Re: [Rats] FIDO TPM attestation

"Fuchs, Andreas" <andreas.fuchs@sit.fraunhofer.de> Thu, 14 November 2019 16:18 UTC

From: "Fuchs, Andreas" <andreas.fuchs@sit.fraunhofer.de>
To: Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Thu, 14 Nov 2019 16:17:56 +0000
Message-ID: <9F48E1A823B03B4790B7E6E69430724D0163BD5B5C@EXCH2010B.sit.fraunhofer.de>
References: <62DD1AD3-6F1A-4B2B-8236-10ECCE254443@island-resort.com> <9F48E1A823B03B4790B7E6E69430724D0163BD29CD@EXCH2010B.sit.fraunhofer.de>, <CEB0F75D-E703-41B9-8EEE-C95E848FBC8C@island-resort.com>
In-Reply-To: <CEB0F75D-E703-41B9-8EEE-C95E848FBC8C@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/HUeBXKCteHNJ1JoX__r806iRw-A>
Subject: Re: [Rats] FIDO TPM attestation
List-Id: Remote Attestation Procedures <rats.ietf.org>

We were talking about FIDO as one of many applications running in a TEE.
They rely on correctness of other TEE-apps and/or the TEE kernel
(or should I rather say TEE operating system). Thus a Turing-complete solution
(maybe even with loadable apps) and OS cannot be as secure as a special-purpose
functional logic security provider.

Also, by design an on-chip TEE offering cannot be as secure as a physically
separated chip that incorporates smartcard technologies. You also highlight
this by providing YubiKey as example which is both: a separate SC-like chip
and fixed functional logic (similar to TPMs).

To conclude: fixed functional logic and separate chips have higher assurance
levels than Turing-complete (loadable) areas of the main CPU.

And to your original point: TPMs are the preferred solution for attestation
in contrast to a TEE-based approach, just as YubiKeys et al are preferred
for FIDO in contrast to a TEE-based approach.

________________________________
From: Laurence Lundblade [lgl@island-resort.com]
Sent: Thursday, November 14, 2019 16:51
To: Fuchs, Andreas
Cc: rats@ietf.org
Subject: Re: [Rats] FIDO TPM attestation


On Nov 14, 2019, at 1:46 AM, Fuchs, Andreas <andreas.fuchs@sit.fraunhofer.de> wrote:

> The FIDO code running inside a TEE is not standardized (to the level of TPM) and most certainly not CC-evaluated.

That’s not true.

The FIDO L3 and L3+ Certification program <https://fidoalliance.org/certification/authenticator-certification-levels/authenticator-level-3/> is CC (Common Criteria) based (AVA_VAN.3 and AVA_VAN.4).

Many FIDO authenticators run on secure elements, which provide roughly equivalent security to a TPM; however, since the full authenticator protocol runs on the Turing-complete secure element, the full FIDO protocol is secured, not just the key storage. Here's one: <https://www.yubico.com/products/yubikey-hardware/yubikey%20neo/>.

Global Platform offers a CC-based certification program for TEEs <https://www.commoncriteriaportal.org/files/ppfiles/anssi-profil_PP-2014_01.pdf>. FIDO is working on a certification program that will make use of that.

BSI has published a CC-based protection profile for FIDO <https://www.commoncriteriaportal.org/files/ppfiles/pp0096a_pdf.pdf>.

Android Keystore now supports StrongBox <https://proandroiddev.com/android-keystore-what-is-the-difference-between-strongbox-and-hardware-backed-keys-4c276ea78fd0>, which puts the keys in a secure element.

Qualcomm's Snapdragon mobile phone chip has a secure-element-like subsystem <https://www.qualcomm.com/news/releases/2019/06/25/qualcomm-snapdragon-855-becomes-first-mobile-soc-receive-smart-card> (not the TEE) that is CC-certified.

TEE and TEE-like offerings are stronger than they used to be, particularly by supporting memory encryption.

Turing-complete security products come in a range of security levels all the way up to the security level offered by a TPM. EAT implementations can be just as secure and certified as TPM attestation.

LL