Re: [Rats] UEID in EAT

Laurence Lundblade <lgl@island-resort.com> Fri, 11 September 2020 17:18 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F345D3A1584 for <rats@ietfa.amsl.com>; Fri, 11 Sep 2020 10:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ukt_rB8AgWzt for <rats@ietfa.amsl.com>; Fri, 11 Sep 2020 10:18:32 -0700 (PDT)
Received: from p3plsmtpa12-04.prod.phx3.secureserver.net (p3plsmtpa12-04.prod.phx3.secureserver.net [68.178.252.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 936BA3A157A for <rats@ietf.org>; Fri, 11 Sep 2020 10:18:32 -0700 (PDT)
Received: from laurences-mbp.lan ([63.225.87.1]) by :SMTPAUTH: with ESMTPA id GmgwkHIh5FaTPGmgwk6okN; Fri, 11 Sep 2020 10:18:31 -0700
X-CMAE-Analysis: v=2.3 cv=KNUk82No c=1 sm=1 tr=0 a=zts2ur/HCa1gw63mIQw/Dg==:117 a=zts2ur/HCa1gw63mIQw/Dg==:17 a=IkcTkHD0fZMA:10 a=pGLkceISAAAA:8 a=48vgC7mUAAAA:8 a=NvfwTw6vbqmCeHRIDqEA:9 a=7ST5tjgnKQra7AwV:21 a=H5eOmVw78oV0NCf6:21 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <CAHbuEH6RrPYAGOKq_JvDmS1ZvP51BfWr_GpJ-Gd+r0yXuUWw-A@mail.gmail.com>
Date: Fri, 11 Sep 2020 10:18:29 -0700
Cc: rats@ietf.org, Juan Carlos Zuniga <j.c.zuniga@ieee.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D9CA73C9-5E38-41F8-9855-9C275D52EF0C@island-resort.com>
References: <CAHbuEH6RrPYAGOKq_JvDmS1ZvP51BfWr_GpJ-Gd+r0yXuUWw-A@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-CMAE-Envelope: MS4wfDAdhPc3DLG8+1KFeX4EC5a87Tz/9uBMWUoj93RAPxFSWOStqaNtHHj/B/7IIqUeJj7ENCl+Qj32QtwqdZ3zD4lW55lgtXf17v9xqFFa7D+1vUvBFT+L KQ4WpPDUaLUe7sDmOOWvAg5vrVIwunC6rN78IJLzTA54q+nOuUXyT9Dycr0EI2Y+W2wecAvPqi6EQHjPSbz55G2RXv0Eif2sQ6IaqhloRSzmDfbrmfgE2CcP 1lYh/cMiZa/mpM43cNie9Q==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0X-LVKM4rO8itpsCHD0RWUsg3TE>
Subject: Re: [Rats] UEID in EAT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 17:18:34 -0000

First the uniqueness and collision problem, then separately the privacy problem.

So a type 0x1 UEID is a true crypto quality random number. The theoretical problem is the one of a collision between two true random numbers, the birthday problem.

In the implementation where a true crypto quality RNG like those supported by Intel chips and Qualcomm chips these days, there is no hash function involved. So it’s not the same problem as a hash collision problem. Really it is just the birthday problem.

Uniqueness across vendors for type 0x01 UEIDs is assured because the vendors are using crypto quality RNGs. It doesn’t matter if there are million vendors or one vendor.

There may be a concern that vendors won’t use crypto quality random numbers, but that is still not a hash collision problem.

If you choose to generate UEIDs by hashing some other random data, then the quality of the hash function comes in and of course the quality or randomness of what you hash. We can recommend hash functions, maybe even DRBGs, but the real requirement is crypto quality randomness in the full solution.

The uniqueness to type 0x02 and type 0x03 UEIDs across vendors is entirely different from type 0x01 and depends on an organization like IEEE registering vendors and assigning IDs. That is just following industry practice.

Vendors can do all sorts of bad things here to break the uniqueness even for MAC addresses and IMEIs. I’m not sure we can do much about it except describe the way it should be done. (A good certification program could do something about this, but IETF doesn’t run certification programs). The good news is that crypto quality RNGs are generally available now.


Now on to privacy.

I think we should define a true globally unique UEID that is not privacy preserving and that never changes. Billions of single-use devices will be just fine with this and billions probably require this. It’s the multi-use devices like laptops and mobile phones where the big problem is, but that is only a subset of the target market.

In addition to a non-privacy-preserving UEID, we could design one or more solutions that do give privacy preservation. I didn’t do that yet because it seems hard. We could do it. Maybe it should be in EAT, maybe it should be a separate draft of even drafts if there are multiple solutions. Maybe one is based on Juan’s IEEE work.


To summarize / unpack:

#1 vendor uniqueness — Birthday problem for type 0x01; industry registry and assignment for type 0x02 and 0x03

#2 hash collision — Only an issue if a hash function is used; can recommend hashes; true issue is overall randomness quality

#3 privacy — keep the non-privacy-preserving UEID for use cases that need it; entertain proposals for privacy preserving UEIDs

LL




> On Sep 11, 2020, at 5:25 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Hello,
> 
> Someone had pointed out a possible problem with the UEID, so I dug a little and wanted to poke at it.  In looking at the UEID, it relies strictly on the collision rate for hash generation, setting the number of bits high enough for the very large number of devices that could be assigned an UEID.  It also states that the UEID never changes.
> 
> The question posed to me privately is that there seems to be a conflict in the two sections on this proposal.  How do you ensure uniqueness across vendors?
> 
> Going back to an example, collision attacks have been successful even though they are highly sophisticated.  The earliest example was in one of the exploits used in the STUXNET attack.  That example resulted in deprecation of older hash functions.  Minimally, some recommendations should be provided on hash functions, pointing to a registry of maintained recommendations.  The problem across vendors is also interesting in that you can track this within a vendor, but how do you ensure uniqueness across vendors?
> 
> I am copying Juan Carlos as he and others did work within the IEEE that could be very useful here.  They standardized a method to produce randomized MAC address values.  While vendors had their own method, privacy was not assured as it was possible to detect what vendor generated a particular value due to variances in their algorithms.
> 
> IEEE has also moved to a method to allow for changing MAC addresses for increased privacy.  Should EUID remain a constant value or be able to change over time?  There's likely value in allowing change over time for privacy.  You can find IEEE information on the problems associated with changes over time, but usually that type of work can lead to answers on how to make it work.  
> 
> I am hoping Juan Caros may be able to assist a bit here and we can learn from IEEE's experience and save a bit of time.
> 
> Thank you,
> Kathleen
> 
> -- 
> 
> Best regards,
> Kathleen
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats