Client-Server Application for Trusted Device Setup

Overview

Softeq created a client-server solution that performs device attestation and detects intrusions. The system consists of three parts:

Local Attestation Service

• Initiates the attestation process
• Collects attestation data and transfers it to the server
• Receives a health report in response

User Interface

• Serves the local attestation service
• Notifies about successful attestation or any unauthorized modifications made to the system, such as installed software or changes in configurations

Remote Device Health Attestation Server

• Collects device parameters to compare measurements against the production specifications
• Generates health reports

How Device Attestation Works

The device attestation flow starts on the first boot.

• The local attestation agent (LAA) connects to a cloud-based Remote Health Attestation Server (RHAS)
• The server receives the device ID and sends a challenge response to LAA to collect the following device parameters:
  - Attestation data stored in a Converged Security and Management Engine (CSME) module residing in the device’s chip
  - Trusted Platform Module (TPM) quote that enables digest authentication—secure authorization on the server
• When RHAS has collected the required data, it performs the attestation process—the validation of device parameters against the production specifications
• The server generates and signs a statement of health
• LAA uses this report to notify users via the dashboard about successful attestation or any vulnerabilities

Solution Composition

The solution is based on the Amazon Virtual Private Cloud (VPC)—an isolated secure private cloud within AWS.

Health Report

Health attestation reports are XML files that verify the successful device attestation and report on the machine/system integrity.

The report contains:

• Session ID
• Timestamp
• The laptop’s serial number
• BIOS number
• Status report
• Policies to attest the device

The report also includes a log containing information about boots and any locking/unlocking events or unauthorized modifications.

An “unhealthy” report status may indicate unauthorized access or that the attestation request was transferred under the table to another server.

Security

We provided data protection based on Lenovo and Intel security requirements.

The solution’s security capabilities include:

• Direct Anonymous Attestation (DAA)—a cryptographic primitive that enables remote authentication of a trusted computer while ensuring user privacy
• Digital seal set at the factory and activated on the first boot. The device sealing event is stored in the CSME module, which resides in the Intel chips and contains the event log
  TPM module—a dedicated microcontroller that secures hardware through integrated cryptographic keys. TPMs contain both public and private keys. The public keys, which are stored in the production base, authorize TPMs on the server
• AWS Secrets Manager—stores keys supporting secure access to the production specifications
• The server makes a digital signature of a health report with the Elliptic Curve Digital Signature Algorithm (ECDSA), a cryptographic encryption algorithm used to secure communication

User Interface

A desktop user interface supports the device attestation process on the user side. A simple pop-up window notifies users about the successful attestation, warns in the event of a lost network connection, and alerts any intrusion events.