Introduction to Universal Keystore Kit
Note:
Currently in the beta phase.
Universal Keystore Kit (Key Management Service, hereinafter referred to as HUKS) provides applications and other business modules with unified, secure key operations: key management (key generation and destruction, key import, key attestation, key agreement, key derivation) and key usage (encryption/decryption, signing/verification, access control).
Keys managed by HUKS are either imported by the application or generated by calling HUKS interfaces. In addition, HUKS enforces key access control so that keys it stores are used only by legitimate callers and only in the intended way.
Overall Architecture
As shown in the diagram, the HUKS module can be divided into the following three major components:
- SDK: Provides key management interfaces for developers to call.
- HUKS Service Layer: Implements key session management and storage management.
- HUKS Core Layer: Hosts the core functionalities of HUKS, including cryptographic operations on keys, encryption/decryption of plaintext keys, key access control, etc.
Note:
For systems or devices that have a secure environment (e.g., a TEE or a secure chip), the HUKS Core Layer must run inside that environment. Because the secure environment depends on hardware support, the open-source repository provides only a simulated implementation of the Core Layer; OEM vendors must adapt it to their own secure hardware.

Core Features
HUKS provides developers with full lifecycle key management capabilities. Its core functionalities are categorized by the key lifecycle as follows:
Key Generation
| Feature | Description |
|---|---|
| Key Generation | Generates keys from a random source. Throughout the key's lifecycle, the plaintext key is accessed only inside the secure environment and is never transmitted outside it. |
| Key Import | Businesses can import externally generated keys into HUKS for management. |
Key Usage
| Feature | Description |
|---|---|
| Encryption/Decryption | Uses keys to encrypt data into ciphertext unintelligible to attackers or decrypt data into plaintext usable by businesses. |
| Signing/Verification | Signs a message so that a verifier can check both the integrity of its content and the identity of the signer. |
| Key Agreement | Enables two or more entities to jointly establish a session key through negotiation. |
| Key Derivation | Derives one or more new keys from an existing key. |
Key Deletion
| Feature | Description |
|---|---|
| Key Deletion | Securely deletes key data stored in HUKS. |
Key Attestation
| Feature | Description |
|---|---|
| Key Attestation | Issues certificates for the public keys in asymmetric key pairs stored in HUKS to prove the legitimacy of the keys (e.g., keys generated in a secure environment). |
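The tables above describe the key lifecycle feature by feature. The following ArkTS code is an added example, not part of the HUKS documentation or the OpenHarmony project, that walks one AES-256-GCM key through that lifecycle: generation, encryption and decryption through a HUKS session, and deletion. It assumes the promise-based interfaces of the `@ohos.security.huks` module as documented from API version 9 (`generateKeyItem`, `initSession`, `finishSession`, `deleteKeyItem`, `isKeyItemExist`) and the GCM convention of the HUKS samples, where the 16-byte authentication tag is appended to the encryption output and passed back via `HUKS_TAG_AE_TAG` on decryption. The key alias, plaintext, associated data and nonce are constructed for the demo. It runs only inside an OpenHarmony application on a device or emulator, because the key material lives in the HUKS Core Layer and is never returned to the caller.

```arkts
// Added example, not part of the HUKS documentation: one pass through the key
// lifecycle (generate -> encrypt/decrypt -> delete) with the @ohos.security.huks API.
import huks from '@ohos.security.huks';

// Assumed alias and constructed sample inputs (not taken from the documentation).
const KEY_ALIAS: string = 'demo_aes256_gcm';
const PLAINTEXT: Uint8Array = new Uint8Array([0x48, 0x55, 0x4b, 0x53, 0x20, 0x64, 0x65, 0x6d, 0x6f]); // "HUKS demo"
const AAD: Uint8Array = new Uint8Array([0x76, 0x31]); // constructed associated data "v1"
const GCM_TAG_LEN: number = 16;

// Key generation: algorithm, size and permitted purposes are fixed at creation time.
// The key bytes are produced and stored by the HUKS Core Layer; the caller only ever sees the alias.
function generateProperties(): Array<huks.HuksParam> {
  return [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
    { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_256 },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE,
      value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_GCM },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_NONE }
  ];
}

// Key usage: a session is opened for one purpose. Access control in the Core Layer
// rejects any purpose the key was not generated with (e.g. SIGN on this AES key).
function cipherProperties(purpose: huks.HuksKeyPurpose, nonce: Uint8Array, aeTag?: Uint8Array): Array<huks.HuksParam> {
  const props: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: purpose },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_GCM },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_NONE },
    { tag: huks.HuksTag.HUKS_TAG_NONCE, value: nonce },
    { tag: huks.HuksTag.HUKS_TAG_ASSOCIATED_DATA, value: AAD }
  ];
  if (aeTag !== undefined) {
    // Decryption must present the authentication tag that encryption produced.
    props.push({ tag: huks.HuksTag.HUKS_TAG_AE_TAG, value: aeTag });
  }
  return props;
}

// Single-shot HUKS session: initSession opens it, finishSession feeds the data and closes it.
async function runSession(properties: Array<huks.HuksParam>, input: Uint8Array): Promise<Uint8Array> {
  const session: huks.HuksSessionHandle = await huks.initSession(KEY_ALIAS, { properties: properties });
  const result: huks.HuksReturnResult = await huks.finishSession(session.handle, { properties: properties, inData: input });
  return result.outData !== undefined ? result.outData : new Uint8Array(0);
}

// Returns true when the encrypt/decrypt round trip matches and the key is gone afterwards.
export async function keyLifecycleDemo(): Promise<boolean> {
  // 1. Generate: the Core Layer creates and stores the key under the alias.
  await huks.generateKeyItem(KEY_ALIAS, { properties: generateProperties() });

  // 2. Encrypt. Every encryption under the same key needs a fresh nonce;
  //    this constructed one is used exactly once in the demo.
  const nonce: Uint8Array = new Uint8Array([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]);
  const encOut: Uint8Array = await runSession(cipherProperties(huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT, nonce), PLAINTEXT);
  // HUKS appends the 16-byte GCM tag to the ciphertext; split it off for the decrypt call.
  const ciphertext: Uint8Array = encOut.slice(0, encOut.length - GCM_TAG_LEN);
  const aeTag: Uint8Array = encOut.slice(encOut.length - GCM_TAG_LEN);

  // 3. Decrypt and compare. A modified ciphertext, tag or AAD makes finishSession fail.
  const decrypted: Uint8Array = await runSession(cipherProperties(huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT, nonce, aeTag), ciphertext);
  const roundTripOk: boolean = decrypted.length === PLAINTEXT.length &&
    decrypted.every((b: number, i: number) => b === PLAINTEXT[i]);

  // 4. Delete, then confirm the alias no longer resolves.
  await huks.deleteKeyItem(KEY_ALIAS, { properties: [] });
  const stillExists: boolean = await huks.isKeyItemExist(KEY_ALIAS, { properties: [] });

  return roundTripOk && !stillExists;
}
```

Two points worth noticing when reading the code against the architecture section: the application never receives key bytes at any step, only an alias and a session handle, which is what keeps the plaintext key inside the Core Layer; and the purpose, block mode and padding are checked by the Core Layer on every session against the properties the key was generated with, so a caller holding the alias cannot repurpose the key. Interface names and enum members should be checked against the `@ohos.security.huks` reference for the API version actually targeted, since later versions rename some of them.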