Remote Key Attestation is the mechanism by which a relying party can cryptographically verify that a public key is part of a key pair that was generated inside a trusted device. The relying party can be a certification authority, that wants to enforce a certain policy for storing key material.
The SmartCard-HSM has supported key attestation from it’s very beginning. It does that by signing the public key using its Device Authentication Key as soon as the key pair is generated.
Every SmartCard-HSM carries a Device Authentication Certificate, that is issued by the Device Issuer CA to bind the unique identity of the device to an unique Device Authentication key pair generated during production.
For that purpose, every licensed producer of SmartCard-HSMs operates a Device Issuer CA (DICA), that in turn is certified by the Scheme Root CA (SRCA) we operate at CardContact.
The resulting certificate chain is stored in the SmartCard-HSM. You can see the certificate chain in the Key Manager of the Smart Card Shell:
>load("keymanager/keymanager.js");
SmartCard-HSM Version 4.0 on JCOP 4 Free memory 129992 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDICC1200001 CED=6. September 2021 CXD=5. September 2029
Device Certificate : CVC id-SC-HSM Device CAR=DEDICC1200001 CHR=DECC120323900000 CED=7. September 2023 CXD=5. September 2029
This is device DECC1203239, produced on September 7th, 2023 by the Device Issuer DEDICC12, that was certified by DESRCACC1.
The certificates are Card Verifiable Certificates (CVC), a compact certificate format that can be processed by devices with limited processing power, like smartcards. A CVC has a field CHR to denote the certificate holder (like Subject-DN in X.509) and CAR to denote the issuer (like Issuer-DN in X.509). Both CHR and CAR follow a naming scheme, that consists of a country code (DE), a holder mnemonic (DICC12) and a serial number (00001).
The CVC format was initially defined by ISO 7816-8 and further detailed by BSI TR-03110-3, which is the basis for ICAO Machine Readable Travel Documents, better known as EAC-PKI for e-Passports with chip.
TR-03110-3 also defines in chapter C.2 a certificate request format that an entity in an EAC-PKI shall use to request a certificate from a superior CA. This request format is what the SmartCard-HSM uses as format for remote key attestation.
To dive a little deeper into the mechanics of key attestation, you could use the key-attestation.js script for the Smart Card Shell from the Starterkit.
/**
* ---------
* |.##> <##.| SmartCard-HSM Support Scripts
* |# #|
* |# #| Copyright (c) 2011-2015 CardContact Software & System Consulting
* |'##> <##'| Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de)
* ---------
*
* Consult your license package for usage terms and conditions.
*
* @fileoverview Key attestation example
*/
var CVC = require("scsh/eac/CVC").CVC;
var SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
var SmartCardHSMKeySpecGenerator = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSMKeySpecGenerator;
var HSMKeyStore = require("scsh/sc-hsm/HSMKeyStore").HSMKeyStore;
var crypto = new Crypto();
var card = new Card(_scsh3.reader);
card.reset(Card.RESET_COLD);
// Obtain a SmartCardHSM instance bound to the card
var sc = new SmartCardHSM(card);
// Read device certificate and validate chain up to the SRCA
var devAutCert = sc.readBinary(SmartCardHSM.C_DevAut);
var chain = SmartCardHSM.validateCertificateChain(crypto, devAutCert);
if (this.chain == null) {
throw new GPError(module.id, GPError.DEVICE_ERROR, 0, "SmartCard-HSM authentication failed");
}
// Authenticate the device and open a secure messaging channel
sc.openSecureChannel(crypto, chain.publicKey, Key.AES);
// Verify the PIN
sc.verifyUserPIN(new ByteString("648219", ASCII));
// Obtain a key store for the SmartCard-HSM
var ks = new HSMKeyStore(sc);
// Create a key spec for generating the key pair
var dp = new Key();
dp.setComponent(Key.ECC_CURVE_OID, new ByteString("brainpoolP256r1", OID));
var gen = new SmartCardHSMKeySpecGenerator(Crypto.EC, dp);
var label = "Key Attestation Example";
print("Generating " + label);
if (ks.hasKey(label)) {
ks.deleteKey(label);
}
// Generate the key pair
var req = ks.generateKeyPair(label, gen);
print("Full certificate chain:");
print("SRCA : " + chain.srca);
print("DICA : " + chain.dica);
print("DevAut : " + chain.devicecert);
print("Request : " + req);
print(req.getASN1());
assert(chain.dica.verifyWithCVC(crypto, chain.srca), "Could not validate DICA");
assert(chain.devicecert.verifyWithCVC(crypto, chain.dica), "Could not validate Device");
assert(req.verifyATWithCVC(crypto, chain.devicecert), "Could not validate request");
The script generates a fresh key pair and then validates the signed public key request generated inside the SmartCard-HSM:
>load("/home/asc/share/projects/workspace_scsh/sc-hsm-sdk-scripts/examples/key-attestation.js");
Generating Key Attestation Example
Full certificate chain:
SRCA : CVC id-SC-HSM SRCA CAR=DESRCACC100001 CHR=DESRCACC100001 CED=9. November 2012 CXD=8. November 2032
DICA : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDICC1200001 CED=6. September 2021 CXD=5. September 2029
DevAut : CVC id-SC-HSM Device CAR=DEDICC1200001 CHR=DECC120323900000 CED=7. September 2023 CXD=5. September 2029
Request : AT-CVREQ CAR=UTDUMMY00001 CHR=UTDUMMY00001 oCAR=DECC120323900000
Authenticated CVC Request 67 [ APPLICATION 7 ] IMPLICIT SEQUENCE SIZE( 485 )
CV Certificate 7F21 [ APPLICATION 33 ] IMPLICIT SEQUENCE SIZE( 395 )
Certificate Body 7F4E [ APPLICATION 78 ] IMPLICIT SEQUENCE SIZE( 323 )
Certificate Profile Indicator 5F29 [ APPLICATION 41 ] SIZE( 1 )
0000 00 .
