Some content of this application is unavailable at the moment.
If this situation persist, please contact us atFeedback&Contact
1. (WO2019029817) DEVICES AND METHODS FOR KEY ATTESTATION WITH MULTIPLE DEVICE CERTIFICATES
Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

DEVICES AND METHODS FOR KEY ATTESTATION WITH MULTIPLE DEVICE CERTIFICATES

TECHNICAL FIELD

The present application relates to the field of encryption and key generation, and more particularly to key attestation.

BACKGROUND

Modern electronic devices often have a possibility to perform key attestation on keys that have been generated onboard the device. The key may be protected by trusted hardware, for example in a Trusted Execution Environment (TEE). The key attestation may take form of an attestation certificate where the subject public key info is a public key part of the generated key pair, and where there is an extension describing the properties of the key pair in question. The attestation certificate in turn can be signed by a device certificate that is enrolled to the device during manufacturing.

At present, when key pairs are generated and key attestation is required, the mechanism used to sign an attestation certificate is to set a challenge as one of the parameters of the key pair generation. The challenge parameter is typically generated by the party that is requesting the key generation with an attestation certificate.

SUMMARY

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

The inventors have found that it can be beneficial to configure a device with more than one device certificate. In such case indicating which device certificate should be used for signing the attestation certificate may be challenging in state of the art solutions.

Hence, it is an object of the present invention to provide a device with improved key pair attestation functionality.

Another object of the present invention is to provide methods for key pair attestation and for selecting a device certificate used in key pair attestation.

The foregoing and other objects are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.

According to a first aspect a device is presented. The device may be a mobile

device, for example a mobile device that has key attestation functionality. The device comprises: a processor and a memory, an operating system stored in the memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory. When the operating system is run on the processor, the trusted application is configured to: receive a key pair generation request, generate a key pair in response to the key pair generation request, receive a key pair attestation request with an indication of a preferred device certificate, generate an attestation certificate in response to the key pair attestation request, and sign the attestation certificate using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.

The device certificates and their associated key pairs may be stored in the device after manufacture. The device key pairs can be generated in a secure environment such as a Hardware Security Module (HSM) or a Trusted Execution Environment (TEE) when the device is assembled, and the device certificates associated with the device key pairs are enrolled from a certification authority (CA) and can be securely injected in the device during device manufacturing.

The operating system may comprise other applications and application programming interfaces used in normal operation of the device, and the trusted application may be a Keymaster trusted application configured to sign key attestation certificates.

The device of the first aspect and implementations thereof provide a device with multiple (two or more) device certificates for signing key attestations. Aspects of the present invention also provide a mechanism of indication which device certificate should be used to sign the attestation.

In an implementation of the device according to the first aspect, the device further comprises an application stored in the memory. The application is configured to send to the operating system the key pair generation request and the key pair attestation request with an indication of a preferred device certificate. The trusted application is configured to receive the key pair generation request and the attestation request with the indication of the preferred device certificate from the application.

The application may comprise application logic configured to generate the key pair generation and attestation requests. The indication of a preferred device certificate may relate to a specific certificate or a general certificate class such as a "vendor certificate". The indication may also include more than one preferred device certificate.

This allows an application to request key generation with e.g. a predetermined selection of a device certificate.

In a further implementation form according to the previous implementation, the key pair attestation request sent by the application comprises a challenge message which includes a prefix indicating a preferred device certificate.

The challenge message may include a string naming a brand name as a prefix

indicating the specific brand-issued device certificate, or simply "vendor" as a prefix indicating a vendor-issued device certificate.

In a further possible implementation form alternative to the previous implementation of the first aspect, the key pair attestation request sent by the application comprises a challenge message, and the operating system comprises an application configured to add a prefix indicating a preferred device certificate to the challenge message.

The application in the operating system may be a service application configured to add prefixes to incoming challenge messages. In a further example, adding a prefix to the challenge message according to this implementation may override the previously assigned preferred device certificate, if the device certificate already had a prefix with such indication.

