Paper 2017/577

Boot Attestation: Secure Remote Reporting with Off-The-Shelf IoT Sensors

Steffen Schulz, André Schaller, Florian Kohnhäuser, and Stefan Katzenbeisser


A major challenge in computer security is about establishing the trustworthiness of remote platforms. Remote attestation is the most common approach to this challenge. It allows a remote platform to measure and report its system state in a secure way to a third party. Unfortunately, existing attestation solutions either provide low security, as they rely on unrealistic assumptions, or are not applicable to commodity low-cost and resource-constrained devices, as they require custom secure hardware extensions that are difficult to adopt across IoT vendors. In this work, we propose a novel remote attestation scheme, named Boot Attestation, that is particularly optimized for low-cost and resource-constrained embedded devices. In Boot Attestation, software integrity measurements are immediately committed to during boot, thus relaxing the traditional requirement for secure storage and reporting. Our scheme is very light on cryptographic requirements and storage, allowing efficient implementations, even on the most low-end IoT platforms available today. We also describe extensions for more flexible management of ownership and third party (public-key) attestation that may be desired in fully Internet-enabled devices. Our scheme is supported by many existing off-the-shelf devices. To this end, we review the hardware protection capabilities for a number of popular device types and present implementation results for two such commercially available platforms.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
remote attestationimplementationembedded devices
Contact author(s)
steffen schulz @ intel com
2017-07-03: revised
2017-06-20: received
See all versions
Short URL
Creative Commons Attribution


      author = {Steffen Schulz and André Schaller and Florian Kohnhäuser and Stefan Katzenbeisser},
      title = {Boot Attestation: Secure Remote Reporting with Off-The-Shelf IoT Sensors},
      howpublished = {Cryptology ePrint Archive, Paper 2017/577},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.