Re: [Anima] IDevID and TPM devices and draft-richardson-anima-masa-considerations-02

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 08 March 2020 21:31 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01843A053F for <anima@ietfa.amsl.com>; Sun, 8 Mar 2020 14:31:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEUqOtKCzn8t for <anima@ietfa.amsl.com>; Sun, 8 Mar 2020 14:31:17 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A914C3A053E for <anima@ietf.org>; Sun, 8 Mar 2020 14:31:17 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id ADFE13818F; Sun, 8 Mar 2020 17:30:04 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2CEE6D98; Sun, 8 Mar 2020 17:31:15 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Laurence Lundblade <lgl@island-resort.com>
cc: anima@ietf.org
In-Reply-To: <18696.1583274800@localhost>
References: <10130.1583246743@localhost> <18696.1583274800@localhost>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Sun, 08 Mar 2020 17:31:15 -0400
Message-ID: <5412.1583703075@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/p5z2KMReZW6U_hDCJImNY_Kdhg0>
Subject: Re: [Anima] IDevID and TPM devices and draft-richardson-anima-masa-considerations-02
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2020 21:31:20 -0000

Laurence, do you think this text matches your slide 32?
I would like to link to manufacturers that do this.

https://github.com/mcr/masa-operational-considerations/commit/a56e4255864cfb86aa14790505633e310fbfe18d

### Key setup based on 256-bit secret seed

A hybrid of the previous two methods leverages a symmetric key that is often provided by a silicon vendor to OEM manufacturers.
Each CPU (or a Trusted Execution Environment {{I-D.ietf-teep-architecture}}, or a TPM) is provisioned at fabrication time with a unique, secret seed, usually at least 256-bits in size.

This value is revealed to the OEM board manufacturer only via a secure channel.
Upon first boot, the system (probably within a TEE, or within a TPM) will generate a key pair using the seed to initialize a Pseudo-Random-Number-Generator (PRNG).
The OEM, in a separate system, will initialize the same PRNG, generating the same key pair.
The OEM then derives the public key part, signs it and turns it into a certificate.
The private part is then destroyed, ideally never stored or seen by anyone.
The certificate (being public information) is placed into a database, in some cases it is loaded by the device as its IDevID, in other cases, it is retrieved during the onboarding process based upon a unique serial number asserted by the device.

This method appears to have all of the downsides of the previous two methods: the device must correctly derive its own private key, and the OEM has access to the private key, making it also vulnerable.
The secret seed must be created in a secure way and it must also be communicated.

There are some advantages to the OEM however: the major one is that the problem of securely communicating with the device is outsourced to the silicon vendor.
The private keys and certificates may be calculated by the OEM asynchronously to the manufacturing process, either done in batches in advance of actual manufacturing, or on demand when an IDevID is demanded.
Doing the processing in this way permits the key derivation system to be completely disconnected from any network, and requires placing very little trust in the system assembly factory.
Operational security such as is often incorrectly presented fictionalized stories of a "mainframe" system to which only physical access is permitted begin to become realistic.
That trust has been replaced with a heightened trust placed in the silicon (integrated circuit) fabrication facility.

The downsides of this method to the OEM are: they must be supplied by a trusted silicon fabrication system, which must communicate the set of secrets seeds to the OEM in batches, and they OEM must store and care for these keys very carefully.
There are some operational advantages to keeping the secret seeds around in some form, as they same secret seed could be used for other things.
There are some significant downsides to keeping that secret seed around.





--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-