Menu

Attestation feature

You can use Samsung Knox Attestation to verify the integrity of a device. You can check if a device has been rooted, has its firmware corrupted, or is running unauthorized firmware. You might do this, for example, to avoid handling private or confidential data on a device that might be compromised and be vulnerable to malware.

Perform attestation for a device

To perform a reliable attestation check, you must create both, a Tizen app to initiate the attestation check on a device as well as a web script to communicate with Samsung's Attestation server.

Following is an overview of the attestation process:

  1. Your web server requests a nonce from Samsung's Attestation Server.
  2. Your web server passes the nonce to your Tizen app, which starts an attestation check on a device. This is to see if the device is running authorized firmware.
  3. Your Tizen app sends back a blob (Binary Large OBject) containing the attestation results.
  4. Your web server requests an attestation verdict from Samsung's Attestation Server, based on the generated blob. The verdict indicates if the device passed or failed the attestation check.

Set up web server

Your web server communicates with Samsung’s Attestation Server, which provides you with nonces and translates blob data into attestation verdicts.Communication is through REST API calls over a secure HTTPS connection. You use JSON to build requests for and parse responses from the Attestation Server.

To set up your web server to communicate with the Attestation Server, see:

  1. To set up an Apache server supporting PHP
  2. To communicate securely over HTTPS

Set up an Apache server supporting PHP

In the following examples, we use an Apache server with the Linux operating system, and the PHP scripting language. You can set up such a web server from scratch quite simply. If you do not have a web server, you can enroll in a free or trial cloud service to get quick access to one.

If you are new to web server setup, here are some basic Linux commands to set up the server:

  1. install Ubuntu 14.0
  2. sudo apt-get update
  3. sudo apt-get install apache2
  4. sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt php5-curl
  5. sudo /etc/init.d/apache2 restart

Alternatively, you can use a pre-built environment, such as that provided by Apache Friends.

Once you have a web server with PHP support, copy your scripts into the folder /var/www/html. In the sample Attestation app, there are two PHP scripts, called nonces.php and measurements.php, which you can copy into this folder.

Communicate securely over HTTPS

For secure communication with the attestation server, you use an HTTPS connection. Use an SSL certificate to encrypt data sent over the connection. Make sure to purchase an SSL certificate from a trusted provider. Self-signed certificates are not trusted by the Attestation server. Also, make sure your certificate contains the complete certificate chain. For help, please consult with your web provider.

Use Attestation APIs

The following are the Attestation APIs you can use to perform attestation for a device:

Get attestation blob

You can use the API method knox_attestation_get_attestation_blob (const unsigned char *nonce, int size, unsigned char **blob_data, int *blob_data_size) to get the blob data to check if device is available for authentication.

A nonce is a random number that uniquely identifies each attestation request. The server creates and returns a nonce, which you use to identify an attestation request.

NOTE — Each nonce is valid for a short time period, after which the Attestation Server fails any request made using that nonce. This is to avoid a replay attack that could allow an attacker to reuse a past attestation result.

A blob_data is used to hold device integrity measurements, device ID, signature, and public key certificate. The server checks the validity of the blob using the signature and public key certificate. It then parses the integrity measurements and returns a verdict indicating whether or not the device has official firmware.

Get device ID for attestation

You can use the API method knox_attestation_get_attestation_device_id (unsigned char **device_id, int *size) to get the device ID for attestation.