Samsung Knox comes pre-installed on pretty much every Samsung Galaxy smartphone, and it exists as a security solution for device owners to ensure that both their smartphones and their data are safe. It makes use of both hardware-backed security and software, extending upon what TrustZone, a Trusted Execution Environment (TEE) that Samsung implements on its smartphones, previously offered. Knox Vault operates entirely separately from the primary processor on an Android smartphone, and it's available on newer Samsung flagship smartphones.

Knox Vault, like TrustZone, protects your passwords, biometrics, and cryptographic keys. The difference is that TrustZone runs a separate operating system concurrently with Android but still on the primary application processor, and when you unlock your phone, Android requests a TrustZone applet to verify the fingerprint or password on your behalf. It's designed so that even if your Android installation is compromised, your biometrics and passwords can't be exfiltrated. Knox Vault takes things a step further and acts as a souped-up replacement for TrustZone.

TrustZone versus Knox Vault, what's the difference?

A TEE is a secure region on the SoC that is used for handling critical data. TEE is mandatory on devices launched with Android 8 Oreo and higher, meaning that any recent smartphone has it. Anything not within the TEE is considered "untrusted" and can only see encrypted content. For example, DRM-protected content is encrypted with keys that can only be accessed by software running on the TEE. The main processor can only see a stream of encrypted content, whereas the content can be decrypted by the TEE and then displayed to the user. Knox Vault is also a TEE.

In the case of Knox Vault, Samsung says that it "extends" upon the protection offered by TrustZone. Knox Vault is a replacement for TrustZone according to Samsung, and the company describes the difference in the following way in a blog post:

“The way I think of it, TrustZone was a great safe in the middle of your bank’s branch office. There are a lot of people you don’t necessarily trust walking by the safe, doing day-to-day work that doesn’t require physical access to the safe. The secure processor in Samsung Knox Vault is more like Fort Knox: a safe securely placed far away from the bank, isolated from whoever walks into the branch.”

How Samsung's Knox Vault works

Knox Vault extends the security that TrustZone already offers, and Samsung phones from the Galaxy S21 and above have it. Knox Vault can:

  • Store sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key (SAK), biometric data, and blockchain credentials.
  • Run security-critical code that authenticates users with increasing timeouts between failures and controls access to keys depending on authentication.
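
The second capability, modeled as an added example (not Samsung's code): a key is released only after the credential verifies, and consecutive failures impose growing delays. The class name, the delay schedule and the sample credential are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed schedule for illustration; the page does not give Samsung's values.
FREE_ATTEMPTS = 4        # failures tolerated before any delay applies
BASE_DELAY_S = 30        # delay after the first throttled failure
MAX_DELAY_S = 24 * 3600  # cap on the delay

def lockout_seconds(failures: int) -> int:
    """Delay imposed after `failures` consecutive failed attempts."""
    if failures <= FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY_S)

class ThrottledKeyStore:
    """Hypothetical model: releases a key only after the credential verifies."""

    def __init__(self, credential: bytes, salt: bytes, key: bytes):
        self._salt = salt
        # Only a salted hash of the credential is stored, never the credential.
        self._verifier = hashlib.pbkdf2_hmac("sha256", credential, salt, 10_000)
        self._key = key
        self.failures = 0
        self.locked_until = 0  # seconds on the caller-supplied clock

    def unlock(self, credential: bytes, now: int):
        if now < self.locked_until:
            return ("locked", self.locked_until - now)
        # Charge the attempt before comparing, so interrupting the check
        # (for example by cutting power) cannot yield a free guess.
        self.failures += 1
        self.locked_until = now + lockout_seconds(self.failures)
        guess = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 10_000)
        if hmac.compare_digest(guess, self._verifier):
            self.failures, self.locked_until = 0, 0
            return ("ok", self._key)
        return ("denied", lockout_seconds(self.failures))

def demo():
    # Constructed credential, salt and key for the walkthrough.
    store = ThrottledKeyStore(b"2580", b"constructed-salt", b"K" * 32)
    out = [store.unlock(b"0000", now=0) for _ in range(5)]  # five wrong guesses
    out.append(store.unlock(b"2580", now=10))  # correct, but inside lockout
    out.append(store.unlock(b"2580", now=30))  # correct, lockout expired
    return out
```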

Knox Vault isn't just software isolation; it's physical isolation from the chipset on your smartphone. It's an independent processor on the SoC with storage physically separate from the rest of the SoC. Because of this physical isolation, Knox Vault is even protected from side-channel attacks that target other software running on the primary processor.

Knox Vault's architecture

Knox Vault is made up of the following:

  • Knox Vault Subsystem: implemented as part of the SoC
  • Knox Vault Storage: an integrated circuit physically outside the SoC

How Knox Vault protects itself from attacks

If someone has physical access to your device, you should act and prepare as if it's only a matter of time before they gain access to the protected data stored on it. Samsung says that with Knox Vault, that may not necessarily be the case. It's resistant to hardware attacks such as the following:

  • Physical probing to disclose data
  • Physical manipulation of the circuitry to deactivate security mechanisms
  • Forced information leakage
  • Hardware side-channel attacks such as differential power analysis to disclose data
  • Fault injection to bypass security mechanisms

In addition, the Knox Vault Processor communicates with Knox Vault Storage via a dedicated I2C (Inter-Integrated Circuit) bus. Traffic on this bus is encrypted and transmitted with an authentication code to prevent eavesdropping, and it is also protected against replay attacks.
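
The three properties named above (encryption, an authentication code, replay protection) can be combined in a single frame format, shown here as an added example that is not Samsung's bus protocol. The frame layout, the strictly increasing counter and the SHAKE-256 stand-in cipher are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    # Stand-in cipher: SHAKE-256 over key || counter, used only because the
    # standard library has no AES. The counter doubles as the nonce.
    return hashlib.shake_256(enc_key + struct.pack(">Q", counter)).digest(length)

def seal(enc_key: bytes, mac_key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender: encrypt, then authenticate counter || ciphertext."""
    header = struct.pack(">Q", counter)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, counter, len(payload))))
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()

class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_counter = 0  # highest counter accepted so far

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("short frame")
        header, ct, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # check the tag before anything else
            raise ValueError("bad tag")
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:  # authentic but already seen
            raise ValueError("replay")
        self.last_counter = counter
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, counter, len(ct))))

def demo():
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32  # constructed keys
    rx = Receiver(enc_key, mac_key)
    frame = seal(enc_key, mac_key, 1, b"WRITE slot=3")  # constructed payload
    tampered = frame[:10] + bytes([frame[10] ^ 1]) + frame[11:]
    results = [rx.open(frame)]
    for candidate in (frame, tampered):
        try:
            results.append(rx.open(candidate))
        except ValueError as err:
            results.append(str(err))
    return results
```

A recorded frame played back verbatim still carries a valid tag, so only the counter check rejects it; a frame altered in transit fails the tag check first.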

Knox Vault Subsystem

The Knox Vault Subsystem is designed to operate separately from other SoC components. It has its own secure processing environment consisting of the Knox Vault Processor, SRAM, and ROM. It also provides enhanced security and data protection against various hardware-based attacks by monitoring the hardware status and its environment using a series of security sensors or detectors including:

  • High and low temperature detectors
  • High and low supply voltage detectors
  • Supply voltage glitch detector
  • Laser detector

When the Knox Vault Processor starts, the ROM code is loaded into SRAM. The ROM code then loads the Knox Vault Processor firmware with the help of the modules running on the SoC's main processor. The software stack of the Knox Vault Processor has its own secure boot chain.

The Knox Vault Subsystem also includes a dedicated random number generator and its own Crypto Engine. The Knox Vault Processor can access system DRAM through the External Memory Manager. The hardware monitoring performed by the security sensors cannot be affected or bypassed by any application on the Knox Vault Processor, and physical intrusion will initiate a device lockdown sequence.

The Crypto Engine provides the following cryptographic functions:

  • AES encryption/decryption
  • DRBG random number generation
  • SHA hashing
  • HMAC keyed hashing for message authentication codes
  • RSA and ECC key generation and services

Knox Vault Storage

The Knox Vault Storage is a dedicated non-volatile memory device that stores sensitive data such as the following:

  • Cryptographic keys such as Blockchain keys and Device keys
  • Biometric data
  • Hashed authentication credentials

Just like the Knox Vault Processor, the storage is also safeguarded against physical and side-channel attacks. It has a secure core to do the following:

  • Execute the ROM code
  • Provide cryptographic operations for public key algorithms (RSA, ECC) and the SHA algorithm using software libraries
  • Safely store data in dedicated SRAM and ROM

Samsung phones that support Knox Vault

Knox Vault is supported by select Samsung Galaxy smartphones and tablets such as the Samsung Galaxy S21 and devices released later in both the S series and the Fold series. The level of security on offer is designed to give you complete confidence in your smartphone as a place to keep personal data, particularly for people who may rely on their phones for sensitive data storage or other enterprise uses.