IETF Logo Mail Archive

Re: [Cfrg] Including "internal APIs" in CFRG security analysis

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sun, 13 October 2019 12:19 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7873B120044 for <cfrg@ietfa.amsl.com>; Sun, 13 Oct 2019 05:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=CFMvu1jI; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=qn7v4GaC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjEI9krUMxsI for <cfrg@ietfa.amsl.com>; Sun, 13 Oct 2019 05:19:16 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40056.outbound.protection.outlook.com [40.107.4.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F95F12000F for <cfrg@irtf.org>; Sun, 13 Oct 2019 05:19:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sdcIsLKINfSSnft201pCtEiAZErojYrgIZIw6v7FC44=; b=CFMvu1jIESQDKuaGJUeXUJ3Iib0yvHBcm0nwph0ulXuHHQtPdLa9rp7+03GPWs27+eSH/b9O1C1fIIgSwt3YDGB0aMx3voJZR5XSJ7YqBr/YjbgNzM0pNH4Vr6ITU9WJVrk/RmkZi/HntqNXNIfFA5mglHXB5wqibL5PMveP6nk=
Received: from VI1PR08CA0120.eurprd08.prod.outlook.com (2603:10a6:800:d4::22) by AM6PR08MB3957.eurprd08.prod.outlook.com (2603:10a6:20b:a2::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.18; Sun, 13 Oct 2019 12:19:12 +0000
Received: from VE1EUR03FT039.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e09::200) by VI1PR08CA0120.outlook.office365.com (2603:10a6:800:d4::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2347.16 via Frontend Transport; Sun, 13 Oct 2019 12:19:12 +0000
Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; irtf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;irtf.org; dmarc=none action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT039.mail.protection.outlook.com (10.152.19.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Sun, 13 Oct 2019 12:19:10 +0000
Received: ("Tessian outbound e4042aced47b:v33"); Sun, 13 Oct 2019 12:19:10 +0000
X-CR-MTA-TID: 64aa7808
Received: from 75989e5d3ab7.1 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.5.52]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id 178E41DD-4FE6-4E41-83FD-1A3BA15AC35F.1; Sun, 13 Oct 2019 12:19:05 +0000
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02lp2052.outbound.protection.outlook.com [104.47.5.52]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 75989e5d3ab7.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 13 Oct 2019 12:19:05 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gZkt1UHH1SrXh4JTcLhW9M9sntsHma0L9PAn1QV0fgTijyvHp6Yjx8urFVNB269AwZ+nQSZ2BAKHmkAX3F+ne4XJcxIA+ekF2b6ncgAlNW+KHILgACI7Ui7oBA/xg5HXfjzL6q3ePbs+pq+/+M9N7iwDJ6ISzt+jCjTYlyRooONBvVjcaGyus4vkx+PLYhGJSzcG46kHansz7/SRqsxl5P5411l5rcdGZWdOAMdXrUBxCtOWDvm8G8TGcO11ZsBoDn/EE1g+iroFBD7C5TZA6sDFIte725c26w7xbJTrfsf89cGTB/xM1PFVTp5aNSfJ1m0fas1KWlassrxELJIBiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UZm2Bz6PXytsQMDexeNKMjiPPN5kGqPV+Ckm/DVh5ac=; b=S47StbhH6s50NZ70miTkHACNhdc87SMamLfgPkhIThPtVw5knPwhDEXptMPt4Ta+8lLzJ9it2WTmrAnz6upAr5ntCVad0SerA2wSoLzLMkd54WrGDIe9C+3xPng9BK/5DrMV/bG7XU8htGNzfvVVGJ53TIV983oBdaJtJjt8/wCQx+yZ/NM7Yw7kLDCDTAOInCE/1cplgcSLw4a9ieS021bMIvqTUSRDp0Cr1kMcuQ03SlHkr4XjAMVUlWL8mELej9Ur8I8gnWU5dWZ5nHeDOSnbBIlan/4W5guoDRRC/qi2MQWSEwsrfYmoOccIOFJz3id85LkUHqVipLj7fzaKNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UZm2Bz6PXytsQMDexeNKMjiPPN5kGqPV+Ckm/DVh5ac=; b=qn7v4GaCx08A+KKnjhCmyHhYbHfBweL/29w8G/BMolpTnZPAacZCnCLOVvqZYB/hvcxp6T/yRDJWV2TR1LdLXPqyDh3x0WstX7lIJ+gilt34amcKZI5OoZj+mtmeH+Uz4fb2C73oYwNSd4h8KrgPHkKduOI2XZDism9jfrh1U4E=
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com (52.133.245.74) by VI1PR08MB4350.eurprd08.prod.outlook.com (20.179.27.80) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.16; Sun, 13 Oct 2019 12:19:03 +0000
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31]) by VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31%2]) with mapi id 15.20.2347.021; Sun, 13 Oct 2019 12:19:03 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
CC: "Canetti, Ran" <canetti@bu.edu>, cfrg <cfrg@irtf.org>
Thread-Topic: [Cfrg] Including "internal APIs" in CFRG security analysis
Thread-Index: AQHVgYpWPNdwusWfEE6z+Hatosv6FqdYRHxggABuUAD//8k+sA==
Date: Sun, 13 Oct 2019 12:19:03 +0000
