Remote attestation is a cornerstone of trusted computing in building trustworthy systems and services. In essence, a trusted entity, also known as the verifier, obtains state or behavioral information about another entity, also known as the prover. The obtained information allows the verifier to infer whether the prover is in a secure and safe state. The prover can be a device or a critical software component of a service, often located remotely from the verifier.
There is a wide range of attestation methods. For instance, static attestation methods provide guarantees that software is correctly installed. In contrast, dynamic attestation methods aim at attesting whether services are executing as intended. Attestation methods are also often highly dependent on a prover’s underlying hardware platform, which is usually trusted and include dedicated modules with attestation support. Instances are Trusted Platform Modules (TPM), Intel’s Software Guard eXtensions (SGX), AMD’s Secure Encrypted Virtualization (SEV), and ARM TrustZone. However, this variety becomes challenging in IoT as IoT deployments usually comprise a large range of different platforms, ranging from devices with low computational power like sensors to servers and smartphones with powerful, fully equipped CPUs, each with its own attestation capabilities and protocols.
Attestation is a vital service in TERMINET’s security layer and is an integral part of TERMINET’s Minimal Platform Profile (MPP). In particular, the MPP includes the Attestation Gateway (AG), which acts as a middleware for attesting devices and services. AG provides a unifying interface for various types of devices and services with their different attestation methods. Furthermore, AG supports to group and hierarchically structure devices and services for combined attestation. AG also allows entities―depending on their permissions―to request attestation information about devices and services. Such information can, e.g., be used to only send sensitive data to services/devices that are attested and in a well-defined state. Overall, AG aims at simplifying attestation and making attestation widely available within TERMINET in particular and in IoT deployments in general by providing a general, easy-to-use, yet powerful interface for the remote attestation of devices and services.