In this implementation, the device certificate selection is shifted to the preference of the operating system rather than an application running separately on the device. The application comprised in the operating system may add more than one preferred device certificate to the challenge message. The challenge message then proceeds to the trusted application in the secure environment.

In a further implementation form according to the first aspect, the challenge message also includes a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix indicating a preferred device certificate. When the operating system is run on the processor, the trusted application is configured to verify the cryptographic hash function or the message authentication code, and, if the verification is successful, sign the attestation certificate using one of the two or more device certificates with its associated device key pair based on the challenge message prefix indicating a preferred device certificate.

The hash function or message authentication can reduce the chance of an incorrect selection of the device certificate.

In alternative implementations, the key pair generation request and the key pair attestation request may be sent to the trusted application by an external application, for example over a network.

In the implementations above, the attestation certificate may be sent back to the application separately. This can be done when the application requests the attestation certificate after the key pair has been successfully generated.

In a further implementation form according to the first aspect, the device comprises a stack of application programming interfaces, (API-s) configured to generate an indication of a preferred device certificate, and add the indication of the preferred device certificate to the key pair attestation request before it is received by the trusted application.

In this implementation, API calls are added to all layers of security indicating the preferred device certificate. This implementation does not require sending of a separate challenge message to the trusted application, since the key generation and attestation can be required through API calls.

In a further implementation form according to the first aspect, the device key pair comprises a public key bound to the associated device certificate, and a private key available only to the trusted application.

The private key of the device key pair may be stored in the secure environment after being injected into the device during manufacture.

In a further implementation form according to the first aspect, the memory comprises a secure segment accessible only to the trusted application; and wherein the private key of the device key pair is stored in the secure segment of the memory.

In further implementation form according to the first aspect , the processor is operable in a secure mode. When the operating system is run on the processor, the operating system is configured to initiate the secure mode of the processor and execute the trusted application to generate and sign the attestation certificate.

In a further possible implementation, the processor has access to the secure segment of the memory only in the secure mode.

In a further implementation form according to the first aspect , the two or more device certificates comprise certificates selected from the group of: vendor specific certificates, operating system specific certificates, default certificate, and generic vendor certificate.

The vendor specific certificates may include certificates tied to the manufacturer of the device. Generic vendor certificate may be identified by a generic reference such as the word "vendor". The operating system specific certificate may have a reference to the name of the operating system. The default certificate is the one used when no preferred device certificate is indicated, or when an unavailable device certificate is preferred.

In a further implementation form according to the first aspect, the operating system is a mobile operating system based on the Linux kernel.

Android (Android is a trademark of Google Inc.) is an example of an operating system based on the Linux kernel. In Android 7 and later, the key attestation mechanism is available to provide an attestation that the corresponding key pair is indeed protected by hardware. This allows to enable the selection of the device certificate without changing the existing Android APIs.

According to a second aspect a method of attestation of a key pair by a trusted application stored in a secure environment of an operating system is presented. The method comprises the following operations: receiving a key pair generation request, generating a key pair in response to the key pair generation request, receiving a key pair attestation request with an indication of a preferred device certificate, and generating an attestation certificate in response to the key pair attestation request and checking availability of the preferred device certificate. If the preferred device certificate is available, the method also comprises signing the attestation certificate using the preferred device certificate with its associated device key pair. If the preferred device certificate is unavailable, the method comprises signing the attestation certificate using a default device certificate with its associated device key pair.

The method according to the second aspect may be carried out by a trusted application stored in the Trusted Execution Environment (TEE) of an Android operating system.

In a possible implementation of the method according to the second aspect, the method comprises receiving a challenge message as part of the key pair attestation request, wherein the challenge message includes a prefix indicating a preferred device certificate.

In a further possible implementation form of the second aspect, the challenge message also includes a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix indicating a preferred device certificate. The method further comprises verifying the cryptographic hash function or the message authentication code. If the verification is successful, the method continues by checking availability of the preferred device certificate indicated in the prefix, and if the verification is unsuccessful, the method comprises signing the attestation certificate using a default device certificate with its associated device key pair.

