On many computing devices, e.g., computers, laptops, cell phones, etc., data can be protected from unauthorized users and entities through the use of encryption. Cryptographic keys are used to protect data stored on, or otherwise accessible to, a computing device that the computing device's owner and/or authorized user and/or entity, collectively referred to herein as user, does not want attackers, i.e., unauthorized individuals and/or entities that attempt to obtain data from others' computing devices, to be able to access. Cryptographic keys are pieces of information, or parameters, which are used to determine the output value of a cryptographic algorithm that is used to encrypt and decrypt data and/or other keys to be protected. Without the proper cryptographic key(s), and proper access to them, a cryptographic algorithm will produce no useful result, and thus attackers cannot gain access to protected data.
Computing devices can protect access to their cryptographic keys, and thus the data the cryptographic keys protect, with one or more user credentials such as a user personal identification number, i.e., PIN, or password. User credentials are generally intended to be unique and secret to a computing device user so that only a valid user can input the correct user credential(s) to log onto the computing device and gain access to its protected data.
However, sometimes valid users forget their user credential(s). Also, there can be legitimate instances when a second party, e.g., another user, an administrative entity, etc., may want access to the computing device but have no notion of the valid user credential value(s). A methodology has been established to allow a valid user or legitimate second party to gain access to a computing device using a challenge-response based unlock of a computing device's credentials, i.e., cryptographic keys. A methodology has also been established to allow a valid user or legitimate second party to gain access to a computing device using a PIN unlock key, also referred to herein as a PUK, to unlock a computing device's credentials.
Trusted Execution Environments, also referred to herein as TrEEs, are utilized on computing devices to provide strong asymmetric cryptographic key protection from would-be attackers. A TrEE, therefore, can be utilized as a convenient substitute for regular credential container environments such as smart cards. However, current TrEEs do not necessarily provide the capabilities that a legitimate user or second party can rely on to perform traditional credential recovery operations, e.g., PIN-based unlock of computing device credentials or challenge-response based unlock of computing device credentials, when a user credential has been forgotten or is unknown. This lack of traditional computing device credential recovery operation support can pose a detriment to the eventual usefulness of a TrEE within a computing device.
Thus, it is desirable to develop TrEE-supported functionality that can be utilized in conjunction with existing computing device credential recovery operations to enable legitimate access to computing device credentials without user credentials such as a user PIN and/or password.