Message-ID: <VI1PR08MB5360362B6E769689112EA302FA910@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <e9043999-6015-d010-b023-4cb784d4d7b9@bu.edu> <VI1PR08MB53601BD61DC9AA5DDEE2D80CFA910@VI1PR08MB5360.eurprd08.prod.outlook.com> <970E3D8E-EE68-421E-8C11-5D8CA2C808D3@ll.mit.edu>
In-Reply-To: <970E3D8E-EE68-421E-8C11-5D8CA2C808D3@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 0f5ef0ed-e5d7-4068-8b1e-d86e8a0bc909.1
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [195.149.223.115]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 3cf82ab8-14a5-493a-a6ec-08d74fd78d7d
X-MS-Office365-Filtering-HT: Tenant
X-MS-TrafficTypeDiagnostic: VI1PR08MB4350:|AM6PR08MB3957:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Antispam-PRVS: <AM6PR08MB3957420DABE52EE0CA4EE3CCFA910@AM6PR08MB3957.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 01894AD3B8
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(136003)(396003)(346002)(39860400002)(40434004)(189003)(199004)(4326008)(2171002)(6246003)(6506007)(2420400007)(53546011)(966005)(606006)(25786009)(66066001)(33656002)(15650500001)(14454004)(99286004)(76176011)(7696005)(478600001)(81156014)(8676002)(256004)(14444005)(5024004)(81166006)(52536014)(71200400001)(71190400001)(66946007)(76116006)(64756008)(66556008)(66446008)(66476007)(8936002)(476003)(11346002)(7736002)(74316002)(186003)(5660300002)(6916009)(26005)(102836004)(2906002)(486006)(446003)(6436002)(86362001)(7110500001)(316002)(3846002)(6116002)(790700001)(54906003)(229853002)(54896002)(55016002)(236005)(6306002)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB4350; H:VI1PR08MB5360.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: r1IV5a9qtlaSeE4hVGvZsY+++iUH/wcG0ujJ6oV/xWjoRaqsseSXKM5pID5Lcx6mkSlOqzrXbpRq2jg2y4EXsd8KlW9+iddjv+51F8tiGL4fwfNbAoCqWTGxHhjBrop1+kgnDADCgP/U3JfRdozZmMdqUc/K/VZnG1zr+fWiPYzdaAS8fUb7OFQN5yQBiBohxnesQwcQn4ysTUbWNBZpL61MHkVwScAdpUmyXmVZzs/9yqioAkRIu5kCBVqjQvoVzWbFe8H92RrZLraxiSLc4IR66feG/aIF5VVRrzKA9YNP1mSutTAutVyT3T4NjS7aYDbAAJ288wMwE2rOompHakmxoKJzpYyTSiK7X1gHkArpZDcTII3mY6zTp+tM6DGfgKdBCDHmZqhBoo9FpdJzJrwouLEqiPnFTEGyjguxrrPDlPyVh5qsw+GADcw5ch4tkQC/m8MQqT3Bflrw+qbEgg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1PR08MB5360362B6E769689112EA302FA910VI1PR08MB5360eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB4350
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT039.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(346002)(136003)(396003)(39860400002)(376002)(189003)(199004)(40434004)(4326008)(33964004)(81156014)(14444005)(33656002)(76176011)(5024004)(356004)(606006)(76130400001)(26005)(186003)(36906005)(70586007)(70206006)(2906002)(8676002)(81166006)(7696005)(53546011)(316002)(102836004)(54906003)(16586007)(99286004)(6506007)(476003)(126002)(74316002)(25786009)(86362001)(486006)(7736002)(66066001)(6246003)(446003)(11346002)(2171002)(63350400001)(6306002)(236005)(9686003)(336012)(15650500001)(229853002)(55016002)(6862004)(54896002)(8936002)(22756006)(2420400007)(71190400001)(52536014)(790700001)(478600001)(26826003)(5660300002)(6116002)(966005)(14454004)(3846002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB3957; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:TempError; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; MX:1; A:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: eb6f56c5-eece-43b6-aa29-08d74fd78914
X-Forefront-PRVS: 01894AD3B8
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: mop35/gT4BrReOItPqiiJv3VWG2faQUTHgncfeSaV/0VxUsuRLSfWHg0fmmAwfNLjaXuZkrOo7gOafSY60KuWP5LkfMmZ+7Ci/CIcGugVbyNuPx2bE5MGRzLi4SDs+lTIXwKZ0766hnNm/2vEnqXs3pQgpwhjvFYBOudtcLPnJahjPwoA1ZeQOcp1lo1Nebz7SfvOb5uOyJ+x29YCnXdo9qA08PE0h5/kHXUGH3tyAuB52R4qAZUScg4w94Pxjb6kyEOZgcJLTqQuxF8aqi9ohBwPKZTTcFxcQkSdBwwZebDfRph2r2mtDFM724qyNqKfiVfFSqM1r1t2d4y+WXgwsDz1wUc0IVuqnJ59sQH96w/75iwPI8Nov9OuMQmIWiu1mnGF5dj0lB4CEVDVFbiw0xgIbKQEYdVTT3q4PK3+glR/BD0KUISi1JfFNaF7x7dscfJcIzGyWBJpbQS+VBeMg==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Oct 2019 12:19:10.5218 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3cf82ab8-14a5-493a-a6ec-08d74fd78d7d
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3957
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oDlMlKq8lxuXq0PP9iHb9bMMEjE>
Subject: Re: [Cfrg] Including "internal APIs" in CFRG security analysis
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Oct 2019 12:19:20 -0000