In a further implementation form according to the second aspect, the method comprises initiating a secure mode of operation prior to generating the attestation certificate.

The secure mode of operation of the processor can be activated to provide access to a secure memory segment needed to generate and/or sign the key pair attestation.

According to a third aspect a method of indicating a preferred device certificate by an application is provided. The method comprises: creating a key pair generation request, creating a key pair attestation request comprising a challenge message, adding a prefix to the challenge message, wherein the prefix comprises an indication of a preferred device certificate, and sending the key pair generation request together with the key pair attestation request to a trusted application stored in a secure environment of an operating system.

The method according to the third aspect can be carried out by an application comprised in a device like the devices of the first aspect and its implementations. The method allows creating a request that can be received and recognized by the trusted application stored in a secure environment such as the TEE and comprising two or more device certificates to sign the attestation.

In a possible implementation of the method according to the third aspect, the method comprises adding to the challenge message a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix comprising an indication of a preferred device certificate.

According to a fourth aspect, a computer program is presented. The computer program comprises program code configured to perform a method according to any one of the implementations of the second and third aspects, when the computer program is executed on a computer.

Many of the attendant features will be more readily appreciated as they become better understood by reference to the following detailed description considered in connection

with the accompanying drawings.

DESCRIPTION OF THE DRAWINGS

The present description will be better understood from the following detailed description read in light of the accompanying drawings, wherein:

Fig. 1 is a block diagram illustrating a device according to an embodiment; Fig. 2a is a block diagram illustrating a device with an application according to an embodiment;

Fig. 2b is a block diagram illustrating a device with an application according to another embodiment;

Fig. 3 is a block diagram illustrating the device hardware;

Fig. 4 is a flow chart illustrating a method according to an embodiment;

Fig. 5 is a flow chart illustrating another method according to an embodiment.

Like references are used to designate like parts in the accompanying drawings.

DETAILED DESCRIPTION

The detailed description provided below in connection with the appended drawings is intended as a description of the embodiments and is not intended to represent the only forms in which the embodiment may be constructed or utilized. However, the same or equivalent functions and structures may be accomplished by different embodiments.

In the following description, embodiments of a device and methods for key attestation are disclosed.

A concept underlying the present disclosure is that a secure trusted application of an operating system may have two or more device certificates that can be used for signing key pair attestations. The two or more different device certificates may indicate different security levels when key pair attestations are signed by these certificates. The indication of different security levels may refer to different levels of security of device key pair and certificate injection, or to different levels of protection of the device key pair in the device itself. The former levels of security may vary between manufacturers and their injection processes, and the latter security levels may vary based on the type of protection such as - protected only by the TEE, additionally protected by a secure element etc. These security levels may be indicated in a device certificate chain of information, or certification practice statement documents. Thus, when a key pair attestation request is sent to the trusted application, it may carry an indication of which device certificate should be used. This indication can be part of a challenge parameter in the request. The indication can be given in several ways, including but not limited to: providing an Application Programming Interface (API) stack supporting an indication from the application, or embedding the indication into the challenge parameter at various stages to indicate which device certificate should be used.

Fig. 1 schematically illustrates an embodiment of the device 100. The device 100 may be a mobile device, for example a mobile device that has key attestation functionality, or any other device wherein key attestation is useful. Fig. 1 is an illustration of the software features of an operating system (OS) 101 of the device 100. The device 100 comprises a processor and a memory, and the OS 101 is stored in the memory. The OS 101 comprises a secure environment 102 including a trusted application (TA) 1 12. Two or more device certificates 122, each associated with a device key pair, are also stored in the memory. They are schematically illustrated inside the TA box 1 12 on Fig. 1 , which is meant to show that the device certificates 122 are accessible to the TA 1 12. More than two device certificates 122 may be stored in the memory. The device key pair bound to the associated device certificate 122 can comprise a public key, and a private key available only to the TA 1 12. The private key of the device key pair may be stored in the secure environment 102 after being injected into the device or after being generated inside the secure environment 102 during manufacture.

