What is device attestation?

Jeremy O’Donoghue of GlobalPlatform

As an organisation that is founded on the expertise and insights of our members, we have taken the opportunity to discuss some of the new and emerging technologies shaping our industries, and how GlobalPlatform is working to define standards that enable digital devices and services to be securely brought to market.

In this interview, Jeremy O’Donoghue, chair of GlobalPlatform’s Trusted Platform Services (TPS) Committee and director of engineering at Qualcomm, explains what attestation is and why it is so important for the success of secure IoT deployments. Jeremy also shares insight into GlobalPlatform’s Entity Attestation API specification and how it will bring greater trust to the connected device ecosystem.

GlobalPlatform: Firstly, what is device attestation?

Jeremy O’Donoghue: The basic idea of attestation is that it is trustworthy evidence or proof about something. In the case of a cybersecurity system, for example, it means that a relying party like a bank or an IoT cloud provider can be confident about what it is that they are receiving from a device.

Digging deeper into that, what we really mean by attestation is that we have a Secure Environment – a Root of Trust (RoT) – that is providing cryptographically signed evidence about the state of the device. For example, is it securely booted, is debug enabled, is there any evidence of tampering? This enables the relying party, because it is cryptographically signed, to verify that it is a particular device from a particular manufacturer, and that it has not been tampered with before it is connected to the network

GlobalPlatform: Why is attestation important for the success of Internet of Things (IoT) deployments?

Jeremy O’Donoghue: One of the big challenges of the IoT has been achieving confidence in the growing number of ‘things’ that are now connecting to our networks. Are they really what they say they are? Will they behave as they should and not cause risks to the network? And we have seen security be a real problem. Attestation helps us to find those devices that have been tampered with, or may have a bad or outdated version of software running on them, or even be outright fakes, to be identified. These are the types of things that you can determine.

By having confidence in the things on your network, backed by a RoT and ideally one that is security certified, you begin to make real and accurate assessments about what it is that you have and how much you can trust it.

GlobalPlatform: Are there any interoperability challenges, and are they limiting adoption?

Jeremy O’Donoghue: Today it is very difficult to do trustworthy attestations, and in practice relying parties have to use some sort of proprietary set of metrics to identify information about the device they are talking to. There is ongoing activity among standards bodies to ensure a single and interoperable base standard, so that relying parties and device manufacturers can be confident that what they are developing is likely to be widely used and interoperable.

GlobalPlatform is particularly well positioned to help because, with our compliance programs and with all our interoperability testing schemes, we’re able to create devices that you can be confident will have a high degree of interoperability. Additionally, and what is crucial, is that the whole attestation framework that we are using is already being broadly standardised at the IETF, and there is growing interest from other groups. We are confident that, in time, interoperability challenges will go away and there will be a single and reliable way of determining trustworthy evidence about a device that, because it is backed by a RoT, has genuine confidence behind it.

GlobalPlatform: What is the value of GlobalPlatform’s Entity Attestation API?

Jeremy O’Donoghue: The value really is several fold. We are taking an openly developed standard – that is the Entity Attestation Token (EAT) work from the IETF – and we are extending it to define EAT that has been produced in a GlobalPlatform RoT. Going one step further, we’re defining how that RoT behaves and covering the security certification of it. This would enable trustworthy attestation, and not only one from a Secure Element (SE) or Trusted Execution Environment (TEE), but one from a RoT that has been independently certified, for example, under the GlobalPlatform TEE security certification or Common Criteria. That is a huge value because it brings the ability to know in a trustworthy way that somebody else has audited that RoT.

GlobalPlatform: What are the next steps for the ecosystem?

Jeremy O’Donoghue: The first thing is to finish the specifications and then start early on with the interoperability testing, which we are planning for 2020. Then, and this is the critical factor, we will look at security certification. As I previously discussed, a RoT by its nature is something that you have to trust. The best way to ensure that trust is to get a third party to audit it, for example an independent security laboratory that knows how to break things and can tell you the real level of security that you must have.

Join GlobalPlatform to engage in the work of GlobalPlatform’s Trusted Platform Services Committee.

The author is Jeremy O’Donoghue, chair of GlobalPlatform’s Trusted Platform Services (TPS) Committee and director of engineering at Qualcomm.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Workz launches eSIM cloud

Posted on: November 29, 2021

Dubai. 29 November 2021 – IoT solutions provider Workz has expanded its eSIM subscription management solution to offer a GSMA certified cloud-based platform in the US. The platform, which is certified by the GSMA’s Security Accreditation Scheme (SAS) and hosted at Microsoft Azure’s Virginia, USA site enables mobile network operators (MNOs) to remotely manage consumer

Read more

Laiye partners with HUAWEI CLOUD to drive Brazil’s digital transformation

Posted on: November 29, 2021

Laiye, a provider of intelligent automation, and HUAWEI CLOUD, a global provider of cloud services, announced a strategic alliance to drive digital transformation in Brazil through of cloud computing, artificial intelligence (AI) and big data. The alliance will be implemented in the rest of Latin America. 

Read more