Enhanced Attestation (v3) | Knox Attestation (2024)

Samsung Knox Enhanced Attestation is a feature that verifies a Samsung device’s data integrity by checking that the device isn’t rooted or running unofficial firmware.

Knox 3.4 introduced the latest version of Attestation (v3), which runs on flagship devices from the Note 10 onwards. Enhanced Attestation uses the EnhancedAttestationPolicy class and v3 REST API. For information about the previous version of Attestation, see Attestation (v2).

About Enhanced Attestation

Samsung Attestation Key

Enhanced Attestation uses the Samsung Attestation Key (SAK) to prove:

  • The key is protected by secure hardware.
  • The device is manufactured by Samsung.
  • The device ID isn’t compromised.

When verifying devices as Samsung devices, it’s important to note that a certificate chain alone isn’t enough to prove that a device is a Samsung device, since malicious attackers can send a certificate chain generated by other devices.

The SAK is injected during the manufacturing process of a Samsung device to ensure it’s protected by secure hardware. When verifying devices as Samsung devices, the attestation certificate chain is validated. The chain contains a hash value that includes the device IMEI and serial number. This hash value is embedded as the unique identifier (UID) in the subject field, which is then used to prove the device ID hasn’t been changed after the SAK certificate was generated.

Enhanced Attestation process

With Knox Enhanced Attestation, device integrity can be validated on-demand by a remote Samsung Attestation server.


When an attestation request is made:

  1. The device-side Knox Enhanced Attestation agent uses the Keystore attest API to receive an attestation certificate chain paired with an application private key.

  2. The attestation certificate chain is used by apps for validation, which consists of:

    • The attested key certificate — A certificate of the application key stored and managed in the Keystore.
    • The attestation certificate — The certificate of SAK. The attestation key is used to sign the attested key certificate.
    • The root certificate — The certificate of the root key issuing the SAK certificate, which is the last component of the attestation certificate chain.

    When validating the chain, the root certificate must be obtained through another route, since the root certificate is public data. It’s recommended to use that root certificate as the trust root, or to compare it with the root certificate of the attestation certificate chain.

  3. The Knox Warranty Bit value is checked to determine if a device has been rooted.

  4. The Knox Enhanced Attestation agent combines proprietary data to produce an attestation verdict, which indicates if tampering is suspected.

The attestation verdict is sent to the requesting web server over the TLS connection between the Samsung Attestation Server and the partner’s web server. This protects the attestation verdict from being modified during transfer.

If device tampering is suspected, security measures may include: uninstalling apps from the device, erasing sensitive data, checking the device location, or simply logging the event for later action.

Signature

For a remote MDM server to verify the integrity and authenticity of an attestation result, the result must be signed by the attestation app inside the device’s TrustZone.

On each device that supports TrustZone-based Integrity Measurement Architecture (TIMA) Attestation, a unique RSA private/public key pair is generated when the device is manufactured. This key pair is the SAK. Note that the public key of the SAK is also signed by a special Samsung Root Key to generate an X.509 certificate. The SAK and its certificate are secured in the device’s TrustZone.

When the device is booted up for the first time, another RSA private/public key pair is generated specifically for the purpose of attestation. This is the Attestation Key. To generate an X.509 certificate, the Attestation Key’s public key is signed by the SAK. The Attestation Key and its certificate are secured in the device’s TrustZone.

The chain of trust is formed by the Attestation Key, the SAK, and the Samsung Root Key, which is used to sign the SAK certificate.

After the attestation result is generated, it is signed by the Attestation Key and the signature is appended to the result. So that the signature can be verified, the Attestation Key certificate and SAK certificate are also appended to the result.

Certificate and Verification

For the server to verify the attestation result, it must have the Samsung Root Key and certificate installed and trusted. Once installed, it’s used to verify the SAK certificate, the Attestation certificate, and the signature. This ensures the integrity of the attestation result.

To protect from a replay attack, which replays the attestation result collected on a different device or the same device before it was compromised, TIMA Attestation requires the caller to send a nonce in the request.

The nonce is returned as part of the Attestation result, and the returned nonce is validated by the caller before accepting the result. The following illustrates how an MDM server can request TIMA attestation.

[Figure: how an MDM server requests TIMA attestation]

Secure communication

To ensure secure communication with the Attestation server, use an HTTPS connection and an SSL certificate to encrypt data sent over the connection. Make sure to purchase an SSL certificate from a trusted provider. Self-signed certificates are not trusted by the Attestation server. Also, make sure your certificate contains the complete certificate chain. For help, please consult with your web provider.

How Attestation works

To perform attestation for a device, you must create both:

  • An Android app to initiate the attestation check on a device
  • A web script to communicate with Samsung’s Attestation server


Here is the end-to-end process:

  1. Get a nonce: a random value that uniquely identifies each attestation request. Each nonce is valid for a short time period, after which the Attestation Server fails any request made using that nonce. This is to avoid a replay attack that could allow an attacker to reuse a past attestation result.
  2. Start attestation: to begin the attestation, your app can use the startAttestation API in the Knox SDK. The Knox Attestation Agent passes the attestation result over a callback. Your app needs to handle the attestation result (uniqueId).
  3. Get the attestation verdict: a verdict result is received from the Attestation Server using a unique ID. The verdict result indicates whether a device has passed or failed its integrity checks. Note that the requested nonce and unique ID should be the same.
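
The nonce handling from the steps above and from the replay-protection requirement under Certificate and Verification, as an added example that is not Samsung's code: a caller-side ledger that makes each nonce single-use, time-limited and bound to one device. It assumes the caller generates the nonce itself (if the nonce comes from the Attestation Server, record that value instead); NonceLedger, the 120-second window and the verdict's "nonce" field name are hypothetical.

```python
import hmac
import secrets

NONCE_TTL_SECONDS = 120  # assumed window; the page only says "a short time period"

class NonceLedger:
    """Caller-side record of outstanding attestation nonces (hypothetical helper)."""

    def __init__(self, clock, ttl=NONCE_TTL_SECONDS):
        self._clock = clock      # callable returning seconds, e.g. time.monotonic
        self._ttl = ttl
        self._pending = {}       # nonce -> (device_ref, issued_at)

    def issue(self, device_ref):
        """Create a fresh, unpredictable nonce bound to one device."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (device_ref, self._clock())
        return nonce

    def check(self, device_ref, requested_nonce, verdict):
        """Return (accepted, reason) for a verdict received for requested_nonce."""
        # pop() makes the nonce single-use: a second verdict presented for
        # the same request is rejected even if it is otherwise well-formed.
        entry = self._pending.pop(requested_nonce, None)
        if entry is None:
            return False, "unknown or already-used nonce"
        owner, issued_at = entry
        if owner != device_ref:
            return False, "nonce was issued for a different device"
        if self._clock() - issued_at > self._ttl:
            return False, "nonce expired"
        returned = str(verdict.get("nonce", ""))  # "nonce" is an assumed field name
        if not hmac.compare_digest(returned.encode(), requested_nonce.encode()):
            return False, "returned nonce does not match the request"
        return True, "nonce ok"

def demo():
    """Constructed scenario: a fresh verdict, a replayed verdict, a stale verdict."""
    now = [1000.0]
    ledger = NonceLedger(clock=lambda: now[0])
    n1 = ledger.issue("device-A")
    verdict = {"nonce": n1, "result": "constructed"}
    fresh = ledger.check("device-A", n1, verdict)
    n2 = ledger.issue("device-A")
    replayed = ledger.check("device-A", n2, verdict)  # old verdict, new request
    n3 = ledger.issue("device-A")
    now[0] += NONCE_TTL_SECONDS + 1
    stale = ledger.check("device-A", n3, {"nonce": n3})
    return fresh, replayed, stale
```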
Article information

Author: Carmelo Roob
