1. (WO2019029817) DEVICES AND METHODS FOR KEY ATTESTATION WITH MULTIPLE DEVICE CERTIFICATES
Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

CLAIMS:

1. A device, comprising:

a processor and a memory,

an operating system stored in the memory, the operating system comprising a secure environment including a trusted application,

two or more device certificates, each associated with a device key pair, stored in the memory,

wherein, when the operating system is run on the processor, the trusted application is configured to:

receive a key pair generation request,

generate a key pair in response to the key pair generation request,

receive a key pair attestation request with an indication of a preferred device certificate,

generate an attestation certificate in response to the key pair attestation request, and

sign the attestation certificate using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.

2. The device of claim 1, further comprising an application stored in the memory, wherein

the application is configured to send to the operating system the key pair generation request and the key pair attestation request with an indication of a preferred device certificate, and

the trusted application is configured to receive the key pair generation request and the attestation request with the indication of the preferred device certificate from the application.

3. The device of claim 2, wherein the key pair attestation request sent by the application comprises a challenge message which includes a prefix indicating a preferred device certificate.

4. The device of claim 2, wherein the key pair attestation request sent by the application comprises a challenge message, and the operating system comprises an application configured to add a prefix indicating a preferred device certificate to the challenge message.

5. The device of any one of claims 3 or 4, wherein

the challenge message also includes a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix indicating a preferred device certificate, and, when the operating system is run on the processor, the trusted application is configured to

verify the cryptographic hash function or the message authentication code, and, if the verification is successful,

sign the attestation certificate using one of the two or more device certificates with its associated device key pair based on the challenge message prefix indicating the preferred device certificate.

6. The device of claim 1, comprising a stack of application programming interfaces, APIs, configured to generate an indication of a preferred device certificate, and add the indication of the preferred device certificate to the key pair attestation request before it is received by the trusted application.

7. The device of any one of claims 1-6, wherein the device key pair comprises a public key bound to the associated device certificate, and a private key available only to the trusted application.

8. The device of claim 7, wherein the memory comprises a secure segment accessible only to the trusted application; and wherein the private key of the device key pair is stored in the secure segment of the memory.

9. The device of any one of claims 1-8, wherein the processor is operable in a secure mode, and, when the operating system is run on the processor, the operating system is configured to initiate the secure mode of the processor and execute the trusted application to generate and sign the attestation certificate.

10. The device of any one of claims 1-9, wherein the two or more device certificates comprise certificates selected from the group of: vendor specific certificates, operating system specific certificates, default certificate, and generic vendor certificate.

11. The device of any one of claims 1-10, wherein the operating system is a mobile operating system based on the Linux kernel.

12. A method of attestation of a key pair by a trusted application stored in a secure environment of an operating system, the method comprising:

receiving a key pair generation request,

generating a key pair in response to the key pair generation request,

receiving a key pair attestation request with an indication of a preferred device certificate,

generating an attestation certificate in response to the key pair attestation request,

checking availability of the preferred device certificate,

if the preferred device certificate is available, signing the attestation certificate using the preferred device certificate with its associated device key pair, and

if the preferred device certificate is unavailable, signing the attestation certificate using a default device certificate with its associated device key pair.

13. The method of claim 12, comprising receiving a challenge message as part of the key pair attestation request, wherein the challenge message includes a prefix indicating a preferred device certificate.

14. The method of claim 13, wherein the challenge message also includes a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix indicating a preferred device certificate, the method further comprising:

verifying the cryptographic hash function or the message authentication code,

if the verification is successful, checking availability of the preferred device certificate indicated in the prefix, and

if the verification is unsuccessful, signing the attestation certificate using a default device certificate with its associated device key pair.

15. The method of claim 12, comprising initiating a secure mode of operation prior to generating the attestation certificate.
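The selection logic of claims 12 to 14 (and the prefixed challenge with integrity tag of claims 3 to 5), as an added Python example that is not part of the patent and not any vendor's implementation. The wire format of the challenge (`<preferred cert id>:<application challenge>:<hex HMAC>`), the certificate identifiers, the HMAC key shared between the layer that adds the prefix and the trusted application, and the use of HMAC as a stand-in for the asymmetric device-key signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: device certificates held by the trusted application, keyed
# by identifier. The values stand in for each certificate's private key; a real
# trusted application would hold an asymmetric key pair per certificate (claim 7).
DEVICE_CERTS = {
    "vendor": b"vendor-cert-private-key-stand-in",
    "os": b"os-cert-private-key-stand-in",
    "default": b"default-cert-private-key-stand-in",
}
DEFAULT_CERT = "default"

# Assumed secret shared by the component that adds the prefix (claim 4 or 6) and
# the trusted application, so the TA can confirm the prefix is genuine (claim 5/14).
PREFIX_MAC_KEY = b"prefix-integrity-key-stand-in"
SEP = b":"


def build_challenge(preferred: str, app_challenge: bytes) -> bytes:
    """Assumed format: preferred-id ':' application challenge ':' hex HMAC over the first two."""
    body = preferred.encode() + SEP + app_challenge
    tag = hmac.new(PREFIX_MAC_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + SEP + tag


def select_device_cert(challenge: bytes) -> str:
    """Claims 12-14: verify the tag, read the prefix, check availability, else fall back."""
    body, _, tag = challenge.rpartition(SEP)          # tag is the last field
    expected = hmac.new(PREFIX_MAC_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return DEFAULT_CERT                           # claim 14: verification failed
    preferred, _, _ = body.partition(SEP)             # prefix is the first field
    if preferred.decode(errors="replace") in DEVICE_CERTS:
        return preferred.decode()                     # claim 12: preferred available
    return DEFAULT_CERT                               # claim 12: preferred unavailable


def generate_key_pair() -> dict:
    """Stand-in for the TA's key generation: random private value, derived public value."""
    private = os.urandom(32)
    public = hashlib.sha256(private).digest()         # placeholder "public key"
    return {"private": private, "public": public}


def attest(key_pair: dict, challenge: bytes) -> dict:
    """Build the attestation certificate and sign it with the selected device certificate."""
    signer = select_device_cert(challenge)
    attestation = {
        "public_key": key_pair["public"].hex(),
        "challenge": challenge.hex(),
        "signer": signer,
    }
    payload = json.dumps(attestation, sort_keys=True).encode()
    # HMAC with the device cert's key stands in for an asymmetric signature.
    signature = hmac.new(DEVICE_CERTS[signer], payload, hashlib.sha256).hexdigest()
    return {"attestation": attestation, "signature": signature}


def verify_attestation(result: dict) -> bool:
    """Relying-party check: recompute the signature under the named device certificate."""
    signer = result["attestation"].get("signer")
    if signer not in DEVICE_CERTS:
        return False
    payload = json.dumps(result["attestation"], sort_keys=True).encode()
    expected = hmac.new(DEVICE_CERTS[signer], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, result["signature"])


if __name__ == "__main__":
    kp = generate_key_pair()
    for preferred in ("vendor", "carrier"):           # "carrier" is not provisioned
        res = attest(kp, build_challenge(preferred, b"app-nonce-123"))
        print(preferred, "->", res["attestation"]["signer"], verify_attestation(res))
```

The two fallback paths are distinct on purpose: an unprovisioned certificate identifier and a tampered prefix both end at the default certificate, so a relying party that sees `signer: default` when it asked for a vendor certificate should treat that as a signal to investigate rather than accept silently.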

16. A computer program comprising program code for performing a method according to one of claims 12 to 15, when the computer program is run on a computer.