IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 21 November 2019 04:11 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D074120831 for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 20:11:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UTZ9fOWeHyb for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 20:11:55 -0800 (PST)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70274120220 for <rats@ietf.org>; Wed, 20 Nov 2019 20:11:54 -0800 (PST)
Received: by mail-wr1-x429.google.com with SMTP id b18so2582987wrj.8 for <rats@ietf.org>; Wed, 20 Nov 2019 20:11:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=1XQwpJPlrpzwRjnwpatI8sqVqccOurvGY3wlb0tgsgY=; b=EyufH8S+8Ejw1u8NlimRrCQJJ9G/BdlbCmFStXTBrIvc7mjn7rl0OSJz4tx4yutP1K DdXECie5oaMhnXDD31/eOdcjTC5L48ip0j7Q2K/9AzG3snAOFjD7Gl/GFfJ8p4Phbe4Q kFGTZZaF1ERICjPOuqq6xpl3pPCoBKYftkM9KWYklUjAxsjWwyJLAMEpxha33B6E5RDo GG9LKYUhjJifFRU+lUsW1/YUtUD3dCiyNUq+ytTDtEHYRe7DeNpnwHfka1pSMYOZeeTe hRx46LSY1l9Q9pdzeyiPgvYsa5L4UayEg2jMLPGvUHWJdF66ccqfzrMGdHnlFKNWgeUX o5Rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=1XQwpJPlrpzwRjnwpatI8sqVqccOurvGY3wlb0tgsgY=; b=iqK1dfcZ7w1hwfzURWhIiVdOQ/wFa98q+yYnH3SdyJDMGVwePCWiv6wrkSUovLp404 m4wjCHizykY/lfn+EslcIDb+wSexqymgxvJzkPDNRjFv6P7S9yrTGtzSGVz350lru9ps 8oDfZz33tRF3zRcSXKcWwvpD3yeYThiuDn9G5Ix86IVykYY70l3VFNnJFpTJsJj66xko Di73yz452AGhfmUHBLo9zj9R2jM9nK+1hsPdKgCz7Pw3G8KqcL+XgFABDHSQN7uKDfkP iCpUoQ4Y2mF1edphdAfItEUwuVfk+RQ/YXT1eJy48B/HK6uPRRTkW0qnFMSGGovZz7tH +Evg==
X-Gm-Message-State: APjAAAXwFZUXIBvM7YIKBidwDYUPANyWnD6IgBh9G0XAwvIfHDSXGBTo qlBZqd/jBy1rC8z28LOPHEwSm4TEo94=
X-Google-Smtp-Source: APXvYqwColxrurtECpn0Q4Q0Y1E9U5Qh4WADwy0tWtDPxoyN8SEHcjaEpO5Zgmpwi+J8h2jLDBXt3Q==
X-Received: by 2002:adf:f290:: with SMTP id k16mr8281171wro.224.1574309512619; Wed, 20 Nov 2019 20:11:52 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id 16sm8151251wmf.0.2019.11.20.20.11.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Nov 2019 20:11:51 -0800 (PST)
To: "Smith, Ned" <ned.smith@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <30effd67-f6ab-3899-808e-db724a33b9b0@gmail.com>
Date: Thu, 21 Nov 2019 05:11:47 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com>
Content-Type: multipart/alternative; boundary="------------225D22B5243C7A81A112B539"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/BaVjrKY5n-mSt1On564_ewWLpjg>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 04:11:57 -0000

And then you have the outcome/action of an attestation which I guess currently is "Pass" or "Fail".

As shown in https://cyberphone.github.io/doc/research/session-based-remote-attestation.pdf "Pass" may very well return a more sophisticated result, enabling a protected API in a session a bit similar to TLS.

