[Rats] Re: Security considerations of remote attestation (RFC9334)

John Kemp <stable.pseudonym@gmail.com> Fri, 31 January 2025 19:47 UTC

Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF4EC169422 for <rats@ietfa.amsl.com>; Fri, 31 Jan 2025 11:47:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmM9IMMp2Lxt for <rats@ietfa.amsl.com>; Fri, 31 Jan 2025 11:47:53 -0800 (PST)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15E9DC14F6AA for <rats@ietf.org>; Fri, 31 Jan 2025 11:47:53 -0800 (PST)
Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-7b6e9db19c8so202564685a.3 for <rats@ietf.org>; Fri, 31 Jan 2025 11:47:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738352872; x=1738957672; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=fC/IAZdhoyN0KnBg3us9MUdDTXb+wzoJlGJOJU9tBiI=; b=WaSUbDtj5oBCPq4q2rbpzHbwbKXGG2uQfIi6g+S30qEYV8lsUxDmuThkZZYO4/eY9t vvZCZkgpwvzXRQv5rfOzK1TE0TkKdNMYwRRdGqPSg9z3t0noDsiD/URGLmnsUrPmhQ3W FmQDAqxw5wyzpnLH94hBJZH5b8d+60mCul38wq4TX6pXvvvyVpobCL2UGy7lY3UHjvxl OZB+llakEKGENRC7Gdiz/LCA+jIQr/PpRMaF8nOwO9XUABaqrjlHfKqapA/DDDOZJzvG aUu0h5sBvguHzqjAAIU/kVI4okZv3ZrfQnNvqgRQ6ZGg+Nk/DrZnIUaNeIibhcWYrWst V7tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738352872; x=1738957672; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fC/IAZdhoyN0KnBg3us9MUdDTXb+wzoJlGJOJU9tBiI=; b=BnOlb42gxXfVSHanPEGYZNf/Zj9gzronrX5Za8Mb0z33e2NvVDsHP6D+lgBAQGpbOe L8RiCT8/bjmQbNjGfNJgMKYLAXrwrWToGf83bUGc+TPD4p5G6Zmv95qMtkior/ISHeo3 6gMngfaTfwWffutaNVnFcxpcSfCsq5QzHRtVhTfa7nAWf7zGD/LpkqN5vydjL67AuJgT zZcCXc5KOBJbiOiZ3UmwB9FFNObXhPtRfQttmxwxFpGls9b9Y2FsugY757IO3M22kXtK t2O1IGQh9Te4C2jJd0r6DTeQcufN1POynMflQVKhUc1MDLJRSt76pxtu++haXG0XIct5 r0ug==
X-Forwarded-Encrypted: i=1; AJvYcCXznjs63vk5v9z++98supePOcuwpB8RfTonMzgW+zf9oXy003eUOhMy1g9mDRHItLd/mSlg@ietf.org
X-Gm-Message-State: AOJu0YymPG9hiEkRWqUVXxduLZ+dRKUUDAVrSCBO52qIUaP7oygQB8JJ Ts1xBf/uev9LyXw9NDVCYq+vetdrkapT6aCj0SpckImxb/02nqVj
X-Gm-Gg: ASbGncu2BNxbE05be10JV++L4BqBhoKy3k0YBHuRul4RGkEZSvwS30iVvYqaYAkh9Eb tgrq3bj5K9uvdCNUO90876p4Q5fXccW1FZoIc0k9ecVyoeL8RKnXso9/rN/L524Jbp5Fv5EaJq1 +nOq3X7KCEINtwSLP704TwJne71I+LIEI/GZSaSFueyixkbb8xPFkHlVXca3Vd6bV4fI5oLM+TG OQ18r+he1cS7nFuSV0ECdpoGCoII8D7ZePxb0uydB3qUd4e/GBk82avNoeY7/2C+cVfmESWq+/4 M5o1Qa7lo1Xwu3SXAfSwO14DgBV4+D12/NDiRQcsqYB8RqFwsB1GZ6HJEZMOHLQeY6k=
X-Google-Smtp-Source: AGHT+IELU2T378/3NwMv5a8g5+wJTYRxObm23SIk4DTRP38+9i9u6lwu4B3EyxRbluEPYJbhyl1cRw==
X-Received: by 2002:a05:620a:6015:b0:7b7:2e7:7a88 with SMTP id af79cd13be357-7bffcd92727mr1969135185a.44.1738352871964; Fri, 31 Jan 2025 11:47:51 -0800 (PST)
Received: from [192.168.1.157] (syn-066-066-241-066.res.spectrum.com. [66.66.241.66]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7c00a9047a4sm222679085a.80.2025.01.31.11.47.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 31 Jan 2025 11:47:51 -0800 (PST)
Message-ID: <61aaa24b-ff05-46b0-8f9b-16d695b18ca0@gmail.com>
Date: Fri, 31 Jan 2025 14:47:50 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Henk Birkholz <henk.birkholz@ietf.contact>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <360c6c29-2548-4895-92e8-7e34e56c2d34@gmail.com> <E0336C45-0BDA-40D6-849C-4D6E9D037125@gmail.com> <b46705bf-8f0a-ef0a-1c5f-3e46641be49b@ietf.contact>
Content-Language: en-US
From: John Kemp <stable.pseudonym@gmail.com>
In-Reply-To: <b46705bf-8f0a-ef0a-1c5f-3e46641be49b@ietf.contact>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 73K6V7AS6NSIRDWKYNOEOZH24RJNLRQG
X-Message-ID-Hash: 73K6V7AS6NSIRDWKYNOEOZH24RJNLRQG
X-MailFrom: stable.pseudonym@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Dave Thaler <dthaler1968@googlemail.com>, Ned Smith <ned.smith@intel.com>, Panwei <william.panwei@huawei.com>, rats@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8i6RNiRM1D3BLDefL-iH-fbjReE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Henk,

