IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Laurence Lundblade <lgl@island-resort.com> Wed, 20 November 2019 01:07 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C882C12010F for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 17:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fKtWPLeZlxm9 for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 17:07:02 -0800 (PST)
Received: from p3plsmtpa09-02.prod.phx3.secureserver.net (p3plsmtpa09-02.prod.phx3.secureserver.net [173.201.193.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C999120144 for <rats@ietf.org>; Tue, 19 Nov 2019 17:07:02 -0800 (PST)
Received: from dhcp-9fd9.meeting.ietf.org ([31.133.159.217]) by :SMTPAUTH: with ESMTPA id XESRigM9tPKeXXESTiPNnr; Tue, 19 Nov 2019 18:07:02 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_50F4386F-32D1-49A7-9DFE-7CE59C43E490"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 20 Nov 2019 09:06:58 +0800
In-Reply-To: <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com>
Cc: rats@ietf.org
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfIYPPFc1UDkPU6qteQqefW0JLj6r7f5w5ZwMkdgvg08MXCrGTmEm12lmbEQDJDIXdsHyCq6HSj7Gq+zwYylYKpBww7QEs8rIFIEZlnJtl7d+GECvD1wy WsBDZPj6/kMtOl1eczZyvLywFDFt41a1+caHKX8uOlvypF1WcrpB6AtzgRhqOYQlNL5mZr3BILE1MM0a1wQJJiI6kbAQ93WFYsBuOj2g26+uWpQTyElsAMwM
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/E1UEoIIEXcQySmtV4Q6ZdYZTCz0>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 01:07:06 -0000

Hi Kathleen,

Not sure I’m following your thought completely. 

From what I know of Authenticated Boot, the code signing formats are usually proprietary and idiosyncratic. The first stages of it are likely in true ROM (chip metal layer) and can be very architecture and system specific and would not use CoSWID or EAT. 

My comments below are about getting a system booted up to state where it known to behave as desired.

Once it is up then signed CoSWIDs in EATs would come into play. They can be trusted because the attester and system SW known to have booted up correctly. Knowing who signed some SW listed in a CoSWID is only of value if you know the system SW did signature checking when it loaded the SW it listed. For example, everyone knows how Android app signing works, so listing the signer of an Android app is good useful information.

Hope that makes sense in relation to your comment.

LL


> On Nov 19, 2019, at 10:35 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Hi Laurence,
> 
> Where does the code signing example fit in that you gave as it's not really an attestation, but could be useful in the format of an EAT/CWT?   This questions considers the CoSWID discussion as well as another example you had in your slides later (which was really the same) on just validating the code was signed by the expected private key?  Should that be called an attestation or just using the format for signing?  You might add claims in above what's in the CoSWID and use the nesting of EAT/subdomains as well as perform remote verification.
> 
> Thanks,
> Kathleen
> 
> On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
> Fundamentally, I think there are two ways that an attestation verifier comes to know that a device / entity is running approved SW and will behave as desired.
> 
> TPM based
> Originates in the PC world where the end user had to be able to choose the system SW
> Has a TPM that performs a general measuring function
> Has an attestation signing key for signing measurements that is kept secret by the TPM
> TPM is generic as it can be used for PC’s, routers, IoT devices
> Authenticated boot is optional
> Uses a staged boot architecture where each stage must measure (hash) the following stage
> Hashes fed into the TPM
> TPM generates the attestation of the registers holding the hashes
> Device cost raised by cost of TPM part
> The verifier must run a parallel set of measurements (hashes)
> Verifier is complex
> 
> Authenticated Boot based
> Origins in mobile phone, TEE and DRM world where the user can NOT choose the system SW
> Authenticated boot is required
> Uses a boot ROM that really is a ROM, probably in silicon (not flash), that can NOT be changed
> Boot ROM verifies the SW that is loaded, particular the top privilege (e.g. kernel) SW
> A good implementation has anti-rollback to prevent old versions of SW from being run
> Has an attestation signing key that is programmed in fuses or possibly in flash
> Has a HW block that prevents access to the attestation key unless authenticated boot succeeds
> Only top privilege SW can use it
> Attestations are created in the top-privilege SW
> Simply signing a nonce proves the device is running approved SW
> Easy to add other claims in —> EAT
> Device cost raised by need for secure key provisioning in the factory
> Verifier is very simple
> Just needs to verify the signature and nonce
> 
> Both provide acceptable security for their use cases and are broadly in use.
> 
> RATS needs to support both.
> 
> LL
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://www.ietf.org/mailman/listinfo/rats>
> 
> 
> -- 
> 
> Best regards,
> Kathleen
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email