Minimum Key Protection MC Config Flag
The maverick.minimumKeyProtection configuration flag in mc_config.json controls the minimum key protection level required by the MasterController (MC) when maverick.mKex and/or maverick.useSEKeyForSigningTransactions are set to true.
If neither of these flags is set to true, minimumKeyProtection has no effect.
Note: This flag uses the same key protection levels as
maverick.jwtSignKeySecurityPolicy. For the fullmc_config.jsonreference, see MC Configuration.
Key Protection Levels
The following table outlines the available key protection levels and their descriptions:
| Key Protection Level | Description |
|---|---|
| ENFORCE_STRONG_HARDWARE | MC will only run if the device can create keys in a Secure Element (SE) and successfully attest them. If the device does not have a Secure Element, the StartEvent will fail. |
| ENFORCE_HARDWARE | MC will only run if the device can create keys in any hardware-backed store and successfully attest them. If the device does not have a hardware-backed keystore, the StartEvent will fail. |
| ALLOW_VIRTUAL_SMART_CARD | MC will also work on devices without a hardware-backed keystore, while still using the strongest available one if present. The SDK prefers key storage in the following order: Secure Element (SE / Secure Enclave) → Hardware Keystore (TEE on Android; iOS only has Secure Enclave) → Software solution. |
Fallback for Devices Without a Hardware-Backed Keystore
To allow devices without a hardware-backed keystore when maverick.mKex or maverick.useSEKeyForSigningTransactions is true, set minimumKeyProtection to ALLOW_VIRTUAL_SMART_CARD.
- ALLOW_VIRTUAL_SMART_CARD attempts to use the strongest available keystore (e.g., StrongBox) while also supporting devices without a hardware-backed store.
- The SetAuthorisationCodeResultEvent provides mkex_key_protection and tms_key_protection parameters, indicating the key protection levels used during the SetAuthorisationCodeEvent flow.
Restrictions on Dynamically Changing Key-Related Config Flags
With the introduction of the new flag, the MC enforces restrictions on changing the following flags:
- MinimumKeyProtection
- maverick.useSEKeyForSigningTransactions
- maverick.mKex
Restrictions
- Changes to these flags are not allowed if there is at least one activated user.
- Changes are permitted only when there are no activated users (e.g., if a user was activated but later deleted, the MC allows changes).
App Dependency
The MC-SDK uses a third-party library for some of the features mentioned above. Your app needs to include it as a dependency:
implementation("org.bouncycastle:bcpkix-jdk15to18:1.78.1")
Do not use a version older than 1.78.1. Failing to add this dependency will result in error 800000278 when trying to use minimumKeyProtection or related features.
Backend Configuration
To use this new feature, you need to set the following in your backend's AST-CA service:
publicKeyProvider.attestation.mode = ENFORCE