Certification Authority Reference 42 [ APPLICATION 2 ] SIZE( 12 )
0000 55 54 44 55 4D 4D 59 30 30 30 30 31 UTDUMMY00001
Public Key 7F49 [ APPLICATION 73 ] IMPLICIT SEQUENCE SIZE( 285 )
OBJECT IDENTIFIER = { id-TA-ECDSA-SHA-256 }
Prime/Modulus 81 [ CONTEXT 1 ] SIZE( 32 )
0000 A9 FB 57 DB A1 EE A9 BC 3E 66 0A 90 9D 83 8D 72 ..W.....>f.....r
0010 6E 3B F6 23 D5 26 20 28 20 13 48 1D 1F 6E 53 77 n;.#.& ( .H..nSw
First coefficient a/Exponent 82 [ CONTEXT 2 ] SIZE( 32 )
0000 7D 5A 09 75 FC 2C 30 57 EE F6 75 30 41 7A FF E7 }Z.u.,0W..u0Az..
0010 FB 80 55 C1 26 DC 5C 6C E9 4A 4B 44 F3 30 B5 D9 ..U.&.\l.JKD.0..
Second coefficient b 83 [ CONTEXT 3 ] SIZE( 32 )
0000 26 DC 5C 6C E9 4A 4B 44 F3 30 B5 D9 BB D7 7C BF &.\l.JKD.0....|.
0010 95 84 16 29 5C F7 E1 CE 6B CC DC 18 FF 8C 07 B6 ...)\...k.......
Base Point G 84 [ CONTEXT 4 ] SIZE( 65 )
0000 04 8B D2 AE B9 CB 7E 57 CB 2C 4B 48 2F FC 81 B7 ......~W.,KH/...
0010 AF B9 DE 27 E1 E3 BD 23 C2 3A 44 53 BD 9A CE 32 ...'...#.:DS...2
0020 62 54 7E F8 35 C3 DA C4 FD 97 F8 46 1A 14 61 1D bT~.5......F..a.
0030 C9 C2 77 45 13 2D ED 8E 54 5C 1D 54 C7 2F 04 69 ..wE.-..T\.T./.i
0040 97 .
Order of the base point 85 [ CONTEXT 5 ] SIZE( 32 )
0000 A9 FB 57 DB A1 EE A9 BC 3E 66 0A 90 9D 83 8D 71 ..W.....>f.....q
0010 8C 39 7A A3 B5 61 A6 F7 90 1E 0E 82 97 48 56 A7 .9z..a.......HV.
Public Point y 86 [ CONTEXT 6 ] SIZE( 65 )
0000 04 46 0F 3F 19 06 3F 8C 3E 42 BC 48 63 17 F0 5D .F.?..?.>B.Hc..]
0010 9B C4 31 97 A8 5F 3F 40 D3 5D F1 22 10 51 2C 26 ..1.._?@.].".Q,&
0020 53 13 DA 38 19 A4 10 CD 71 1B 72 4A CD AC AB 94 S..8....q.rJ....
0030 47 4B 74 7A 25 99 68 89 CF A2 56 8F 93 44 C0 C3 GKtz%.h...V..D..
0040 8F .
Cofactor f 87 [ CONTEXT 7 ] SIZE( 1 )
0000 01 .