When the OS 101 is run on the processor, the TA 1 12 is configured to: receive a key pair generation request, generate a key pair in response to the key pair generation request, receive a key pair attestation request with an indication of a preferred device certificate 122, generate an attestation certificate in response to the key pair attestation request, and sign the attestation certificate using one of the two or more device certificates 122 with its associated device key pair based on the indication of the preferred device certificate. The key pair generation and attestation requests may be received together or separately by the TA 1 12.

The operating system may comprise other applications and application programming interfaces (APIs) 104 used in normal operation of the device. The key pair generation request, as well as the key pair attestation request, may be delivered to the TA 1 12 via the APIs 104. In an embodiment, the key pair attestation request may be supplemented with an indication of a preferred device certificate 122 by the APIs 104. This can be achieved by configuring the stack of API-s 104 to generate an indication of a preferred device certificate 122, and add this indication to the key pair attestation request before it is received by the TA 1 12.

Fig. 2a illustrates a device 200 according to an embodiment. The device 200 includes a processor and a memory. The device 200 also comprises an OS similar to the OS 101 of Fig. 1 , also comprising a secure environment 102 including a trusted application (TA) 1 12. Two or more device certificates, each associated with a device key pair, are similarly stored in the memory. The device 200 further comprises an application 210 stored in the memory. The application 210 may be any application running on the processor that may request key pair attestation. The application 210 is configured to send to the OS 101 the key pair generation request and the key pair attestation request with an indication of a preferred device certificate. The TA 1 12 receives the key pair generation request and the attestation request with an indication of a preferred device certificate from the application 210. In the

example shown on Fig. 2a, the attestation request also includes a challenge message 21 1 , and the challenge message has a prefix 212 indicating a selection of a preferred device certificate for attestation.

The challenge message 21 1 with the prefix 212 can flow through the APIs 104 in the application (not shown in the Figures) and in the OS 101 to the TA 1 12. The TA 1 12 may be the Keymaster TA if the OS 101 is the Android operating system. When the TA 1 12 receives the key pair generation request, it can inspect whether the request is accompanied with a challenge parameter in a challenge message 21 1. If the challenge parameter is present, the TA 1 12 is configured to initiate the generation of an attestation certificate. During generation of the attestation certificate, TA 1 12 can also scan the challenge message 21 1 for a prefix. If a recognized prefix 212 is found, the TA 1 12 can use this information to select the correct device certificate to sign the attestation certificate.

Figs. 2a and 2b also schematically illustrate the injection of a device certificate and key pair 221 during manufacture of the device 200. The dashed box 220 schematically illustrates the device manufacturer. The device key pair can be generated in a secure environment like a Hardware Security Module of the manufacturer 220, and a device certificate can be enrolled for this key pair during manufacture from a specific certification authority (CA) that is also operated by the manufacturer 220. The device certificate and the key pair 221 are then securely injected to the device 200 in a device assembly line. In order to make the injection secure, there can be several protection layers to ensure that the private key of the key pair is usable in the secure environment 102 only.

Alternatively to the example embodiment above, the corresponding key pair can be generated in the device 200 during its manufacture inside the secure environment 102, while the device 200 has a secure connection to the CA. The device 200 can then enroll a device certificate directly from the CA using a secure connection. In this alternative, the private key is still only available inside the secure environment 102. The elements 220 and 221 (the certificates and key pairs remain injected in the device) do not relate to normal operation of the device 200 after its manufacture.

Fig. 2b illustrates a device 200 according to a further embodiment. The device 200 includes a processor and a memory. The device 200 of Fig. 2b is similar to the device 200 of Fig. 2a, with the difference that the application 210 is configured to send to the OS 101 a key pair generation request and the key pair attestation request without an indication of a preferred device certificate. The attestation request shown in Fig. 2b also includes a challenge message 21 1 , but the prefix 212' indicating a selection of a preferred device certificate for attestation is added to the challenge message by an application 204 in the OS 101.

