Adding Digital Signatures

Cryptographically sign samples.

Overview

Devices can digitally sign the samples they create, letting other apps validate the samples and verify that they have not been altered. To facilitate this process, HealthKit provides the digital signature metadata key, HKMetadataKeyDigitalSignature. Use this key to store a digitally signed copy of the sample record. The signature is generated by the device (which should be tamper-resistant, because it stores the private signature key). This allows a data consumer to check the signature against a known public key for that device to verify that the record data has not been altered.

Because each record is signed individually, storage overhead is on the order of 1 KB per record. Thus, this metadata signature item is intended for records where the sample rate is no more than a few times per day. Higher sample rates will require signatures applied to coalesced groups of samples, which is beyond the scope of this document.

Typically, a tamper-resistant measurement device provisions a private key at the time of manufacture. (Policies and mechanisms for private-key reprovisioning or certificate updating are outside the scope of this document.) The device manufacturer publishes the corresponding public key (for example, on a web page). The device communicates the sample record and signature of each sample to an iOS app, which stores them in the HealthKit database. Note that the private-public key pair is used for digital signing to provide data integrity, not for encryption. The actual values in the data record are cleartext.

The format used for the digital signature is the Cryptographic Message Syntax (CMS) specified in IETF RFC 5652. The signature is encoded using ASN.1 with Distinguished Encoding Rules (DER). The message digest used should be SHA256, and the signature cipher should be FIPS PUB 186-4 Digital Signature Standard Elliptic Curve P-256. This will ensure both strength and efficiency. In addition, the entire signature should be base64 encoded so that it can be stored in the HealthKit NSString metadata object.

The signature should be of the ASN.1 Signed-data Content Type:

SignedData ::= SEQUENCE {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  signerInfos SignerInfo }

where SignerInfo type is:

SignerInfo ::= SEQUENCE {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue }

The digest and signature algorithms are as noted above. Optional items have been left out. The SignerIdentifier is used to retrieve the proper public key for signature verification.

The EncapsulatedContentInfo should be a copy of the relevant items from the sample record generated by the device. This copy should be encoded using ASN.1 DER, and should contain at least a sample timestamp and sample value. The record data is copied inside the signature in order to have a stable, well-defined binary encoding (ASN.1 DER) of the data, which is necessary to produce a verifiable signature. A plist structure (key-value pairs) that is ASN.1-encoded should be sufficient for most record types.
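Because the record is copied inside the signature, a valid signature vouches only for that embedded copy, so a consumer also has to confirm that the copy is canonical DER and matches the fields stored on the sample. The following is an added example, not Apple's code: the record layout (SEQUENCE of a GeneralizedTime and an INTEGER), every function name, and the sample values are assumptions, and verification of the CMS signature over these bytes with the device's public key is assumed to have been done already by a CMS library.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element; DER requires the shortest definite length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_record(timestamp: str, value: int) -> bytes:
    """Assumed layout (not from the page): SEQUENCE { GeneralizedTime, INTEGER }."""
    # Shortest two's-complement form, as DER requires for INTEGER.
    width = (value + (value < 0)).bit_length() // 8 + 1
    int_body = value.to_bytes(width, "big", signed=True)
    return tlv(0x30, tlv(0x18, timestamp.encode("ascii")) + tlv(0x02, int_body))

def read_tlv(buf: bytes, off: int):
    """Read one element at off; return (tag, body, next_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        if n < 0x80 or buf[off] == 0:  # also rejects the indefinite form (k == 0)
            raise ValueError("length is not minimal DER")
        off += k
    if off + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[off:off + n], off + n

def decode_record(der: bytes):
    """Parse the signed copy; accept it only if it is the canonical encoding."""
    _, seq, _ = read_tlv(der, 0)
    _, ts, off = read_tlv(seq, 0)
    _, val, _ = read_tlv(seq, off)
    record = ts.decode("ascii"), int.from_bytes(val, "big", signed=True)
    if encode_record(*record) != der:  # wrong tags, padding or trailing bytes all fail here
        raise ValueError("not the canonical DER encoding of this record")
    return record

def signed_copy_matches(der: bytes, sample_timestamp: str, sample_value: int) -> bool:
    """Compare the signature-verified copy with the fields stored on the sample."""
    try:
        return decode_record(der) == (sample_timestamp, sample_value)
    except ValueError:
        return False

# Constructed sample: a reading of 104 taken at 2024-01-15 08:30:00 UTC.
RECORD = encode_record("20240115083000Z", 104)
```

A copy that decodes to the right values but uses a padded length or integer is rejected as well, since accepting alternative encodings would mean the bytes that were signed are no longer uniquely determined by the record.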