How does Samsung Knox Vault work

Robert Haba, Founder · Editor-in-Chief
Published January 14, 2023
Read Time: 6 Mins

Almost all Samsung Galaxy smartphones ship with Samsung Knox pre-installed, a security platform meant to protect both the device and the data on it. It goes beyond what TrustZone, the Trusted Execution Environment (TEE) Samsung previously relied on in its smartphones, provided, by combining hardware-backed security with software. On more recent Samsung flagship smartphones, Knox Vault adds a component that runs completely independently of the main processor.

Like TrustZone, Knox Vault safeguards your biometrics, cryptographic keys, and passwords. The difference lies in where that work happens: when you unlock your phone, Android asks a TrustZone applet to validate the fingerprint or password on its behalf, but TrustZone runs alongside Android on the same application processor cores. Your biometric data and passwords still cannot be stolen even if your Android installation has been compromised, yet Knox Vault goes a step further and serves as a hardened replacement for TrustZone.

TrustZone vs Knox Vault: what's the difference?

A TEE is a secure area on the SoC that manages sensitive data. Any modern smartphone has a TEE, because one is required for devices launched with Android 8 Oreo and higher. Anything outside the TEE is regarded as “untrusted” and is limited to seeing encrypted content. For instance, DRM-protected content is encrypted with keys that are accessible only to software running inside the TEE. The TEE can decrypt the content and display it to the user, while the main CPU sees only the encrypted stream. Knox Vault is another TEE.

Samsung says that Knox Vault “extends” the protection offered by TrustZone, and also describes it as a replacement for TrustZone. The company explains the difference in a blog post as follows:

The way I think of it, TrustZone was a great safe in the middle of your bank’s branch office. There are a lot of people you don’t necessarily trust walking by the safe, doing day-to-day work that doesn’t require physical access to the safe. The secure processor in Samsung Knox Vault is more like Fort Knox: a safe securely placed far away from the bank, isolated from whoever walks into the branch.

How Samsung’s Knox Vault works

Knox Vault extends the security that TrustZone already offers, and Samsung phones from the Galaxy S21 and above have it. Knox Vault can:

  • Store sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key (SAK), biometric data, and blockchain credentials.
  • Run security-critical code that authenticates users, with increasing timeouts between failed attempts, and controls access to keys depending on the outcome of that authentication
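To make the second capability concrete, here is a small added model (not Samsung's code) of a gatekeeper that throttles failed attempts with growing timeouts and releases a key only after a successful check; the back-off schedule, the PBKDF2 construction and the released key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of the "increasing timeouts between failures" behaviour the article
# attributes to the Knox Vault gatekeeper. Not Samsung's code: the back-off schedule,
# the hash construction and the released key are all assumptions for illustration.
BACKOFF_SECONDS = [0, 0, 0, 0, 0, 30, 30, 30, 30, 30, 60, 120, 240]  # assumed schedule
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; a real vault would use more


class Gatekeeper:
    """Checks a PIN against a salted hash, throttles failures, and gates a key release."""

    def __init__(self, pin: bytes):
        self.salt = os.urandom(16)
        self.stored = hashlib.pbkdf2_hmac("sha256", pin, self.salt, PBKDF2_ROUNDS)
        self.vault_key = os.urandom(32)  # assumed: released only after authentication
        self.failures = 0
        self.locked_until = 0.0  # seconds on the caller's clock

    def retry_delay(self) -> int:
        """Timeout (s) imposed after the current run of consecutive failures."""
        idx = min(self.failures, len(BACKOFF_SECONDS) - 1)
        return BACKOFF_SECONDS[idx]

    def authenticate(self, pin: bytes, now: float):
        """Return the vault key on success, None if wrong or still inside a timeout."""
        if now < self.locked_until:
            return None  # refused outright; the credential is not even examined
        candidate = hashlib.pbkdf2_hmac("sha256", pin, self.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self.stored):
            self.failures = 0
            self.locked_until = 0.0
            return self.vault_key
        self.failures += 1
        self.locked_until = now + self.retry_delay()
        return None
```

Note that a correct PIN presented while a timeout is in force is still refused, which is what makes the timeout meaningful against brute force.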

Knox Vault isn’t just software isolation; it’s physical isolation from the rest of the chipset in your smartphone. It’s an independent processor on the SoC, with storage physically separate from the rest of the SoC. Because of this physical isolation, Knox Vault is also protected from side-channel attacks that target other software running on the primary processor.

Knox Vault’s architecture

Knox Vault is made up of the following:

  • Knox Vault Subsystem: implemented as part of the SoC
  • Knox Vault Storage: an integrated circuit physically outside the SoC

How Knox Vault protects itself from attacks

If someone has physical access to your device, you should act and prepare as if it’s only a matter of time before they reach the protected data stored on it. Samsung says that with Knox Vault this need not be the case, because it is resistant to hardware attacks such as the following:

  • Physical probing to disclose data
  • Physical manipulation of the circuitry to deactivate security mechanisms
  • Forced information leakage
  • Hardware side-channel attacks such as differential power analysis to disclose data
  • Fault injection to bypass security mechanisms

In addition, the Knox Vault Processor communicates with Knox Vault Storage over a dedicated I2C (Inter-Integrated Circuit) bus. Traffic on this bus is encrypted to prevent eavesdropping and is transmitted with an authentication code, and the communications are also protected against replay attacks.
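The three properties named above (confidentiality, an authentication tag, and replay protection) combine in a simple pattern; the following is an added model of such a link, not Samsung's protocol: the frame layout, the keys and the use of an HMAC-SHA256 keystream in place of the vault's AES engine are all assumptions so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct

# Constructed model of the article's Knox Vault Processor <-> Knox Vault Storage link:
# every frame is encrypted, carries an authentication tag, and a strictly increasing
# sequence number lets the receiver reject replays. Not Samsung's protocol; frame layout
# and keys are assumptions, and an HMAC-SHA256 keystream stands in for the AES engine.

K_ENC = os.urandom(32)  # assumed shared session key for confidentiality
K_MAC = os.urandom(32)  # assumed shared session key for the authentication tag
TAG_LEN = 32


def keystream(nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: HMAC(K_ENC, nonce || block index), concatenated."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(K_ENC, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]


def seal(seq: int, payload: bytes) -> bytes:
    """Sender side, encrypt-then-MAC: frame = seq(8) || ciphertext || tag(32)."""
    header = struct.pack(">Q", seq)  # the sequence number doubles as the nonce
    ct = bytes(a ^ b for a, b in zip(payload, keystream(header, len(payload))))
    tag = hmac.new(K_MAC, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Receiver:
    """Storage side: verify the tag first, then enforce a strictly increasing sequence."""

    def __init__(self):
        self.last_seq = -1

    def open(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # truncated frame
        header, ct, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(K_MAC, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or corrupted frame; sequence state is untouched
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # replayed frame: a valid tag alone is not enough
        self.last_seq = seq
        return bytes(a ^ b for a, b in zip(ct, keystream(header, len(ct))))
```

Checking the tag before the sequence number means a forged frame can neither advance nor probe the receiver's replay state.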

Knox Vault Subsystem

The Knox Vault Subsystem is designed to operate independently of the other SoC components. The Knox Vault Processor, SRAM, and ROM form its own secure processing environment. It also improves security and data protection against a variety of hardware-based threats by monitoring the environment and hardware state with a number of security sensors or detectors, such as:

  • High and low temperature detectors
  • High and low supply voltage detectors
  • Supply voltage glitch detector
  • Laser detector

When the Knox Vault Processor starts, the ROM code is loaded into SRAM, and that ROM code then loads the Knox Vault Processor firmware with the help of modules running on the SoC’s main processor. The software stack of the Knox Vault Processor has its own secure boot chain.

The Knox Vault Subsystem also includes a dedicated random number generator and its own crypto engine. The Knox Vault Processor can access system DRAM through the External Memory Manager. The monitoring performed by the security sensors cannot be affected or bypassed by any application running on the Knox Vault Processor, and physical intrusion triggers a device lockdown sequence.

The crypto engine provides the following cryptographic functions:

  • AES encryption/decryption
  • DRBG random number generation
  • SHA hashing
  • HMAC keyed hashing for message authentication codes
  • RSA and ECC key generation and services

Knox Vault Storage

The Knox Vault Storage is a dedicated non-volatile memory device that stores sensitive data such as the following:

  • Cryptographic keys such as Blockchain keys and Device keys
  • Biometric data
  • Hashed authentication credentials

Just like the Knox Vault Processor, the storage is also safeguarded against physical and side-channel attacks. It has a secure core to do the following:

  • Execute the ROM code
  • Provide cryptographic operations for public-key algorithms (RSA, ECC) and SHA hashing, using software libraries
  • Safely store data in dedicated SRAM and ROM

Samsung phones that support Knox Vault

Certain Samsung Galaxy tablets and smartphones, including the Galaxy S21 and later models in both the S series and the Fold series, feature Knox Vault. Particularly for users who rely on their smartphones to store sensitive data or for other enterprise use, the level of security offered is intended to give full confidence in the device’s ability to hold personal data.