Certificate Holder Reference 5F20 [ APPLICATION 32 ] SIZE( 12 )
0000 55 54 44 55 4D 4D 59 30 30 30 30 31 UTDUMMY00001
Signature 5F37 [ APPLICATION 55 ] SIZE( 64 )
0000 67 3D 0A 8E 29 40 9F 70 6E 90 C9 A6 F1 C1 93 2B g=..)@.pn......+
0010 71 4F CB C0 FC 27 A1 A8 33 1F 0A 94 FE 3A 45 0B qO...'..3....:E.
0020 80 12 4A F1 3A 2B 83 6F 5F 4C 8E A9 EA 51 87 B1 ..J.:+.o_L...Q..
0030 C7 A8 67 85 7D 25 B0 A5 AB B9 8D 76 07 B2 06 29 ..g.}%.....v...)
Certification Authority Reference 42 [ APPLICATION 2 ] SIZE( 16 )
0000 44 45 43 43 31 32 30 33 32 33 39 30 30 30 30 30 DECC120323900000
Signature 5F37 [ APPLICATION 55 ] SIZE( 64 )
0000 47 08 8E 94 AC 77 27 EB 72 27 C8 19 24 FC 22 85 G....w'.r'..$.".
0010 89 35 B1 E2 88 53 D3 88 DA 8E E2 D7 47 1B 02 4E .5...S......G..N
0020 38 CC 89 8C 88 FA DC EA 8F DB CA 2C 77 38 4A 5E 8..........,w8J^
0030 AF 5A 51 F6 1C D9 E4 23 CE 4C 96 92 B9 F8 34 2E .ZQ....#.L....4.
You can see in the TLV structure of the CVREQ that it contains in the outer tag 67 a reference to the device in tag 42 and the signature applied by the Device Authentication Key in tag 5F37.
The inner structure in tag 7F4E resembles a self-signed structure of the public key in tag 7F49 and the signature in tag 5F37.
Of course for RSA keys, the public key object contains the modulus and the public exponent:
Authenticated CVC Request 67 [ APPLICATION 7 ] IMPLICIT SEQUENCE SIZE( 671 )
CV Certificate 7F21 [ APPLICATION 33 ] IMPLICIT SEQUENCE SIZE( 581 )
Certificate Body 7F4E [ APPLICATION 78 ] IMPLICIT SEQUENCE SIZE( 315 )
Certificate Profile Indicator 5F29 [ APPLICATION 41 ] SIZE( 1 )
0000 00 .
Certification Authority Reference 42 [ APPLICATION 2 ] SIZE( 12 )
0000 55 54 44 55 4D 4D 59 30 30 30 30 31 UTDUMMY00001
Public Key 7F49 [ APPLICATION 73 ] IMPLICIT SEQUENCE SIZE( 277 )
OBJECT IDENTIFIER = { id-TA-RSA-v1-5-SHA-256 }
Prime/Modulus 81 [ CONTEXT 1 ] SIZE( 256 )
0000 B8 37 1C 78 AA F0 E9 72 72 08 A7 97 10 58 97 BB .7.x...rr....X..
0010 30 43 1D 2D 04 DF BF 54 68 01 61 A2 D8 DD 80 9F 0C.-...Th.a.....
0020 24 D2 EF 64 04 06 49 F0 51 78 C4 00 CC DA 36 D2 $..d..I.Qx....6.
0030 AF 45 96 D3 FD 74 C4 61 1D 1F EC 05 9F 29 99 8C .E...t.a.....)..
0040 BB 1B A0 5C 74 25 F8 EF 8C 69 2C 56 FD 12 0B BD ...\t%...i,V....
0050 D4 48 7B 3C 0F 7A 57 5F EF 6B 30 93 5D 11 0D 41 .H{<.zW_.k0.]..A
0060 DA FE 23 A2 34 A8 36 79 26 D9 B6 A7 68 8F CC CC ..#.4.6y&...h...
0070 4B E6 26 00 D6 62 7D 84 04 E7 F8 B1 26 DB 3A 54 K.&..b}.....&.:T
0080 DA 56 C6 93 A0 65 38 F2 BD 0A 83 C6 2D 52 75 DD .V...e8.....-Ru.
0090 65 3B 3D EF CD 16 35 38 0C 27 A2 9B A3 92 51 CF e;=...58.'....Q.
00A0 DE 77 02 CE C2 26 7B BB 04 6D 58 20 A6 A0 DD 62 .w...&{..mX ...b
00B0 27 9C 31 45 51 FB FE 30 FB 65 8C 2F 3D 50 15 72 '.1EQ..0.e./=P.r
00C0 00 88 84 9E D3 BF B8 E2 A8 7F 8A 0C 8E 13 F2 22 ..............."
