[EAT] Introduction
Shawn Willden <swillden@google.com> Thu, 06 September 2018 16:38 UTC
Return-Path: <swillden@google.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71320130ED3 for <eat@ietfa.amsl.com>; Thu, 6 Sep 2018 09:38:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ews_7kWzHG7E for <eat@ietfa.amsl.com>; Thu, 6 Sep 2018 09:38:05 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EE90130ECD for <eat@ietf.org>; Thu, 6 Sep 2018 09:38:04 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id g6-v6so9597821lfb.11 for <eat@ietf.org>; Thu, 06 Sep 2018 09:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=4AJQTpMC/wBDh/yWF8g1HqZyYWB+MCPoY865ew8iiuw=; b=I16xXlQ0LF0XqW8lyxbhrKkh/J+jSY73wh8QOlRF8JOr8vZL9pDgNQhMQAAiqKQkbs 7fTlibSXnKdw99xuPu4BntmTqSN3htOrq6rWMrKYejrDFOcU8SmqKHityS4jI3V6JSgN BYoFdi5lb6m3+mcPGldCRUiSW9luDf8SfNOWn9Lq/7GZl67YlQBT/3e9zcuvHrgNjKVj SbE1BGlIcbW3emfhxGgeQAlr/61FdlUM0FZn0GWvOA+6EF4x8eRTErNpMMY9mMJjVSeU 6ikZoZv7nM2iiZq8B9Z0LiDPMSnDkVgWr1Prml4hoXcf+7YdcbmQR5716++628t1VvVi XzgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4AJQTpMC/wBDh/yWF8g1HqZyYWB+MCPoY865ew8iiuw=; b=A+k56/Rc1XXOcjCF57DvcwtKqsFlqkha+SrOvG1wcPC1fKpqLPaJBxQNlbgOW730BN BMKlu/gmMFkMkGAouwe5/gPI1XbbSk9bnKuaPsGQGU4+4+BzYP4g4E/Jw6I5NywmAe8m FjsutZRDNHrfKtGURXkuVpG3s2QtuCMwJ1nTK6LV6SPx/aAoxrB1fbb0ReG8X0+gIERm zgJZq/Ga8+ec8abU3QYDd7qfmzt9yhqKKo438Q1zxoELTSDHz2FeWe/3SCmJAwnNvgu8 Fd1NSWBYU3J0hJlCzPwiBsmk3jiHNF4kL2ruzWB5HlVObtYW7B81x96DTV2+vJYDbc+o nLXw==
X-Gm-Message-State: APzg51CCWYn6qy93mFUAqCpfqbiWrFgd5FLxevbg7Pr2hflvqPCwnwbS +LMnyYVEla6jkWtGVR+3+devcunEI/69ykvPc9zoPpLFpA0=
X-Google-Smtp-Source: ANB0VdZ4TAowZe6BqXtX3p8LpoklB9p7yOrmzA4KL+OkAsW3YjlABC9+8O7wUFt9FqSoLv33QIQFgvRcUr/2XWJA+dg=
X-Received: by 2002:a19:ead4:: with SMTP id y81-v6mr2474441lfi.110.1536251881911; Thu, 06 Sep 2018 09:38:01 -0700 (PDT)
MIME-Version: 1.0
From: Shawn Willden <swillden@google.com>
Date: Thu, 06 Sep 2018 10:37:50 -0600
Message-ID: <CAFyqnhUh0Ncd+VrXyLgrfgZZxcLLAcaQq4nsh16ts5-80wbUAQ@mail.gmail.com>
To: eat@ietf.org, rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b5a5050575368391"
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/xo9aUgnHUCMrijbT8dOjnJP3gSY>
Subject: [EAT] Introduction
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 17:09:17 -0000
Please excuse me if I'm violating some list etiquette with this introduction; it seemed like the best way to jump in. It appears that cross-posting between RATS and EAT is fairly common, so I think I'm good on that front :-) My name is Shawn Willden, and I lead the Android hardware-backed security team at Google. I designed and implemented the Keystore attestation scheme that's been present in Android since 7.0 (Nougat) and required for new devices since 8.0 (Oreo). Laurence invited me to participate in the EAT effort. I'm very interested in standard attestation protocols. Attestation in Keystore began as a narrow solution to a narrow problem, but it has become clear that there is massive demand for attestation in a wide variety of contexts. I'm not particularly happy with Keystore attestation, but it's hard to argue for changing it given that many people have implemented solutions on it, warty as it is. Compliance with an IETF standard would provide a perfect rationale for revising it -- assuming, of course, that the standard actually meets all of Android's needs. Since I doubt everyone is familiar with Android Keystore attestation [1], let me give a brief overview. Android Keystore provides a place for Android apps and system components to store and use cryptographic key material (RSA, ECC, AES & HMAC) in a trusted [2] environment. The goal is that key material should not be compromised even by total compromise of the Android operating system, e.g. kernel compromise. Further, since 6.0 (Marshmallow), various usage constraints can be attached to keys at key creation time, and most of these constraints are also enforced by the trusted environment, limiting the use of the trusted environment as an oracle for an attacker who has compromised Android. The ways that keys can be used are expressed affirmatively as "authorizations"; keys may only be used in ways defined by the associated