IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 19 November 2019 14:36 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3F7F12096F for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 06:36:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fiadDroM60H1 for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 06:36:01 -0800 (PST)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3B4D120935 for <rats@ietf.org>; Tue, 19 Nov 2019 06:36:00 -0800 (PST)
Received: by mail-ot1-x331.google.com with SMTP id 94so18007949oty.8 for <rats@ietf.org>; Tue, 19 Nov 2019 06:36:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mvv5+nFe7ELQgvYmvgdRoGEDKGhnmBIsdEEC/vkQGPI=; b=iHsT7bPsKWqvdMF5tI+BGTReo/uAmAytw5aZcSoBLgBGfGkaLwdbVMi/gcs75i13SP BqMT8dfMDpnYF87iWi6wI49l+MMSEkrmV1DTqpX1dfLponAABWIQF67TgBqzXNvfae72 q1CYTJ4IDTDCVgdt0fpWwi8u/Pj1PKjUtuXG3/2I5MgVeEVKZb/GjpdnNUVQYYfR9y30 qg/nCmXr2XJ+DE7X5OZT/idugUybSoL26HbqRt4lbMho9FfAo8zx+YcPZ0DyCHPDR2xz m0Y9zq/AxTyivyplD8aVq1ygOXJ5JK0ElQk19uxl4S5qs1GlZiayeQViggcHZ9YcFQLY wKcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mvv5+nFe7ELQgvYmvgdRoGEDKGhnmBIsdEEC/vkQGPI=; b=UijZWSKTlwqapNpwjlAUydOQZ42AiWFtcCMJL/a+0ZnctrejCrFEkBJ0/dEOxYW0gs ewd5FX0G4cC0Bs3vamXjFpuqlN/Y32MWXoFx8Xe4jOBqa2XzvzdSh7j3B2Tx/DdXZWv/ x9d6yYthzq6QEm9kLmizDcXY70bD7Jj1Km4CSubNr49fYAKDSnj47C5VcZgyLchQS7Wk D7k533+JkJQNagPXwSEkqWNEA3AjNftR2+uhGFLsxL5l/mUnk9vHpvvtOtNeGlUcb95C a6EOOyhdjzb+/Y32wHwVm4FWW8Q+MaVqU47+sj+TCOj8FvhyxzcUhStefCzAS5fjzkkw 0bdg==
X-Gm-Message-State: APjAAAUmgnj61n2lPZeBM3m5HuZrZIVzjYmLKSecwKdx3cjSuOSiFcWN pJGDQSqiblZs5GCbqJoBkWDPNWRl9dLpFG2bsp0=
X-Google-Smtp-Source: APXvYqyjhi40eOBd2jsCXHG8EKFL7pUIFhw8gojLxv5JiD/xPYDR7HtoH3luEeDCqMFmyp/Nx90uWIWnREv36HKgJcM=
X-Received: by 2002:a9d:17ca:: with SMTP id j68mr3962235otj.250.1574174159993; Tue, 19 Nov 2019 06:35:59 -0800 (PST)
MIME-Version: 1.0
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com>
In-Reply-To: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 19 Nov 2019 09:35:23 -0500
Message-ID: <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009f02890597b3fb0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0IuzHiD829xUT-eXFoAMI1sv33Q>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 14:36:08 -0000

Hi Laurence,

Where does the code signing example fit in that you gave as it's not really
an attestation, but could be useful in the format of an EAT/CWT?   This
questions considers the CoSWID discussion as well as another example you
had in your slides later (which was really the same) on just validating the
code was signed by the expected private key?  Should that be called an
attestation or just using the format for signing?  You might add claims
in above what's in the CoSWID and use the nesting of EAT/subdomains as well
as perform remote verification.

Thanks,
Kathleen

On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com>
wrote:

> Fundamentally, I think there are two ways that an attestation verifier
> comes to know that a device / entity is running approved SW and will behave
> as desired.
>
> *TPM based*
>
>    - Originates in the PC world where the end user had to be able to
>    choose the system SW
>    - Has a TPM that performs a general measuring function
>       - Has an attestation signing key for signing measurements that is
>       kept secret by the TPM
>       - TPM is generic as it can be used for PC’s, routers, IoT devices
>    - Authenticated boot is optional
>    - Uses a staged boot architecture where each stage must measure (hash)
>    the following stage
>       - Hashes fed into the TPM
>       - TPM generates the attestation of the registers holding the hashes
>    - Device cost raised by cost of TPM part
>    - The verifier must run a parallel set of measurements (hashes)
>       - Verifier is complex
>
>
> *Authenticated Boot based*
>
>    - Origins in mobile phone, TEE and DRM world where the user can NOT
>    choose the system SW
>    - Authenticated boot is required
>       - Uses a boot ROM that really is a ROM, probably in silicon (not
>       flash), that can NOT be changed
>       - Boot ROM verifies the SW that is loaded, particular the top
>       privilege (e.g. kernel) SW
>       - A good implementation has anti-rollback to prevent old versions
>       of SW from being run
>    - Has an attestation signing key that is programmed in fuses or
>    possibly in flash
>       - Has a HW block that prevents access to the attestation key unless
>       authenticated boot succeeds
>       - Only top privilege SW can use it
>    - Attestations are created in the top-privilege SW
>       - Simply signing a nonce proves the device is running approved SW
>       - Easy to add other claims in —> EAT
>    - Device cost raised by need for secure key provisioning in the factory
>    - Verifier is very simple
>       - Just needs to verify the signature and nonce
>
>
> Both provide acceptable security for their use cases and are broadly in
> use.
>
> RATS needs to support both.
>
> LL
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email