The application 204 configured to add the prefix 212' can be set up by a vendor-specific application service onboard the device 200. This service may provide an API to the application 210 requesting key generation to indicate the device certificate. For example, the device according to the embodiment may provide means to set up a device certificate alias:

setDeviceCertificateAlias (String alias). The alias in this case would be the same as the prefix 212 in the embodiment shown on Fig. 2a, and is added to the challenge parameter by the vendor specific service. When the TA 1 12 inspects the challenge, it may remove the prefix 212' from the challenge before it is included in further extensions. In this embodiment, the usage of the prefix 212' may be visible to external applications.

The challenge message 21 1 as shown in Figs. 2a and 2b may also include a cryptographic hash function or a message authentication code (MAC) confirming that the challenge message 21 1 has a prefix 212, 212' indicating a preferred device certificate. Format of the prefix indication can be a simple string like "vendor", or more complex like a Type Length Value (TLV) parameter, where the value could be either a simple string or a more complex value. In order to detect that a prefix is present intentionally in the challenge 21 1 , the challenge 21 1 may include a MAC or hash function at the end of the challenge 21 1 . This way the detection of "false positives" is enabled. In this case, the entity adding a prefix 212, 212' to the challenge 21 1 , is also configured to add a postfix that contains a MAC or a hash function. For instance, a hash-based challenge can be calculated as follows:

challenge_new = prefix | challenge | HASH ( prefix | challenge )

When the TA 1 12 inspects this challenge_new parameter and detects that the prefix 212, 212' is present, it will also check that the hash or MAC is present in the challenge 21 1 to verify that the prefix 212, 212' is intentional and then proceeds with the device certificate selection. If the HASH or MAC is not present, the TA 1 12 can use the default device certificate to sign the attestation certificate. In an embodiment where the prefix 212' and the HASH or MAC are added by the vendor-specific service onboard the device, the TA 1 12 can in turn remove the prefix 212' and the HASH or MAC, extracting the original challenge 21 1.

The prefix 212, 212' is associated with the device certificate at that time. For instance, when importing a vendor-specific device certificate, the prefix could be "vendor" or the name of the vendor. The prefix could also be any arbitrary octet data, including TLV parameters. The TA 1 12 may be configured to treat it as arbitrary octet data checked to be part of the challenge. There may be also multiple prefixes to indicate one device certificate.

For instance, the vendor-specific device certificate could be indicated both with the "vendor" prefix and a vendor name itself (for instance "huawei").

Fig. 3 illustrates a device 300 according an embodiment from a hardware perspective. The device 300 may be a device according to any of the embodiments described above, for example a device shown in one of Figs. 1 , 2a, 2b. The device 300 comprises a processor 301 and a memory 302. The memory 302 comprises a secure segment 322 accessible only to the trusted application. In an embodiment, the private key of the device key pair is stored in the secure segment 322 of the memory 302.

The processor 301 in the embodiment is operable in a secure mode. When the

operating system is run on the processor, the operating system is configured to initiate the secure mode of the processor and execute the trusted application to generate and sign the attestation certificate. The processor 301 may also comprise a secure area 31 1 such as a trusted execution environment (TEE), configured to isolate and protect data loaded into it. The secure area 31 1 may be activated when the processor 301 is run in the secure mode initiated by the trusted application.

Fig. 4 is a flow chart of a method of attestation of a key pair by a trusted application stored in a secure environment of an operating system. The operating system comprising the trusted application may be run on a device, such as the devices described in relation to Figs. 1 -3.

The method includes receiving 401 a key pair generation request, and generating 402 a key pair in response to the key pair generation request. The key pair generation request may be received by the trusted application from an external application, or from an application comprised in the operating system. The method further comprises receiving 403 a key pair attestation request with an indication of a preferred device certificate, and generating 404 an attestation certificate in response to the key pair attestation request. The method may include receiving a challenge message as part of the key pair attestation request, wherein the challenge message includes a prefix indicating a preferred device certificate.