El 01/31/25 a las 11:10, Henk Birkholz escribió:
> Hi Kathleen,
> Hi John,
> 
> I am not entirely sure how the previous messages relate to "the Thaler 
> Conjecture" exactly,

I said directly in my initial response:

>>>> I guess, in specific response to this discussion that:
>>>>
>>>> i) I don't know if it matters whether every attestation use-case is 
>>>> an authentication use-case.
>>>> ...

BUT:

>>>> ii) However, it _does_ matter how we define these terms, and the 
>>>> relationships between them, as regards the RATS entities/roles

(whether we take or adapt NIST definitions, or define them specifically 
for RATS entities)

We do still need a better answer for Usama's original questions around 
the distinctions as they apply to RATS, I think.

More inline below...

> but please find some comments below, inline.
> 
> 
> Viele Grüße,
> 
> Henk
> 
> On 30.01.25 23:12, Kathleen Moriarty wrote:
>>
>> Sent from my mobile device
>>
>>> On Jan 30, 2025, at 4:52 PM, John Kemp <stable.pseudonym@gmail.com> 
>>> wrote:
>>>
>>> El 01/30/25 a las 16:03, Dave Thaler escribió:
>>>> The logic behind the conjecture is the belief that
>>>> authentication without attestation is weak (i.e., how do you know 
>>>> it's not an adversary,
>>>> like malware on the same device, claiming to be the identity being 
>>>> authenticated?)
>>>> compared to authentication with attestation which provides a 
>>>> stronger level of assurance
>>>> of actual identity.
>>>
>>> At the lowest level, authentication is _only_ the ability for an 
>>> entity to prove that it possesses something _assumed_ to be 
>>> "secret" ("three can keep a secret if two of them are dead").
>>>
>>> It is assumed to be secret because (for example):
>>>
>>> a) it is derived from a cryptographically-secure random number and 
>>> thus cannot be guessed,
>>> b) it is not shared with anything other than the entity claiming 
>>> possession
>>> c) it is used in a cryptographic protocol in such a way as to not 
>>> reveal the secret
>>>
>>> These assumptions, rather more often than we would like, do not hold.
>>>
>>> "identity" is a set of attributes regarding an entity that may be 
>>> claimed by the entity.
> 
> That would be a self-asserted identity, right?