authorizations. Perhaps the most obviously-useful of the authorizations is authentication binding. Authentication-bound keys may only be used when the user authenticates via password or fingerprint so an attacker who steals or finds your phone cannot use the keys. So Keystore provides a valuable tool to authors of apps that require strong security. For example, for a key used to authenticate an account holder to a banking system. But this tool is much less valuable if the bank's server can't verify that the secret is managed in a trusted environment. Hence, Keystore attestation, which allows the trusted environment to prove that it secures the key material, and specifies the authorizations that define how it may be used. Some important constraints upon Keystore derive from the fact that it is an implementation (some may say "subversion") of the Java Keystore API [3]. A result of needing to fit attestation into the standard Java APIs was that attestations must come in the form of an X.509 certificate chain. Given that it would be necessary for users of Keystore attestations to parse the ASN.1 DER-encoded X.509 certificate, I opted to implement attestation as an ASN.1 DER-encoded certificate extension, so they didn't have to parse two different sorts of encodings. To simplify implementation in resource-constrained trusted environments, I opted to structure the schema around the data structure that implementations already used to manage authorizations, namely "authorization lists". The schema has subsequently been extended to support device ID attestation (attesting to various device identifiers -- though this functionality is tightly restricted in the interest of user privacy), and attestation of firmware versioning data. I expect more such extensions to come in each release of Android, as more use cases are identified and implemented. Within the Android scheme, attestation signing keys are injected into devices during manufacturing and can never be rotated without returning the device to the manufacturer. Signing keys are also not device-unique, because we use standard RSA and ECDSA signatures, not a group scheme, and we wished to avoid providing a strong unique device identifier, again for user privacy reasons. Android compliance requirements specify that each signing key must be injected into at least 100K devices, all of the same model. Attestation key certificate chains are rooted in a Google-owned certificate for Android devices with Google Play; manufacturers of non-Play devices (e.g. Amazon) can provide their own root. Because this is already long I won't go into the rationale behind the decisions described in the last paragraph, but I'm happy to explain. [1] https://source.android.com/security/keystore/attestation [2] "Trusted" is always an interesting word. The actual security level of the various Android trusted execution environments (TEEs) is largely unknown. Based on what has happened every time security researchers looked hard at them, I suspect they're not very good. However, they are isolated from the main Android OS and the usage model generally means that it's necessary to first compromise Android in order to even begin attacking the TEE. Thus they provide a security benefit, though precisely how large is unknown. With Android 9.0 (Pie) we've begun supporting Android Keystore backed by hardware secure elements, which come with a culture of certification testing which is presently lacking in the TEE world. [3] https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html -- Shawn Willden | Staff Software Engineer | swillden@google.com | 801-477-4296
- [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Smith, Ned
- Re: [EAT] Introduction Suresh Marisetty
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Carl Wallace
- Re: [EAT] Introduction Carsten Bormann
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] Introduction Shawn Willden
- Re: [EAT] [Rats] Introduction Ira McDonald
- Re: [EAT] Introduction Laurence Lundblade
- Re: [EAT] [Rats] Introduction AndreRein
- Re: [EAT] [Rats] Introduction Laurence Lundblade
- Re: [EAT] [Rats] Introduction Henk Birkholz
- Re: [EAT] [Rats] Introduction Michael Richardson