Re: [Rats] Out-of-band key material set up in architecture document

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 06 November 2019 17:14 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B90120875 for <rats@ietfa.amsl.com>; Wed, 6 Nov 2019 09:14:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gxx_QB0MVZZC for <rats@ietfa.amsl.com>; Wed, 6 Nov 2019 09:14:15 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EFF2120869 for <rats@ietf.org>; Wed, 6 Nov 2019 09:14:14 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xA6HEBP8012671 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 6 Nov 2019 18:14:12 +0100
Received: from [192.168.178.8] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 6 Nov 2019 18:14:06 +0100
To: Laurence Lundblade <lgl@island-resort.com>, Dave Thaler <dthaler@microsoft.com>
CC: "rats@ietf.org" <rats@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
References: <9B93F41C-3707-4822-B3F5-5F9978872786@island-resort.com> <MWHPR21MB0784D3762243B2D09E0E6DC8A37E0@MWHPR21MB0784.namprd21.prod.outlook.com> <5050A16A-68D3-4D6A-859F-EAFF74FAF096@island-resort.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <c4977362-1bf5-7da3-3b62-e27d612f5d04@sit.fraunhofer.de>
Date: Wed, 6 Nov 2019 18:14:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <5050A16A-68D3-4D6A-859F-EAFF74FAF096@island-resort.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/52141rS8POVn6SGQhbg51eQS0jQ>
Subject: Re: [Rats] Out-of-band key material set up in architecture document
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 17:14:18 -0000

Hi Dave,
hi list,

the scope of the architecture was discussed a lot. It is okay to provide 
a bigger picture here, as the "phasing approach" will allow to talk 
about the attestation provisioning flows later on. Ben accompanied that 
decision process and I think he might be able to restate that :)

I think we are all in wild agreement here wrt to:

> "the manufacturer must put it there”, is however I think too narrow

We do not have to be prescriptive about any things here anyways, but to 
be descriptive or illustrative is very helpful.

In this quite prominent scenario:

> In some arguably more secure designs, the device itself creates the key pair and the manufacturer per se never knows the private key, only the public key,

the manufacturer provisioned something that made this happen (and 
therefore took measures to render the public key meaningful).

Viele Grüße,

Henk

On 06.11.19 17:58, Laurence Lundblade wrote:
> 
> 
>> On Nov 5, 2019, at 3:40 PM, Dave Thaler <dthaler@microsoft.com 
>> <mailto:dthaler@microsoft.com>> wrote:
>>
>> Inline below…
>> *From:*RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>>*On 
>> Behalf Of*Laurence Lundblade
>> *Sent:*Tuesday, November 5, 2019 12:17 PM
>> *To:*rats@ietf.org <mailto:rats@ietf.org>
>> *Subject:*[Rats] Out-of-band key material set up in architecture document
>> An issue I have with both the current architecture documents is that 
>> they do not discuss the need for some out of band key material set up 
>> to make verification work.
>>
>>     The manufacturer of the device must put some private key into each
>>     device so that the device can sign attestation evidence. Most
>>     likely the manufacturer also creates the verifying key material,
>>     but they may or may not be the verifier.  If they are not the
>>     verifier, somehow the verifier of attestation evidence must have
>>     corresponding key material to verify the signature.
>>
>> This paragraph could be a start of the text. I think this is a 
>> critical part of the architecture because attestation doesn’t work 
>> without it.
>> I agree that a private key is needed in each device for attestation to 
>> work (at least using any techniques
>> I’m aware of). Saying “the manufacturer must put it there”, is however 
>> I think too narrow, as it implies the
>> manufacturer actually knows the key. In some arguably more secure 
>> designs, the device itself creates the
>> key pair and the manufacturer per se never knows the private key, only 
>> the public key, so it would be
>> confusing to say the manufacturer “put” it there, or that the 
>> “manufacturer creates” the key material.
> 
> We could say “establish the signing key”? Certainly don’t want to 
> exclude those more secure designs.
> 
>> ...
>> Furthermore, the RATS charter does not constrain attestation to only 
>> **hardware** based roots of trust.
>> There are some cases where it may be in a hypervisor or bios or 
>> firmware or whatever, and only attest
>> things above that, with obviously a weaker level of security than 
>> hardware-rooted attestation.   But any
>> protocol mechanisms should still work (mainly because it’s almost 
>> impossible to rule them out except via
>> a security policy that says which keys to trust), even if it’s not the 
>> primary focus we care most about.  The
>> point here being that in such a case it may not be the “manufacturer”, 
>> but may be another entity.  That’s
>> actually true in some cases even for hardware-based roots of trust.
> 
> Yes, the “manufacturer” could be a SW vendor or even the author of a 
> dumb Android app. We need a much broader term or description.
> 
> LL
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>