What is device attestation?

Jeremy O’Donoghue of GlobalPlatform

As an organisation that is founded on the expertise and insights of our members, we have taken the opportunity to discuss some of the new and emerging technologies shaping our industries, and how GlobalPlatform is working to define standards that enable digital devices and services to be securely brought to market.

In this interview, Jeremy O’Donoghue, chair of GlobalPlatform’s Trusted Platform Services (TPS) Committee and director of engineering at Qualcomm, explains what attestation is and why it is so important for the success of secure IoT deployments. Jeremy also shares insight into GlobalPlatform’s Entity Attestation API specification and how it will bring greater trust to the connected device ecosystem.

GlobalPlatform: Firstly, what is device attestation?

Jeremy O’Donoghue: The basic idea of attestation is that it is trustworthy evidence or proof about something. In the case of a cybersecurity system, for example, it means that a relying party like a bank or an IoT cloud provider can be confident about what it is that they are receiving from a device.

Digging deeper into that, what we really mean by attestation is that we have a Secure Environment – a Root of Trust (RoT) – that is providing cryptographically signed evidence about the state of the device. For example, is it securely booted, is debug enabled, is there any evidence of tampering? This enables the relying party, because it is cryptographically signed, to verify that it is a particular device from a particular manufacturer, and that it has not been tampered with before it is connected to the network

GlobalPlatform: Why is attestation important for the success of Internet of Things (IoT) deployments?

Jeremy O’Donoghue: One of the big challenges of the IoT has been achieving confidence in the growing number of ‘things’ that are now connecting to our networks. Are they really what they say they are? Will they behave as they should and not cause risks to the network? And we have seen security be a real problem. Attestation helps us to find those devices that have been tampered with, or may have a bad or outdated version of software running on them, or even be outright fakes, to be identified. These are the types of things that you can determine.

By having confidence in the things on your network, backed by a RoT and ideally one that is security certified, you begin to make real and accurate assessments about what it is that you have and how much you can trust it.

GlobalPlatform: Are there any interoperability challenges, and are they limiting adoption?

Jeremy O’Donoghue: Today it is very difficult to do trustworthy attestations, and in practice relying parties have to use some sort of proprietary set of metrics to identify information about the device they are talking to. There is ongoing activity among standards bodies to ensure a single and interoperable base standard, so that relying parties and device manufacturers can be confident that what they are developing is likely to be widely used and interoperable.

GlobalPlatform is particularly well positioned to help because, with our compliance programs and with all our interoperability testing schemes, we’re able to create devices that you can be confident will have a high degree of interoperability. Additionally, and what is crucial, is that the whole attestation framework that we are using is already being broadly standardised at the IETF, and there is growing interest from other groups. We are confident that, in time, interoperability challenges will go away and there will be a single and reliable way of determining trustworthy evidence about a device that, because it is backed by a RoT, has genuine confidence behind it.

GlobalPlatform: What is the value of GlobalPlatform’s Entity Attestation API?

Jeremy O’Donoghue: The value really is several fold. We are taking an openly developed standard – that is the Entity Attestation Token (EAT) work from the IETF – and we are extending it to define EAT that has been produced in a GlobalPlatform RoT. Going one step further, we’re defining how that RoT behaves and covering the security certification of it. This would enable trustworthy attestation, and not only one from a Secure Element (SE) or Trusted Execution Environment (TEE), but one from a RoT that has been independently certified, for example, under the GlobalPlatform TEE security certification or Common Criteria. That is a huge value because it brings the ability to know in a trustworthy way that somebody else has audited that RoT.

GlobalPlatform: What are the next steps for the ecosystem?

Jeremy O’Donoghue: The first thing is to finish the specifications and then start early on with the interoperability testing, which we are planning for 2020. Then, and this is the critical factor, we will look at security certification. As I previously discussed, a RoT by its nature is something that you have to trust. The best way to ensure that trust is to get a third party to audit it, for example an independent security laboratory that knows how to break things and can tell you the real level of security that you must have.

Join GlobalPlatform to engage in the work of GlobalPlatform’s Trusted Platform Services Committee.

The author is Jeremy O’Donoghue, chair of GlobalPlatform’s Trusted Platform Services (TPS) Committee and director of engineering at Qualcomm.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

RECENT ARTICLES

Panasonic and Jasmy unveil Web3 Platform for IoT data control

Posted on: March 28, 2024

Panasonic has joined forces with Jasmy (JASMY) blockchain to introduce a Web3 platform that will facilitate the connection of personal data on the Internet of Things (IoT). The collaboration between the Japanese-based blockchain and Panasonic Advanced Technology was initiated in February, but the official announcement was made on March 26.

Read more

Driving connected personalised user experiences with Generative AI

Posted on: March 27, 2024

As the world continues to rapidly move towards digitalisation, customer expectations are also on the rise. Around the globe, telcos are grappling with meeting these expectations. As well as ensuring connectivity in a secure, seamless, and consistent manner 24/7, to compete and differentiate, operators now need to provide personalised experiences that are as unique as

Read more
FEATURED IoT STORIES

What is IoT? A Beginner’s Guide

Posted on: April 5, 2023

What is IoT? IoT, or the Internet of Things, refers to the connection of everyday objects, or “things,” to the internet, allowing them to collect, transmit, and share data. This interconnected network of devices transforms previously “dumb” objects, such as toasters or security cameras, into smart devices that can interact with each other and their

Read more

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more