Anders

On 2019-11-20 22:11, Smith, Ned wrote:
>
> There are some misrepresentations in the analysis below (I’ll comment inline below using [nms] delimiters). In general, I don’t see attestation types as being binary. Dave Thaler’s chart / truth table in another thread seems to suggest this as well given there are many different types of attesting environments (aka roots of trust).
>
> It might make sense to have discussion around claims that apply to attesting environments vs. claims that apply to attested environments? The important security property of attesting environments is they often are regarded as “trusted” meaning there isn’t some other attesting environment that vouches for it.
>
> Associating claims to attesting environments often takes a different from attestation (as represented by the roles / arch models); namely using certificates issued by product vendors (what the arch has called ‘asserters’). Certificates typically contain identity claims but could contain additional claims. Vendors could also sign assert claims by signing a document that asserts them. These could be manifests, attribute certs, identity certs with claims extensions and possibly even JWT/CWT (tokens). I haven’t seen a use case for vendor issued tokens however. Possibly PKI will transition from X.509 based to Token based at some point in the future, but I expect it will take a while. Vendors issuing (signing) manifests seems reasonable since many already create manifests for software distribution also called packages / bundles. The workflow for ‘reference values’ would not be much different than for creating a SW update manifest.
>
> *From: *RATS <rats-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> *Date: *Tuesday, November 19, 2019 at 6:00 PM
> *To: *Laurence Lundblade <lgl@island-resort.com>
> *Cc: *"rats@ietf.org" <rats@ietf.org>
> *Subject: *Re: [Rats] Two types of secure attestation
>
> Hi Laurence,
>
> I read your message as there only being 2 types of attestation as opposed to what you stated in your follow on email, which better maps to the restricted set in your first message.
>
> Thanks,
>
> Kathleen
>
> On Tue, Nov 19, 2019 at 8:07 PM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
>
>     Hi Kathleen,
>
>     Not sure I’m following your thought completely.
>
>     From what I know of Authenticated Boot, the code signing formats are usually proprietary and idiosyncratic. The first stages of it are likely in true ROM (chip metal layer) and can be very architecture and system specific and would not use CoSWID or EAT.
>
>     My comments below are about getting a system booted up to state where it known to behave as desired.
>
>     Once it is up then signed CoSWIDs in EATs would come into play. They can be trusted because the attester and system SW known to have booted up correctly. Knowing who signed some SW listed in a CoSWID is only of value if you know the system SW did signature checking when it loaded the SW it listed. For example, everyone knows how Android app signing works, so listing the signer of an Android app is good useful information.
>
>     Hope that makes sense in relation to your comment.
>
>     LL
>
>
>
>         On Nov 19, 2019, at 10:35 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
>
>         Hi Laurence,
>
>         Where does the code signing example fit in that you gave as it's not really an attestation, but could be useful in the format of an EAT/CWT?   This questions considers the CoSWID discussion as well as another example you had in your slides later (which was really the same) on just validating the code was signed by the expected private key? Should that be called an attestation or just using the format for signing?  You might add claims in above what's in the CoSWID and use the nesting of EAT/subdomains as well as perform remote verification.
>
>         Thanks,
>
>         Kathleen
>
>         On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort..com>> wrote:
>
>             Fundamentally, I think there are two ways that an attestation verifier comes to know that a device / entity is running approved SW and will behave as desired.
>
>             *TPM based*
>
>             ·Originates in the PC world where the end user had to be able to choose the system SW
>
>             [nms] Not sure what relevance to attestation should be ascribed because of how TPMs originated.
>
>             ·Has a TPM that performs a general measuring function
>
>                       + Has an attestation signing key for signing measurements that is kept secret by the TPM
>
>             oTPM is generic as it can be used for PC’s, routers, IoT devices
>
>             [nms] Profiles for how to adapt TPM for use in specific platform classes is generally required.
>
>             ·Authenticated boot is optional
>
>             [nms] I think the industry also uses the term ‘secure boot’. TPM supports attestation (of the boot sequence) while a secure boot approach doesn’t imply attestation is needed/used.
>
>             [nms] Boot behavior is more a property of the Root of Trust for Measurement (RTM) than a TPM. There are many types of RTM technology most simply it is a boot ROM.
>
>             ·Uses a staged boot architecture where each stage must measure (hash) the following stage
>
>             [nms] Boot architecture is determined by the type of device / platform not the TPM. Staged boot sequences are fairly common across the industry. Hence the term ‘bootstrap’.
>
>             oHashes fed into the TPM
>
>             oTPM generates the attestation of the registers holding the hashes
>
>             ·Device cost raised by cost of TPM part
>
>             [nms] Not sure how this is relevant to RATS
>
>             ·The verifier must run a parallel set of measurements (hashes)
>
>             oVerifier is complex
>
>             [nms] as compared to what?
>
>             *Authenticated Boot based*
>
>             ·Origins in mobile phone, TEE and DRM world where the user can NOT choose the system SW
>
>             ·Authenticated boot is required
>
>             oUses a boot ROM that really is a ROM, probably in silicon (not flash), that can NOT be changed
>
>             [nms] This is true for platforms using a TPM as well.
>
>             oBoot ROM verifies the SW that is loaded, particular the top privilege (e.g. kernel) SW
>
>             [nms] Verification implies the ability to determine boot code integrity. This is common to platforms that use a TPM.
>
>             oA good implementation has anti-rollback to prevent old versions of SW from being run
>
>             ·Has an attestation signing key that is programmed in fuses or possibly in flash
>
>             [nms] This is commonly true for TPM based attestation implementations.
>
>             oHas a HW block that prevents access to the attestation key unless authenticated boot succeeds
>
>             [nms] This is also true for solutions that wish to implement secure boot using a TPM.
>
>             oOnly top privilege SW can use it
>
>             [nms] TPM attestation keys have restrictions on use as well.
>
>             ·Attestations are created in the top-privilege SW
>
>             oSimply signing a nonce proves the device is running approved SW
>
>             [nms] The security properties of the signing key (attestation key) are a function of the claims that the manufacturers make about the environment that protects the key. This is true for TPM as well as any other root of trust / attesting environment.
>
>             oEasy to add other claims in —> EAT
>
>             [nms] relative to what?
>
>             ·Device cost raised by need for secure key provisioning in the factory
>
>             ·Verifier is very simple
>
>             oJust needs to verify the signature and nonce
>
>             [nms] The verifier is also integrated into the boot code. These verifiers need to be provisioned with boot state policies and so forth. Secure boot is an example of the combining of Attester and Verifier roles.
>
>             Both provide acceptable security for their use cases and are broadly in use.
>
>             RATS needs to support both.
>
>             [nms] In what ways does RATS not support both?
>
>             LL
>
>             _______________________________________________
>             RATS mailing list
>             RATS@ietf.org <mailto:RATS@ietf.org>
>             https://www.ietf.org/mailman/listinfo/rats
>
>
>         -- 
>
>         Best regards,
>
>         Kathleen
>
>         _______________________________________________
>         RATS mailing list
>         RATS@ietf.org <mailto:RATS@ietf.org>
>         https://www.ietf.org/mailman/listinfo/rats
>
>
> -- 
>
> Best regards,
>
> Kathleen
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email