Key attestation is a necessary part of creating valid X.509 digital certificates. Asymmetric cryptography requires that the client be able to prove its identity by attesting to the secure creation of a private key.
For enterprises that want to securely onboard users’ Apple devices or need to deploy managed Apple devices, digital certificates provide a solution that is both simpler and more secure than a credential-based alternative. Key attestation is a fundamental part of configuring certificate authentication, so here’s a primer on key attestation for macOS.
What is Private Key Attestation?
Attestation is, ultimately, a mechanism for proving the identity of something (in this case, a device). While possible, it’s particularly difficult to prove identity to a remote third party since any communication that takes place between the two entities could be compromised.
A common solution manufacturers use is to equip devices with a Trusted Platform Module (TPM) or Hardware Security Module (HSM), a secure cryptoprocessor similar to the smart card chip on a credit card or security key. These are highly secure, tamper-proof systems that can perform limited cryptographic functions.
Key attestation is one of those functions – it’s a cryptographic proof that proves a given key was generated on-device (and never moved or copied). A certificate authority will encode that key (along with other information) onto a digital certificate, ready for use. Certificates, by providing high identity assurance, are what bridge the trust gap between a device and the network at large.
Does macOS Support Key Attestation?
Yes, you can perform key attestation on some Apple devices – but not all of them. The capacity for attestation is dependent on the presence of the Secure Enclave, Apple’s proprietary hardware cryptographic key manager (similar to a TPM or HSM).
The Secure Enclave is included on devices with the Apple A7 or later A-series processor. Only iOS devices with one of these processors or a MacBook Pro with the Touch Bar and Touch ID support this feature.
Note that there are a few restrictions on the Secure Enclave, but they only serve to enhance the security of the module:
- You cannot import or export private keys into or out of the Secure Enclave. There’s no way around this, it’s a fundamental part of making the system secure.
- There are no custom encryption options. Secure Enclave only stores 256-bit elliptic curve private keys which, fortunately, are considered the pinnacle of certificate encryption. By extension, it supports elliptic curve Diffie-Hellman key exchange (and therefore, symmetric encryption in addition to asymmetric).
So… What does this mean? If you’re using certificate-authentication on your network, you can safely give managed macOS devices high levels of security clearance. Key attestation provides a high degree of identity assurance, confirming that the device attempting to authenticate is legitimate.
BYOD and MDM Certificate Enrollment for macOS
Obviously, manually performing key attestation on every macOS device in an organization is not a realistic option. Not only would it be exceedingly mind-numbing, but manual configuration of devices inevitably leads to misconfiguration, which is one of the most common vectors for a breach.
In regards to BYOD devices, self-configuration is clearly off the table. I shudder to imagine the average Mac or iPhone user trying to configure their device for certificate enrollment. Can you imagine the carnage?
That’s why an Apple device onboarding solution is critical for any organization that wants to include BYOD or MDM Apple devices on their certificate-based WPA2-Enterprise network. SecureW2 is proud to present the industry’s best enterprise solution for key attestation and certificate enrollment on macOS. It allows you to push an automatic configuration package to BYOD and MDM devices that initiates the certificate enrollment process. BYOD end users are guided through a foolproof onboarding flow while MDM can be remotely configured in minutes.
The result? Certificate-based EAP-TLS authentication for Wi-Fi, VPN, desktop login, and a multitude of other applications – dependent on your identity provider. Your Apple devices will be seamlessly and securely tied into the rest of the network. Network administrators can easily monitor authentication activity at a device or certificate level.
Perhaps most importantly – our Apple onboarding solution can integrate with your existing network infrastructure to save time and money. Whether you simply need help securely getting Macs onto the network or you want an entire managed cloud PKI service, our products are vendor neutral and don’t require any forklift upgrades to implement.
We have affordable solutions for organizations of every size! Click here to see our pricing.
