Creating a Trusted Web of Devices: Entity Attestation Tokens Explained
As the number of IoT devices being integrated into our businesses and lives increases, more decisions are made on the data and insights from these devices. For informed decisions to be made, we need to trust the data, which relies on having trusted devices. This is increasingly difficult, as IoT devices are complicated – containing a lot of code and hardware that will inevitably contain security vulnerabilities.
Enabling Risk-based Judgements
PSA Certified calls for a small hardware-protected region of the chip, called the PSA Root of Trust (PSA-RoT), that acts as a source of confidentiality and integrity. The PSA-RoT includes a small set of useful security functions, which are made accessible to software developers via open source and easy-to-use PSA Functional APIs. One of these key APIs deals with attestation and the creation of an Entity Attestation Token (EAT).
The Entity Attestation Token is a beautifully simple way for IoT devices to make claims about a device’s status that can be useful to OEMs and cloud service providers who want assurance that they can trust the devices. Simply explained, it’s a digital report card on what the device is and how it is performing.
A Mechanism for Communicating Trust
With large amounts of fragmentation in IoT devices and software, service providers struggle to judge the trustworthiness of the devices they are connected to. Cloud service providers need to make informed judgements on end devices to ensure the data those devices provide can be trusted. This requires a mechanism to identify, characterize and authenticate them.
EAT has the capabilities to provide this source of trust, using a cryptographically signed piece of data containing claims that are generated in the device Root of Trust (RoT). There are many ways it can be useful, but most importantly it can be read by a Relying Party (for example, the server or service). The Relying Party can verify the claims made by the device such as:
- The unique identity of the device
- Installed software on the device and its integrity status
- Security assurance and certification status (such as a PSA Certified level)
- Manufacturer of the device hardware
Using this information, the Relying Party can make informed decisions such as whether the device is legitimate and should be onboarded, or what services should be enabled based on its security credentials.
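The Relying Party flow described above, as an added sketch that is not code from PSA Certified or Trusted Firmware-M: verify the token's integrity first, then apply policy to the claims to choose between rejecting, limited onboarding and full onboarding. Assumptions: JSON and HMAC-SHA256 stand in for the real token encoding and the RoT's signature, the claim names, reference values and policy thresholds are hypothetical, and the nonce freshness check is an addition the page does not describe.

```python
import hashlib
import hmac
import json

# Constructed key. HMAC stands in for the RoT's signature, JSON for the real encoding.
DEMO_KEY = b"constructed-demo-key"
# Constructed reference values held by the Relying Party; claim names are hypothetical.
TRUSTED_MAKERS = {"ExampleChipCo"}
KNOWN_GOOD_SW = {"sha256:aa11"}

def sign_token(claims, key=DEMO_KEY):
    """Device-side stand-in: serialize the claims and append an integrity tag."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag

def verify_token(token, expected_nonce, key=DEMO_KEY):
    """Return the claims only if the tag is valid and the token is fresh."""
    payload, _, tag = token.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered with, or not produced by the expected key
    claims = json.loads(payload)
    if claims.get("nonce") != expected_nonce:
        return None  # replay of an old token (assumed freshness check)
    return claims

def decide(token, expected_nonce):
    """Map verified claims to a decision; no claim is read before verification."""
    claims = verify_token(token, expected_nonce)
    if claims is None:
        return "reject"
    if claims.get("manufacturer") not in TRUSTED_MAKERS:
        return "reject"
    if claims.get("sw_measurement") not in KNOWN_GOOD_SW:
        return "reject"  # installed software is not a known-good build
    level = claims.get("cert_level", 0)
    if level < 1:
        return "reject"
    # Hypothetical policy: higher certification level unlocks more services.
    return "onboard-full" if level >= 2 else "onboard-limited"

if __name__ == "__main__":
    sample = {"device_id": "dev-0001", "manufacturer": "ExampleChipCo",
              "sw_measurement": "sha256:aa11", "cert_level": 2, "nonce": "n-1"}
    print(decide(sign_token(sample), "n-1"))
```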
Easing the Implementation of EAT
Our new Entity Attestation Token white paper was co-created with the author of the EAT source code and gives you unique insight into the technology. Download the white paper to learn more, including:
- The anatomy of an Entity Attestation Token
- The four-step process of device attestation
- Use cases
- How the PSA Certified ecosystem is supporting its adoption.
PSA Certified aims to reduce IoT fragmentation and ease security concerns across the ecosystem, which is why we’re passionate about providing open source examples for EAT, which you can find in the Trusted Firmware-M project. If you’re looking for products that support EAT, you can find them here.