Verifying attestations | Cloud KMS Documentation

This topic shows you how to verify attestations forCloud HSM keys, which are always stored in a hardwaresecurity module (HSM).

Overview

In cryptography, an attestation is a machine-readable, programmaticallyprovable statement that a piece of software makes about itself. Attestations arean important component of trusted computing, and may be required for compliancereasons.

To view and verify the attestations, you request a cryptographically-signedattestation statement from the HSM, along with the certificate chains usedto sign it. The attestation statement is produced by the HSM hardware, andsigned by certificates owned by Google and by the HSM manufacturer.

After downloading the attestation statement and the certificate chains, you cancheck its attributes orverify the validity of the attestation using thecertificate chains.

The attestation script is an open sourcePython script developed by Google. You can view the source code for the scriptto learn more about the attestation format and how verification works, oras a model for a customized solution.

The examples in this topic are designed for Linux environments, including theCloud Shell. To follow along on macOS or Windows clients, you mayneed to make modifications.

Before you begin

If necessary, create a Cloud HSM key on a key ring in aregion supported by Cloud HSM.
Download and install thescripts for parsing the attestation's values.from the HSM manufacturer. Download each of these scripts:
- verify_pubkey.py
- parse_v1.py
- parse_v2.py
Look over the documentation for using the scripts, provided at the samelocation.
Download and install the script for verifying attestations and its prerequisites, and look over the documentation for the script.

Verifying the attestation

The attestation verification process can either be performed automaticallythrough the Google Cloud console, or manually by downloading the attestation bundleand attestation verification script andrunning it locally or in the Cloud Shell.

Verifying attestations through the Google Cloud console

You can verify the attestation through the Google Cloud console, which willopen a Cloud Shell and pre-populate it with the code snippets needed toperform the entire attestation verification process.

Go to the Key Management page in the Google Cloud console.
Go to the Key Management page
See Also
Qu’est-ce que « com.wssyncmldm » dans Android ? - Pouvez-vous le supprimer ?Enhanced Attestation (v3) | Knox Attestation What is wssyncmldm? All about Samsung update package - AndroidSRC What is com.wssyncmldm? (Exploring Its Significance & Functionality)
Select the key ring that contains the key you want to attest, then selectthe key.
Click More more_vertfor the key version you want to attest, and select Verify attestation.
In the Verify attestation dialog, click Open Cloud Shell. Thiswill open the Cloud Shell and pre-populate it with the code snippetneeded to go through the entire verification process.
Inspect the pre-populated code snippet in the Cloud Shell. Thesnippet downloads the attestation verification script and its dependencies, runs the gcloud commands to download the attestationand certificate chains, and then runs the script to verify the attestation.
Run the code snippet to verify the attestation.

Verifying the attestation manually

The attestation, certificate chains, and attestation verification script need tobe downloaded before manually verifying the attestation.

Download the attestation and certificate chains.
Console
1. Go to the Key Management page in the Google Cloud console.
  Go to the Key Management page
2. Select the key ring that contains the key you want to attest, then selectthe key.
3. Click More more_vertfor the key version you want to attest, and select Verify attestation.
4. In the Verify attestation dialog, click Download Attestation Bundle.This will download a zip file containing the attestation andcertificate chains.
  See Also
  What is com.wssyncmldm App and How To Disable It? | New Scitech
5. Extract the attestation and certificate chains from the attestationbundle.
gcloud
1. Click Activate Cloud Shell at the top ofthe console window.
  A Cloud Shell session opens inside a new frame at the bottom ofthe console and displays a command-line prompt. It can take a fewseconds for the shell session to be initialized.
2. At the Cloud Shell command-line prompt, use the gcloud kmskeys versions describe command to retrieve the attestation for thekey that you want to attest. The --attestation-file flag specifiesthe path and filename destination for the retrieved attestation.
```
gcloud kms keys versions describe key-version \ --key key-name \ --location location \ --keyring keyring-name \ --attestation-file [attestation-file] \
```
3. At the Cloud Shell command-line prompt, use the gcloud kmskeys versions get-certificate-chain command to retrieve thecertificate chains for the key that you want to attest. The--output-file flag specifies the path and filename destination forthe retrieved certificates.
```
gcloud kms keys versions get-certificate-chain key-version \ --key key-name \ --location location \ --keyring keyring-name \ --output-file [certificates-file] \
```
Download the script for verifying attestations and its prerequisites, and go through the documentation for the script to verify the attestation in the attestation file using the certificates inthe certificates file.

Parsing the attestation's values

The HSM manufacturer's documentation includes full instructions for using their scripts to parse an attestation'svalues and verify the public key for an asymmetric key pair. The attestationwill need to be decompressed with the following command before it can beparsed.

Uncompress the compressed attestation.

gzip -d < compressed_attestation.dat > attestation.dat

These links go directly to specific instructions from the HSM manufacturer:

The instructions for parsing the attestation's value include a reference ofgeneral fields in the attestation, not specific to HSM keys in Cloud HSM.

The following sections illustrate how to verify information about your keys thatis specific to Cloud HSM.

Verify the key's version ID

You can verify whether the SHA-256 hash of the key version resource ID ispresent in the attestation. The key's resource name is part of the 0x0102field or key ID field in the attestation file. The key ID is composed of twoconcatenated SHA-256 hash digests in hex format. The second one should matchthe key's resource name.