Reading Ran’s text I was thinking about APIs from Global Platform used to communicate between the normal world and the secure world on Cortex A class devices, the Platform Security Architecture (PSA) APIs introduced for M-class devices (for attestation, crypto and secure storage). Those would be applicable to the TEEP, RATS, and the SUIT work.

The information flow on modern devices tends to be somewhat complex given all layers of privilege isolation going on.

From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Sent: Sonntag, 13. Oktober 2019 13:29
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Canetti, Ran <canetti@bu.edu>; cfrg <cfrg@irtf.org>
Subject: Re: [Cfrg] Including "internal APIs" in CFRG security analysis

Back in the days of SNMPv3, faced with a similar problem, we introduced a concept of ASI (Abstract Service Interface) that defined what input and output each architecture component used, and what the expected/allowed reaction was.

IMHO, it served us well.
Regards,
Uri

Sent from my iPhone

On Oct 13, 2019, at 07:25, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Hi Ran,

I agree with you that it would be super useful to consider APIs that are internal to endpoints in security assessments.
Sometimes it may be useful to even standardize such endpoint internal APIs.

I do, however, wonder how many people in the IETF/IRTF have insight into endpoint internal implementation details (or want to be exposed to those details). Acquiring this knowledge requires a lot of time.
In practice, this will be a showstopper.

I believe statements like “An IETF standard is secure" is in general of little value because you still have to implement a spec, test the spec, configure the implementation, and then put it into a larger system. The IETF does not help with any of these tasks.

Ciao
Hannes

From: Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Canetti, Ran
Sent: Sonntag, 13. Oktober 2019 07:52
To: cfrg <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: [Cfrg] Including "internal APIs" in CFRG security analysis




BTW, a more general thought & suggestion, while at it:



One basic limitation of the IETF as a platform for standardizing security

of protocols is that the IETF traditionally shies away from standardizing

APIs that are “internal to endpoints”. However, it is hard to  meaningfully

discuss the security of protocols/ components without pinpointing  these very same

internal APIs: Need to define how other components provide inputs to the analyzed component, how

they obtain outputs from the analyzed component, and what other forms of

information exchange exist between the analyzed component and the rest of

the endpoint system (eg, shared databases). Without such determination, one cannot

meaningfully make a statement of the sort “An IETF standard is secure".

(Indeed, TLS1.* is a quintessential case where such specifications are

sorely missing from the standard.)





The CFRG is a good place to change (or, rather, complement) that - and

the current discussion on PAKE protocols is a good a place to start:

let's ask that PAKE standards (and proposals) specify how  they interact with the other relevant components within each

party, down to the API. This includes the APIs with TLS, with the secure session protocol,

with HTTPS, with the long-term signature module, with the password

store(s), etc etc…





Best, Ran
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email