idnits 2.17.00 (12 Aug 2021)

/tmp/idnits63687/draft-richardson-rats-usecases-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 239 instances of too long lines in the document, the longest
     one being 77 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does
     not match the current year

  -- The document date (October 06, 2019) is 957 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 2787
  -- Looks like a reference, but probably isn't: '3' on line 2835
  -- Looks like a reference, but probably isn't: '701' on line 1732
  -- Looks like a reference, but probably isn't: '709' on line 1735
  -- Looks like a reference, but probably isn't: '1' on line 1750
  -- Looks like a reference, but probably isn't: '2' on line 1758
  -- Looks like a reference, but probably isn't: '5' on line 1770
  -- Looks like a reference, but probably isn't: '6' on line 2223
  -- Looks like a reference, but probably isn't: '200' on line 1185
  -- Looks like a reference, but probably isn't: '503' on line 1784
  -- Looks like a reference, but probably isn't: '702' on line 1787
  -- Looks like a reference, but probably isn't: '703' on line 1194
  -- Looks like a reference, but probably isn't: '704' on line 1790
  -- Looks like a reference, but probably isn't: '705' on line 1802
  -- Looks like a reference, but probably isn't: '706' on line 1805
  -- Looks like a reference, but probably isn't: '710' on line 1808
  -- Looks like a reference, but probably isn't: '711' on line 1811
  -- Looks like a reference, but probably isn't: '712' on line 1814
  -- Looks like a reference, but probably isn't: '713' on line 1817
  -- Looks like a reference, but probably isn't: '716' on line 1820
  -- Looks like a reference, but probably isn't: '717' on line 1823
  -- Looks like a reference, but probably isn't: '509' on line 1729
  -- Looks like a reference, but probably isn't: '4' on line 1764
  -- Looks like a reference, but probably isn't: '718' on line 1826
  -- Looks like a reference, but probably isn't: '719' on line 1829

  == Unused Reference: 'RFC4210' is defined on line 2981, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC7030' is defined on line 2996, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC8555' is defined on line 3001, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-05) exists of
     draft-fedorkow-rats-network-device-attestation-00

  == Outdated reference: draft-gutmann-scep has been published as RFC 8894

  == Outdated reference: A later version (-09) exists of
     draft-tschofenig-rats-psa-token-02

     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 26 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

RATS Working Group                                          M. Richardson
Internet-Draft                                   Sandelman Software Works
Intended status: Informational                                 C. Wallace
Expires: April 8, 2020                                 Red Hound Software
                                                                   W. Pan
                                                      Huawei Technologies
                                                         October 06, 2019


           Use cases for Remote Attestation common encodings
                   draft-richardson-rats-usecases-05

Abstract

   This document details mechanisms created for performing Remote
   Attestation that have been used in a number of industries.  The
   document initially focuses on existing industry verticals, mapping
   terminology used in those specifications to the more abstract
   terminology used by the IETF RATS Working Group.

   The document aspires to describe possible future use cases that would
   be enabled by common formats.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 8, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Static attestations
     2.2.  Session attestations
     2.3.  Statements
     2.4.  Hardware Root Of Trust
     2.5.  Template for Use cases
   3.  Requirements Language
   4.  Overview of Sources of Use Cases
   5.  Use case summaries
     5.1.  Device Capabilities/Firmware Attestation
       5.1.1.  Relying on a (third-party) Attestation Server
       5.1.2.  Autonomous Relying Party
       5.1.3.  Proxy Root of Trust
       5.1.4.  network scaling - small
       5.1.5.  network scaling - medium
       5.1.6.  network scaling - large
     5.2.  Hardware resiliency / watchdogs
     5.3.  IETF TEEP WG use case
     5.4.  Confidential Machine Learning (ML) model
     5.5.  Critical infrastructure
       5.5.1.  Computation characteristics
     5.6.  Virtualized multi-tenant hosts
     5.7.  Cryptographic Key Attestation
       5.7.1.  Device Type Attestation
       5.7.2.  Key storage attestation
       5.7.3.  End user authorization
     5.8.  Geographic attestation
       5.8.1.  I am here
       5.8.2.  I am near
       5.8.3.  You are here
     5.9.  Connectivity attestation
     5.10. Component connectivity attestation
     5.11. Device provenance attestation
   6.  Technology users for RATS
     6.1.  Trusted Computing Group Remote Integrity Verification
           (TCG-RIV)
     6.2.  Android Keystore system
     6.3.  Fast IDentity Online (FIDO) Alliance
   7.  Examples of Existing Attestation Formats
     7.1.  Android Keystore
       7.1.1.  TEE
       7.1.2.  Secure Element
     7.2.  Windows 10 TPM
       7.2.1.  Attestation statement
     7.3.  Yubikey
       7.3.1.  Yubikey 4
       7.3.2.  Yubikey 5
   8.  Privacy Considerations
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Changes
   Authors' Addresses

1.  Introduction

   The recently chartered IETF RATS WG intends to create a system of
   attestations that can be shared across a multitude of different
   users.

   This document exists as a place to collect use cases for the common
   RATS technologies in support of the IETF RATS charter point 1.  This
   document is not expected to be published as an RFC, but to remain
   open as a working document.  It could become an appendix to provide
   motivation for a protocol standards document.

   End-user use cases that would either directly leverage RATS
   technology, or would serve to inform technology choices, are welcome,
   however.

2.  Terminology

   Critical to dealing with and contrasting different technologies is
   collecting terms which are compatible, and distinguishing those terms
   which are similar but used in different ways.

   This section will grow to include forward and external references to
   terms which have been seen.  When terms need to be disambiguated they
   will be prefixed with their source, such as "TCG(claim)" or
   "FIDO(relying party)".

   Platform attestations generally come in two categories.  This
   document will attempt to indicate which category a particular
   attestation technology falls into.

2.1.  Static attestations

   A static attestation says something about the platform on which the
   code is running.

2.2.  Session attestations

   A session attestation says something about how a session key used in
   a connection, such as a TLS connection, was created.  It is usually
   the result of evaluating attestations that are attached to the
   certificates used to create such a session.

2.3.  Statements

   The term "statement" is used as the generic term for the semantic
   content which is being attested to.

2.4.  Hardware Root Of Trust

   [SP800-155] offers the following definition for root of trust.

      "Roots of Trust are components (software, hardware, or hybrid) and
      computing engines that constitute a set of unconditionally trusted
      functions.  Reliable and trustworthy BIOS integrity measurement
      and reporting depend upon software agents; each software agent
      relies upon Roots of Trust, and the level of trustworthiness in
      each agent depends on its Roots of Trust.  BIOS integrity
      measurement requires the coordination of a Measurement Agent to
      harvest measurements, a Storage Agent to protect the measurements
      from modification until they can be reported, and a Reporting
      Agent to reliably report the measurements.  Each of these agents
      has a corresponding Root of Trust (Root of Trust for Measurement,
      etc.)  These Roots of Trust must act in concert and build on each
      other to enable reliable and trustworthy measurement, reporting,
      and verification of BIOS integrity measurements."

   SP800-155 uses the terms RoT for Reporting, Storage and Measurement,
   but not RoT for Verification; it uses "Verification Agent", though it
   is assumed the verifier is trustworthy.

   However, [tcgglossary] (page 9) includes a RoT for Verification (RTV)
   as well.

   The TCG Glossary also offers a general definition for Root of Trust:
   "A component that performs one or more security-specific functions,
   such as measurement, storage, reporting, verification, and/or update.
   It is trusted always to behave in the expected manner, because its
   misbehavior cannot be detected (such as by measurement) under normal
   operation."

   [SP800-147B] defines RoT for Update (RoTU) and RoTU verification
   (RoTU-v).

   The TCG definition seems more concise than NIST's, but gets to the
   same point.

   For the purpose of this document, a hardware root of trust refers to
   security functionality that is trusted to behave in the expected
   manner, because its misbehavior cannot be detected under normal
   operation and it resists software exploits by encapsulating the
   functionality in hardware.

2.5.  Template for Use cases

   Each use case will consist of a table with a number of constant
   fields, as illustrated below.  The claim names will be loosely
   synchronized with the EAT draft.  The architecture draft (will)
   describe two classes of attestation flow: the passport type (Attestee
   sends evidence to Attester, receives a signed statement, which is
   sent to the relying party), or the background check type (Attestee
   sends measurements to the Relying Party, Relying Party checks with
   the Attester).

   Use case name:  Twelve Monkeys

   Who will use it:  Army of the Twelve Monkeys SDO

   Attesting Party:  James Cole

   Relying Party:  Dr. Kathryn Reilly

   Attestation type:  Passport

   Claims used:  OEM Identity, Age Claim, Location Claim, ptime Claim

   Description:  James Cole must convince Dr. Reilly he is from the
      future, and not insane.

3.  Requirements Language

   This document is not a standards track document and does not make any
   normative protocol requirements using terminology described in
   [RFC2119].
4.  Overview of Sources of Use Cases

   The following specifications have been covered in this document:

   o  The Trusted Computing Group "Network Device Attestation Workflow"
      [I-D.fedorkow-rats-network-device-attestation]

   o  Android Keystore

   o  Fast Identity Online (FIDO) Alliance attestation

   This document will be expanded to include summaries from:

   o  Trusted Computing Group (TCG) Trusted Platform Module
      (TPM)/Trusted Software Stack (TSS)

   o  ARM "Platform Security Architecture"
      [I-D.tschofenig-rats-psa-token]

   o  Intel SGX attestation [intelsgx]

   o  Windows Defender System Guard attestation [windowsdefender]

   o  Windows Device Health Attestation [windowshealth]

   o  Azure Sphere Attestation [azureattestation]:
      https://azure.microsoft.com/enus/resources/azure-sphere-device-
      authentication-andattestation-service/en-us/

   o  IETF NEA WG [RFC5209]

   And any additional sources suggested.

5.  Use case summaries

   This section lists a series of cases where an attestation is done.

5.1.  Device Capabilities/Firmware Attestation

   This is a category of claims.

   Use case name:  Device Identity

   Who will use it:  Network Operators

   Attesting Party:  varies

   Attestation type:  varies

   Relying Party:  varies

   Claims used:  TBD

   Description:  Network operators want a trustworthy report of the
      identity and version information of the hardware and software on
      the machines attached to their network.  The process starts with
      some kind of Root of Trust that provides device identity and
      protected storage for measurements.  The mechanism performs a
      series of measurements, and expresses this with an attestation as
      to the hardware and firmware/software which is running.

   This is a general description for which there are many specific use
   cases, including [I-D.fedorkow-rats-network-device-attestation]
   section 1.2, "Software Inventory".

5.1.1.  Relying on a (third-party) Attestation Server

   Use case name:  Third Party Attestation Server

   Who will use it:  Network Operators

   Attestation type:  background check

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  network access control systems

   Claims used:  TBD

   Description:  The measurements from a heterogeneous network of
      devices are provided to device-specific attestation servers.  The
      attestation servers know what the "golden" measurements are, and
      perform the appropriate evaluations, resulting in attestations
      that the relying parties can depend upon.

5.1.2.  Autonomous Relying Party

   Use case name:  Autonomous

   Who will use it:  network operators

   Attestation type:  passport

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  peer systems

   Claims used:  TBD

   Description:  The signed measurements are sent to a relying party
      which must validate them directly.  They are not sent to a third
      party.  (It may do so with the help of a signed list of golden
      values, or some other process.)  The relying party needs to
      validate the signed statements directly.

   This may occur because the network is not connected, or even because
   it can not be connected until the equipment is validated.

5.1.3.  Proxy Root of Trust

   Use case name:  Proxy Root of Trust

   Who will use it:  network operators

   Attestation type:  passport

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  peer systems

   Claims used:  TBD

   Description:  A variety of devices provide measurements via their
      Root of Trust.  A proxy server collects these measurements, and
      (having applied a local policy) then creates a device-agnostic
      attestation.  The relying party can validate the claims in a
      standard format.
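   The two flow types named in Section 2.5 and instantiated in
   Sections 5.1.1 (background check, via an attestation server that holds
   the "golden" measurements) and 5.1.2 (passport), as an added
   illustration that is not part of the draft.  It uses the role names of
   the current RATS architecture: the device producing evidence is the
   Attester, the party that appraises evidence against golden values is
   the Verifier (the "Attester" / "Attestation Server" of the text above),
   and the Relying Party consumes the Attestation Result.  HMAC-SHA256
   over constructed keys stands in for the signatures a hardware root of
   trust and a Verifier would produce; device identifiers, firmware
   components and golden digests are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time


def _sign(key: bytes, obj: dict) -> str:
    # Stand-in for a signature: HMAC over canonical JSON (constructed keys).
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def _verify(key: bytes, obj: dict, tag: str) -> bool:
    return hmac.compare_digest(_sign(key, obj), tag)


def measure(components: dict) -> dict:
    """Hash each firmware/software component, as a root of trust would."""
    return {name: hashlib.sha256(blob).hexdigest()
            for name, blob in components.items()}


class Attester:
    """The device: produces Evidence signed by its (here constructed) key."""

    def __init__(self, device_id: str, key: bytes, components: dict):
        self.device_id, self.key, self.components = device_id, key, components

    def evidence(self, nonce: str) -> dict:
        claims = {"device_id": self.device_id, "nonce": nonce,
                  "measurements": measure(self.components)}
        return {"claims": claims, "sig": _sign(self.key, claims)}

    def get_passport(self, verifier, nonce: str) -> dict:
        # Passport flow: the Attester itself carries Evidence to the Verifier
        # and brings back the signed Attestation Result for the Relying Party.
        return verifier.appraise(self.evidence(nonce), nonce)


class Verifier:
    """Knows the device keys and the golden measurements; issues Results."""

    def __init__(self, key: bytes, device_keys: dict, golden: dict, ttl=300):
        self.key, self.device_keys, self.golden, self.ttl = key, device_keys, golden, ttl

    def appraise(self, evidence: dict, nonce: str) -> dict:
        claims = evidence["claims"]
        dev_key = self.device_keys.get(claims.get("device_id"))
        ok = (dev_key is not None
              and _verify(dev_key, claims, evidence["sig"])
              and claims["nonce"] == nonce
              and claims["measurements"] == self.golden)
        result = {"device_id": claims.get("device_id"), "nonce": nonce,
                  "status": "trusted" if ok else "untrusted",
                  "exp": int(time.time()) + self.ttl}
        return {"result": result, "sig": _sign(self.key, result)}


class RelyingParty:
    """Trusts only the Verifier's key; enforces single-use nonces and expiry."""

    def __init__(self, verifier_key: bytes):
        self.verifier_key = verifier_key
        self.outstanding = set()

    def fresh_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, attestation_result: dict, nonce: str) -> bool:
        if nonce not in self.outstanding:      # replayed or never issued
            return False
        self.outstanding.discard(nonce)        # each challenge is single-use
        r = attestation_result["result"]
        return (_verify(self.verifier_key, r, attestation_result["sig"])
                and r["nonce"] == nonce
                and r["exp"] >= int(time.time())
                and r["status"] == "trusted")


def passport_flow(rp, attester, verifier) -> bool:
    """RP sees only the signed Attestation Result, never the raw Evidence."""
    nonce = rp.fresh_nonce()
    return rp.accept(attester.get_passport(verifier, nonce), nonce)


def background_check_flow(rp, attester, verifier) -> bool:
    """RP receives Evidence from the device and asks the Verifier itself."""
    nonce = rp.fresh_nonce()
    evidence = attester.evidence(nonce)        # RP may inspect this
    return rp.accept(verifier.appraise(evidence, nonce), nonce)


# Constructed sample data: an approved firmware set and a tampered one.
GOOD = {"bootloader": b"bootloader-v2", "kernel": b"kernel-5.4"}
BAD = {"bootloader": b"bootloader-v2", "kernel": b"kernel-5.4-implant"}
DEV_KEY, VER_KEY = b"device-key-constructed", b"verifier-key-constructed"
GOLDEN = measure(GOOD)


def demo() -> dict:
    verifier = Verifier(VER_KEY, {"dev-1": DEV_KEY, "dev-2": DEV_KEY}, GOLDEN)
    rp = RelyingParty(VER_KEY)
    good, bad = Attester("dev-1", DEV_KEY, GOOD), Attester("dev-2", DEV_KEY, BAD)
    return {"passport_good": passport_flow(rp, good, verifier),
            "background_good": background_check_flow(rp, good, verifier),
            "passport_bad": passport_flow(rp, bad, verifier),
            "background_bad": background_check_flow(rp, bad, verifier)}


if __name__ == "__main__":
    print(demo())
```

   The only structural difference between the two flows is who talks to
   the Verifier: in the passport flow the Relying Party never sees the
   raw measurements, which is what makes the 5.1.2 "autonomous" case
   possible when the Verifier's signed result (or a signed golden list)
   can be checked offline.  In both flows the Relying Party must tie the
   result to a challenge it issued itself, otherwise a previously good
   result could be replayed after the device is compromised.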
5.1.4.  network scaling - small

   Use case name:  Network scaled - small

   Who will use it:  enterprises

   Attestation type:  background check

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  network equipment

   Claims used:  TBD

   Description:  An entire network of systems needs to be validated
      (such as all the desktops in an enterprise's building).  The
      infrastructure is in the control of a single operator and is
      already trusted.  The network can be partitioned so that machines
      that do not pass attestation can be quarantined.  A 1:1
      relationship between the device and the relying party can be used
      to maintain freshness of the attestation.

5.1.5.  network scaling - medium

   Use case name:  Network scaled - medium

   Who will use it:  larger enterprises, including network operators

   Attestation type:  passport

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  network equipment

   Claims used:  TBD

   Description:  An entire network of systems needs to be validated:
      such as all the desktops in an enterprise's building, or all the
      routers at an ISP.  The infrastructure is not necessarily trusted:
      it could be subverted, and it must also attest.  The devices may
      be under a variety of operators, and may be mutually suspicious:
      each device may therefore need to process attestations from every
      other device.  An NxM mesh of attestations may be untenable, but a
      system of N:1:M relationships can be set up via proxy
      attestations.

5.1.6.  network scaling - large

   Use case name:  Network scaled - medium

   Who will use it:  telco/LTE operators

   Attestation type:  passport

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  malware auditing systems

   Claims used:  TBD

   Description:  An entire network of systems needs to be continuously
      attested.  This could be all of the smartphones on an LTE network,
      or every desktop system in a worldwide enterprise.  The network
      operator wishes to do this in order to maintain identities of
      connected devices more than to validate correct firmware, but both
      situations are reasonable.

5.2.  Hardware resiliency / watchdogs

   Use case name:  Hardware watchdog

   Who will use it:  individual system designers

   Attestation type:  passport

   Attesting Party:  manufacturer of OS or hardware system

   Relying Party:  bootloader or service processor

   Claims used:  TBD

   Description:  One significant problem is malware that holds a device
      hostage and does not allow it to reboot, to prevent updates from
      being applied.  This is a significant problem, because it allows a
      fleet of devices to be held hostage for ransom.  Within CyRes the
      TCG is defining hardware Attention Triggers that force a periodic
      reboot in hardware.

   This can be implemented by forcing a reboot unless attestation to an
   Attestation Server succeeds within the interval, and having a reboot
   do remediation by bringing a device into compliance, including
   installation of patches as needed.

   This is unlike the previous section on Device Attestation in that the
   attestation comes from a network operator, as to the device's need to
   continue operating, and is evaluated by trusted firmware (the relying
   party), which resets a watchdog timer.

5.3.  IETF TEEP WG use case

   Use case name:  TAM validation

   Who will use it:  The TAM server

   Attestation type:  background check

   Attesting Party:  Trusted Execution Environment (TEE)

   Relying Party:  end-application

   Claims used:  TBD

   Description:  The "Trusted Application Manager (TAM)" server wants to
      verify the state of a TEE, or applications in the TEE, of a
      device.  The TEE attests to the TAM, which can then decide whether
      to install sensitive data in the TEE, or whether the TEE is out of
      compliance and the TAM needs to install updated code in the TEE to
      bring it back into compliance with the TAM's policy.

5.4.  Confidential Machine Learning (ML) model

   Use case name:  Machine Learning protection

   Who will use it:  Machine Learning systems

   Attestation type:  TBD

   Attesting Party:  hardware TEE

   Relying Party:  machine learning model owner

   Claims used:  TBD

   Description:  Microsoft talked about this category of use cases at
      the recent Microsoft //build conference.

   An example use case is where a device manufacturer wants to protect
   its intellectual property in terms of the ML model it developed and
   that runs in the devices that its customers purchased, and it wants
   to prevent attackers, potentially including the customer themselves,
   from seeing the details of the model.  This works by having some
   protected environment (e.g., a hardware TEE) in the device attest to
   some manufacturer's service; if attestation succeeds, then the
   manufacturer service releases the model, or a key to decrypt the
   model, to the requester.  If a hardware TEE is involved, then this
   use case overlaps with the TEEP use case.

5.5.  Critical infrastructure

   Use case name:  Critical Infrastructure

   Who will use it:  devices

   Attestation type:  TBD

   Attesting Party:  plant controller

   Relying Party:  actuator

   Claims used:  TBD

   Description:  When a protocol operation can affect some critical
      system, the device attached to the critical equipment wants some
      assurance that the requester has not been compromised.  As such,
      attestation can be used to only accept commands from requesters
      that are within policy.  Hardware attestation in particular,
      especially in conjunction with a TEE on the requester side, can
      provide protection against many types of malware.

5.5.1.  Computation characteristics

   Use case name:  Shared Block Chain Computational claims

   Who will use it:  Consortia of Computation systems

   Attestation type:  TBD

   Attesting Party:  computer system (physical or virtual)

   Relying Party:  other computer systems

   Claims used:  TBD

   Description:  A group of enterprises organized as a consortium seeks
      to deploy computing nodes as the basis of their shared blockchain
      system.  Each member of the consortium must forward an equal
      number of computing nodes to participate in the P2P network of
      nodes that form the basis of the blockchain system.  In order to
      prevent the various issues (e.g., concentration of hash power,
      anonymous mining nodes) found in other blockchain systems, each
      computing node must comply with a predefined allowable manifest of
      system hardware, software and firmware, as agreed to by the
      membership of the consortium.  Thus, a given computing node must
      be able to report the (pre-boot) configuration of its system and
      be able to report at any time the operational status of the
      various components that make up its system.

   The consortium seeks to have the following things attested: system
   configuration, group membership, and virtualization status.

   This is a peer-to-peer protocol so each device in the consortium is a
   relying party.  The attestation may be requested online by another
   entity within the consortium, but not by other parties.  The
   attestation needs to be compact and interoperable and may be included
   in the blockchain itself at the completion of the consensus
   algorithm.

   The attestation will need to start in a hardware RoT in order to
   validate whether the system is running on real hardware rather than
   in a virtual machine.
Virtualized multi-tenant hosts 577 Use case name: Multi-tenant hosts 579 Who will use it: Virtual machine systems 581 Attestation type: TBD 583 Attesting Party: virtual machine hypervisor 585 Relying Party: network operators 587 Claims used: TBD 589 Description: The host system will do verification as per 5.1. 591 The tenant virtual machines will do verification as per 5.1 593 The network operator wants to know if the system _as a whole_ is free 594 of malware, but the network operator is not allowed to know who the 595 tenants are. 597 This is contrasted to the Chassis + Line Cards case (To Be Defined: 598 TBD). 600 Multiple Line Cards, but a small attestation system on the main card 601 can combine things together. This is a kind of proxy. 603 5.7. Cryptographic Key Attestation 605 Use case name: Key Attestation 607 Who will use it: network authentication systems 609 Attestation type: TBD 611 Attesting Party: device platform 613 Relying Party: internet peers 615 Claims used: TBD 617 Description: The relying party wants to know how secure a private 618 key that identifies an entity is. Unlike the network attestation, 619 the relying party is not part of the network infrastructure, nor 620 do they necessarily have a business relationship (such as 621 ownership) over the end device. 623 5.7.1. Device Type Attestation 625 Use case name: Device Type Attestation 627 Who will use it: mobile platforms 629 Attestation type: TBD 631 Attesting Party: device platform 633 Relying Party: internet peers 635 Claims used: TBD 637 Description: This use case convinces the relying party of the 638 characteristics of a device. For privacy reasons, it might not 639 identify the actual device itself, but rather the class of device. 
640 The relying party can understand from either in-band (claims) or 641 out-of-band (model numbers, which may be expressed as a claim) 642 whether the device has trustworthy features such as a hardware 643 TPM, software TPM via TEE, or software TPM without TEE. Other 644 details such as the availability of finger-print readers or HDMI 645 outputs may also be inferred. 647 5.7.2. Key storage attestation 649 Use case name: Key storage Attestation 651 Who will use it: secure key storage subsystems 653 Attestation type: TBD 655 Attesting Party: device platform 657 Relying Party: internet peers 659 Claims used: TBD 661 Description: This use case convinces the relying party only about 662 the provenance of a private key by providing claims of the storage 663 security of the private key. This can be conceived as a subset of 664 the previous case, but may be apply very specifically to just a 665 keystore. Additional details associated with the private key may 666 be provided as well, including limitations on usage of the key. 668 Key storage attestations may be consumed by systems provisioning 669 public key certificates for devices or human users. In these cases, 670 attestations may be incorporated into certificate request protocols 671 (e.g., EST {#rfc7030}, CMP {#rfc4210}, ACME {#rfc8555}, SCEP 672 [I-D.gutmann-scep], etc.) and processed by registration authorities 673 or certification authorities prior to determining contents for any 674 issued certificate. 676 5.7.3. End user authorization 678 Use case name: End User authorization 680 Who will use it: authorization systems 682 Attestation type: TBD 684 Attesting Party: device platform 686 Relying Party: internet peers 688 Claims used: TBD 690 Description: This use case convinces the relying party that the 691 digital signatures made by the indicated key pair were done with 692 the approval of the end-user operator. 
This may also be 693 considered possible subset of the device attestation above, but 694 the attestation may be on a case-by-case basis. The nature of the 695 approval by the end-user would be indicated. Examples include: 696 the user unlocked the device, the user viewed some message and 697 acknowledge it inside an app, the message was displayed to the 698 user via out-of-app control mechanism. The acknowledgements could 699 include selecting options on the screen, pushing physical buttons, 700 scanning fingerprints, proximity to other devices (via bluetooth 701 beacons, chargers, etc) 703 5.8. Geographic attestation 705 Use case name: Location attestation 707 Who will use it: geo-fenced systems 709 Attestation type: passport (probably) 711 Attesting Party: secure GPS system(s) 713 Relying Party: internet peers 715 Claims used: TBD 717 Description: The relying party wants to know the physical location 718 (on the planet earth) of the device. This may be provided 719 directly by a GPS/GLONASS/Galileo module that is incorporated into 720 a TPM. This may also be provided by collecting other proximity 721 messages from other device that the relying party can form a trust 722 relationship with. 724 5.8.1. I am here 726 The simplest use case is the claim of some specific coordinates. 728 5.8.2. I am near 730 The second use case is the claim that some other devices are nearby. 731 This may be absolute ("I am near device X, which claims to be at 732 location A"), or just relative, ("I am near device X"). This use 733 could use "I am here" or "I am near" claims from a 1:1 basis with 734 device X, or use some other protocol. The nature of how the 735 proximity was established would be part of this claim. In order to 736 defeat a variety of mechanisms that might attempt to proxy 737 ("wormhole") radio communications, highly precise clocks may be 738 required, and there may also have to be attestations as to the 739 precision of those clocks. 
741 An additional example of being near would be for the case where two 742 smartphones can establish that they are together by recording a 743 common random movement, such as both devices being shaken together. 744 Each device may validate the claim from the other (in a disconnected 745 fashion), or a third party may validate the claim as the relying 746 party. 748 This could be used to establish that a medical professional was in 749 proximity of a patient with implanted devices who needs help. 751 5.8.3. You are here 753 A third way to establish location is for a third party to communicate 754 directly with the relying party. The nature of how this trust is 755 established (and whether it is done recursively) is outside of the 756 scope here. What is critical is that the identity of "You" can be 757 communicated through the third party in a way that the relying party 758 can use, but other intermediaries can not view. 760 5.9. Connectivity attestation 762 Use case name: Connectivity attestation 764 Who will use it: entertainment systems 766 Attestation type: TBD 767 Attesting Party: hardware-manufacturer/TEE 769 Relying Party: connected peer 771 Claims used: TBD 773 Description: The relying party wants to know what devices are 774 connected. A typical situation would be a media owner needing to 775 know what TV device is connected via HDMI and if High-bandwidth 776 Digital Content Protection (HDCP) is intact. 778 5.10. Component connectivity attestation 780 Use case name: Component connectivity 782 Who will use it: chassis systems with pluggable components 784 Attestation type: background check 786 Attesting Party: line card 788 Relying Party: management/control plane software 790 Claims used: TBD 792 Description: A management controller or similar hardware component 793 wants to know what peripherals, rack scale device or other 794 dynamically configurable components are currently attached to the 795 platform that is under management controller control. 
   The management controller may serve as attestation verifier over a local bus or backplane, but may also aggregate local attestation results and act as a platform attester to a remote verifier.

5.11.  Device provenance attestation

   Use case name: RIV - Device Provenance

   Who will use it: Industrial IoT devices

   Attestation type: passport

   Attesting Party: network management station

   Relying Party: a network entity

   Claims used: TBD

   Description: A newly manufactured device needs to be onboarded into a network where many if not all device management duties are performed by the network owner.  The device owner wants to verify the device originated from a legitimate vendor.  A cryptographic device identity such as an IEEE 802.1AR IDevID is embedded during manufacturing and a certificate identifying the device is delivered to the owner onboarding agent.  The device authenticates using its 802.1AR IDevID to prove it originated from the expected vendor.

   The device chain of custody from the original device manufacturer to the new owner may also be verified as part of device provenance attestation.  The chain of custody history may be collected by a cloud service or similar capability that the supply chain and owner agree to use.

   [I-D.fedorkow-rats-network-device-attestation] section 1.2 refers to this as "Provable Device Identity", and section 2.3 details the parties.

6.  Technology users for RATS

6.1.  Trusted Computing Group Remote Integrity Verification (TCG-RIV)

   The TCG RIV Reference Document addresses the problem of knowing if a networking device should be part of a network, if it belongs to the operator, and if it is running appropriate software.  The work covers most of the use cases in Section 5.1.

   This proposal is available as [I-D.fedorkow-rats-network-device-attestation].  The goal is to be multi-vendor, scalable and extensible.
   The proposal intentionally limits itself to:

   o  "non-privacy-preserving applications (i.e., networking, Industrial IoT)",

   o  the firmware is provided by the device manufacturer

   o  there is a manufacturer installed hardware root of trust (such as a TPM and boot ROM)

   Service providers and enterprises deploy hundreds of routers, many of them in remote locations where they're difficult to access or secure.  The point of remote attestation is to:

   o  identify a remote box in a way that's hard to spoof

   o  report the inventory of software that was launched on the box in a way that cannot be spoofed, that is, undetectably altered by a "Lying Endpoint"

   The use case described is to be able to monitor the authenticity of software versions and configurations running on each device.  This allows owners and auditors to detect deviation from approved software and firmware versions and configurations, potentially identifying infected devices.  [RFC5209]

   Attestation may be performed by network management systems.  Networking equipment is often highly interconnected, so it's also possible that attestation could be performed by neighboring devices.

   Specifically listed as out of scope for the first generation are: Linux processes, composite assemblies of hardware/software created by end-customers, and equipment that uses Sleep or Hibernate modes.  There is an intention to cover some of these topics in future versions of the documents.

   The TCG-RIV Attestation leverages the TPM to make a series of measurements during the boot process, and to have the TPM sign those measurements.  The resulting "PCR" hashes are then available to an external verifier.
   A critical component of the RIV is compatibility with existing TPM practice for attestation procedures, as spelled out in the TCG TAP Informational Model [tapinfomodel] and TPM architecture specifications [tpmarchspec].

   The TCG uses the following terminology:

   o  Device Manufacturer

   o  Attester ("device under attestation")

   o  Verifier (Network Management Station)

   o  "Explicit Attestation" is the TCG term for a static (platform) attestation

   o  "Implicit Attestation" is the TCG term for a session attestation

   o  Reference Integrity Measurements (RIM), which are signed by the device manufacturer and integrated into firmware.

   o  Quotes: measured values (having been signed), and RIMs

   o  Reference Integrity Values (RIV)

   o  devices have an Initial Attestation Key (IAK), which is provisioned at the same time as the IDevID [ieee802-1AR]

   o  PCR - Platform Configuration Register (deals with hash chains)

   The TCG document builds upon a number of IETF technologies: SNMP (Attestation MIB), YANG, XML, JSON, CBOR, NETCONF, RESTCONF, CoAP, TLS and SSH.  The TCG document leverages the 802.1AR IDevID and LDevID processes.

6.2.  Android Keystore system

   [keystore] describes a system used in smart phones that run the Android operating system.  The system is primarily a software container to contain and control access to cryptographic keys, and therefore provides many of the same functions that a hardware Trusted Platform Module might provide.

   The uses described in Section 5.7 are the primary focus.

   On supported hardware, the Android Keystore will make use of whatever trusted hardware is available, including use of a Trusted Execution Environment (TEE) or Secure Element (SE).  The Keystore therefore abstracts the hardware, and guarantees to applications that the same APIs can be used on both more and less capable devices.
   A great deal of focus from the Android Keystore seems to be on providing fine-grained authorization of what keys can be used by which applications.

   XXX - clearly there must be additional (intended?) use cases that provide some kind of attestation.

   Android 9 on Pixel 2 and 3 can provide protected confirmation messages.  This uses hardware access from the TPM/TEE to display a message directly to the user, and receives confirmation directly from the user.  A hash of the contents of the message can be provided in an attestation that the device provides.

   In addition, the Android Keystore provides attestation information about itself for use by FIDO.

   QUOTE: Finally, the Verified Boot state is included in key attestation certificates (provided by Keymaster/Strongbox) in the deviceLocked and verifiedBootState fields, which can be verified by apps as well as passed onto backend services to remotely verify boot integrity

6.3.  Fast IDentity Online (FIDO) Alliance

   The FIDO Alliance [fido] has a number of specifications aimed primarily at eliminating the need for passwords for authentication to online services.  The goal is to leverage asymmetric cryptographic operations in common browser and smart-phone platforms so that users can easily authenticate.

   The use cases of Section 5.7 are primary.

   FIDO specifications extend to various hardware second factor authentication devices.

   Terminology includes:

   o  "relying party" validates a claim

   o  "relying party application" makes FIDO Authn calls

   o  "browser" provides the Web Authentication JS API

   o  "platform" is the base system

   o  "internal authenticator" is some credential built-in to the device

   o  "external authenticator" may be connected by USB, bluetooth, wifi, and may be a stand-alone device, USB connected key, phone or watch.
   FIDO2 had a Key Attestation Format [fidoattestation] and a Signature Format [fidosignature], but these have been combined into the W3C document [fido_w3c] specification.

   A FIDO use case involves the relying party receiving a device attestation about the biometric system that performs the identification of the human.  It is the state of the biometric system that is being attested to, not the identity of the human!

   FIDO does provide a transport in the form of the WebAuthn and FIDO CTAP protocols.

   According to [fidotechnote], FIDO uses attestation to make claims about the kind of device which is being used to enroll.  Keypairs are generated on a per-device _model_ basis, with a certificate having a trust chain that leads back to a well-known root certificate.  It is expected that as many as 100,000 devices in a production run would have the same public and private key pair.  One assumes that this is stored in a tamper-proof TPM so it is relatively difficult to get this key out.  The use of this key attests to the device type, and the kind of protections for keys that the relying party may assume, not to the identity of the end user.

7.  Examples of Existing Attestation Formats.

   This section provides examples of some existing attestation formats.

7.1.  Android Keystore

   Android Keystore attestations take the form of X.509 certificates.  The examples below package the attestation certificate along with intermediate CA certificates required to validate the attestation as a certificates-only SignedData message [RFC5652].  The trust anchor is available here: [keystore_attestation].

   The attestations below were generated using the generateKeyPair method from the DevicePolicyManager class using code similar to the following.
   KeyGenParameterSpec.Builder builder = null;
   if (hasStrongBox) {
       // StrongBox-backed keys: the narrower set of digests and block modes
       // that the secure element supports.
       builder = new KeyGenParameterSpec.Builder(
           m_alias,
           KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY |
           KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
           .setKeySize(2048)
           .setDigests(KeyProperties.DIGEST_NONE, KeyProperties.DIGEST_SHA256)
           .setBlockModes(KeyProperties.BLOCK_MODE_CBC, KeyProperties.BLOCK_MODE_GCM)
           .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1,
                                  KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
           .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS,
                                 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
           .setUserAuthenticationRequired(false)
           .setIsStrongBoxBacked(true)
           .setUnlockedDeviceRequired(true);
   } else {
       // TEE-backed keys.
       builder = new KeyGenParameterSpec.Builder(
           m_alias,
           KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY |
           KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
           .setKeySize(2048)
           .setDigests(KeyProperties.DIGEST_NONE, KeyProperties.DIGEST_SHA256,
                       KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA512)
           .setBlockModes(KeyProperties.BLOCK_MODE_CBC, KeyProperties.BLOCK_MODE_CTR,
                          KeyProperties.BLOCK_MODE_GCM)
           .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1,
                                  KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
           .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS,
                                 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
           .setUserAuthenticationRequired(false)
           .setIsStrongBoxBacked(false)
           .setUnlockedDeviceRequired(true);
   }
   // The challenge binds the attestation to this request; it appears as the
   // attestationChallenge field of the attestation extension below.
   builder.setAttestationChallenge(challenge_bytes);

   KeyGenParameterSpec keySpec = builder.build();
   AttestedKeyPair akp = dpm.generateKeyPair(componentName, algorithm, keySpec, idAttestationFlags);

7.1.1.  TEE

   Annotations included below are delimited by ASN.1 comments, i.e., "--".  Annotations should be consistent with structures described here: [keystore_attestation].
0 1172: SEQUENCE {
4 764:   SEQUENCE {
8 3:     [0] {
10 1:       INTEGER 2
:       }
13 1:     INTEGER 1
16 13:     SEQUENCE {
18 9:       OBJECT IDENTIFIER
:       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
29 0:       NULL
:       }
31 27:     SEQUENCE {
33 25:       SET {
35 23:         SEQUENCE {
37 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
42 16:           PrintableString 'c6047571d8f0d17c'
:           }
:         }
:       }
60 32:     SEQUENCE {
62 13:       UTCTime 01/01/1970 00:00:00 GMT
77 15:       GeneralizedTime 07/02/2106 06:28:15 GMT
:       }
94 31:     SEQUENCE {
96 29:       SET {
98 27:         SEQUENCE {
100 3:           OBJECT IDENTIFIER commonName (2 5 4 3)
105 20:           UTF8String 'Android Keystore Key'
:           }
:         }
:       }
127 290:     SEQUENCE {
131 13:       SEQUENCE {
133 9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
144 0:         NULL
:         }
146 271:       BIT STRING, encapsulates {
151 266:         SEQUENCE {
155 257:           INTEGER
:           00 B5 3A 83 61 A2 85 CC D2 D6 25 7F 07 0B B4 A0
:           F6 FE 05 01 C9 55 CB 0D 18 D2 C6 79 BA 82 12 67
:           75 8D 5B F3 24 D3 F8 EA 99 82 7D 1F 5E CD 77 D6
:           99 11 13 FF 18 C9 3D 4D 01 C5 8E E9 04 E7 17 E2
:           88 12 2B B9 A1 77 2F C2 4F 57 78 98 4E E3 DE 7A
:           1B 18 BE D3 ED C9 59 A0 24 50 E1 FA AC 81 B6 DA
:           80 B0 BD 48 AD 26 9C 4A 4E CE 54 17 58 C1 F4 F8
:           7F 3C 5D 8F C8 2C 2A 7B 18 95 B3 D4 E0 3A C8 9D
:           [ Another 129 bytes skipped ]
416 3:           INTEGER 65537
:           }
:         }
:       }
421 347:     [3] {
425 343:       SEQUENCE {
429 14:         SEQUENCE {
431 3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
436 1:           BOOLEAN TRUE
439 4:           OCTET STRING, encapsulates {
441 2:             BIT STRING 4 unused bits
:             '1100'B
:             }
:           }
445 323:         SEQUENCE {
449 10:           OBJECT IDENTIFIER '1 3 6 1 4 1 11129 2 1 17'
461 307:           OCTET STRING, encapsulates { -- Attestation Extension
465 303:             SEQUENCE { -- KeyDescription
469 1:               INTEGER 2 -- attestationVersion (KM3)
472 1:               ENUMERATED 1 -- attestationSecurityLevel (TrustedEnv.)
475 1:               INTEGER 3 -- keymasterVersion
478 1:               ENUMERATED 1 -- keymasterSecurityLevel (TrustedEnv.)
481 9:               OCTET STRING 'challenge' -- attestationChallenge
492 0:               OCTET STRING -- reserved
:               Error: Object has zero length.
494 44:               SEQUENCE { -- softwareEnforced
496 8:                 [701] { -- creationDateTime
500 6:                   INTEGER 01 64 47 2A 4B 64
:                   }
508 28:                 [709] { -- attestationApplicationId
512 26:                   OCTET STRING, encapsulates {
514 24:                     SEQUENCE { -- AttestationApplicationId
516 20:                       SET { -- package_infos
518 18:                         SEQUENCE { -- AttestationPackageInfo
520 13:                           OCTET STRING 'AndroidSystem' -- package_name
535 1:                           INTEGER 1 -- version
:                           }
:                         }
538 0:                       SET {} -- signature_digests
:                       }
:                     }
:                   }
:                 }
540 229:               SEQUENCE { -- hardwareEnforced
543 14:                 [1] { -- purpose
545 12:                   SET {
547 1:                     INTEGER 0 -- KeyPurpose.ENCRYPT
550 1:                     INTEGER 1 -- KeyPurpose.DECRYPT
553 1:                     INTEGER 2 -- KeyPurpose.SIGN
556 1:                     INTEGER 3 -- KeyPurpose.VERIFY
:                     }
:                   }
559 3:                 [2] { -- algorithm
561 1:                   INTEGER 1 -- Algorithm.RSA
:                   }
564 4:                 [3] { -- keySize
566 2:                   INTEGER 2048
:                   }
570 11:                 [5] { -- digest
572 9:                   SET {
574 1:                     INTEGER 4 -- Digest.SHA256
577 1:                     INTEGER 5 -- Digest.SHA384
580 1:                     INTEGER 6 -- Digest.SHA512
:                     }
:                   }
583 14:                 [6] { -- padding
585 12:                   SET {
587 1:                     INTEGER 4 -- PaddingMode.RSA_PKCS1_1_5_ENCRYPT
590 1:                     INTEGER 2 -- PaddingMode.RSA_OAEP
593 1:                     INTEGER 3 -- PaddingMode.RSA_PKCS1_1_5_SIGN
596 1:                     INTEGER 5 -- PaddingMode.RSA_PSS
:                     }
:                   }
599 5:                 [200] { -- rsaPublicExponent
603 3:                   INTEGER 65537
:                   }
608 2:                 [503] { -- noAuthRequired
612 0:                   NULL -- documentation indicates this is a Boolean
:                   }
614 3:                 [702] { -- origin
618 1:                   INTEGER 0 -- KeyOrigin.GENERATED
:                   }
621 2:                 [703] { -- rollbackResistant
625 0:                   NULL -- documentation indicates this is a Boolean
:                   }
627 42:                 [704] { -- rootOfTrust
631 40:                   SEQUENCE { -- verifiedBootKey
633 32:                     OCTET STRING
:                     19 62 B0 53 85 79 FF CE 9A C9 F5 07 C4 6A FE 3B
:                     92 05 5B AC 71 46 46 22 83 C8 5C 50 0B E7 8D 82
667 1:                     BOOLEAN TRUE -- deviceLocked
670 1:                     ENUMERATED 0 -- verifiedBootState (verified)
:                     }
:                   }
673 5:                 [705] { -- osVersion
677 3:                   INTEGER 90000 -- Android P
:                   }
682 5:                 [706] { -- osPatchLevel
686 3:                   INTEGER 201806 -- June 2018
:                   }
691 8:                 [710] { -- attestationIdBrand
695 6:                   OCTET STRING 'google'
:                   }
703 9:                 [711] { -- attestationIdDevice
707 7:                   OCTET STRING 'walleye'
:                   }
716 9:                 [712] { -- attestationIdProduct
720 7:                   OCTET STRING 'walleye'
:                   }
729 14:                 [713] { -- attestationIdSerial
733 12:                   OCTET STRING 'HT83K1A03849'
:                   }
747 8:                 [716] { -- attestationIdManufacturer
751 6:                   OCTET STRING 'Google'
:                   }
759 9:                 [717] { -- attestationIdModel
763 7:                   OCTET STRING 'Pixel 2'
:                   }
:                 }
:               }
:             }
:           }
:         }
:       }
:     }
772 13:   SEQUENCE {
774 9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
785 0:     NULL
:     }
787 385:   BIT STRING
:   05 41 B9 13 11 53 93 A2 02 62 1F 15 35 8E D9 7C
:   A1 D5 2E ED 13 AC 24 26 B2 A1 2F EE B4 0C 4D 71
:   DC 9F 55 EC A1 F6 64 62 F2 73 A8 7E FC 48 63 29
:   1E F5 0D 48 F3 73 43 0C 00 E0 D4 07 86 A6 A4 38
:   0E A8 47 0F 27 01 01 31 52 F6 62 8A 4B 80 BE 72
:   FB 02 E7 56 84 CA CA 4D C3 6C 7C B2 BA C7 D7 9B
:   C5 9D 90 65 4E F5 54 8F 25 CC 11 7F 8E 77 10 6A
:   6E 9F 80 89 48 8B 1D 51 AA 3B B7 C5 24 3C 28 B1
:   [ Another 256 bytes skipped ]
: }

0 1304: SEQUENCE {
4 768:   SEQUENCE {
8 3:     [0] {
10 1:       INTEGER 2
:       }
13 10:     INTEGER 10 34 53 32 94 08 68 79 38 72
25 13:     SEQUENCE {
27 9:       OBJECT IDENTIFIER
:       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
38 0:       NULL
:       }
40 27:     SEQUENCE {
42 25:       SET {
44 23:         SEQUENCE {
46 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
51 16:           PrintableString '87f4514475ba0a2b'
:           }
:         }
:       }
69 30:     SEQUENCE {
71 13:       UTCTime 26/05/2016 17:14:51 GMT
86 13:       UTCTime 24/05/2026 17:14:51 GMT
:       }
101 27:     SEQUENCE {
103 25:       SET {
105 23:         SEQUENCE {
107 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
112 16:           PrintableString 'c6047571d8f0d17c'
:           }
:         }
:       }
130 418:     SEQUENCE {
134 13:       SEQUENCE {
136 9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
147 0:         NULL
:         }
149 399:       BIT STRING, encapsulates {
154 394:         SEQUENCE {
158 385:           INTEGER
:           00 B3 01 0D 78 BC 06 33 25 CA D6 A7 2C EF 49 05
:           4C C1 77 36 F2 E5 7B E8 4C 0A 87 8F 77 6A 09 45
:           9B AC E8 72 DA E2 0E 20 3D 68 30 A5 86 26 14 77
:           AD 7E 93 F5 1D 38 A9 DB 5B FE B2 B8 1A 7B CD 22
:           3B 17 98 FC 1F 4F 77 2D 92 E9 DE 5F 6B 02 09 4E
:           99 86 53 98 1C 5E 23 B6 A4 61 53 A5 FB D1 37 09
:           DB C0 0A 40 E9 28 E6 BE E2 8E 57 94 A9 F2 13 3A
:           11 40 D2 34 99 A6 B4 F3 99 F2 5D 4A 5D 6A 6C 4B
:           [ Another 257 bytes skipped ]
547 3:           INTEGER 65537
:           }
:         }
:       }
552 221:     [3] {
555 218:       SEQUENCE {
558 29:         SEQUENCE {
560 3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
565 22:           OCTET STRING, encapsulates {
567 20:             OCTET STRING
:             7B 7B F8 43 CA 1F 0F 96 27 0F 10 6F 7D 0C 23 14
:             72 8F 1D 80
:             }
:           }
589 31:         SEQUENCE {
591 3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
596 24:           OCTET STRING, encapsulates {
598 22:             SEQUENCE {
600 20:               [0]
:               0E 55 6F 46 F5 3B 77 67 E1 B9 73 DC 55 E6 AE EA
:               B4 FD 27 DD
:               }
:             }
:           }
622 12:         SEQUENCE {
624 3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
629 1:           BOOLEAN TRUE
632 2:           OCTET STRING, encapsulates {
634 0:             SEQUENCE {}
:             }
:           }
636 14:         SEQUENCE {
638 3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
643 1:           BOOLEAN TRUE
646 4:           OCTET STRING, encapsulates {
648 2:             BIT STRING 7 unused bits
:             '1'B (bit 0)
:             }
:           }
652 36:         SEQUENCE {
654 3:           OBJECT IDENTIFIER nameConstraints (2 5 29 30)
659 29:           OCTET STRING, encapsulates {
661 27:             SEQUENCE {
663 25:               [0] {
665 23:                 SEQUENCE {
667 21:                   [2] 'invalid;email:invalid'
:                   }
:                 }
:               }
:             }
:           }
690 84:         SEQUENCE {
692 3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
697 77:           OCTET STRING, encapsulates {
699 75:             SEQUENCE {
701 73:               SEQUENCE {
703 71:                 [0] {
705 69:                   [0] {
707 67:                     [6]
:                     'https://android.googleapis.com/attestation/crl/1'
:                     '0345332940868793872'
:                     }
:                   }
:                 }
:               }
:             }
:           }
:         }
:       }
:     }
776 13:   SEQUENCE {
778 9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
789 0:     NULL
:     }
791 513:   BIT STRING
:   69 13 A7 56 B3 9F E1 2B CE A2 09 89 E5 DC 03 B4
:   B6 FF F6 1E 96 C7 62 C2 31 D1 B3 D6 1A 9E 36 CF
:   C2 FC 0E 06 FA 0E CF B5 2D F8 19 D6 13 96 0B 56
:   B0 EE 86 3B B1 B8 38 70 4E 57 EB D9 60 DC 58 74
:   FE C8 EB A5 78 9F B7 19 5C F0 80 CF 29 16 6B 04
:   3A 5D 7C 2E 5F 11 12 36 BE 46 29 45 04 41 8F B5
:   AB C6 31 5F 23 28 0C F2 7C 48 4A F6 43 AA 50 D0
:   53 96 1E AD 7C A3 89 96 BB 8B BF 2D 9A 0C 16 35
:   [ Another 384 bytes skipped ]
: }

0 1393: SEQUENCE {
4 857:   SEQUENCE {
8 3:     [0] {
10 1:       INTEGER 2
:       }
13 10:     INTEGER 03 88 26 67 60 65 89 96 85 74
25 13:     SEQUENCE {
27 9:       OBJECT IDENTIFIER
:       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
38 0:       NULL
:       }
40 27:     SEQUENCE {
42 25:       SET {
44 23:         SEQUENCE {
46 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
51 16:           PrintableString 'f92009e853b6b045'
:           }
:         }
:       }
69 30:     SEQUENCE {
71 13:       UTCTime 26/05/2016 17:01:32 GMT
86 13:       UTCTime 24/05/2026 17:01:32 GMT
:       }
101 27:     SEQUENCE {
103 25:       SET {
105 23:         SEQUENCE {
107 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
112 16:           PrintableString '87f4514475ba0a2b'
:           }
:         }
:       }
130 546:     SEQUENCE {
134 13:       SEQUENCE {
136 9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
147 0:         NULL
:         }
149 527:       BIT STRING, encapsulates {
154 522:         SEQUENCE {
158 513:           INTEGER
:           00 D2 60 D6 45 85 E3 E2 23 79 5A DA 45 57 A7 D8
:           5B AF BD 9A 37 CB FA 97 C0 65 44 9D 3A C6 47 F6
:           0D 0B A2 74 12 CA F7 4B B9 5F FB B4 EC 5A 2B D0
:           16 01 DE BE E2 FE D2 76 0D 75 C4 B1 6A CB 3A 67
:           07 21 E0 D5 19 68 C8 1B 01 A2 24 02 FE AD 40 D6
:           A7 98 16 0F A2 98 2E A7 AD 75 34 84 6F F8 CF 8A
:           A1 0E 90 33 40 9E D0 86 26 57 71 CE FF CF 52 E1
:           F0 F9 2B 7E 68 62 03 D8 FD FD 02 53 03 19 AC 28
:           [ Another 385 bytes skipped ]
675 3:           INTEGER 65537
:           }
:         }
:       }
680 182:     [3] {
683 179:       SEQUENCE {
686 29:         SEQUENCE {
688 3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
693 22:           OCTET STRING, encapsulates {
695 20:             OCTET STRING
:             0E 55 6F 46 F5 3B 77 67 E1 B9 73 DC 55 E6 AE EA
:             B4 FD 27 DD
:             }
:           }
717 31:         SEQUENCE {
719 3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
724 24:           OCTET STRING, encapsulates {
726 22:             SEQUENCE {
728 20:               [0]
:               36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C
:               C9 EA 4F 12
:               }
:             }
:           }
750 15:         SEQUENCE {
752 3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
757 1:           BOOLEAN TRUE
760 5:           OCTET STRING, encapsulates {
762 3:             SEQUENCE {
764 1:               BOOLEAN TRUE
:               }
:             }
:           }
767 14:         SEQUENCE {
769 3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
774 1:           BOOLEAN TRUE
777 4:           OCTET STRING, encapsulates {
779 2:             BIT STRING 1 unused bit
:             '1100001'B
:             }
:           }
783 80:         SEQUENCE {
785 3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
790 73:           OCTET STRING, encapsulates {
792 71:             SEQUENCE {
794 69:               SEQUENCE {
796 67:                 [0] {
798 65:                   [0] {
800 63:                     [6]
:                     'https://android.googleapis.com/attestation/crl/E'
:                     '8FA196314D2FA18'
:                     }
:                   }
:                 }
:               }
:             }
:           }
:         }
:       }
:     }
865 13:   SEQUENCE {
867 9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
878 0:     NULL
:     }
880 513:   BIT STRING
:   0E 0D 71 4A 88 0A 58 53 B6 31 14 7D DA 22 31 C6
:   06 D6 EF 3B 22 4D D7 A5 C0 3F BF C6 B4 64 A3 FB
:   92 C2 CC 67 F4 6C 24 25 49 6E F6 CB 08 D6 A8 0D
:   94 06 7F 8C 8C 3C B1 77 CD C2 3F C7 5E A3 85 6D
:   F7 A5 94 13 CD 5A 5C F3 9B 0A 0D E1 82 42 F4 C9
:   3F AD FC FB 7C AA 27 04 CC 1C 12 45 15 EB E6 70
:   A0 6C DE 77 77 54 9B 1F 02 05 76 03 A4 FC 6C 07
:   F4 CB BB 59 F5 CB ED 58 D8 30 9B 6E 3C F7 76 C1
:   [ Another 384 bytes skipped ]
: }

0 1376: SEQUENCE {
4 840:   SEQUENCE {
8 3:     [0] {
10 1:       INTEGER 2
:       }
13 9:     INTEGER 00 E8 FA 19 63 14 D2 FA 18
24 13:     SEQUENCE {
26 9:       OBJECT IDENTIFIER
:       sha256WithRSAEncryption (1 2 840 113549 1 1 11)
37 0:       NULL
:       }
39 27:     SEQUENCE {
41 25:       SET {
43 23:         SEQUENCE {
45 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
50 16:           PrintableString 'f92009e853b6b045'
:           }
:         }
:       }
68 30:     SEQUENCE {
70 13:       UTCTime 26/05/2016 16:28:52 GMT
85 13:       UTCTime 24/05/2026 16:28:52 GMT
:       }
100 27:     SEQUENCE {
102 25:       SET {
104 23:         SEQUENCE {
106 3:           OBJECT IDENTIFIER serialNumber (2 5 4 5)
111 16:           PrintableString 'f92009e853b6b045'
:           }
:         }
:       }
129 546:     SEQUENCE {
133 13:       SEQUENCE {
135 9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
146 0:         NULL
:         }
148 527:       BIT STRING, encapsulates {
153 522:         SEQUENCE {
157 513:           INTEGER
:           00 AF B6 C7 82 2B B1 A7 01 EC 2B B4 2E 8B CC 54
:           16 63 AB EF 98 2F 32 C7 7F 75 31 03 0C 97 52 4B
:           1B 5F E8 09 FB C7 2A A9 45 1F 74 3C BD 9A 6F 13
:           35 74 4A A5 5E 77 F6 B6 AC 35 35 EE 17 C2 5E 63
:           95 17 DD 9C 92 E6 37 4A 53 CB FE 25 8F 8F FB B6
:           FD 12 93 78 A2 2A 4C A9 9C 45 2D 47 A5 9F 32 01
:           F4 41 97 CA 1C CD 7E 76 2F B2 F5 31 51 B6 FE B2
:           FF FD 2B 6F E4 FE 5B C6 BD 9E C3 4B FE 08 23 9D
:           [ Another 385 bytes skipped ]
674 3:           INTEGER 65537
:           }
:         }
:       }
679 166:     [3] {
682 163:       SEQUENCE {
685 29:         SEQUENCE {
687 3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
692 22:           OCTET STRING, encapsulates {
694 20:             OCTET STRING
:             36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C
:             C9 EA 4F 12
:             }
:           }
716 31:         SEQUENCE {
718 3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
723 24:           OCTET STRING, encapsulates {
725 22:             SEQUENCE {
727 20:               [0]
:               36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C
:               C9 EA 4F 12
:               }
:             }
:           }
749 15:         SEQUENCE {
751 3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
756 1:           BOOLEAN TRUE
759 5:           OCTET STRING, encapsulates {
761 3:             SEQUENCE {
763 1:               BOOLEAN TRUE
:               }
:             }
:           }
766 14:         SEQUENCE {
768 3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
773 1:           BOOLEAN TRUE
776 4:           OCTET STRING, encapsulates {
778 2:             BIT STRING 1 unused bit
:             '1100001'B
:             }
:           }
782 64:         SEQUENCE {
784 3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
789 57:           OCTET STRING, encapsulates {
791 55:             SEQUENCE {
793 53:               SEQUENCE {
795 51:                 [0] {
797 49:                   [0] {
799 47:                     [6]
:                     'https://android.googleapis.com/attestation/crl/'
:                     }
:                   }
:                 }
:               }
:             }
:           }
:         }
:       }
:     }
848 13:   SEQUENCE {
850 9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
861 0:     NULL
:     }
863 513:   BIT STRING
:   20 C8 C3 8D 4B DC A9 57 1B 46 8C 89 2F FF 72 AA
:   C6 F8 44 A1 1D 41 A8 F0 73 6C C3 7D 16 D6 42 6D
:   8E 7E 94 07 04 4C EA 39 E6 8B 07 C1 3D BF 15 03
:   DD 5C 85 BD AF B2 C0 2D 5F 6C DB 4E FA 81 27 DF
:   8B 04 F1 82 77 0F C4 E7 74 5B 7F CE AA 87 12 9A
:   88 01 CE 8E 9B C0 CB 96 37 9B 4D 26 A8 2D 30 FD
:   9C 2F 8E ED 6D C1 BE 2F 84 B6 89 E4 D9 14 25 8B
:   14 4B BA E6 24 A1 C7 06 71 13 2E 2F 06 16 A8 84
:   [ Another 384 bytes skipped ]
: }

7.1.2.  Secure Element

   The structures below are annotated only where they differ from the TEE structure shown above, i.e., where the difference is specific to the artifacts emitted by StrongBox.
0 5143: SEQUENCE {
4 9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 5128:   [0] {
19 5124:     SEQUENCE {
23 1:       INTEGER 1
26 0:       SET {}
28 11:       SEQUENCE {
30 9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
:         }
41 5100:       [0] {
45 1114:         SEQUENCE {
49 834:           SEQUENCE {
53 3:             [0] {
55 1:               INTEGER 2
:               }
58 1:             INTEGER 1
61 13:             SEQUENCE {
63 9:               OBJECT IDENTIFIER
:               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
74 0:               NULL
:               }
76 47:             SEQUENCE {
78 25:               SET {
80 23:                 SEQUENCE {
82 3:                   OBJECT IDENTIFIER serialNumber (2 5 4 5)
87 16:                   PrintableString '90e8da3cadfc7820'
:                   }
:                 }
105 18:               SET {
107 16:                 SEQUENCE {
109 3:                   OBJECT IDENTIFIER title (2 5 4 12)
114 9:                   UTF8String 'StrongBox'
:                   }
:                 }
:               }
125 30:             SEQUENCE {
127 13:               UTCTime 01/01/1970 00:00:00 GMT
142 13:               UTCTime 23/05/2028 23:59:59 GMT
:               }
157 31:             SEQUENCE {
159 29:               SET {
161 27:                 SEQUENCE {
163 3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
168 20:                   UTF8String 'Android Keystore Key'
:                   }
:                 }
:               }
190 290:             SEQUENCE {
194 13:               SEQUENCE {
196 9:                 OBJECT IDENTIFIER
:                 rsaEncryption (1 2 840 113549 1 1 1)
207 0:                 NULL
:                 }
209 271:               BIT STRING, encapsulates {
214 266:                 SEQUENCE {
218 257:                   INTEGER
:                   00 DE 98 94 D5 E5 05 98 E8 FC 73 4D 26 FB 48 6A
:                   CA 06 A0 24 FA 05 D1 D2 32 10 46 F8 50 DD 3E 0D
:                   DF 4F 95 53 D2 CB 10 1F 00 B2 62 15 1E 21 7E 05
:                   C6 10 AC EE 7A D8 69 F1 1F 32 C3 17 CA D7 07 BE
:                   3B 2B 83 0F B4 9C 3D C7 13 0B 9C 59 2F 1A 38 CE
:                   A5 1D 95 A7 3C EE 70 6A CF 41 FF 55 3F E0 9C 69
:                   E5 A0 C1 19 EF 40 E9 40 FC 74 D3 3B 96 D9 0E C1
:                   C3 9D 14 10 0C A6 95 19 49 88 F4 AB 74 FC 86 A6
:                   [ Another 129 bytes skipped ]
479 3:                   INTEGER 65537
:                   }
:                 }
:               }
484 399:             [3] {
488 395:               SEQUENCE {
492 14:                 SEQUENCE {
494 3:                   OBJECT IDENTIFIER keyUsage (2 5 29 15)
499 1:                   BOOLEAN TRUE
502 4:                   OCTET STRING, encapsulates {
504 2:                     BIT STRING 7 unused bits
:                     '1'B (bit 0)
:                     }
:                   }
508 375:                 SEQUENCE {
512 10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 11129 2 1 17'
524 359:                   OCTET STRING, encapsulates {
528 355:                     SEQUENCE {
532 1:                       INTEGER 3
535 1:                       ENUMERATED 2 -- attestationSecurityLevel (StrongBox)
538 1:                       INTEGER 4
541 1:                       ENUMERATED 2 -- attestationSecurityLevel (StrongBox)
544 9:                       OCTET STRING 'challenge'
555 0:                       OCTET STRING
:                       Error: Object has zero length.
557 53:                       SEQUENCE {
559 2:                         [509] {
563 0:                           NULL
:                           }
565 11:                         [701] {
569 9:                           INTEGER 00 FF FF FF FF FF E5 99 78
:                           }
580 28:                         [709] {
584 26:                           OCTET STRING, encapsulates {
586 24:                             SEQUENCE {
588 20:                               SET {
590 18:                                 SEQUENCE {
592 13:                                   OCTET STRING 'AndroidSystem'
607 1:                                   INTEGER 1
:                                   }
:                                 }
610 0:                               SET {}
:                               }
:                             }
:                           }
:                         }
612 271:                       SEQUENCE {
616 14:                         [1] {
618 12:                           SET {
620 1:                             INTEGER 0
623 1:                             INTEGER 1
626 1:                             INTEGER 2
629 1:                             INTEGER 3
:                             }
:                           }
632 3:                         [2] {
634 1:                           INTEGER 1
:                           }
637 4:                         [3] {
639 2:                           INTEGER 2048
:                           }
643 8:                         [4] {
645 6:                           SET {
647 1:                             INTEGER 2
650 1:                             INTEGER 32
:                             }
:                           }
653 8:                         [5] {
655 6:                           SET {
657 1:                             INTEGER 0
660 1:                             INTEGER 4
:                             }
:                           }
663 14:                         [6] {
665 12:                           SET {
667 1:                             INTEGER 2
670 1:                             INTEGER 3
673 1:                             INTEGER 4
676 1:                             INTEGER 5
:                             }
:                           }
679 2:                         [503] {
683 0:                           NULL
:                           }
685 3:                         [702] {
689 1:                           INTEGER 0
:                           }
692 76:                         [704] {
696 74:                           SEQUENCE {
698 32:                             OCTET STRING
:                             61 FD A1 2B 32 ED 84 21 4A 9C F1 3D 1A FF B7 AA
:                             80 BD 8A 26 8A 86 1E D4 BB 7A 15 17 0F 1A B0 0C
732 1:                             BOOLEAN TRUE
735 1:                             ENUMERATED 0
738 32:                             OCTET STRING
:                             77 96 C5 3D 0E 09 46 2B BA BB FB 7B 8A 65 F6 8D
:                             EF 5C 46 88 BF 99 C4 1E 88 42 01 4D 1F 01 2D C5
:                             }
:                           }
772 3:                         [705] {
776 1:                           INTEGER 0
:                           }
779 5:                         [706] {
783 3:                           INTEGER 201903
:                           }
788 8:                         [710] {
792 6:                           OCTET STRING 'google'
:                           }
800 10:                         [711] {
804 8:                           OCTET STRING 'blueline'
:                           }
814 10:                         [712] {
818 8:                           OCTET STRING 'blueline'
:                           }
828 11:                         [713] {
832 9:                           OCTET STRING '8A2X0KLUU'
:                           }
843 8:                         [716] {
847 6:                           OCTET STRING 'Google'
:                           }
855 9:                         [717] {
859 7:                           OCTET STRING 'Pixel 3'
:                           }
868 6:                         [718] {
872 4:                           INTEGER 20180905
:                           }
878 5:                         [719] {
882 3:                           INTEGER 201903
:                           }
:                         }
:                       }
:                     }
:                   }
:                 }
:               }
:             }
887 13:           SEQUENCE {
889 9:             OBJECT IDENTIFIER
:             sha256WithRSAEncryption (1 2 840 113549 1 1 11)
900 0:             NULL
:             }
902 257:           BIT STRING
:           83 EA 59 8D BE 37 4A D5 C0 FC F8 FB AC 8B 72 1E
:           A5 C2 3B 0C C0 04 1B C0 5A 18 A5 DF D4 67 1D B9
:           08 42 4B E2 2C AC 07 0F D8 0E 24 97 56 9E 14 F2
:           D0 AC DD 1E FC DD 68 20 11 DF 88 B8 B6 22 AD 2B
:           DB 9C 2E 5C 3F AF 0B 8F 02 68 AA 34 4B 5E C8 75
:           B1 1A 09 D2 19 41 24 61 65 97 2C 0D A4 78 43 A7
:           9A 27 B2 4E 24 11 4F FF E2 D8 04 56 39 75 B2 34
:           D8 18 C7 25 F3 3F C0 6A 37 AB 49 B6 96 51 61 72
:           [ Another 128 bytes skipped ]
:           }
1163 1181:         SEQUENCE {
1167 645:           SEQUENCE {
1171 3:             [0] {
1173 1:               INTEGER 2
:               }
1176 10:             INTEGER 17 10 24 68 40 71 02 97 78 50
1188 13:             SEQUENCE {
1190 9:               OBJECT IDENTIFIER
:               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
1201 0:               NULL
:               }
1203 47:             SEQUENCE {
1205 25:               SET {
1207 23:                 SEQUENCE {
1209 3:                   OBJECT IDENTIFIER serialNumber (2 5 4 5)
1214 16:                   PrintableString 'ccd18b9b608d658e'
:                   }
:                 }
1232 18:               SET {
1234 16:                 SEQUENCE {
3: OBJECT IDENTIFIER title (2 5 4 12) 1877 1241 9: UTF8String 'StrongBox' 1878 : } 1879 : } 1880 : } 1881 1252 30: SEQUENCE { 1882 1254 13: UTCTime 25/05/2018 23:28:47 GMT 1883 1269 13: UTCTime 22/05/2028 23:28:47 GMT 1884 : } 1885 1284 47: SEQUENCE { 1886 1286 25: SET { 1887 1288 23: SEQUENCE { 1888 1290 3: OBJECT IDENTIFIER serialNumber (2 5 4 5) 1889 1295 16: PrintableString '90e8da3cadfc7820' 1890 : } 1891 : } 1892 1313 18: SET { 1893 1315 16: SEQUENCE { 1894 1317 3: OBJECT IDENTIFIER title (2 5 4 12) 1895 1322 9: UTF8String 'StrongBox' 1896 : } 1897 : } 1898 : } 1899 1333 290: SEQUENCE { 1900 1337 13: SEQUENCE { 1901 1339 9: OBJECT IDENTIFIER 1902 : rsaEncryption (1 2 840 113549 1 1 1) 1903 1350 0: NULL 1904 : } 1905 1352 271: BIT STRING, encapsulates { 1906 1357 266: SEQUENCE { 1907 1361 257: INTEGER 1908 : 00 A5 09 D4 09 D2 30 19 36 34 71 FD 7D 41 89 E6 1909 : 2C A5 9D 10 1B 4F 40 6A B0 5F 56 34 16 E6 EB D7 1910 : F3 E9 C5 DC 20 F3 86 D1 77 19 D7 15 1F E7 EC 62 1911 : DC 0A BC 64 E9 18 52 B0 AA B8 FF 58 6A E0 0F B8 1912 : 56 AF 77 D3 CE 3C DC 48 52 DD B2 86 0D 76 17 7C 1913 : FD EE B4 E6 6E 0A 08 9E 06 CA 0F EC 4B B0 7C AF 1914 : EA 82 27 A8 C9 A7 63 DA 89 F6 30 BA 3C 3A E5 C6 1915 : EF 11 06 42 8A 2E FE 19 BE F2 C7 3B 34 16 B2 E2 1916 : [ Another 129 bytes skipped ] 1917 1622 3: INTEGER 65537 1918 : } 1919 : } 1920 : } 1921 1627 186: [3] { 1922 1630 183: SEQUENCE { 1923 1633 29: SEQUENCE { 1924 1635 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 1925 1640 22: OCTET STRING, encapsulates { 1926 1642 20: OCTET STRING 1927 : 77 A4 AD DF 1D 29 89 CA 92 E3 BA DE 27 3C 70 DF 1928 : 36 03 7C 0C 1929 : } 1930 : } 1931 1664 31: SEQUENCE { 1932 1666 3: OBJECT IDENTIFIER 1933 : authorityKeyIdentifier (2 5 29 35) 1934 1671 24: OCTET STRING, encapsulates { 1935 1673 22: SEQUENCE { 1936 1675 20: [0] 1937 : 1B 17 70 C6 97 DC 84 54 75 7C 3C 98 5C E6 1D 1D 1938 : 08 59 5D 53 1939 : } 1940 : } 1941 : } 1942 1697 15: SEQUENCE { 1943 1699 3: OBJECT IDENTIFIER 
basicConstraints (2 5 29 19) 1944 1704 1: BOOLEAN TRUE 1945 1707 5: OCTET STRING, encapsulates { 1946 1709 3: SEQUENCE { 1947 1711 1: BOOLEAN TRUE 1948 : } 1949 : } 1950 : } 1951 1714 14: SEQUENCE { 1952 1716 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 1953 1721 1: BOOLEAN TRUE 1954 1724 4: OCTET STRING, encapsulates { 1955 1726 2: BIT STRING 2 unused bits 1956 : '100000'B (bit 5) 1957 : } 1958 : } 1959 1730 84: SEQUENCE { 1960 1732 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 1961 1737 77: OCTET STRING, encapsulates { 1962 1739 75: SEQUENCE { 1963 1741 73: SEQUENCE { 1964 1743 71: [0] { 1965 1745 69: [0] { 1966 1747 67: [6] 1967 : 'https://android.googleapis.com/attestation/crl/1' 1968 : '7102468407102977850' 1969 : } 1970 : } 1971 : } 1972 : } 1973 : } 1974 : } 1975 : } 1976 : } 1977 : } 1978 1816 13: SEQUENCE { 1979 1818 9: OBJECT IDENTIFIER 1980 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 1981 1829 0: NULL 1982 : } 1983 1831 513: BIT STRING 1984 : 13 22 DA F2 92 93 CE C0 9F 70 40 C9 DA 85 6B 61 1985 : 6F 8F BE E0 A4 04 55 C1 63 84 61 37 F5 4B 71 6D 1986 : 62 AA 6F BF 6C E8 48 03 AD 28 85 21 9E 3C 1C 91 1987 : 48 EE 65 28 65 70 D0 BD 5B CC DB CE B1 F5 B5 C3 1988 : CA 7A A9 C8 8A 68 12 8A CA 6A 85 A6 BC DA 36 E9 1989 : B9 94 35 82 5B CA BC B6 9F 83 03 7F 21 6C EE 82 1990 : C1 3F BD C1 41 4B DD 1A 6F 6C AF 4A 52 FC 19 19 1991 : 17 AC 29 0C 5E D7 57 90 D5 B1 2B 36 29 1F 45 33 1992 : [ Another 384 bytes skipped ] 1993 : } 1994 2348 1376: SEQUENCE { 1995 2352 840: SEQUENCE { 1996 2356 3: [0] { 1997 2358 1: INTEGER 2 1998 : } 1999 2361 9: INTEGER 00 E8 FA 19 63 14 D2 FA 18 2000 2372 13: SEQUENCE { 2001 2374 9: OBJECT IDENTIFIER 2002 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2003 2385 0: NULL 2004 : } 2005 2387 27: SEQUENCE { 2006 2389 25: SET { 2007 2391 23: SEQUENCE { 2008 2393 3: OBJECT IDENTIFIER serialNumber (2 5 4 5) 2009 2398 16: PrintableString 'f92009e853b6b045' 2010 : } 2011 : } 2012 : } 2013 2416 30: SEQUENCE { 2014 2418 13: UTCTime 
26/05/2016 16:28:52 GMT 2015 2433 13: UTCTime 24/05/2026 16:28:52 GMT 2016 : } 2017 2448 27: SEQUENCE { 2018 2450 25: SET { 2019 2452 23: SEQUENCE { 2020 2454 3: OBJECT IDENTIFIER serialNumber (2 5 4 5) 2021 2459 16: PrintableString 'f92009e853b6b045' 2022 : } 2023 : } 2024 : } 2025 2477 546: SEQUENCE { 2026 2481 13: SEQUENCE { 2027 2483 9: OBJECT IDENTIFIER 2028 : rsaEncryption (1 2 840 113549 1 1 1) 2029 2494 0: NULL 2030 : } 2031 2496 527: BIT STRING, encapsulates { 2032 2501 522: SEQUENCE { 2033 2505 513: INTEGER 2034 : 00 AF B6 C7 82 2B B1 A7 01 EC 2B B4 2E 8B CC 54 2035 : 16 63 AB EF 98 2F 32 C7 7F 75 31 03 0C 97 52 4B 2036 : 1B 5F E8 09 FB C7 2A A9 45 1F 74 3C BD 9A 6F 13 2037 : 35 74 4A A5 5E 77 F6 B6 AC 35 35 EE 17 C2 5E 63 2038 : 95 17 DD 9C 92 E6 37 4A 53 CB FE 25 8F 8F FB B6 2039 : FD 12 93 78 A2 2A 4C A9 9C 45 2D 47 A5 9F 32 01 2040 : F4 41 97 CA 1C CD 7E 76 2F B2 F5 31 51 B6 FE B2 2041 : FF FD 2B 6F E4 FE 5B C6 BD 9E C3 4B FE 08 23 9D 2042 : [ Another 385 bytes skipped ] 2043 3022 3: INTEGER 65537 2044 : } 2045 : } 2046 : } 2047 3027 166: [3] { 2048 3030 163: SEQUENCE { 2049 3033 29: SEQUENCE { 2050 3035 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 2051 3040 22: OCTET STRING, encapsulates { 2052 3042 20: OCTET STRING 2053 : 36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C 2054 : C9 EA 4F 12 2055 : } 2056 : } 2057 3064 31: SEQUENCE { 2058 3066 3: OBJECT IDENTIFIER 2059 : authorityKeyIdentifier (2 5 29 35) 2060 3071 24: OCTET STRING, encapsulates { 2061 3073 22: SEQUENCE { 2062 3075 20: [0] 2063 : 36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C 2064 : C9 EA 4F 12 2065 : } 2066 : } 2067 : } 2068 3097 15: SEQUENCE { 2069 3099 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2070 3104 1: BOOLEAN TRUE 2071 3107 5: OCTET STRING, encapsulates { 2072 3109 3: SEQUENCE { 2073 3111 1: BOOLEAN TRUE 2074 : } 2075 : } 2076 : } 2077 3114 14: SEQUENCE { 2078 3116 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2079 3121 1: BOOLEAN TRUE 2080 3124 4: OCTET STRING, 
encapsulates { 2081 3126 2: BIT STRING 1 unused bit 2082 : '1100001'B 2083 : } 2084 : } 2085 3130 64: SEQUENCE { 2086 3132 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 2087 3137 57: OCTET STRING, encapsulates { 2088 3139 55: SEQUENCE { 2089 3141 53: SEQUENCE { 2090 3143 51: [0] { 2091 3145 49: [0] { 2092 3147 47: [6] 2093 : 'https://android.googleapis.com/attestation/crl/' 2094 : } 2095 : } 2096 : } 2097 : } 2098 : } 2099 : } 2100 : } 2101 : } 2102 : } 2103 3196 13: SEQUENCE { 2104 3198 9: OBJECT IDENTIFIER 2105 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2106 3209 0: NULL 2107 : } 2108 3211 513: BIT STRING 2109 : 20 C8 C3 8D 4B DC A9 57 1B 46 8C 89 2F FF 72 AA 2110 : C6 F8 44 A1 1D 41 A8 F0 73 6C C3 7D 16 D6 42 6D 2111 : 8E 7E 94 07 04 4C EA 39 E6 8B 07 C1 3D BF 15 03 2112 : DD 5C 85 BD AF B2 C0 2D 5F 6C DB 4E FA 81 27 DF 2113 : 8B 04 F1 82 77 0F C4 E7 74 5B 7F CE AA 87 12 9A 2114 : 88 01 CE 8E 9B C0 CB 96 37 9B 4D 26 A8 2D 30 FD 2115 : 9C 2F 8E ED 6D C1 BE 2F 84 B6 89 E4 D9 14 25 8B 2116 : 14 4B BA E6 24 A1 C7 06 71 13 2E 2F 06 16 A8 84 2117 : [ Another 384 bytes skipped ] 2118 : } 2119 3728 1413: SEQUENCE { 2120 3732 877: SEQUENCE { 2121 3736 3: [0] { 2122 3738 1: INTEGER 2 2123 : } 2124 3741 10: INTEGER 03 88 26 67 60 65 89 96 85 99 2125 3753 13: SEQUENCE { 2126 3755 9: OBJECT IDENTIFIER 2127 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2128 3766 0: NULL 2129 : } 2130 3768 27: SEQUENCE { 2131 3770 25: SET { 2132 3772 23: SEQUENCE { 2133 3774 3: OBJECT IDENTIFIER serialNumber (2 5 4 5) 2134 3779 16: PrintableString 'f92009e853b6b045' 2135 : } 2136 : } 2137 : } 2138 3797 30: SEQUENCE { 2139 3799 13: UTCTime 20/06/2018 22:47:35 GMT 2140 3814 13: UTCTime 17/06/2028 22:47:35 GMT 2141 : } 2142 3829 47: SEQUENCE { 2143 3831 25: SET { 2144 3833 23: SEQUENCE { 2145 3835 3: OBJECT IDENTIFIER serialNumber (2 5 4 5) 2146 3840 16: PrintableString 'ccd18b9b608d658e' 2147 : } 2148 : } 2149 3858 18: SET { 2150 3860 16: SEQUENCE { 2151 3862 3: OBJECT 
IDENTIFIER title (2 5 4 12) 2152 3867 9: UTF8String 'StrongBox' 2153 : } 2154 : } 2155 : } 2156 3878 546: SEQUENCE { 2157 3882 13: SEQUENCE { 2158 3884 9: OBJECT IDENTIFIER 2159 : rsaEncryption (1 2 840 113549 1 1 1) 2160 3895 0: NULL 2161 : } 2162 3897 527: BIT STRING, encapsulates { 2163 3902 522: SEQUENCE { 2164 3906 513: INTEGER 2165 : 00 E8 22 0B F1 72 A6 01 63 D3 3C 44 9D DB 7A 87 2166 : D6 3D 6F 6D 92 B7 C9 4A 70 96 5D 29 7A 8E 96 3E 2167 : FE F3 10 53 B2 19 A5 BF 6E 54 AD D0 0A A2 8E 54 2168 : E0 D4 B4 2E A6 E0 D4 30 F8 5A 47 CC 09 00 56 45 2169 : BE DA 5A 84 59 90 18 CE 29 6C 8E 9E E6 90 98 BD 2170 : D4 D8 F8 38 82 90 C9 79 DB 31 D3 7A A1 CA BA 6A 2171 : 8B 9D 15 91 E2 6C 41 A3 2B 25 DA 4F E4 B3 14 E5 2172 : 4B EC B7 89 06 44 18 67 C1 4C 03 35 18 D8 FD 7D 2173 : [ Another 385 bytes skipped ] 2174 4423 3: INTEGER 65537 2175 : } 2176 : } 2177 : } 2178 4428 182: [3] { 2179 4431 179: SEQUENCE { 2180 4434 29: SEQUENCE { 2181 4436 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 2182 4441 22: OCTET STRING, encapsulates { 2183 4443 20: OCTET STRING 2184 : 1B 17 70 C6 97 DC 84 54 75 7C 3C 98 5C E6 1D 1D 2185 : 08 59 5D 53 2186 : } 2187 : } 2188 4465 31: SEQUENCE { 2189 4467 3: OBJECT IDENTIFIER 2190 : authorityKeyIdentifier (2 5 29 35) 2191 4472 24: OCTET STRING, encapsulates { 2192 4474 22: SEQUENCE { 2193 4476 20: [0] 2194 : 36 61 E1 00 7C 88 05 09 51 8B 44 6C 47 FF 1A 4C 2195 : C9 EA 4F 12 2196 : } 2197 : } 2198 : } 2199 4498 15: SEQUENCE { 2200 4500 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2201 4505 1: BOOLEAN TRUE 2202 4508 5: OCTET STRING, encapsulates { 2203 4510 3: SEQUENCE { 2204 4512 1: BOOLEAN TRUE 2205 : } 2206 : } 2207 : } 2208 4515 14: SEQUENCE { 2209 4517 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2210 4522 1: BOOLEAN TRUE 2211 4525 4: OCTET STRING, encapsulates { 2212 4527 2: BIT STRING 2 unused bits 2213 : '100000'B (bit 5) 2214 : } 2215 : } 2216 4531 80: SEQUENCE { 2217 4533 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 2218 
4538   73:                   OCTET STRING, encapsulates {
4540   71:                     SEQUENCE {
4542   69:                       SEQUENCE {
4544   67:                         [0] {
4546   65:                           [0] {
4548   63:                             [6]
         :                               'https://android.googleapis.com/attestation/crl/8'
         :                               'F6734C9FA504789'
         :                             }
         :                           }
         :                         }
         :                       }
         :                     }
         :                   }
         :                 }
         :               }
         :             }
4613   13:           SEQUENCE {
4615    9:             OBJECT IDENTIFIER
         :               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
4626    0:             NULL
         :             }
4628  513:           BIT STRING
         :             9B E2 2D 8C 43 AC 8F 11 35 11 77 BD F9 32 B3 01
         :             8C E9 97 58 08 E5 C0 DD C4 CC A6 B1 4A A3 E5 D0
         :             48 A6 18 1C 8E 5C FD 35 4A A5 12 C2 1A 82 64 3E
         :             B4 CC 0C 0B 1F 5E D5 11 C0 B7 49 5B A6 E7 74 37
         :             0B 7D 99 27 84 B7 E0 34 58 28 01 CC 03 76 50 F8
         :             1A B5 3B EF CA D2 FF 7D C9 37 FE D9 F7 30 3D 31
         :             24 CA 83 FD 67 AC 38 E3 82 23 B0 70 80 48 84 D6
         :             A1 2E 18 BD 94 1F 9A 8E 82 CC 2F EB 97 AA 5B A3
         :             [ Another 384 bytes skipped ]
         :           }
         :         }
5145    0:       SET {}
         :       }
         :     }
         :   }

7.2.  Windows 10 TPM

The next two sections provide two views of a CSR generated via
invocation of the Certificate Enrollment Manager API similar to the
below:

   CertificateRequestProperties request = new CertificateRequestProperties();
   request.FriendlyName = "Self-Signed Device Certificate";

   // Key lives in the TPM-backed smart card KSP and is never exportable.
   request.KeyAlgorithmName = KeyAlgorithmNames.Rsa;
   request.KeyStorageProviderName = "Microsoft Smart Card Key Storage Provider";
   request.UseExistingKey = true;
   request.Exportable = ExportOption.NotExportable;
   request.ContainerName = prj.GetContainerName();

   request.Subject = subject_name;
   request.KeyUsages = keyUsages;
   request.SmartcardReaderName = smartCardReaderName;

   // Certificate of the Privacy CA that receives the attestation.
   string privacyCa =
       "MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJVUzEY" +
       "MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQ0wCwYDVQQLEwRESVNBMRwwGgYDVQQD" +
       "ExNQdXJlYnJlZCBQcml2YWN5IENBMB4XDTE4MDQwMzE0NTQwMFoXDTI4MDQwMzE0" +
       "NTQwMFowVDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEN" +
       "MAsGA1UECxMERElTQTEcMBoGA1UEAxMTUHVyZWJyZWQgUHJpdmFjeSBDQTCCASIw" +
       "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMROV8sQ707OSvjRxoX5S6MaB0r4" +
       "r5TnM97cx0RjtSVPu3O/WG9KRQdJtG9gARKKlxqgKOPJkTfTIxvUvWwKrtL9HjYs" +
       "IC2V/otsX3JKgPepud2CTIy3I1ADU7UD0/0MGqALbn+grDTaZOSi5p6cA0eo/f0X" +
       "O7UNh5r2YWOYAhZdhIy5F9BIOZEN/7pRyvKziupf3OVTQaMjMWoiDrCQC+D0xya4" +
       "8qxU/VFy4c9BmIg7uNzkHDqdaogo1Gsj5t2y0lW37IbRo6HrZ5Dl18laIX7s7n9k" +
       "Mp7GbK4rq/1FTMvI5bBpN/Pp4syi3f+oyQbSz+FPQwfBWGLukTUzPYcDVfUCAwEA" +
       "AaNYMFYwHQYDVR0OBBYEFAFy9PrSM65GYyC0EVDPU91WJ0BXMAsGA1UdDwQEAwIC" +
       "pDAoBgNVHSUEITAfBggrBgEFBQcDAgYIKwYBBQUHAwEGCSsGAQQBgjcVJDANBgkq" +
       "hkiG9w0BAQsFAAOCAQEAG777BuS/EXmuoHiVctA0n58u4SZb6i9Jvw1gI3qIryGM" +
       "2oxDSKPr36c7R2tFmAqo4m9N97wh4xFebkkYHgZWPsp0hRFy79veE+wMCw+Z0B88" +
       "ri4a2z/oTDmW9uf3r+BaZjRKpVoaYW9eztmz6DJA3wtvEdvUE2Nq4G1V5yXIdiSU" +
       "pfVd4eyEPVNy0Yp9DZDBP9vVcd5x7VfG8rzQoaDcerwrsXJ9/WLDz76A6d2/syHN" +
       "74CRuXYGhpBb7YL1jIhgVi6Rb4Dbq3dgDIkmTqUecEknuX73Oddr/phgqMOrVWUB" +
       "1XrHJbPUuC+nuPbShhJ0vPRw13TX3deqjzTsj8XEcA==";

   byte[] privacyCaBytes = Convert.FromBase64String(privacyCa);
   IBuffer buffer = privacyCaBytes.AsBuffer();
   request.AttestationCredentialCertificate = new Certificate(buffer);

   csrToDiscard = await
       CertificateEnrollmentManager.UserCertificateEnrollmentManager
           .CreateRequestAsync(request);

Attestation details are described here:
https://msdn.microsoft.com/en-us/library/dn366894.aspx.

The structure is essentially a Full PKI Request as described in RFC
5272.

   * ContentInfo
     * SignedData
       * PKIData
         * Empty controlSequence
         * One TaggedRequest
           * PKCS 10
             * Basic request details along with encrypted attestation
               extension
         * Empty cmsSequence
         * Empty otherMsgSequence
       * Certificates bag with two certs (one of which is revoked)

7.2.1.  Attestation statement

This section provides an annotated attestation statement as extracted
from an encrypted attestation extension.  The structure of the
attestation statement is defined here:
https://msdn.microsoft.com/en-us/library/dn408990.aspx.
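Before walking through the dump, here is an added Python parser for the KeyAttestationStatement layout that this section describes.  It is written for this page and is not code from the draft, from Microsoft or from the TSS.MSR project.  It takes the two little-endian headers and the 161-byte keyAttest exactly as they appear in the dump, stands in constructed zero-filled buffers for the elided 256-byte signature and 768-byte keyBlob, unmarshals the big-endian TPMS_ATTEST, and then runs the checks a relying party makes before it bothers verifying the AIK signature: the extraData must equal the nonce it issued, and the attested name must be the key it asked the TPM to certify.  The TPM constants come from the TCG Part 2 structures specification; the function names and the placeholder sizes are this example's own.

```python
import struct

# Constants from the TCG TPM 2.0 Library, Part 2 (Structures).
TPM_GENERATED_VALUE = 0xFF544347    # marks a structure as produced by a TPM
TPM_ST_ATTEST_CERTIFY = 0x8017      # attestation type produced by TPM2_Certify
TPM_ALG_SHA256 = 0x000B             # hash algorithm id at the front of a name

# Bytes copied from the dump in this section: the KeyAttestationStatement
# header (28 bytes), the keyAttestation header (24 bytes) and the 161-byte
# keyAttest body.  Windows headers are little-endian; TPM structures are
# big-endian.
KAST_HEADER = bytes.fromhex(
    "4B415354 01000000 02000000 1C000000 00000000 B9040000 00000000")
KADS_HEADER = bytes.fromhex(
    "4B414453 02000000 18000000 A1000000 00010000 00030000")
KEY_ATTEST = bytes.fromhex(
    "FF544347 8017"
    "0022 000B 9AFDAB8A0BE90BBB3F7FE6B67791EFA9158A03B22B8CBE3FEC56B630BF82739C"
    "0014 136E2F14DDAF3072A6E3894DBF7A5426362F10D6"
    "00000000514FCBE5 AD8C8C60 E6C27080 00"
    "D42C654C6B95ED95"
    "0022 000B 2BE62CAD8DE89A8504D7F37BB74CF832CDB4F180CAA635B92C3987B79603C3A3"
    "0022 000B 6C8860B280E3BE7D34F285DC269D1B72A80A17CF3108F155F29B4E82C85B497B")

# Constructed placeholders: the dump elides the AIK signature and the key
# blob, so zero-filled buffers of the declared sizes stand in for them here.
SIGNATURE = b"\x00" * 256
KEY_BLOB = b"\x00" * 768
STATEMENT = KAST_HEADER + KADS_HEADER + KEY_ATTEST + SIGNATURE + KEY_BLOB


def parse_statement(blob):
    """Split a KeyAttestationStatement into its three variable-length members."""
    magic, version, platform, hdr, cb_id, cb_ka, cb_aik = struct.unpack_from("<4s6I", blob, 0)
    if magic != b"KAST" or hdr != 28:
        raise ValueError("not a KeyAttestationStatement header")
    if hdr + cb_id + cb_ka + cb_aik != len(blob):
        raise ValueError("declared member sizes do not match the buffer")
    body = blob[hdr:]
    return {"version": version, "platform": platform,
            "idBinding": body[:cb_id],
            "keyAttestation": body[cb_id:cb_id + cb_ka],
            "aikOpaque": body[cb_id + cb_ka:]}


def parse_key_attestation(blob):
    """Split the keyAttestation member into keyAttest, signature and keyBlob."""
    magic, platform, hdr, cb_ka, cb_sig, cb_kb = struct.unpack_from("<4s5I", blob, 0)
    if magic != b"KADS" or hdr != 24:
        raise ValueError("not a keyAttestation header")
    if hdr + cb_ka + cb_sig + cb_kb != len(blob):
        raise ValueError("declared member sizes do not match the buffer")
    body = blob[hdr:]
    return {"platform": platform, "keyAttest": body[:cb_ka],
            "signature": body[cb_ka:cb_ka + cb_sig],
            "keyBlob": body[cb_ka + cb_sig:]}


def _tpm2b(buf, off):
    """Read a TPM2B: big-endian uint16 size, then that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B runs past the end of the buffer")
    return buf[off:off + size], off + size


def parse_tpms_attest(buf):
    """Unmarshal a TPMS_ATTEST whose attested union is a TPMS_CERTIFY_INFO."""
    magic, att_type = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("magic is not TPM_GENERATED_VALUE")
    if att_type != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("attestation type 0x%04X is not TPM_ST_ATTEST_CERTIFY" % att_type)
    qualified_signer, off = _tpm2b(buf, 6)
    extra_data, off = _tpm2b(buf, off)
    clock, reset_count, restart_count, safe, firmware = struct.unpack_from(">QIIBQ", buf, off)
    off += 25                                   # TPMS_CLOCK_INFO (17) + firmwareVersion (8)
    name, off = _tpm2b(buf, off)                # TPMS_CERTIFY_INFO.name
    qualified_name, off = _tpm2b(buf, off)      # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"type": att_type, "qualifiedSigner": qualified_signer,
            "extraData": extra_data, "clock": clock, "resetCount": reset_count,
            "restartCount": restart_count, "safe": safe,
            "firmwareVersion": firmware, "name": name,
            "qualifiedName": qualified_name}


def check_certify(attest, expected_nonce, expected_key_name):
    """Relying-party checks worth making before spending a signature verification."""
    problems = []
    if attest["extraData"] != expected_nonce:
        problems.append("extraData does not match the nonce we issued")
    if attest["name"] != expected_key_name:
        problems.append("attested name is not the key we asked the TPM to certify")
    if attest["name"][:2] != struct.pack(">H", TPM_ALG_SHA256):
        problems.append("key name is not a SHA-256 name")
    return problems


if __name__ == "__main__":
    st = parse_statement(STATEMENT)
    ka = parse_key_attestation(st["keyAttestation"])
    att = parse_tpms_attest(ka["keyAttest"])
    print("resetCount=%d restartCount=%d firmware=%016X"
          % (att["resetCount"], att["restartCount"], att["firmwareVersion"]))
    print("problems:", check_certify(att, att["extraData"], att["name"]))
```

The length arithmetic is the point of the two header parsers: every size field is checked against the buffer before any slice is taken, so a statement with inflated counts is rejected rather than silently yielding truncated members.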
 600 1256: SEQUENCE {
 604    9:   OBJECT IDENTIFIER '1 3 6 1 4 1 311 21 24'
 615 1241:   SET {
 619 1237:     OCTET STRING
         :       4B 41 53 54 01 00 00 00 02 00 00 00 1C 00 00 00
         :       00 00 00 00 B9 04 00 00 00 00 00 00 4B 41 44 53
         :       02 00 00 00 18 00 00 00 A1 00 00 00 00 01 00 00
         :       00 03 00 00 FF 54 43 47 80 17 00 22 00 0B 9A FD
         :       AB 8A 0B E9 0B BB 3F 7F E6 B6 77 91 EF A9 15 8A
         :       03 B2 2B 8C BE 3F EC 56 B6 30 BF 82 73 9C 00 14
         :       13 6E 2F 14 DD AF 30 72 A6 E3 89 4D BF 7A 54 26
         :       36 2F 10 D6 00 00 00 00 51 4F CB E5 AD 8C 8C 60
         :       E6 C2 70 80 00 D4 2C 65 4C 6B 95 ED 95 00 22 00
         :       0B 2B E6 2C AD 8D E8 9A 85 04 D7 F3 7B B7 4C F8
         :       32 CD B4 F1 80 CA A6 35 B9 2C 39 87 B7 96 03 C3
         :       A3 00 22 00 0B 6C 88 60 B2 80 E3 BE 7D 34 F2 85
         :       DC 26 9D 1B 72 A8 0A 17 CF 31 08 F1 55 F2 9B 4E
         :       82 C8 5B 49 7B 1A F1 4B 12 A1 C5 D1 A4 C5 A4 59
         :       C4 0A 97 E0 88 ED 1C D3 B6 38 4A 5D 6C 27 F5 69
         :       7D 17 AD F6 C0 03 27 09 5D 93 B5 13 EA 50 B5 05
         :       27 7B A0 51 4D 1B 17 52 87 7D B8 A6 05 4A 4F 39
         :       CA 36 5C A1 19 19 0B 73 B4 0E 7F D3 91 DA 91 EE
         :       37 C6 CE 78 AF 15 21 5D EB 5E 5F 23 A7 08 E9 85
         :       D4 6B A0 95 6D D7 E0 3A D1 92 72 B7 D4 E5 35 6A
         :       01 B0 7D 35 D0 99 BA A1 77 35 76 75 E3 90 A8 8B
         :       86 27 B8 3D 47 75 2D 98 D0 23 4E 09 D8 26 6B 32
         :       3C AB AC 50 A2 E8 FF 70 21 85 C5 5E B1 F5 9C B9
         :       6E 21 27 C7 2A CD 84 61 02 47 6A A0 E1 9A 9F AF
         :       02 43 08 D8 BF 9F 69 14 C4 8C 80 32 2D 5C A3 60
         :       48 F5 5E 8E 65 6B 5E B5 0E A4 ED B9 8B F9 C3 D9
         :       A8 CE C0 64 71 F6 E3 81 F7 9D 79 E5 73 7B F3 A4
         :       6E 65 8D 72 B4 0A 3E 5E 70 5F AB 2B 89 B9 5E 65
         :       44 BF 44 7B FB 2E 29 39 64 36 85 63 46 62 AF 25
         :       A5 8B 19 30 AF 50 43 50 4D 38 00 00 00 02 00 00
         :       00 03 00 00 00 38 01 00 00 E0 00 00 00 00 00 00
         :       00 00 00 00 00 B0 00 00 00 00 00 00 00 00 00 00
         :       00 00 00 00 00 00 00 00 00 00 00 00 00 01 36 00
         :       01 00 0B 00 06 00 72 00 20 9D FF CB F3 6C 38 3A
         :       E6 99 FB 98 68 DC 6D CB 89 D7 15 38 84 BE 28 03
         :       92 2C 12 41 58 BF AD 22 AE 00 10 00 10 08 00 00
         :       00 00 00 01 00 9B B1 27 B7 E3 5D 0C 10 74 52 1B
         :       60 59 96 5E B6 08 D4 76 26 17 B5 92 49 39 34 CD
         :       A4 2D 4D C9 3E 50 05 2E D8 9E 22 37 E2 05 D2 7F
         :       3B 3E 4D 9F E0 E0 31 52 74 A0 D5 18 BE F1 9F 79
         :       48 D6 24 69 35 3C D4 1F 55 73 75 ED 83 D6 3A E3
         :       63 77 A6 5B 92 97 86 13 7C 69 3B DE AA E5 0E 9A
         :       39 CF 53 DF 4C 7A E0 3C A3 EC 29 DA 18 5F 86 E6
         :       22 D9 2C A3 8E D8 E2 3E 80 9C 69 52 FA 1E 90 3F
         :       BA 09 04 D0 91 6A 27 2B 44 8C FF E8 DE FF BD B9
         :       CE DD 95 67 70 FD 94 E5 3A E6 E4 EA 01 A5 AC 4A
         :       79 5C 88 4D 07 43 C7 C0 B8 95 3E 7C 72 90 CD 35
         :       99 B3 32 8A C7 8C 90 63 E3 46 88 62 35 A4 5B 54
         :       F1 E8 61 0E CF 85 B4 41 6F 06 94 B6 BA 6F 4B CE
         :       F7 8A 18 6C 5E 9A 6B 65 C3 F5 58 ED 7D 6A 3A E6
         :       24 B6 21 6F 8C EE 1C 21 60 9E 2F 86 22 D2 2B 8F
         :       E0 3B 12 AC 6B F5 FF 54 C6 E8 D4 3C 2E D3 B6 8E
         :       7A 30 36 29 3D 00 DE 00 20 13 F5 31 2B 87 50 19
         :       D3 95 1F F2 B6 00 95 5B 0A E2 54 7A A0 CF 6A 2C
         :       F5 4F AD 77 C6 D5 4F 52 CB 00 10 3B 41 34 BF D4
         :       FC 8B BE 87 14 47 81 4E 5C 5C 23 73 44 AF D6 56
         :       6F A6 6E BE E7 63 9C 43 53 C4 3C 26 33 B6 AD 75
         :       36 AC 91 98 C1 FF E3 B2 AF E6 3F 14 C0 2E 65 D7
         :       C1 AD F6 22 D9 59 96 B6 70 8C 30 2F DE 76 1B EB
         :       9D 56 C1 77 F8 1D 38 5C 7D 13 9C FD 1E 3E 00 1B
         :       5A 74 C4 8E 49 2B 0B B5 C5 0E E3 A7 2C 92 E2 96
         :       1E 9D C8 43 02 2F 8F F8 6E 66 4A FA D8 56 57 59
         :       48 A4 D5 B7 7F 49 52 CA FA 11 E4 AF 27 E7 64 21
         :       76 79 9B 8A A3 1A A6 FA A1 03 3E CC CD 41 26 3C
         :       0D 3C DC 81 21 21 DE 92 4D 2A EF 66 DE D6 77 FE
         :       41 0C 5D 44 1A D0 C4 D7 8B EA 6D DE 01 EE 97 DB
         :       61 0F FD 62 59 00 00 00 06 00 20 8F CD 21 69 AB
         :       92 69 4E 0C 63 3F 1A B7 72 84 2B 82 41 BB C2 02
         :       88 98 1F C7 AC 1E DD C1 FD DB 0E 00 20 E5 29 F5
         :       D6 11 28 72 95 4E 8E D6 60 51 17 B7 57 E2 37 C6
         :       E1 95 13 A9 49 FE E1 F2 04 C4 58 02 3A 00 20 AF
         :       2C A5 69 69 9C 43 6A 21 00 6F 1C B8 A2 75 6C 98
         :       BC 1C 76 5A 35 59 C5 FE 1C 3F 5E 72 28 A7 E7 00
         :       20 C4 13 A8 47 B1 11 12 B1 CB DD D4 EC A4 DA AA
         :       15 A1 85 2C 1C 3B BA 57 46 1D 25 76 05 F3 D5 AF
         :       53 00 00 00 20 04 8E 9A 3A CE 08 58 3F 79 F3 44
         :       FF 78 5B BE A9 F0 7A C7 FA 33 25 B3 D4 9A 21 DD
         :       51 94 C6 58 50
         :       }

The format is structured as follows:

   typedef struct {
       UINT32 Magic;
       UINT32 Version;
       UINT32 Platform;
       UINT32 HeaderSize;
       UINT32 cbIdBinding;
       UINT32 cbKeyAttestation;
       UINT32 cbAIKOpaque;
       BYTE idBinding[cbIdBinding];
       BYTE keyAttestation[cbKeyAttestation];
       BYTE aikOpaque[cbAIKOpaque];
   } KeyAttestationStatement;

   4B 41 53 54 - Magic
   01 00 00 00 - Version
   02 00 00 00 - Platform
   1C 00 00 00 - HeaderSize
   00 00 00 00 - cbIdBinding
   B9 04 00 00 - cbKeyAttestation
   00 00 00 00 - cbAIKOpaque

The remainder is the keyAttestation, which is structured as follows:

   typedef struct {
       UINT32 Magic;
       UINT32 Platform;
       UINT32 HeaderSize;
       UINT32 cbKeyAttest;
       UINT32 cbSignature;
       UINT32 cbKeyBlob;
       BYTE keyAttest[cbKeyAttest];
       BYTE signature[cbSignature];
       BYTE keyBlob[cbKeyBlob];
   } keyAttestation;

   4B 41 44 53 - Magic
   02 00 00 00 - Platform
   18 00 00 00 - HeaderSize
   A1 00 00 00 - cbKeyAttest (161)
   00 01 00 00 - cbSignature (256)
   00 03 00 00 - cbKeyBlob

keyAttest (161 bytes)
~~~~~~~~~~~
FF 54 43 47 80 17 00 22 00 0B 9A FD
AB 8A 0B E9 0B BB 3F 7F E6 B6 77 91 EF A9 15 8A 03 B2 2B 8C BE 3F EC
56 B6 30 BF 82 73 9C 00 14 13 6E 2F 14 DD AF 30 72 A6 E3 89 4D BF 7A
54 26 36 2F 10 D6 00 00 00 00 51 4F CB E5 AD 8C 8C 60 E6 C2 70 80 00
D4 2C 65 4C 6B 95 ED 95 00 22 00 0B 2B E6 2C AD 8D E8 9A 85 04 D7 F3
7B B7 4C F8 32 CD B4 F1 80 CA A6 35 B9 2C 39 87 B7 96 03 C3 A3 00 22
00 0B 6C 88 60 B2 80 E3 BE 7D 34 F2 85 DC 26 9D 1B 72 A8 0A 17 CF 31
08 F1 55 F2 9B 4E 82 C8 5B 49 7B
~~~~~~~~~~~

The keyAttest field is of type TPMS_ATTEST.  The TPMS_ATTEST structure
is defined in section 10.11.8 of
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-00.99.pdf.

~~~~~~~~~~~
FF 54 43 47                       - magic
80 17                             - type (TPM_ST_ATTEST_CERTIFY)
00 22                             - name - TPM2B_NAME.size (34 bytes)
00 0B 9A FD AB 8A 0B E9 0B BB     - TPM2B_NAME.name
3F 7F E6 B6 77 91 EF A9 15 8A 03 B2 2B 8C BE 3F EC 56 B6 30 BF 82 73 9C

00 14                             - extraData - TPM2B_DATA.size (20 bytes)
13 6E 2F 14 DD AF 30 72 A6 E3     - TPM2B_DATA.buffer
89 4D BF 7A 54 26 36 2F 10 D6

00 00 00 00 51 4F CB E5           - clockInfo - TPMS_CLOCK_INFO.clock
AD 8C 8C 60                       - TPMS_CLOCK_INFO.resetCount
E6 C2 70 80                       - TPMS_CLOCK_INFO.restartCount
00                                - TPMS_CLOCK_INFO.safe

D4 2C 65 4C 6B 95 ED 95           - firmwareVersion

00 22                             - attested - TPMS_CERTIFY_INFO.name.size
00 0B 2B E6 2C AD 8D E8 9A 85     - TPM2B_NAME.name
04 D7 F3 7B B7 4C F8 32 CD B4 F1 80 CA A6 35 B9 2C 39 87 B7 96 03 C3 A3
00 22                             - TPMS_CERTIFY_INFO.qualifiedName.size
00 0B 6C 88 60 B2 80 E3 BE 7D     - TPM2B_NAME.name
34 F2 85 DC 26 9D 1B 72 A8 0A 17 CF 31 08 F1 55 F2 9B 4E 82 C8 5B 49 7B
~~~~~~~~~~~

Signature (256 bytes) - generated using the AIK private key
~~~~~~~~~~~
~~~~~~~~~~~

The remainder is the keyBlob, which is defined here:
https://github.com/Microsoft/TSS.MSR/blob/master/PCPTool.v11/inc/TpmAtt.h.

7.3.  Yubikey

As with the Android Keystore attestations, Yubikey attestations take
the form of an X.509 certificate.  As above, the certificate is
presented here packaged along with an intermediate CA certificate as
a certificates-only SignedData message.
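The dumps in 7.3.1 and 7.3.2 annotate four private extensions in the slot attestation certificate (firmware version, serial number, PIN and touch policy, form factor).  As an added example, not code from the draft or from Yubico, here is a decoder for those extension values together with the policy checks a relying party would apply to them.  The extension contents are copied from the two dumps; the meaning of the policy and form-factor codes is taken from Yubico's PIV attestation documentation and is an assumption of this example, as are the function names.

```python
# Yubico's private extension arc used in the attestation certificates.
OID_FIRMWARE = "1.3.6.1.4.1.41482.3.3"
OID_SERIAL = "1.3.6.1.4.1.41482.3.7"
OID_POLICY = "1.3.6.1.4.1.41482.3.8"
OID_FORM_FACTOR = "1.3.6.1.4.1.41482.3.9"

# Code meanings per Yubico's PIV attestation documentation (an assumption of
# this example; the draft itself only labels the fields).
PIN_POLICY = {1: "never", 2: "once per session", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}
FORM_FACTOR = {1: "USB-A keychain", 2: "USB-A nano", 3: "USB-C keychain",
               4: "USB-C nano", 5: "Lightning and USB-C"}

# Extension values exactly as shown in the two dumps
# (OID -> contents of the extension OCTET STRING).
YUBIKEY4_EXTS = {
    OID_FIRMWARE: bytes.fromhex("040303"),
    OID_SERIAL: bytes.fromhex("02034F9BB5"),
    OID_POLICY: bytes.fromhex("0101"),
}
YUBIKEY5_EXTS = {
    OID_FIRMWARE: bytes.fromhex("050102"),
    OID_SERIAL: bytes.fromhex("020400936AA0"),
    OID_POLICY: bytes.fromhex("0101"),
    OID_FORM_FACTOR: bytes.fromhex("02"),
}


def der_integer(data):
    """Decode one short-form DER INTEGER, the encoding used for the serial."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length & 0x80 or len(data) != 2 + length:
        raise ValueError("unsupported or inconsistent INTEGER length")
    return int.from_bytes(data[2:], "big", signed=True)


def decode_attestation(exts):
    """Turn the raw extension values of a slot attestation cert into fields."""
    fw = exts.get(OID_FIRMWARE)
    policy = exts.get(OID_POLICY)
    if fw is None or len(fw) != 3 or policy is None or len(policy) != 2:
        raise ValueError("firmware or policy extension missing or malformed")
    serial = exts.get(OID_SERIAL)
    ff = exts.get(OID_FORM_FACTOR)
    return {
        "firmware": tuple(fw),                      # three version bytes, e.g. (4, 3, 3)
        "serial": der_integer(serial) if serial is not None else None,
        "pin_policy": PIN_POLICY.get(policy[0], "unknown(%d)" % policy[0]),
        "touch_policy": TOUCH_POLICY.get(policy[1], "unknown(%d)" % policy[1]),
        "form_factor": FORM_FACTOR.get(ff[0], "unknown(%d)" % ff[0]) if ff else None,
    }


def check_attestation(info, min_firmware, expected_serial=None,
                      pin_required=True, touch_required=False):
    """Policy checks a relying party applies before trusting the attested key."""
    problems = []
    if info["firmware"] < min_firmware:
        problems.append("firmware %d.%d.%d is below the minimum %d.%d.%d"
                        % (info["firmware"] + min_firmware))
    if expected_serial is not None and info["serial"] != expected_serial:
        problems.append("serial number does not match the enrolled device")
    if pin_required and info["pin_policy"] == "never":
        problems.append("key can be used without the PIV PIN")
    if touch_required and info["touch_policy"] == "never":
        problems.append("key can be used without a touch")
    return problems


if __name__ == "__main__":
    for label, exts in (("Yubikey 4", YUBIKEY4_EXTS), ("Yubikey 5", YUBIKEY5_EXTS)):
        info = decode_attestation(exts)
        print(label, info, check_attestation(info, (5, 0, 0)))
```

Both dumps carry the policy value 01 01, so with the default pin_required=True the check reports that the attested key is usable without the PIN; that is precisely the kind of fact a relying party learns only from the attestation and not from the key itself.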
The attestations below were generated using code similar to that
found in the yubico-piv-tool (https://github.com/Yubico/yubico-piv-tool).
Details regarding attestations are here:
https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

7.3.1.  Yubikey 4

   0 1576: SEQUENCE {
   4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  15 1561:   [0] {
  19 1557:     SEQUENCE {
  23    1:       INTEGER 1
  26    0:       SET {}
  28   11:       SEQUENCE {
  30    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
         :         }
  41 1533:       [0] {
  45  742:         SEQUENCE {
  49  462:           SEQUENCE {
  53    3:             [0] {
  55    1:               INTEGER 2
         :               }
  58    9:             INTEGER 00 A4 85 22 AA 34 AF AE 4F
  69   13:             SEQUENCE {
  71    9:               OBJECT IDENTIFIER
         :                 sha256WithRSAEncryption (1 2 840 113549 1 1 11)
  82    0:               NULL
         :               }
  84   43:             SEQUENCE {
  86   41:               SET {
  88   39:                 SEQUENCE {
  90    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
  95   32:                   UTF8String 'Yubico PIV Root CA Serial 263751'
         :                   }
         :                 }
         :               }
 129   32:             SEQUENCE {
 131   13:               UTCTime 14/03/2016 00:00:00 GMT
 146   15:               GeneralizedTime 17/04/2052 00:00:00 GMT
         :               }
 163   33:             SEQUENCE {
 165   31:               SET {
 167   29:                 SEQUENCE {
 169    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
 174   22:                   UTF8String 'Yubico PIV Attestation'
         :                   }
         :                 }
         :               }
 198  290:             SEQUENCE {
 202   13:               SEQUENCE {
 204    9:                 OBJECT IDENTIFIER
         :                   rsaEncryption (1 2 840 113549 1 1 1)
 215    0:                 NULL
         :                 }
 217  271:               BIT STRING
         :                 30 82 01 0A 02 82 01 01 00 AB A9 0B 16 9B EF 31
         :                 CC 3E AC 18 5A 2D 45 80 75 70 C7 58 B0 6C 3F 1B
         :                 59 0D 49 B9 89 E8 6F CE BB 27 6F D8 3C 60 3A 85
         :                 00 EF 5C BC 40 99 3D 41 EE EA C0 81 7F 76 48 E4
         :                 A9 4C BC D5 6B E1 1F 0A 60 93 C6 FE AA D2 8D 8E
         :                 E2 B7 CD 8B 2B F7 9B DD 5A AB 2F CF B9 0E 54 CE
         :                 EC 8D F5 5E D7 7B 91 C3 A7 56 9C DC C1 06 86 76
         :                 36 44 53 FB 08 25 D8 06 B9 06 8C 81 FD 63 67 CA
         :                 [ Another 142 bytes skipped ]
         :               }
 492   21:             [3] {
 494   19:               SEQUENCE {
 496   17:                 SEQUENCE {
 498   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 3'
 510    3:                   OCTET STRING 04 03 03
         :                   }
         :                 }
         :               }
         :             }
 515   13:           SEQUENCE {
 517    9:             OBJECT IDENTIFIER
         :               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
 528    0:             NULL
         :             }
 530  257:           BIT STRING
         :             52 80 5A 6D C3 9E DF 47 A8 F1 B2 A5 9C A3 80 81
         :             3B 1D 6A EB 6A 12 62 4B 11 FD 8D 30 F1 7B FC 71
         :             10 C9 B2 08 FC D1 4E 35 7F 45 F2 10 A2 52 B9 D4
         :             B3 02 1A 01 56 07 6B FA 64 A7 08 F0 03 FB 27 A9
         :             60 8D 0D D3 AC 5A 10 CF 20 96 4E 82 BC 9D E3 37
         :             DA C1 4C 50 E1 3D 16 B4 CA F4 1B FF 08 64 C9 74
         :             4F 2A 3A 43 E0 DE 42 79 F2 13 AE 77 A1 E2 AE 6B
         :             DF 72 A5 B6 CE D7 4C 90 13 DF DE DB F2 8B 34 45
         :             [ Another 128 bytes skipped ]
         :           }
 791  783:         SEQUENCE {
 795  503:           SEQUENCE {
 799    3:             [0] {
 801    1:               INTEGER 2
         :               }
 804   17:             INTEGER
         :               00 FE B9 AF 03 3B 0B A7 79 04 02 F5 67 AE DF 72
         :               ED
 823   13:             SEQUENCE {
 825    9:               OBJECT IDENTIFIER
         :                 sha256WithRSAEncryption (1 2 840 113549 1 1 11)
 836    0:               NULL
         :               }
 838   33:             SEQUENCE {
 840   31:               SET {
 842   29:                 SEQUENCE {
 844    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
 849   22:                   UTF8String 'Yubico PIV Attestation'
         :                   }
         :                 }
         :               }
 873   32:             SEQUENCE {
 875   13:               UTCTime 14/03/2016 00:00:00 GMT
 890   15:               GeneralizedTime 17/04/2052 00:00:00 GMT
         :               }
 907   37:             SEQUENCE {
 909   35:               SET {
 911   33:                 SEQUENCE {
 913    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
 918   26:                   UTF8String 'YubiKey PIV Attestation 9e'
         :                   }
         :                 }
         :               }
 946  290:             SEQUENCE {
 950   13:               SEQUENCE {
 952    9:                 OBJECT IDENTIFIER
         :                   rsaEncryption (1 2 840 113549 1 1 1)
 963    0:                 NULL
         :                 }
 965  271:               BIT STRING
         :                 30 82 01 0A 02 82 01 01 00 93 C4 C0 35 95 7E 26
         :                 2A 7E A5 D0 29 C4 D7 E9 39 67 22 B1 09 45 46 4D
         :                 DB A4 77 CB 0B A3 F1 D0 69 3C 24 8D A2 72 72 27
         :                 E1 7F DE CB 67 A4 1D D2 E5 43 44 6F 21 39 F8 57
         :                 34 01 0E 7E C3 81 63 63 6A 6D D7 40 20 7B AF 35
         :                 61 9C 8D C1 D1 2B 25 48 EE 52 FC F3 72 6A 74 96
         :                 01 CB 1C 1A B2 AD F9 18 96 EB 59 EF E3 3A CA BC
         :                 AA 9B 42 FE FF 60 6E 28 89 49 0D C1 B1 B0 25 AE
         :                 [ Another 142 bytes skipped ]
         :               }
1240   60:             [3] {
1242   58:               SEQUENCE {
1244   17:                 SEQUENCE {
1246   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 3'
1258    3:                   OCTET STRING 04 03 03 -- firmware version
         :                   }
1263   19:                 SEQUENCE {
1265   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 7'
1277    5:                   OCTET STRING 02 03 4F 9B B5 -- serial number
         :                   }
1284   16:                 SEQUENCE {
1286   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 8'
1298    2:                   OCTET STRING 01 01 -- PIN and touch policy
         :                   }
         :                 }
         :               }
         :             }
1302   13:           SEQUENCE {
1304    9:             OBJECT IDENTIFIER
         :               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
1315    0:             NULL
         :             }
1317  257:           BIT STRING
         :             1F 2B B8 1C 95 A1 01 74 3F 87 27 F6 B3 A6 A9 9D
         :             11 B9 ED 68 92 B9 05 2D 22 36 51 28 23 3D B0 2F
         :             7A 17 D5 8C 0C F4 3A 68 FD 2A 34 0D 80 3C F7 8F
         :             B8 79 B0 76 E5 4D 61 94 C5 72 D6 9F 6E 26 76 5F
         :             03 94 55 40 93 5C 04 EF CC 58 41 EB 7C 86 64 23
         :             5F 23 5E 94 78 73 2E 77 8C 58 C5 45 87 22 CF BA
         :             69 06 B8 C7 06 37 10 21 8C 74 AD 08 B9 85 F2 7B
         :             99 02 4A 3E E8 96 09 D3 F4 C6 AB FA 49 68 E2 E0
         :             [ Another 128 bytes skipped ]
         :           }
         :         }
1578    0:       SET {}
         :       }
         :     }
         :   }

7.3.2.  Yubikey 5

   0 1613: SEQUENCE {
   4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  15 1598:   [0] {
  19 1594:     SEQUENCE {
  23    1:       INTEGER 1
  26    0:       SET {}
  28   11:       SEQUENCE {
  30    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
         :         }
  41 1570:       [0] {
  45  762:         SEQUENCE {
  49  482:           SEQUENCE {
  53    3:             [0] {
  55    1:               INTEGER 2
         :               }
  58    9:             INTEGER 00 86 77 17 E0 1D 19 2B 26
  69   13:             SEQUENCE {
  71    9:               OBJECT IDENTIFIER
         :                 sha256WithRSAEncryption (1 2 840 113549 1 1 11)
  82    0:               NULL
         :               }
  84   43:             SEQUENCE {
  86   41:               SET {
  88   39:                 SEQUENCE {
  90    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
  95   32:                   UTF8String 'Yubico PIV Root CA Serial 263751'
         :                   }
         :                 }
         :               }
 129   32:             SEQUENCE {
 131   13:               UTCTime 14/03/2016 00:00:00 GMT
 146   15:               GeneralizedTime 17/04/2052 00:00:00 GMT
         :               }
 163   33:             SEQUENCE {
 165   31:               SET {
 167   29:                 SEQUENCE {
 169    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
 174   22:                   UTF8String 'Yubico PIV Attestation'
         :                   }
         :                 }
         :               }
 198  290:             SEQUENCE {
 202   13:               SEQUENCE {
 204    9:                 OBJECT IDENTIFIER
         :                   rsaEncryption (1 2 840 113549 1 1 1)
 215    0:                 NULL
         :                 }
 217  271:               BIT STRING
         :                 30 82 01 0A 02 82 01 01 00 C5 5B 8D E9 B9 3C 53
         :                 69 82 88 FE DA 70 FC 5C 88 78 41 25 A2 1D 7B 84
         :                 8E 93 36 AD 67 2B 4C AB 45 BE B2 E0 D5 9C 1B A1
         :                 68 D5 6B F8 63 5C 83 CB 83 38 62 B7 64 AE 83 37
         :                 37 8E C8 60 80 E6 01 F8 75 AA AE F6 6E A7 D5 76
         :                 C5 C1 25 AD AA 9E 9D DC B5 7E E9 8E 2A B4 3F 99
         :                 0D F7 9F 20 A0 28 A0 9F B3 B1 22 5F AF 38 FB 73
         :                 46 F4 C7 93 30 DD FA D0 86 E0 C9 C6 72 99 AF FB
         :                 [ Another 142 bytes skipped ]
         :               }
 492   41:             [3] {
 494   39:               SEQUENCE {
 496   17:                 SEQUENCE {
 498   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 3'
 510    3:                   OCTET STRING 05 01 02
         :                   }
 515   18:                 SEQUENCE {
 517    3:                   OBJECT IDENTIFIER basicConstraints (2 5 29 19)
522 1: BOOLEAN TRUE 2764 525 8: OCTET STRING 30 06 01 01 FF 02 01 00 2765 : } 2766 : } 2767 : } 2768 : } 2769 535 13: SEQUENCE { 2770 537 9: OBJECT IDENTIFIER 2771 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2772 548 0: NULL 2773 : } 2774 550 257: BIT STRING 2775 : 05 57 B7 BF 5A 41 74 F9 5F EC 2E D2 B8 78 26 E5 2776 : EF 4F EA BF 5A 64 C9 CF 06 7F CA 8C 0A FC 1A 47 2777 : 1C D6 AC ED C8 5B 54 72 00 9F B8 59 AB 73 25 B2 2778 : D6 02 A3 59 83 31 69 EE C1 5F 3D F2 2B 1B 22 CA 2779 : B6 FC F9 FB 21 32 9E 08 F3 08 54 6D C9 26 10 42 2780 : 08 1D 3C B5 F0 5A B1 98 D4 68 DC 91 F1 D3 91 54 2781 : 7A A0 34 8B F6 65 EB 13 9F 3A 1C BF 43 C5 D1 D0 2782 : 33 23 C6 25 A0 4C E4 E9 AA 59 80 D8 02 1E B0 10 2783 : [ Another 128 bytes skipped ] 2784 : } 2785 811 800: SEQUENCE { 2786 815 520: SEQUENCE { 2787 819 3: [0] { 2788 821 1: INTEGER 2 2789 : } 2790 824 16: INTEGER 2791 : 17 7D 2D F7 D6 6D 97 CC D6 CF 69 33 87 5B F1 5E 2792 842 13: SEQUENCE { 2793 844 9: OBJECT IDENTIFIER 2794 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2795 855 0: NULL 2796 : } 2797 857 33: SEQUENCE { 2798 859 31: SET { 2799 861 29: SEQUENCE { 2800 863 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2801 868 22: UTF8String 'Yubico PIV Attestation' 2802 : } 2803 : } 2804 : } 2805 892 32: SEQUENCE { 2806 894 13: UTCTime 14/03/2016 00:00:00 GMT 2807 909 15: GeneralizedTime 17/04/2052 00:00:00 GMT 2808 : } 2809 926 37: SEQUENCE { 2810 928 35: SET { 2811 930 33: SEQUENCE { 2812 932 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2813 937 26: UTF8String 'YubiKey PIV Attestation 9e' 2814 : } 2815 : } 2816 : } 2817 965 290: SEQUENCE { 2818 969 13: SEQUENCE { 2819 971 9: OBJECT IDENTIFIER 2820 : rsaEncryption (1 2 840 113549 1 1 1) 2821 982 0: NULL 2822 : } 2824 984 271: BIT STRING 2825 : 30 82 01 0A 02 82 01 01 00 A9 02 2D 7A 4C 0B B1 2826 : 0C 02 F9 E5 9C E5 6F 20 D1 9D F9 CE B3 B3 4D 1B 2827 : 61 B0 B4 E0 3F 44 19 72 88 8B 8D 9F 86 4A 5E C7 2828 : 38 F0 AF C9 28 5C D8 A2 80 C9 43 93 2D FA 39 7F 2829 : E9 39 2D 18 1B 
         :                 A7 A2 76 8F D4 6C D0 75 96 99 0D
         :                 06 37 9D 90 D5 71 00 6E FB 82 D1 5B 2A 7C 3B 62
         :                 9E AB 15 81 B9 AD 7F 3D 30 1C C2 4B 9D C4 D5 64
         :                 32 9A 54 D6 23 B1 65 92 A3 D7 57 E2 62 10 2B 93
         :                 [ Another 142 bytes skipped ]
         :               }
 1259   78:             [3] {
 1261   76:               SEQUENCE {
 1263   17:                 SEQUENCE {
 1265   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 3'
 1277    3:                   OCTET STRING 05 01 02    -- firmware version
         :                   }
 1282   20:                 SEQUENCE {
 1284   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 7'
 1296    6:                   OCTET STRING 02 04 00 93 6A A0    -- serial number
         :                   }
 1304   16:                 SEQUENCE {
 1306   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 8'
 1318    2:                   OCTET STRING 01 01    -- PIN and touch policy
         :                   }
 1322   15:                 SEQUENCE {
 1324   10:                   OBJECT IDENTIFIER '1 3 6 1 4 1 41482 3 9'
 1336    1:                   OCTET STRING 02    -- form factor
         :                   }
         :                 }
         :               }
         :             }
 1339   13:           SEQUENCE {
 1341    9:             OBJECT IDENTIFIER
         :               sha256WithRSAEncryption (1 2 840 113549 1 1 11)
 1352    0:             NULL
         :             }
 1354  257:           BIT STRING
         :             9F EB 7A 4C F0 7C 67 11 ED C5 84 07 C8 19 41 B2
         :             71 42 08 2B D6 CD A8 5F DC AE 79 75 6C F1 E5 4D
         :             28 95 89 69 9D C0 2E A7 D4 48 51 B0 75 FF 63 FD
         :             B8 79 93 03 EA BB 8A 67 D8 E7 EC C9 1C 8E 3F AF
         :             74 30 D4 7E 74 A4 26 50 9F D4 57 AE 23 C0 8A 63
         :             4E F3 C7 CF 5A AF 91 11 A2 6B 3B 49 24 32 26 88
         :             D8 4F 6F BE BC F0 2D A9 A2 88 B4 5F 54 AF 42 72
         :             08 74 64 57 76 5A 02 9A 9D 21 4B FD 7F 44 8F AF
         :             [ Another 128 bytes skipped ]
         :           }
         :         }
 1615    0:       SET {}
         :       }
         :     }
         :   }

8.  Privacy Considerations

   TBD

9.  Security Considerations

   TBD.

10.  IANA Considerations

   TBD.

11.  Acknowledgements

   Thomas Hardjono provided the text on the blockchain system.  Dave
   Thaler suggested many small variations.  Frank Xialiang suggested the
   scaling scenarios that might preclude a 1:1 protocol between
   attesters and relying parties.
   Henk Birkholz provided many reviews.  Kathleen Moriarty provided many
   useful edits.  Ned Smith, Anders Rundgren and Steve Hanna provided
   many useful pointers to TCG terms and concepts.  Thomas Fossati and
   Shawn Willden elucidated the Android Keystore goals and limitations.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

12.2.  Informative References

   [android_security]
              Kralevich, R., "The Android Platform Security Model", n.d.

   [azureattestation]
              Microsoft, "Azure Sphere Attestation", n.d.

   [fido]     FIDO Alliance, "FIDO Specification Overview", n.d.

   [fido_w3c] W3C, "Web Authentication: An API for accessing Public Key
              Credentials Level 1", n.d.

   [fidoattestation]
              FIDO Alliance, "FIDO 2.0: Key Attestation", n.d.

   [fidosignature]
              FIDO Alliance, "FIDO 2.0: Signature Format", n.d.

   [fidotechnote]
              FIDO Alliance, "FIDO TechNotes: The Truth about
              Attestation", n.d.

   [I-D.fedorkow-rats-network-device-attestation]
              Fedorkow, G. and J. Fitzgerald-McKay, "Network Device
              Attestation Workflow",
              draft-fedorkow-rats-network-device-attestation-00 (work in
              progress), July 2019.

   [I-D.gutmann-scep]
              Gutmann, P., "Simple Certificate Enrolment Protocol",
              draft-gutmann-scep-14 (work in progress), June 2019.

   [I-D.tschofenig-rats-psa-token]
              Tschofenig, H., Frost, S., Brossard, M., Shaw, A., and T.
              Fossati, "Arm's Platform Security Architecture (PSA)
              Attestation Token", draft-tschofenig-rats-psa-token-02
              (work in progress), July 2019.

   [ieee802-1AR]
              IEEE Standard, "IEEE 802.1AR Secure Device Identifier",
              2009.
   [intelsgx] Intel, "Intel(R) Software Guard Extensions: Attestation &
              Provisioning Services", n.d.

   [keystore] Google, "Android Keystore System", n.d.

   [keystore_attestation]
              Google, "Verifying hardware-backed key pairs with Key
              Attestation", n.d.

   [RFC4210]  Adams, C., Farrell, S., Kause, T., and T. Mononen,
              "Internet X.509 Public Key Infrastructure Certificate
              Management Protocol (CMP)", RFC 4210,
              DOI 10.17487/RFC4210, September 2005.

   [RFC5209]  Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
              Tardo, "Network Endpoint Assessment (NEA): Overview and
              Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013.

   [RFC8555]  Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
              Kasten, "Automatic Certificate Management Environment
              (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019.

   [SP800-147B]
              NIST, "BIOS Protection Guidelines for Servers", n.d.

   [SP800-155]
              NIST, "BIOS Integrity Measurement Guidelines (Draft)", n.d.

   [tapinfomodel]
              Trusted Computing Group, "TCG Trusted Attestation Protocol
              (TAP) Information Model for TPM Families 1.2 and 2.0 and
              DICE Family 1.0", n.d.

   [tcgglossary]
              Trusted Computing Group, "TCG Glossary, Version 1.1", n.d.

   [tpmarchspec]
              Trusted Computing Group, "TPM 2.0 Mobile Reference
              Architecture", n.d.

   [windowsdefender]
              Microsoft, "Windows Defender System Guard attestation",
              n.d.

   [windowshealth]
              Microsoft, "Windows Device Health Attestation", n.d.
   [yubikey_attestation]
              Yubico, "PIV Attestation", n.d.

Appendix A.  Changes

   o  created new section for target use cases

   o  added comments from Guy, Jessica, Henk and Ned on TCG description.

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca


   Carl Wallace
   Red Hound Software

   Email: carl@redhoundsoftware.com


   Wei Pan
   Huawei Technologies

   Email: william.panwei@huawei.com
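   The Yubico vendor extensions in the PIV attestation certificate dump
   earlier in this document (OIDs 1.3.6.1.4.1.41482.3.3, .3.7, .3.8 and
   .3.9) carry the firmware version, device serial number, PIN and touch
   policy and form factor that a relying party actually decides on.  The
   Python below is an example added by the editor; it is not code from
   this draft and not Yubico's tooling.  It reconstructs the 78-byte [3]
   Extensions element of the "YubiKey PIV Attestation 9e" certificate
   byte for byte from the dumpasn1 listing (offset 1259; every OID, length
   and value is taken from the listing), decodes it with a small DER
   reader, and applies an illustrative relying-party policy.  Two things
   are assumptions rather than content of the draft: the names assigned
   to the one-byte policy and form-factor values (taken from Yubico's PIV
   attestation documentation; check the current version before relying
   on them) and the default thresholds in relying_party_check.

```python
# Decode the Yubico vendor extensions (1.3.6.1.4.1.41482.3.x) of a YubiKey
# PIV attestation certificate with a minimal DER reader.  Editor's example,
# not code from the draft or from Yubico; SAMPLE_EXTENSIONS is constructed
# byte for byte from the dumpasn1 listing ([3] element at offset 1259).
YUBICO_ARC = "1.3.6.1.4.1.41482.3."

# One-byte value meanings per Yubico's PIV attestation documentation.
# Assumption: the draft only labels the fields; confirm against current docs.
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}
FORM_FACTOR = {1: "USB-A Keychain", 2: "USB-A Nano", 3: "USB-C Keychain",
               4: "USB-C Nano", 5: "USB-C/Lightning"}

SAMPLE_EXTENSIONS = bytes.fromhex(            # constructed from the listing
    "A3 4E 30 4C "
    "30 11 06 0A 2B 06 01 04 01 82 C4 0A 03 03 04 03 05 01 02 "           # .3 firmware
    "30 14 06 0A 2B 06 01 04 01 82 C4 0A 03 07 04 06 02 04 00 93 6A A0 "  # .7 serial
    "30 10 06 0A 2B 06 01 04 01 82 C4 0A 03 08 04 02 01 01 "              # .8 PIN/touch
    "30 0F 06 0A 2B 06 01 04 01 82 C4 0A 03 09 04 01 02 "                 # .9 form factor
)

def read_tlv(buf, pos=0):
    """(tag, content, end) of the DER element at buf[pos].  Single-byte tags
    and definite lengths only, which is all X.509 needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def read_children(content):
    """(tag, content) pairs of the elements inside a constructed element."""
    pos, children = 0, []
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        children.append((tag, value))
    return children

def decode_oid(content):
    """OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0   # 0x2B -> 1.3
    for b in content[1:]:                      # base 128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)

def parse_yubico_extensions(ext_der):
    """Decode the [3] Extensions element: Yubico fields by name, others raw
    under their OID; an unknown critical extension is rejected (RFC 5280)."""
    tag, content, _ = read_tlv(ext_der)
    if tag != 0xA3:
        raise ValueError("expected [3] EXPLICIT Extensions")
    tag, exts, _ = read_tlv(content)
    if tag != 0x30:
        raise ValueError("expected Extensions SEQUENCE")
    info = {}
    for tag, ext in read_children(exts):
        parts = read_children(ext)             # OID, [BOOLEAN critical], OCTET STRING
        if tag != 0x30 or parts[0][0] != 0x06 or parts[-1][0] != 0x04:
            raise ValueError("malformed Extension")
        oid = decode_oid(parts[0][1])
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        value = parts[-1][1]
        if oid == YUBICO_ARC + "3":
            info["firmware"] = ".".join(str(b) for b in value)   # 05 01 02 -> 5.1.2
        elif oid == YUBICO_ARC + "7":
            itag, ival, _ = read_tlv(value)    # extnValue wraps a DER INTEGER
            if itag != 0x02:
                raise ValueError("serial is not an INTEGER")
            info["serial"] = int.from_bytes(ival, "big")
        elif oid == YUBICO_ARC + "8":
            info["pin_policy"], info["touch_policy"] = value[0], value[1]
        elif oid == YUBICO_ARC + "9":
            info["form_factor"] = value[0]
        elif critical:
            raise ValueError("unrecognised critical extension " + oid)
        else:
            info[oid] = value
    return info

def relying_party_check(info, min_pin_policy=2, allowed_touch=(2, 3)):
    """Reasons a relying party would reject the attested key.  The defaults
    (PIN at least once per session, a touch on use) are illustrative policy."""
    problems = []
    pin, touch = info.get("pin_policy", 0), info.get("touch_policy")
    if pin < min_pin_policy:
        problems.append(f"PIN policy {PIN_POLICY.get(pin, pin)} weaker than required")
    if touch not in allowed_touch:
        problems.append(f"touch policy {TOUCH_POLICY.get(touch, touch)} not allowed")
    return problems

if __name__ == "__main__":
    info = parse_yubico_extensions(SAMPLE_EXTENSIONS)
    print(info, FORM_FACTOR.get(info["form_factor"], "unknown"))
    print(relying_party_check(info) or "policy OK")
```

   Run stand-alone, the block decodes the listed certificate to firmware
   5.1.2, serial 0x936AA0 and, under the assumed tables, PIN policy
   "never", touch policy "never" and a USB-A Nano form factor; the
   illustrative policy therefore rejects the key twice over, even though
   its certificate chain is valid.  That is the point a relying party
   must not miss: the attestation proves where the key lives, and the
   extensions say how it may be used, so both must be checked.  The
   values are only meaningful once the leaf signature has been verified
   against the "Yubico PIV Attestation" intermediate and that in turn
   against Yubico's root, which this example does not do, and the slot
   named in the subject CN (9e here, the Card Authentication slot, which
   PIV uses without a PIN) should match the key the relying party
   expects.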