New Minimum Key Protection Config Flag in MC Config

The new configuration flag 'minimumKeyProtection' impacts the behavior of the MasterController (MC) when maverick.mKex and/or maverick.useSEKeyForSigningTransactions are set to true.
If neither of these flags is set to true, the new flag has no effect.

Key Protection Levels

The following table outlines the available key protection levels and their descriptions:

Key Protection Level | Description
ENFORCE_STRONG_HARDWARE | MC will only run if the device can create keys in a Secure Element (SE) and successfully attest them.
ENFORCE_HARDWARE | MC will only run if the device can create keys in any hardware-backed store and successfully attest them.
ALLOW_VIRTUAL_SMART_CARD | MC will also work on devices without a hardware-backed keystore, while using the strongest keystore available (e.g., StrongBox).

Fallback for Devices Without a Hardware-Backed Keystore

To allow devices without a hardware-backed keystore when maverick.mKex or maverick.useSEKeyForSigningTransactions is true, set the minimumKeyProtection value to ALLOW_VIRTUAL_SMART_CARD.

  • ALLOW_VIRTUAL_SMART_CARD: This level attempts to use the strongest available keystore (e.g., StrongBox) on the device while also supporting devices without a hardware-backed store.
  • The SetAuthorisationCodeResultEvent provides mkex_key_protection and tms_key_protection parameters, indicating the key protection levels used during the SetAuthorisationCodeEvent flow.

With the introduction of the new flag, the MC enforces restrictions on changing the following flags:

  • minimumKeyProtection
  • maverick.useSEKeyForSigningTransactions
  • maverick.mKex

Restrictions:

  • Changes to these flags are not allowed while there is at least one activated user; they are permitted only when there are no activated users.
    For example, if a user was activated but later deleted, the MC allows changes to the flag values.
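
The level table and the change restrictions above can be checked against a device inventory before a level is rolled out. The following is an added example that models the documented rules in Python; it is not MC code, and the Device and McConfig records, their field names and the sample fleet are assumptions made for the illustration.

```python
from dataclasses import dataclass

LEVELS = ("ENFORCE_STRONG_HARDWARE", "ENFORCE_HARDWARE", "ALLOW_VIRTUAL_SMART_CARD")

@dataclass(frozen=True)
class Device:
    """Hypothetical inventory record of what a device's keystore can do."""
    secure_element: bool   # can create keys in a Secure Element
    hardware_backed: bool  # can create keys in any hardware-backed store
    attests: bool          # attestation of the created keys succeeds

@dataclass(frozen=True)
class McConfig:
    """The three flags from this page (field names are this example's own)."""
    mkex: bool                    # maverick.mKex
    use_se_key_for_signing: bool  # maverick.useSEKeyForSigningTransactions
    minimum_key_protection: str   # minimumKeyProtection

def admitted(cfg: McConfig, dev: Device) -> bool:
    """True if the documented minimumKeyProtection rule lets the MC run on dev."""
    if cfg.minimum_key_protection not in LEVELS:
        raise ValueError(f"unknown level: {cfg.minimum_key_protection!r}")
    if not (cfg.mkex or cfg.use_se_key_for_signing):
        return True  # the flag has no effect unless one of the two is true
    if cfg.minimum_key_protection == "ENFORCE_STRONG_HARDWARE":
        return dev.secure_element and dev.attests
    if cfg.minimum_key_protection == "ENFORCE_HARDWARE":
        return (dev.secure_element or dev.hardware_backed) and dev.attests
    return True  # ALLOW_VIRTUAL_SMART_CARD also covers devices without hardware

def excluded(cfg: McConfig, fleet: dict) -> list:
    """Names of fleet devices on which the MC would refuse to run."""
    return [name for name, dev in fleet.items() if not admitted(cfg, dev)]

def change_allowed(old: McConfig, new: McConfig, activated_users: int) -> bool:
    """The three flags may change only while no user is activated."""
    return old == new or activated_users == 0

# Constructed sample fleet, not real devices.
FLEET = {
    "se-phone": Device(secure_element=True, hardware_backed=True, attests=True),
    "hw-phone": Device(secure_element=False, hardware_backed=True, attests=True),
    "legacy": Device(secure_element=False, hardware_backed=False, attests=False),
}

if __name__ == "__main__":
    for level in LEVELS:
        print(level, "excludes", excluded(McConfig(True, False, level), FLEET))
```

Running excluded() for each level shows which devices a stricter setting would lock out, which matters because the level cannot be relaxed later while any user is activated.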

Backend Configuration

To use this new feature, you need to set the following in your backend's AST-CA service:

publicKeyProvider.attestation.mode = ENFORCE