remove a web application.
  2. app-installers gets the encryption information from config.xml.
  3. app-installers requests libwebappenc to remove the DEK of the application when encryption="enable".
  4. libwebappenc removes the DEK from key-manager.
    - Applications with the same package id can access the same DEK.
    - Therefore, the DEK of a removed application must also be removed, so that a malicious application with the same package id cannot steal it.
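The three downloaded-app flows above (installation, running, removal) share one piece of key-management logic: look in the cache, then in the right key-manager DB, then either create a DEK (installer) or fail (runtime), and on removal clear both stores. The following is an added example that models exactly that logic; it is not libwebappenc or key-manager code. Every name prefixed mock_, the app-type enum, the 32-byte DEK size and the numeric error values are constructed for the example (the page only names the WAE_ERROR_* codes), and the key-manager DBs are plain in-memory arrays. The cipher applied to the HTML/JS/CSS files is out of scope here; the example stops at handing out the DEK.

```c
/* Added example, not libwebappenc code: models the DEK lifecycle from the three
 * flows above. Every mock_ name, the app-type enum and all numeric values are
 * constructed for this example; only the WAE_ERROR_* names come from the API. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define WAE_ERROR_NONE               0
#define WAE_ERROR_INVALID_PARAMETER -1   /* numeric values constructed; the page only names them */
#define WAE_ERROR_NO_KEY            -3
#define WAE_ERROR_KEY_MANAGER       -4
#define WAE_ERROR_CRYPTO            -5

#define DEK_LEN     32   /* 256-bit DEK (constructed size) */
#define MAX_PKGID   64
#define MAX_ENTRIES 16

typedef enum { MOCK_APP_NON_GLOBAL, MOCK_APP_GLOBAL } mock_app_type;

typedef struct { char pkgid[MAX_PKGID]; unsigned char dek[DEK_LEN]; bool used; } mock_entry;

/* Stand-ins for the two key-manager DBs (per-user and system-user) and the cache. */
static mock_entry mock_user_db[MAX_ENTRIES], mock_system_db[MAX_ENTRIES], mock_cache[MAX_ENTRIES];

static mock_entry *mock_find(mock_entry *store, const char *pkgid) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (store[i].used && strcmp(store[i].pkgid, pkgid) == 0) return &store[i];
    return NULL;
}

static mock_entry *mock_put(mock_entry *store, const char *pkgid, const unsigned char *dek) {
    mock_entry *e = mock_find(store, pkgid);
    for (int i = 0; i < MAX_ENTRIES && !e; i++) if (!store[i].used) e = &store[i];
    if (!e) return NULL;
    snprintf(e->pkgid, MAX_PKGID, "%s", pkgid);
    memcpy(e->dek, dek, DEK_LEN);
    e->used = true;
    return e;
}

/* Installation step 5: a global app's DEK lives in the system user's DB. */
static mock_entry *mock_select_db(mock_app_type type) {
    return type == MOCK_APP_GLOBAL ? mock_system_db : mock_user_db;
}

/* The DEK comes from the OS CSPRNG; a time-seeded PRNG would make it guessable. */
static int mock_generate_dek(unsigned char out[DEK_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return WAE_ERROR_CRYPTO;
    size_t n = fread(out, 1, DEK_LEN, f);
    fclose(f);
    return n == DEK_LEN ? WAE_ERROR_NONE : WAE_ERROR_CRYPTO;
}

/* Installation steps 4-5 (create_if_missing = true) and running step 5
 * (create_if_missing = false): cache, then key-manager, then create or fail.
 * *source reports where the DEK came from: "cache", "key-manager" or "created". */
int mock_get_dek(const char *pkgid, mock_app_type type, bool create_if_missing,
                 unsigned char out[DEK_LEN], const char **source) {
    if (!pkgid || !*pkgid || strlen(pkgid) >= MAX_PKGID || !out || !source)
        return WAE_ERROR_INVALID_PARAMETER;
    mock_entry *db = mock_select_db(type), *e = mock_find(mock_cache, pkgid);
    if (e) { memcpy(out, e->dek, DEK_LEN); *source = "cache"; return WAE_ERROR_NONE; }
    if ((e = mock_find(db, pkgid)) != NULL) {
        mock_put(mock_cache, pkgid, e->dek);            /* warm the cache for later calls */
        memcpy(out, e->dek, DEK_LEN); *source = "key-manager"; return WAE_ERROR_NONE;
    }
    if (!create_if_missing) return WAE_ERROR_NO_KEY;    /* the runtime never creates keys */
    int rc = mock_generate_dek(out);
    if (rc != WAE_ERROR_NONE) return rc;
    if (!mock_put(db, pkgid, out) || !mock_put(mock_cache, pkgid, out)) return WAE_ERROR_KEY_MANAGER;
    *source = "created";
    return WAE_ERROR_NONE;
}

/* Removal step 4: the DEK leaves both the key-manager DB and the cache, so a
 * later package with the same id cannot inherit it. Entries are zeroised. */
int mock_remove_dek(const char *pkgid, mock_app_type type) {
    if (!pkgid || !*pkgid) return WAE_ERROR_INVALID_PARAMETER;
    mock_entry *e = mock_find(mock_select_db(type), pkgid);
    if (!e) return WAE_ERROR_NO_KEY;
    memset(e, 0, sizeof *e);
    if ((e = mock_find(mock_cache, pkgid)) != NULL) memset(e, 0, sizeof *e);
    return WAE_ERROR_NONE;
}

/* Simulates a process restart so the key-manager path gets exercised. */
void mock_clear_cache(void) { memset(mock_cache, 0, sizeof mock_cache); }

int mock_db_count(mock_app_type type) {
    int n = 0; mock_entry *db = mock_select_db(type);
    for (int i = 0; i < MAX_ENTRIES; i++) n += db[i].used;
    return n;
}

int main(void) {
    unsigned char dek[DEK_LEN]; const char *src = "";
    int rc = mock_get_dek("org.example.notes", MOCK_APP_NON_GLOBAL, false, dek, &src);
    printf("run before install: rc=%d (no key)\n", rc);
    rc = mock_get_dek("org.example.notes", MOCK_APP_NON_GLOBAL, true, dek, &src);
    printf("install: rc=%d source=%s\n", rc, src);
    mock_clear_cache();
    rc = mock_get_dek("org.example.notes", MOCK_APP_NON_GLOBAL, false, dek, &src);
    printf("run after restart: rc=%d source=%s\n", rc, src);
    rc = mock_remove_dek("org.example.notes", MOCK_APP_NON_GLOBAL);
    printf("remove: rc=%d\n", rc);
    return 0;
}
```

The two design points worth checking in such code are that the runtime path (create_if_missing = false) can only ever return an existing DEK or WAE_ERROR_NO_KEY, never mint one, and that removal clears the cache as well as the DB; a cache-only miss would otherwise let a stale DEK survive a reinstall under the same package id.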

Preloaded Web App Installation

[Figure: WAE Interaction View Preloaded Web App Installation.png]

The installation of a preloaded web app is done on a build machine during binary creation.

  1. app-installers is requested to install a web application.
  2. app-installers gets the encryption information from config.xml.
  3. app-installers requests libwebappenc to encrypt the content of the web application when encryption="enable".
  4. libwebappenc retrieves the DEK from its cache. If there is no DEK in the cache, it creates one and stores it in the cache and in an encrypted file.
    - IPC is not available in the build machine environment, so the newly created DEK cannot be stored in the key-manager DB.
    - The newly created DEK is stored in a file encrypted with the public key of the KEK.
    - The KEK is used to protect the DEKs of preloaded web applications.
  5. libwebappenc encrypts the content of the web application with the DEK.
  6. app-installers stores the application and its encrypted contents.

DEK Loading at boot time

[Figure: WAE Interaction View DEK loading at boot time.png]

  1. systemd invokes wae_initializer at boot time.
  2. wae_initializer reads all encrypted DEK files.
  3. wae_initializer decrypts all encrypted DEK files and extracts the package IDs from their file names.
    - Decryption is done with the private key of the KEK.
    - The private key of the KEK is imported into key-manager from an encrypted file at the first startup of key-manager.
  4. wae_initializer stores the DEKs securely in key-manager.
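The preloaded path has two halves: on the build machine the DEK is wrapped under the KEK and written to a file whose name carries the package id, and at first boot wae_initializer unwraps each file and imports the DEK into key-manager. The following added example models both halves and the checks the boot-time importer needs (file-name validation, rejection of truncated files, idempotent re-runs, zeroising the plaintext DEK). It is not wae_initializer or libwebappenc code: the "<pkgid>.adek" naming rule is an assumption (the page does not give the format), the mock_ names and in-memory key-manager stand-in are constructed, and the XOR wrap/unwrap is only a placeholder that lets the file handling run offline; the real design wraps with the KEK public key and unwraps with the KEK private key held in key-manager.

```c
/* Added example, not wae_initializer or libwebappenc code: models build-time
 * wrapping of a preloaded DEK and its import at first boot. The "<pkgid>.adek"
 * naming rule, the mock_ names, the in-memory key-manager stand-in and the XOR
 * wrap/unwrap are constructed; the real design uses the KEK key pair. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

#define DEK_LEN     32
#define MAX_PKGID   64
#define MAX_IMPORT  8
#define ADEK_SUFFIX ".adek"   /* constructed naming rule: "<pkgid>.adek" */

/* One file as the initializer would read it from the preloaded image. */
typedef struct { const char *name; const unsigned char *data; size_t len; } mock_dek_file;

/* Imported DEKs: stand-in for the key-manager system DB. */
typedef struct { char pkgid[MAX_PKGID]; unsigned char dek[DEK_LEN]; } mock_km_entry;
static mock_km_entry mock_km[MAX_IMPORT];
static int mock_km_count;

/* Constructed 32-byte KEK; stands in for the KEK key pair. */
static const unsigned char mock_kek[DEK_LEN] = {
    0x9f,0x1c,0x63,0xa8,0x57,0xe2,0x0b,0x74,0xc1,0x38,0xde,0x05,0x4a,0xb7,0x2e,0x91,
    0x6d,0xf0,0x27,0x8c,0x45,0xba,0x13,0xe6,0x0a,0x79,0xc4,0x3f,0xd8,0x52,0xa1,0x66 };

/* Build-machine side (preloaded installation step 4): DEK -> wrapped file content. */
void mock_wrap_dek(const unsigned char dek[DEK_LEN], unsigned char out[DEK_LEN]) {
    for (int i = 0; i < DEK_LEN; i++) out[i] = dek[i] ^ mock_kek[i];
}

/* Boot side (step 3): reject anything but a full-length wrapped DEK. */
static int mock_unwrap_dek(const unsigned char *in, size_t len, unsigned char out[DEK_LEN]) {
    if (!in || len != DEK_LEN) return -1;
    for (int i = 0; i < DEK_LEN; i++) out[i] = in[i] ^ mock_kek[i];
    return 0;
}

/* Step 3: package id from "<pkgid>.adek". Only [A-Za-z0-9._-] ids that do not
 * start with '.' are accepted, so a stray or relative name never becomes an alias. */
bool mock_pkgid_from_filename(const char *name, char out[MAX_PKGID]) {
    size_t n = strlen(name), s = strlen(ADEK_SUFFIX);
    if (n <= s || n - s >= MAX_PKGID || strcmp(name + n - s, ADEK_SUFFIX) != 0) return false;
    if (name[0] == '.') return false;
    for (size_t i = 0; i < n - s; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return false;
    }
    memcpy(out, name, n - s);
    out[n - s] = '\0';
    return true;
}

const unsigned char *mock_km_lookup(const char *pkgid) {
    for (int i = 0; i < mock_km_count; i++)
        if (strcmp(mock_km[i].pkgid, pkgid) == 0) return mock_km[i].dek;
    return NULL;
}

/* Steps 2-4: read every DEK file, unwrap it, import it. Returns how many DEKs were
 * imported; non-DEK names, malformed files and already-imported ids are skipped. */
int mock_import_preloaded_deks(const mock_dek_file *files, size_t nfiles) {
    int imported = 0;
    for (size_t i = 0; i < nfiles && mock_km_count < MAX_IMPORT; i++) {
        char pkgid[MAX_PKGID]; unsigned char dek[DEK_LEN];
        if (!mock_pkgid_from_filename(files[i].name, pkgid)) {
            fprintf(stderr, "skip %s: not a DEK file name\n", files[i].name); continue;
        }
        if (mock_km_lookup(pkgid)) continue;            /* already imported: re-runs are idempotent */
        if (mock_unwrap_dek(files[i].data, files[i].len, dek) != 0) {
            fprintf(stderr, "skip %s: unwrap failed\n", files[i].name); continue;
        }
        snprintf(mock_km[mock_km_count].pkgid, MAX_PKGID, "%s", pkgid);
        memcpy(mock_km[mock_km_count].dek, dek, DEK_LEN);
        mock_km_count++; imported++;
        memset(dek, 0, DEK_LEN);                        /* plaintext DEK must not outlive the import */
    }
    return imported;
}

/* Constructed sample image: two good DEK files, one truncated, one with a bad
 * name, one unrelated file and one duplicate. Returns the import count. */
int mock_demo_import(void) {
    static unsigned char notes[DEK_LEN], launcher[DEK_LEN], w_notes[DEK_LEN], w_launcher[DEK_LEN];
    for (int i = 0; i < DEK_LEN; i++) { notes[i] = (unsigned char)(i + 1); launcher[i] = (unsigned char)(0xa0 + i); }
    mock_wrap_dek(notes, w_notes);
    mock_wrap_dek(launcher, w_launcher);
    const mock_dek_file image[] = {
        { "org.example.notes.adek",    w_notes,    DEK_LEN },
        { "org.example.launcher.adek", w_launcher, DEK_LEN },
        { "org.example.broken.adek",   w_launcher, DEK_LEN - 5 },   /* truncated file */
        { "../outside.adek",           w_notes,    DEK_LEN },       /* rejected name */
        { "README",                    NULL,       0 },
        { "org.example.notes.adek",    w_notes,    DEK_LEN },       /* duplicate */
    };
    return mock_import_preloaded_deks(image, sizeof image / sizeof image[0]);
}

int main(void) {
    printf("first boot imported %d DEKs\n", mock_demo_import());
    printf("second boot imported %d DEKs\n", mock_demo_import());
    return 0;
}
```

Run stand-alone, the first import returns 2 and the second 0, which is the property a first-boot importer needs: rebooting, or a crash halfway through, must not duplicate or overwrite DEKs already in key-manager. The file-name check matters because the name becomes the key-manager alias that the runtime later looks up by package id.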

Running Preloaded Web App

Running a preloaded web app is exactly the same as running a downloaded web app.

APIs

/**
 * @brief Encrypts web application data with the internal key (APP DEK: Application Data Encryption Key).
 *
 * @since_tizen 3.0
 * @param[in] pPkgId   The package id of an application.
 * @param[in] appType  The application type.
 * @param[in] pData    The data block to be encrypted.
 * @param[in] dataLen  The length of the data block.
 * @param[out] ppEncryptedData The data block containing the encrypted data. Memory is allocated for ppEncryptedData and has to be freed with free().
 * @param[out] pEncDataLen The length of the encrypted data block.
 *
 * @return #WAE_ERROR_NONE on success, otherwise a negative error value
 * @retval #WAE_ERROR_INVALID_PARAMETER   Invalid input parameter
 * @retval #WAE_ERROR_PERMISSION_DENIED   Non-authenticated application request
 * @retval #WAE_ERROR_NO_KEY              No internal key
 * @retval #WAE_ERROR_KEY_MANAGER         key-manager internal error
 * @retval #WAE_ERROR_CRYPTO              Failed in crypto operation
 * @retval #WAE_ERROR_UNKNOWN             Failed with unknown reason
 *
 * @see wae_decrypt_web_application()
 */
int wae_encrypt_web_application(const char* pPkgId, wae_app_type_e appType, const unsigned char* pData, size_t dataLen, unsigned char** ppEncryptedData, size_t* pEncDataLen);

/**
 * @brief Decrypts web application data with the internal key.
 *
 * @since_tizen 3.0
 * @param[in] pPkgId   The package id of an application.
 * @param[in] appType  The application type.
 * @param[in] pData    The data block to be decrypted.
 * @param[in] dataLen  The length of the data block.
 * @param[out] ppDecryptedData The data block containing the decrypted data. Memory is allocated for ppDecryptedData and has to be freed with free().
 * @param[out] pDecDataLen The length of the decrypted data block.
 *
 * @return #WAE_ERROR_NONE on success, otherwise a negative error value
 * @retval #WAE_ERROR_INVALID_PARAMETER   Invalid input parameter
 * @retval #WAE_ERROR_PERMISSION_DENIED   Non-authenticated application request
 * @retval #WAE_ERROR_NO_KEY              No internal key
 * @retval #WAE_ERROR_KEY_MANAGER         key-manager internal error
 * @retval #WAE_ERROR_CRYPTO              Failed in crypto operation
 * @retval #WAE_ERROR_UNKNOWN             Failed with unknown reason
 *
 * @see wae_encrypt_web_application()
 */
int wae_decrypt_web_application(const char* pPkgId, wae_app_type_e appType, const unsigned char* pData, size_t dataLen, unsigned char** ppDecryptedData, size_t* pDecDataLen);