The attestation certificate needs to be signed with a device certificate, and so the method also comprises checking 405 the availability of the preferred device certificate. If the preferred device certificate is available, the attestation certificate is signed at 415 using the preferred device certificate with its associated device key pair. If the preferred device certificate is unavailable, the method continues with signing 425 the attestation certificate using a default device certificate with its associated device key pair.

In an example embodiment, the challenge message also includes a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix indicating a preferred device certificate. Thus the method may comprise an optional step of verifying 413 the cryptographic hash function or the message authentication code. If the verification is unsuccessful, the method may include directly signing the attestation certificate using a default device certificate with its associated device key pair.

In an embodiment, the method may also comprise initiating a secure mode of operation prior to generating the attestation certificate. The secure mode of operation may be a secure mode of the central processor.

In an example embodiment, the method may also comprise sending the signed attestation certificate and the device certificate back to the requesting application. These certificates may be sent back to the application separately or together in a certificate chain.

Fig. 5 illustrates a method of indicating a preferred device certificate by an application. The application carrying out this selection-related method may be for example the application 210 according to the embodiments illustrated by Fig. 2a.

The method comprises creating 501 a key pair generation request, creating 502 a key pair attestation request comprising a challenge message, then adding 503 a prefix to the challenge message. The prefix comprises an indication of a preferred device certificate. In an alternative method, the prefix may be added later on by an application running within the operating system.

The method further comprises sending 504 the key pair generation request together with the key pair attestation request to a trusted application stored in a secure environment of an operating system. The method may comprise an optional step of adding to the challenge message a cryptographic hash function or a message authentication code confirming that the challenge message has a prefix comprising an indication of a preferred device certificate, which is carried out before sending 504 the requests.

Furthermore, an apparatus configured to perform the method shown in Fig. 5 is disclosed.

The functionality described herein can be performed, at least in part, by one or more computer program product components such as software components. According to an embodiment, the system 100 comprises a processor configured by program code to execute the embodiments of the operations and functionality described. Alternatively, or in addition, the functionality described herein can be performed, at least in part, by one or more hardware logic components. For example, and without limitation, illustrative types of hardware logic components that can be used include Field-programmable Gate Arrays (FPGAs), Program-specific Integrated Circuits (ASICs), Program-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), Complex Programmable Logic Devices (CPLDs), and Graphics Processing Units (GPUs).

Any range or device value given herein may be extended or altered without losing the effect sought. Also any embodiment may be combined with another embodiment unless explicitly disallowed.

Although the subject matter has been described in language specific to structural features and/or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as examples of implementing the claims and other equivalent features and acts are intended to be within the scope of the claims.

It will be understood that the benefits and advantages described above may relate to one embodiment or may relate to several embodiments. The embodiments are not limited to those that solve any or all of the stated problems or those that have any or all of the stated benefits and advantages. It will further be understood that reference to 'an' item may refer to one or more of those items.

The steps of the methods described herein may be carried out in any suitable order, or simultaneously where appropriate. Additionally, individual blocks may be deleted from any of the methods without departing from the spirit and scope of the subject matter described herein. Aspects of any of the embodiments described above may be combined with aspects of any of the other embodiments described to form further embodiments without losing the effect sought.

The term 'comprising' is used herein to mean including the method, blocks or elements identified, but that such blocks or elements do not comprise an exclusive list and a method or apparatus may contain additional blocks or elements.

It will be understood that the above description is given by way of example only and that various modifications may be made by those skilled in the art. The above specification, examples and data provide a complete description of the structure and use of exemplary embodiments. Although various embodiments have been described above with a certain degree of particularity, or with reference to one or more individual embodiments, those skilled in the art could make numerous alterations to the disclosed embodiments without departing from the spirit or scope of this specification.