IETF Logo Mail Archive

[Anima] cBRSKI

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 30 April 2023 18:41 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736A0C14CEFF for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 11:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cD2CDmoRxaFm for <anima@ietfa.amsl.com>; Sun, 30 Apr 2023 11:41:36 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7149C14CEFA for <anima@ietf.org>; Sun, 30 Apr 2023 11:41:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 2572A3898F; Sun, 30 Apr 2023 14:59:45 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 8dMM3gUd7eKL; Sun, 30 Apr 2023 14:59:42 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id CA1E13898E; Sun, 30 Apr 2023 14:59:42 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1682881182; bh=ati6iM213ntSLYh/tTr7ktroodwAcYbjiDZ9M3NgnKk=; h=From:To:Subject:Date:From; b=SJpQm2adAY2phnJ4l99M+T1q+k96YjpQOf2ohkkFkABt1tP7M9TtrI7BuGEOlkuEY q2U8LfpmkDi6FXBhZnoGPFOPbBzK2VhhWmiBBj609N+ghlLK/MYb+Q3BXW5vzm1WN9 bpiQaSfot+PH7T2G20B/8YwzkLBjGGycQfkt65cEAB1wdIOYngJClkRImlFmp+dFZo iriTHxn+dygNX3SZJU5s20Y17wgD09moVRc42DbkQWrJj4ipIaC3rlSC9M8QGCEZGU UTx1u8xWLJgtBRBs1iHMckLLuqINno88esHik6DOnMjZwWF5/HcNDC1AQxv8xyFk9k MBFRHht1MeFhQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8B746449; Sun, 30 Apr 2023 14:41:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian Amsüss <christian@amsuess.com>, anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 30 Apr 2023 14:41:32 -0400
Message-ID: <15797.1682880092@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/paVetYZvWeAWiHhwO1MSmGwYfLg>
Subject: [Anima] cBRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Apr 2023 18:41:42 -0000

> * What's the assumption of voucher-artifacts on the the IDevID's private
> key's secrecy once BRSKI has completed?

The private key is private.  Nothing needs to be revealed.
It can be stored in a TPM/fTPM or SecureElement.
Whether the LDevID certificate(s), have the same private key or a newly
minted one is a topic that 802.1AR section 6.

> Will the now-owner be able to read it? If so, once you see a logged
> assertion you can already not trust that device again.

Non-owners would have no access to the secret.
In many devices, owners would also have no access, but it depends upon the device.

> Or the owner still can't? Then why the logging in the first place, the
> IDevID will only be used in BRSKI if the device is pristine (or has been
> factory-reset).

The logging is about witnessing that the device became owned.
Subsequent owners can review this information to determine if they device is
still useable.   While we think about malware and root kits and the like,
other users might also think about wear and tear, such as for a braking system.

> Or is this a matter of security-in-depth, where the owner has better
> chances of exploiting weaknesses, so we better make as-sure-as-we-can that
> there was never an owner who could have done so?

Yes, that's certainly a concern.  An owner might be permitted to load
whatever code they want, and depending upon many concerns, that might include
getting access to the IDevID private key, if it is stored on an fTPM or not
secured at all.
To my mind, the smallest of IoT microcontrollers likely will be without
secred storage for private keys for a few generations, but many have secure
boot mechanisms, so in theory, the entire device is secured, and will not run
arbitrary code.

> Is delegated-voucher The (only) Way to oboard a resold device (or a device
> from a domain that suffered critical infrastructure collapse) without
> taking a programmer to it?

No.  A device could go through a controlled factory reset so that it no
longer knows it's LDevID, or network credentials, at which point, it would
start over.  The only evidence of the previous owner would be in the MASA
audit log.
This could be via button push, via software command.

delegated-voucher has two purposes: 1) to enable resale without talking to
the original MASA (infrastructure collapse), 2) to enable aggregation of
devices into sub-systems.

I think, and I think that there will be regulatory processes that go with
this, that in the event of infrastructure collapse one of two things will
occur:

a) a new MASA will be operated, and a new set of code will be produced from
   escrowed sources.  (Back when software was expensive, in the hundreds of
   thousands of dollars/copy, source code escrow was a normal thing to do)
   If done in an orderly fashion, the old supplier would
   produce a new firmware image with new anchors and would deploy that before
   going out of business.

b) the devices would be marked a regulator as no longer safe, since they have
   no one to patch them, and would be forced out of service.


> If an owner can take complete control over a device (like, switch over the
> firmware, as you can do with a PC or a device that contains GPL-3
> software), would the issuer of such a new firmware also need to provision
> the device with a new IDevID?

Maybe.  Probably be a good idea.  The MASA URL would be wrong in the existing
IDevID.  RFC8995 provides for the Registrar to have the ability to override
that URL under operator control.  That would apply to all devices from that
manufacturer, probably, so it's a big hammer. Replacing the IDevID would be
simpler.

There are many different ways in which one can switch over the firmware.
On a PC, one does not typically replace the BIOS, so it might be that one is
just using a secure boot shim, or a replacing trust anchors.
For a PC, my notion is that BRSKI would not be used for the main CPU, but
rather for the BMC.





--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email