00D0 B8 4C 98 6B EC 42 C8 4C 47 AB 6A D6 71 BA F2 38 .L.k.B.LG.j.q..8
00E0 44 7C DB DE C8 85 69 FB 19 58 5F 41 7E 39 68 A0 D|....i..X_A~9h.
00F0 F1 18 98 99 B3 9D 1A 4D A1 D3 1A BA DB 32 13 51 .......M.....2.Q
First coefficient a/Exponent 82 [ CONTEXT 2 ] SIZE( 3 )
0000 01 00 01 ...
Certificate Holder Reference 5F20 [ APPLICATION 32 ] SIZE( 12 )
0000 55 54 44 55 4D 4D 59 30 30 30 30 31 UTDUMMY00001
Signature 5F37 [ APPLICATION 55 ] SIZE( 256 )
0000 74 B7 8D 16 40 EE 16 D1 53 83 15 31 FB AD ED 7E t...@...S..1...~
0010 61 EB AE 5A 49 F5 AE 9E 15 13 B4 2B 3D 6E 58 32 a..ZI......+=nX2
0020 B6 9D 3C 53 92 27 20 56 B0 82 09 AE 57 3D 73 5B ..<S.' V....W=s[
0030 19 E1 81 E8 3F 93 25 BB 3B C1 8C 49 0B 47 82 8E ....?.%.;..I.G..
0040 68 9E C6 5A 83 47 6D 9B 63 0F 9F 59 3B DF A7 3E h..Z.Gm.c..Y;..>
0050 5D F1 74 F3 65 F1 E9 74 70 E1 9D 62 87 3D 57 C2 ].t.e..tp..b.=W.
0060 83 5E 3A 40 6B 6C D7 11 67 34 98 58 EC EF F8 6A .^:@kl..g4.X...j
0070 B6 A3 81 F7 64 5B B0 76 D8 42 C7 B2 4D 9F 5C 26 ....d[.v.B..M.\&
0080 67 72 E1 3F 82 7B 76 97 04 64 90 75 70 70 42 8C gr.?.{v..d.uppB.
0090 71 A0 9B 15 92 9C 93 DD E6 0F 18 8C 1F BD 74 F6 q.............t.
00A0 9E A9 72 9F 6A 50 E3 BF 4D 77 47 F9 31 2F DD 98 ..r.jP..MwG.1/..
00B0 93 74 B4 9B B5 F1 18 CC E0 30 50 98 85 A9 56 87 .t.......0P...V.
00C0 ED 48 47 1C E7 63 90 4A 28 95 A0 44 DA 50 D6 43 .HG..c.J(..D.P.C
00D0 51 66 D8 F8 A8 77 7B 06 25 CA AD E9 88 47 15 75 Qf...w{.%....G.u
00E0 E7 B8 86 D1 43 F3 86 DD 75 4F 46 75 24 BA F8 72 ....C...uOFu$..r
00F0 32 BA C3 10 56 9D AB 79 89 9D 22 4E F2 08 EF 55 2...V..y.."N...U
Certification Authority Reference 42 [ APPLICATION 2 ] SIZE( 16 )
0000 44 45 43 43 31 32 30 33 32 33 39 30 30 30 30 30 DECC120323900000
Signature 5F37 [ APPLICATION 55 ] SIZE( 64 )
0000 1E CB 77 3B 53 EF 50 43 26 0A F0 EE 44 44 D5 47 ..w;S.PC&...DD.G
0010 60 62 C2 27 68 FB 53 31 45 BF 4E 8B BA DA 4C 67 `b.'h.S1E.N...Lg
0020 60 7F 46 98 EA 5F 2D AB 30 73 26 27 1D CB D2 87 `.F.._-.0s&'....
0030 02 B8 95 5E D2 D8 F9 F4 09 DE DF 01 2D B7 19 23 ...^........-..#
The inner CAR and CHR (here UTDUMMY00001) can be chosen arbitrarily to further identify the key pair (CHR) or the designated recipient (Inner CAR).
The key-attestation.js script also shows the other use of the Device Authentication Certificate: You can remotely authenticate the SmartCard-HSM using Chip Authentication V2 (as defined in TR-03110) and establish a secure messaging communication channel to protect integrity and confidentiality of data exchange with the SmartCard-HSM. This mechanisms is used to connect a SmartCard-HSM to cloud systems and for remote management.
Unfortunately key attestation is not widely supported by commercial CAs and CA software. Our PKI-as-a-Service Portal has support for remote key attestation when requesting certificates for a SmartCard-HSM.
But there is a promising task going on at the PKI Consortium to promote the adoption of remote key attestations.