https://news.samsung.com/us/samsung-galaxy-s10-more-screen-cameras-unpacked-2019/

Posted by Daniel Hong on Thursday, February 21, 2019


...Yeah, the rumors were true: Samsung's new Galaxy S10 series smartphone *does* include support for native blockchain/cryptocurrency wallets and keystores.

The way they handle it? With both software AND hardware, with Knox acting as a software backbone for managing keystores and a PUF (Physical Unclonable Function) module included within the Exynos 9820 SoC protecting them at the silicon level.

Knox is Samsung's "military-grade" secure container solution, which has been enabled by default on all Samsung devices going all the way back to the Galaxy Note 3. It stores sensitive data, such as payment tokens used with Samsung Pay or a secondary Android user profile, within a secure container that is encrypted on-the-fly. It ensures system integrity through a low-level mechanism called an eFUSE; Knox looks for any traits and behavior that may break software integrity, such as rooting the device or flashing custom firmware/kernels not signed by Samsung, and destroys both the container and the entire Knox module once the eFUSE is triggered. There's no going back; once the eFUSE flags the device as "custom" (KNOX WARRANTY VOID 0x1), no one can restore Knox functionality and the container other than by replacing the entire logic board of the phone.

...but there may still be vulnerabilities in software-based encryption solutions. One example is towelroot (https://towelroot.com), created by the legendary hacker geohot back in 2014. The vulnerability it uses actually lies within the Linux kernel itself, which is used by all Android systems. Named CVE-2014-3153 (https://lists.debian.org/debian-security-an…/…/msg00130.html) and discovered by an anonymous teenage code reviewer named Pinkie Pie, it could be exploited through the futex syscall to execute arbitrary code with escalated privileges, without the rest of the system triggering a security alert. And Knox was no exception: using towelroot, a root tool built on this serious vulnerability, a device could be rooted without triggering the Knox warranty void flag. Samsung was quick to merge a proposed kernel patch from the CyanogenMod team, but a number of Knox containers could possibly have been exposed as well if there was another vulnerability within Knox itself... Whoops.

That's where hardware-backed solutions, especially PUFs, come into play. PUFs are essentially small and simple silicon modules that can be embedded into processors, especially SoCs. The idea here is that instead of relying on a single secret key for encryption, as with traditional PKI systems and their public-secret key pairs, a challenge-response paradigm (which uses a completely unpredictable nonce as a challenge to securely store and transfer data) combined with a hardware-backed encryption module allows secure, hardware-level encrypted keystores that are much more immune to software-level vulnerabilities and attacks. Challenge-response authentication does not directly reveal the secret key or password to an eavesdropper, because the challenger only has to pass a seemingly random value to the other end and verify whether the response is a valid decryption of the challenged nonce. As this is very efficient both in terms of security and cryptographic authentication, it's also being adopted within the blockchain world, including zero-knowledge-proof-based protocols that do not reveal actual information within the communication process and only acknowledge the "existence" of such information. The idea of a challenge-response based encryption system is not new, though; SSH's passphrase-based keys also do not reveal the actual password or the keys during authentication, as the server only has to verify that the client "knows" the passphrase for a key to allow access.
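To make the challenge-response idea concrete, here is an added example (not part of the original post, and not Samsung's or Knox's implementation) of a common PUF-style scheme: the verifier enrolls challenge-response pairs once, then uses each pair a single time, so the device secret never crosses the wire and a captured response cannot be replayed. `SimulatedPUF`, `Verifier` and `demo` are hypothetical names, and the PUF is simulated with HMAC over random bytes.

```python
import hashlib
import hmac
import secrets

class SimulatedPUF:
    """Software stand-in for a PUF. Assumption: a real PUF derives this
    per-device secret from silicon variation; here it is random bytes."""

    def __init__(self):
        self._fingerprint = secrets.token_bytes(32)  # never exported

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._fingerprint, challenge, hashlib.sha256).digest()

class Verifier:
    """Holds enrolled challenge-response pairs, never the device secret."""

    def __init__(self):
        self._unused = {}      # challenge -> expected response
        self._pending = None   # challenge currently awaiting a response

    def enroll(self, device: SimulatedPUF, pairs: int = 4) -> None:
        # Done once over a trusted channel, before the device is in the field.
        for _ in range(pairs):
            challenge = secrets.token_bytes(16)
            self._unused[challenge] = device.respond(challenge)

    def issue_challenge(self) -> bytes:
        if not self._unused:
            raise RuntimeError("no unused challenges left; re-enroll device")
        self._pending = next(iter(self._unused))
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: unsolicited or replayed
        # Pop so each pair is single-use, whether or not the check passes.
        expected = self._unused.pop(self._pending)
        self._pending = None
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    device, clone, verifier = SimulatedPUF(), SimulatedPUF(), Verifier()
    verifier.enroll(device)
    first = device.respond(verifier.issue_challenge())
    results = {"genuine": verifier.verify(first)}
    results["replay_without_challenge"] = verifier.verify(first)
    verifier.issue_challenge()
    results["replay_on_new_challenge"] = verifier.verify(first)
    results["clone"] = verifier.verify(clone.respond(verifier.issue_challenge()))
    return results
```

Only the genuine device answering a fresh challenge passes; the replayed response and the second device with a different fingerprint are both rejected.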

Personally I don't think incorporating hardware-backed blockchain keystores within the world's best selling flagship Android phone will instantly make a huge difference. Even though the hardware technically supports it, the entire blockchain industry is stuck in this chicken-and-egg problem that is present with all platforms: the application ecosystem. No developers means no apps, and no apps means a lack of incentive for developers to build an app. The important point here is that one of the world's biggest electronics giants is taking blockchain technology seriously, and has begun putting the necessary infrastructure required for mobile Dapps within their flagship phones for the future of decentralized applications. Blockchain isn't a solution looking for a problem, it's just that it isn't mature enough to be widely adopted. The industry might be able to sort this out with the hardware development infrastructure now available within thousands of people's hands... but not yet. It needs more time, just like the concept of "smartphones" and "PDAs" did before the introduction of the iPhone. Maybe what we need with blockchains is an iPhone-like infrastructure for blockchain application platforms, and we just... aren't getting it.