Nonce value in DeviceInformation query

I am getting the response back for DevicePropertiesAttestation and can match the other OIDs. For the nonce value, I am using Base64.encode to match it with what I sent, but I am getting a different value. What is the right way to extract this nonce value from the response?

Answered by developer123321 in 769152022

Thank you! I was able to verify the nonce. However, I successfully sent a new nonce yesterday morning and verified that the nonce in the response matched my request. I tried it again the next day by sending a new nonce and, surprisingly, instead of the cached nonce I received a new nonce in the response. This is not expected, but is there some glitch/bug? I did not unenroll/re-enroll the device. (I am aware of the limit of once every 7 days; I was testing something, so I generated a new nonce.)

The nonce OID's value is a data type, not a string type. In ASN.1 encoding terminology it's an "OCTET STRING", so make sure you're interpreting it that way when reading out the value. This means there's no need to Base64-encode your nonce.

The nonce is limited to 32 bytes, and the device will reject nonce values longer than that.

Keep in mind that the value you choose must not be predictable; otherwise an attacker can defeat the purpose of the nonce. For highest security you should use a cryptographically strong random number generator that fills the full 32 bytes. Using Base64 means the nonce value has lower entropy.

Also make sure your testing is not affected by rate limiting. The device caches its most recent DevicePropertiesAttestation certificate. If it's been less than a week since it was generated, the device ignores the nonce and returns the cached cert, and that cert will have an old nonce. By the way, if this rate limit gets in the way of your development and testing, you can reset that one week rate limit by unenrolling and re-enrolling the device. I suggest reviewing this part of the Discover Managed Device Attestation WWDC session about nonces and rate limiting of DeviceInformation attestation.
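The following is an added example, not code from the thread or from Apple, showing the two points of the answer above in working form: the nonce is generated as 32 bytes of CSPRNG output and compared as raw bytes, and the value read from the certificate is treated as a DER OCTET STRING rather than a Base64 string. It also shows how to tell a genuinely mismatched nonce apart from the rate-limit case, where the device returns the cached certificate carrying the previously sent nonce. Assumptions: the reader's X.509 library has already located the nonce extension by its OID and handed over its raw DER value; here that value is constructed inline with the small `der_encode_octet_string` helper, and the function and variable names are the example's own.

```python
import hmac
import secrets
from typing import Optional

# The device rejects nonces longer than 32 bytes (stated in the answer above).
NONCE_MAX_LEN = 32


def make_nonce(length: int = NONCE_MAX_LEN) -> bytes:
    """Return an unpredictable nonce from the OS CSPRNG, filling all 32 bytes by default."""
    if not 1 <= length <= NONCE_MAX_LEN:
        raise ValueError("nonce must be 1..32 bytes")
    return secrets.token_bytes(length)


def der_encode_octet_string(value: bytes) -> bytes:
    """Wrap value in a DER OCTET STRING (tag 0x04). Used here only to construct test input."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return b"\x04" + length + value


def der_decode_octet_string(der: bytes) -> bytes:
    """Parse one DER OCTET STRING and return its content bytes.

    Rejects a wrong tag, truncated or non-minimal lengths, and trailing data,
    so a malformed extension value fails loudly instead of yielding a wrong nonce.
    """
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    first = der[1]
    if first < 0x80:
        n, body = first, der[2:]
    else:
        num = first & 0x7F
        if num == 0 or num > 4 or len(der) < 2 + num:
            raise ValueError("bad DER length")
        n = int.from_bytes(der[2:2 + num], "big")
        if n < 0x80 or (num > 1 and der[2] == 0):
            raise ValueError("non-minimal DER length")
        body = der[2 + num:]
    if len(body) != n:
        raise ValueError("OCTET STRING length does not match content")
    return body


def classify_nonce(extension_value: bytes, sent: bytes,
                   previous: Optional[bytes] = None) -> str:
    """Compare the nonce in the certificate against what we sent, as raw bytes.

    Returns "fresh" when it matches the current request, "cached" when it matches
    the previous request (the one-week rate limit returned the old certificate),
    and "mismatch" otherwise. compare_digest avoids timing-dependent comparison.
    """
    got = der_decode_octet_string(extension_value)
    if hmac.compare_digest(got, sent):
        return "fresh"
    if previous is not None and hmac.compare_digest(got, previous):
        return "cached"
    return "mismatch"


if __name__ == "__main__":
    # Constructed scenario: first request succeeds, second request within a week
    # gets the cached certificate that still carries the first nonce.
    first_nonce = make_nonce()
    cert_ext_value = der_encode_octet_string(first_nonce)  # stand-in for the extension's DER value
    print("first request :", classify_nonce(cert_ext_value, first_nonce))
    second_nonce = make_nonce()
    print("second request:", classify_nonce(cert_ext_value, second_nonce, previous=first_nonce))
```

Note that `der_decode_octet_string` handles only the extension's value itself; locating that value by OID inside the certificate is left to whatever X.509 parser is already in use. If the second classification reports "cached" during testing, the one-week rate limit described above is the explanation, not a verification bug.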
