Use cases
Common use cases for key attestation are:
- Issuing code signing certificates for subscriber keys, verifying that the subscribers private signature key is generated and managed in an approved cryptographic device.
- Issuing digital signature certificate for subscriber keys, verifying that the subscribers private signature key is generated and managed in an approved cryptographic device.
There are other ways to achieve the same purpose, such as shipping hardware devices (USB tokens, smart cards, etc) to the subscriber, or requiring a formal audit of the key generation procedure from the subscriber. Using remote key attestation makes this process more efficient and possible to automate in a larger scale.
Implementations
The table lists known hardware cryptographic devices and their support, or non-support, for remote key attestation.
| Vendor/Model | Capability | Format | Documentation | Notes |
|---|---|---|---|---|
| Cloud HSMs | ||||
| Google CloudHSM | ✔️ | JSON | https://cloud.google.com/kms/docs/attest-key | |
| AWS CloudHSM | ❌ | |||
| AWS KMS | ❌ | |||
| Azure Key Vault | ❌ | |||
| Azure Managed HSM | ❌🕐 | Claimed to be on the roadmap | ||
| HSMs | ||||
| Entrust nShield | ❌🕐 | https://github.com/pkic/remote-key-attestation/issues/3 | Claimed to be on the roadmap | |
| Utimaco CryptoServer | ❌ | |||
| Thales Luna | ✔️ | CMS/PKCS#7 | Meeting CA/Browser Forum Standards with Luna and Luna Cloud HSMs / Public Key Confirmations | |
| Marvell HSMCMS/PKCS#7 | ✔️ | Proprietary/Binary | https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html | GCP Cloud HSM, AWS CloudHSM and MS Managed HSM are using Marvell hardware in the background |
| Securosys Primus HSM | ✔️ | XML with external sig | HSM User Guide Docs | |
| I4P Trident HSM | ✔️ | CMS/PKCS#7 | https://www.i4p.com/documents/Trident_RSS_summary_sheet_200929.pdf | No detailed documentation about using key attestation available publicly. |
| Fortanix | ✔️ | JSON | Verifying Key Attestation Statements Doc | |
| Tokens | ||||
| Yubico | ✔️ | X.509 | Attestation Concept PIV Attestation | |
| Trusted Platform Module | ✔️ | TPMS_ATTEST/PKCS#10 | TPM Fundamentals / MS Key Attestation / MS CSP with Key Attestation / TCG Trusted Attestation Protocol | |
| Century Longmai PKI Token | ❌🕐 | CMS/PKCS#7 | Claimed roadmap item | |
| TrustSec SLCOS - Bio/PKI token | ❌ | |||
| SmartCard-HSM | ✔️ | CVC, BSI TR-03110-3 | Remote Key Attestation explained | |
| Other Devices | ||||
| Apple iOS | ✔️ | X.509/ACME/CBOR/WebAuthn | Apple | |
| Android | ✔️ | ASN.1/CBOS/COSE | Android |
Vendor Details
Android
Android provides multiple resources.
Key attestation using a custom ASN.1 format.
A (not well documented) certificate management protocol called KeyMint, which is conceptually a CBOR/COSE-based version of a CSR plus response, the utilized attestation technology is DICE.
Apple
Apple provides multiple resources.
Managed Device Attestation, in iOS 16 and later, can be used for key attestation.
DeviceCheck app integrity attestation is not usedfor the purpose of key attestation as defined here.