Yes.

> 
>>>
>>> "attestation" is a set of relationships of the form "is-known-by".
> 
> I assume that could be one of the definitions of attestation out there. 
> Do you imply that's the RATS WG use of the bare word "attestation"?

I'm not implying that, no. It's more by way of teasing out the actual 
differences between attestation and authentication.

> The closest that NIST defines "attestation" as used in the RATS comes from 
> NIST SP 1800-19B: "The process of providing a digital signature for a 
> set of measurements securely stored in hardware, and then having the 
> requester validate the signature and the set of measurements." where the 
> securely stored in hardware sometimes leads to discussions, I think.

The "measurements" are signed with a key, and without any other context 
would be equivalent to a self-signed claim of some attributes related to 
the claimant. However, because they're signed with a key that has been 
blessed by (for example) the provider of the hardware (via AK/EK or 
similar), we are saying with the attestation:

1. The measurements represent my best knowledge of the state that I am 
running in.
2. I (my key) is "known by" ("vouched for"?) this other entity.
3. The measurements can be trusted by the entity vouching for me because 
they know "how I've been securely built and are willing to take a risk 
on me" (roughly-speaking ;)

1. is authenticating the device making the measurement claims
2. is providing "trusted", relational context around that authentication 
(I vouch for the key that signed these measurements) and also the 
measurements themselves will provide additional context (e.g. hash of 
firmware) that can theoretically (depending on some variables) make me 
more trustworthy to the recipient.

> 
>>>
>>> So one might imagine an entity claiming a set of identity attributes, 
>>> authenticating itself by holder-of-key signature of something, and 
>>> "attesting" these attributes by signing _those_ possibly 
>>> authenticating and attesting (itself) at the same time.
>>>
>>> Attestation is often used to _avoid_ doing actual entity 
>>> authentication (since key management is hard at scale).
>>>
>>> I guess, in specific response to this discussion that:
>>>
>>> i) I don't know if it matters whether every attestation use-case is 
>>> an authentication use-case.
>>> ii) However, it _does_ matter how we define these terms, and the 
>>> relationships between them, as regards the RATS entities/roles
>>
>> I’m in agreement with John. I used higher level terminology to the 
>> same point and NIST SP 800-63 series is the key source for reference.
> 
> NIST SP 800-63-3 is one of many NIST documents that include a glossary 
> definition of "authentication", I think.
> 
> There are others: https://csrc.nist.gov/glossary/term/authentication
> 
> NIST SP 800-63-3's definition is: "Verifying the identity of a user, 
> process, or device, often as a prerequisite to allowing access to a
> system’s resources."
> 
> I am absolutely okay with that definition of authentication. I'd just 
> like to point out that NIST alone provides more than 20 additional 
> definitions.

Yes, this is a problem I've seen with relying on NIST (or other) 
definitions before. So clearly, we always need definition n+1 and one 
can never have enough standards, right? ;)

- johnk

> And for comparison, RFC4949 has: "The process of verifying 
> a claim that a system entity or system resource has a certain attribute 
> value."
> 
> The special publication series 800-63 does not cover topics related to 
> "attestation", I think.
> 
>>
>> Thank you, John.
>>
>> Kathleen
>>
>>>
>>> Regards,
>>>
>>> - johnk
>>>
>>> -- 
>>> John Kemp
>>> Independent Security Architect
>>> t: +1.413.645.4169
>>> e: stable.pseudonym@gmail.com
>>>
>>> https://www.linkedin.com/in/johnk-am9obmsk/
>>> https://github.com/frumioj
>>>
>>
>> _______________________________________________
>> RATS mailing list -- rats@ietf.org
>> To unsubscribe send an email to rats-leave@ietf.org

-- 
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudonym@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj