[EAT] Introduction

Shawn Willden <swillden@google.com> Thu, 06 September 2018 16:38 UTC

Return-Path: <swillden@google.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 71320130ED3 for <eat@ietfa.amsl.com>; Thu, 6 Sep 2018 09:38:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Ews_7kWzHG7E for <eat@ietfa.amsl.com>; Thu, 6 Sep 2018 09:38:05 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EE90130ECD for <eat@ietf.org>; Thu, 6 Sep 2018 09:38:04 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id g6-v6so9597821lfb.11 for <eat@ietf.org>; Thu, 06 Sep 2018 09:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=4AJQTpMC/wBDh/yWF8g1HqZyYWB+MCPoY865ew8iiuw=; b=I16xXlQ0LF0XqW8lyxbhrKkh/J+jSY73wh8QOlRF8JOr8vZL9pDgNQhMQAAiqKQkbs 7fTlibSXnKdw99xuPu4BntmTqSN3htOrq6rWMrKYejrDFOcU8SmqKHityS4jI3V6JSgN BYoFdi5lb6m3+mcPGldCRUiSW9luDf8SfNOWn9Lq/7GZl67YlQBT/3e9zcuvHrgNjKVj SbE1BGlIcbW3emfhxGgeQAlr/61FdlUM0FZn0GWvOA+6EF4x8eRTErNpMMY9mMJjVSeU 6ikZoZv7nM2iiZq8B9Z0LiDPMSnDkVgWr1Prml4hoXcf+7YdcbmQR5716++628t1VvVi XzgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4AJQTpMC/wBDh/yWF8g1HqZyYWB+MCPoY865ew8iiuw=; b=A+k56/Rc1XXOcjCF57DvcwtKqsFlqkha+SrOvG1wcPC1fKpqLPaJBxQNlbgOW730BN BMKlu/gmMFkMkGAouwe5/gPI1XbbSk9bnKuaPsGQGU4+4+BzYP4g4E/Jw6I5NywmAe8m FjsutZRDNHrfKtGURXkuVpG3s2QtuCMwJ1nTK6LV6SPx/aAoxrB1fbb0ReG8X0+gIERm zgJZq/Ga8+ec8abU3QYDd7qfmzt9yhqKKo438Q1zxoELTSDHz2FeWe/3SCmJAwnNvgu8 Fd1NSWBYU3J0hJlCzPwiBsmk3jiHNF4kL2ruzWB5HlVObtYW7B81x96DTV2+vJYDbc+o nLXw==
X-Gm-Message-State: APzg51CCWYn6qy93mFUAqCpfqbiWrFgd5FLxevbg7Pr2hflvqPCwnwbS +LMnyYVEla6jkWtGVR+3+devcunEI/69ykvPc9zoPpLFpA0=
X-Google-Smtp-Source: ANB0VdZ4TAowZe6BqXtX3p8LpoklB9p7yOrmzA4KL+OkAsW3YjlABC9+8O7wUFt9FqSoLv33QIQFgvRcUr/2XWJA+dg=
X-Received: by 2002:a19:ead4:: with SMTP id y81-v6mr2474441lfi.110.1536251881911; Thu, 06 Sep 2018 09:38:01 -0700 (PDT)
MIME-Version: 1.0
From: Shawn Willden <swillden@google.com>
Date: Thu, 6 Sep 2018 10:37:50 -0600
Message-ID: <CAFyqnhUh0Ncd+VrXyLgrfgZZxcLLAcaQq4nsh16ts5-80wbUAQ@mail.gmail.com>
To: eat@ietf.org, rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b5a5050575368391"
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/xo9aUgnHUCMrijbT8dOjnJP3gSY>
Subject: [EAT] Introduction
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 17:09:17 -0000

Please excuse me if I'm violating some list etiquette with this
introduction; it seemed like the best way to jump in. It appears that
cross-posting between RATS and EAT is fairly common, so I think I'm good on
that front :-)

My name is Shawn Willden, and I lead the Android hardware-backed security
team at Google. I designed and implemented the Keystore attestation scheme
that's been present in Android since 7.0 (Nougat) and required for new
devices since 8.0 (Oreo). Laurence invited me to participate in the EAT

I'm very interested in standard attestation protocols.  Attestation in
Keystore began as a narrow solution to a narrow problem, but it has become
clear that there is massive demand for attestation in a wide variety of
contexts. I'm not particularly happy with Keystore attestation, but it's
hard to argue for changing it given that many people have implemented
solutions on it, warty as it is. Compliance with an IETF standard would
provide a perfect rationale for revising it -- assuming, of course, that
the standard actually meets all of Android's needs.

Since I doubt everyone is familiar with Android Keystore attestation [1],
let me give a brief overview.

Android Keystore provides a place for Android apps and system components to
store and use cryptographic key material (RSA, ECC, AES & HMAC) in a
trusted [2] environment. The goal is that key material should not be
compromised even by total compromise of the Android operating system, e.g.
kernel compromise.

Further, since 6.0 (Marshmallow), various usage constraints can be attached
to keys at key creation time, and most of these constraints are also
enforced by the trusted environment, limiting the use of the trusted
environment as an oracle for an attacker who has compromised Android. The
ways that keys can be used are expressed affirmatively as "authorizations";
keys may only be used in ways defined by the associated authorizations.
Perhaps the most obviously-useful of the authorizations is authentication
binding. Authentication-bound keys may only be used when the user
authenticates via password or fingerprint so an attacker who steals or
finds your phone cannot use the keys.

So Keystore provides a valuable tool to authors of apps that require strong
security. For example, for a key used to authenticate an account holder to
a banking system. But this tool is much less valuable if the bank's server
can't verify that the secret is managed in a trusted environment. Hence,
Keystore attestation, which allows the trusted environment to prove that it
secures the key material, and specifies the authorizations that define how
it may be used.

Some important constraints upon Keystore derive from the fact that it is an
implementation (some may say "subversion") of the Java Keystore API [3].  A
result of needing to fit attestation into the standard Java APIs was that
attestations must come in the form of an X.509 certificate chain. Given
that it would be necessary for users of Keystore attestations to parse the
ASN.1 DER-encoded X.509 certificate, I opted to implement attestation as an
ASN.1 DER-encoded certificate extension, so they didn't have to parse two
different sorts of encodings. To simplify implementation in
resource-constrained trusted environments, I opted to structure the schema
around the data structure that implementations already used to manage
authorizations, namely "authorization lists".

The schema has subsequently been extended to support device ID attestation
(attesting to various device identifiers -- though this functionality is
tightly restricted in the interest of user privacy), and attestation of
firmware versioning data. I expect more such extensions to come in each
release of Android, as more use cases are identified and implemented.

Within the Android scheme, attestation signing keys are injected into
devices during manufacturing and can never be rotated without returning the
device to the manufacturer. Signing keys are also not device-unique,
because we use standard RSA and ECDSA signatures, not a group scheme, and
we wished to avoid providing a strong unique device identifier, again for
user privacy reasons. Android compliance requirements specify that each
signing key must be injected into at least 100K devices, all of the same
model. Attestation key certificate chains are rooted in a Google-owned
certificate for Android devices with Google Play; manufacturers of non-Play
devices (e.g. Amazon) can provide their own root.

Because this is already long I won't go into the rationale behind the
decisions described in the last paragraph, but I'm happy to explain.

[1] https://source.android.com/security/keystore/attestation
[2] "Trusted" is always an interesting word. The actual security level of
the various Android trusted execution environments (TEEs) is largely
unknown. Based on what has happened every time security researchers looked
hard at them, I suspect they're not very good. However, they are isolated
from the main Android OS and the usage model generally means that it's
necessary to first compromise Android in order to even begin attacking the
TEE. Thus they provide a security benefit, though precisely how large is
unknown. With Android 9.0 (Pie) we've begun supporting Android Keystore
backed by hardware secure elements, which come with a culture of
certification testing which is presently lacking in the TEE world.
[3] https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html

Shawn Willden | Staff Software Engineer | swillden@google.com | 801-477-4296