Get the key version resource ID for the key version. You can use theGoogle Cloud console to get the key version resource ID oryou can run the following command:
```
gcloud kms keys versions list \ --location location \ --keyring key-ring-name \ --key key-name
```

At the command line, assign resource_name to the key version resource IDthat you just retrieved.

RESOURCE_NAME="projects/project-id/locations/location/keyRings/key-ring-name/cryptoKeys/key-name/cryptoKeyVersions/key-version"

Since the parse script dumps all attestation fields in hex format, the keyID would have been formatted into hex format twice. (Once while creating thekeyID, the other while parsing the attestation). To verify that the resourcename matches with the key ID, convert the resource name to a SHA-256 hex digest,revert one hex conversion of the key ID in the attestation file, and comparethe two.
```
RESOURCE_NAME_HEX="$(echo -n ${RESOURCE_NAME} | openssl dgst -sha256 -hex | awk '{print $2}')"
```
The parse script dumps all attestation fields in hex format, and the key IDis internally hex-encoded a second time. Set the KEYID_HEX environmentvariable to the value of the key ID with one layer of hex-encoding decoded:
```
KEYID_HEX=$(grep -m 1 0x0102 /path/to/parsed/attestation.dat | awk '{print $2}' | xxd -p -r)
```
Compare the values of RESOURCE_NAME_HEX and KEYID_HEX as strings:
```
test ${RESOURCE_NAME_HEX} == ${KEYID_HEX:(-64)} || echo "Values don't match"
```
If the values match, no output is returned and the command exits with code0.

Verify other properties of the key

You can view various key properties, which correspond tofields in the PKCS #11 standard. Use the followingexamples as guides to verify other properties of the key.

Whether a key is extractable is stored in the 0x0102 field of the parsedoutput. To determine whether a key is extractable, examine the 0x0162 field.A value of \x01 is true and a value of \x00 is false.
Cloud HSM keys are not extractable.
```
grep '0x0162:' /path/to/parsed/attestation.dat
```
How the key got into the HSM (whether it was created directly orimported) is stored in the 0x0163 field. Ifthe key was created locally on the HSM, the field is set to \x01. Animported key's field is set to \x00.
You can infer a few pieces of information from how the key came to be on theHSM. If the key was created in Cloud HSM, that means the key hasnever been stored unencrypted outside of an HSM. If the key was imported, thenthe import mechanism guarantees that the key is protected at transit during theimport process, and within Cloud HSM afterward.
```
grep '0x0163:' /path/to/parsed/attestation.dat
```
A key's type is stored in the 0x0100 field. Key types are documented inthe PCKS#11 standard with prefix CKK_*. For example, an AES key has a type of\x1f.
```
grep '0x0100:' /path/to/parsed/attestation.dat
```

Additional information

You verify an attestation to determine whether a key version was createdinside an HSM.

FAQs

Verifying attestations | Cloud KMS Documentation | Google Cloud? ›

Go to the Key Management page in the Google Cloud console. Select the key ring that contains the key you want to attest, then select the key. Click More more_vert for the key version you want to attest, and select Verify attestation.

What is the difference between cloud kms and secret manager? ›

Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime. A key management system, such as Cloud KMS, lets you manage cryptographic keys and to use them to encrypt or decrypt data.

Get More Info ›

What is Google Cloud KMS used for? ›

Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.

Can Google access my data in Google Cloud? ›

Strong authentication and role-based, non-unilateral access restrictions: By default Google personnel do not have access to Google Cloud customer data. Google personnel must be a member of relevant access control lists to gain access to sensitive data.

Tell Me More ›

Why is Google Cloud so expensive? ›

Data transfer costs can be a significant factor in your overall expenses. While Google Cloud Platform offers generous allowances for inbound data transfer (data going into GCP's network), outbound data transfer (data leaving GCP's network) can incur additional charges, and these costs can sometimes be overlooked.

Know More ›

What is key ring in GCP? ›

A key ring organizes keys in a specific Google Cloud location and lets you manage access control on groups of keys. A key ring's name does not need to be unique across a Google Cloud project, but must be unique within a given location.

View Details ›

How do I clear GCP logs? ›

def delete_logger(logger_name): """Deletes a logger and all its entries. Note that a deletion can take several minutes to take effect. To learn how to install and use the client library for Logging, see Logging client libraries.

What is the Azure equivalent of secrets manager? ›

Azure Key Vault is one of several key management solutions in Azure, and helps solve the following problems: Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Get More Info Here ›

What is the equivalent of AWS secret manager? ›

AWS Secrets Manager is not the only option for Privileged Access Management (PAM) Software. Explore other competing options and alternatives. Other important factors to consider when researching alternatives to AWS Secrets Manager include security. The best overall AWS Secrets Manager alternative is HashiCorp Vault.

Know More ›

When to use CloudHSM vs KMS? ›

CloudHSM is generally used for scenarios requiring stringent regulatory adherence and complete control over the Hardware Security Module (HSM). On the other hand, KMS offers a cost-efficient and user-friendly solution suitable for general key management tasks.

See Details ›

What is the AWS secret manager? ›

What is AWS Secrets Manager? AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Verifying attestations | Cloud KMS Documentation | Google Cloud (2024)