Re: [Rats] Out-of-band key material set up in architecture document

Dave Thaler <dthaler@microsoft.com> Tue, 05 November 2019 23:41 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E7E120112 for <rats@ietfa.amsl.com>; Tue, 5 Nov 2019 15:41:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTnr28v9b96F for <rats@ietfa.amsl.com>; Tue, 5 Nov 2019 15:41:01 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-eopbgr820129.outbound.protection.outlook.com [40.107.82.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E798D120072 for <rats@ietf.org>; Tue, 5 Nov 2019 15:40:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jm7d5XNyosmSqC4LKJkZQ4Q0zRlYF5caI4tbVKcU4AcTC5DvCO8dEhnNs1/dPlKtiM8SQ6nMyhWmWQKKnDtxlGCuVaNB1tZiwwVxYo2ILGEWB775ldgPdJydN3e1Z198+BRJHIJbeduLily56FnZrtOeRrFOarJUpek9/HFb80ZfVn6oXhw5i3PiUC2P+q1yLtAlOrhTYQJ+gZyJOF/p5F7x1siE3zkH396Pkk1pu/GB0AmRQADkb7I49IwuitCInyNFQJHExNwloMvrBZJ8CnFTs+m5cejSo4bIIQ7ekItaqjRfp8/zdeCJjf02fHgFrUhRTic/lSOcBFEpgrVBaQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JIsWEMIGTsFuDQEyrf8bsj4iy1aMaCnB0fHDgQZ6sb4=; b=jVZQKQj4cnQSdbx9MRiI8dEp+gdOBlnIZ4NMDI+9wXb2OhS1BAxqryD4mh7DwON9oTCtea7bdo4EsjvfvenWVnpLMFRtdW44nGsZtsYJAhDL2C/5XMIuzAsVzFXRtd3SVWFe1u0AN4BbJ22kvRtXCcCMoAtcdWC3qeSPTf2UjRc3jpeotuOJu+ymZ4/EFicU5ecxFBucsycgKqQdH+AEbEgS2VQEVS/pdnPyZ9VF+TbKSVT0w4XGdowZYPbGtNpl18g9+XNbEXblZCszJK4eg/9gFVV/25Ye0ZzTTNQlRLzeq2yoxyLCgXc5/zhp8IDJM41DikrVjeUqdcNrBIA3/A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JIsWEMIGTsFuDQEyrf8bsj4iy1aMaCnB0fHDgQZ6sb4=; b=S+OpHgJCGim99KxYWiRkg4HK7q0a1qAAUa5mSYt5bcGNtyORLUuuDBipvpJWBTmymLvOEqw2XTF2J8LVAMfYqFD4w0sEL/Exo2orDE9B9PYtjUZwqvTEemR3TPRPMi/DGZPuPjvIVUNg0+jUARVyhTpTTp10cJSLIwz/34gpgzg=
Received: from MWHPR21MB0784.namprd21.prod.outlook.com (10.173.51.150) by MWHPR21MB0701.namprd21.prod.outlook.com (10.175.142.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.7; Tue, 5 Nov 2019 23:40:58 +0000
Received: from MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439]) by MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439%11]) with mapi id 15.20.2430.017; Tue, 5 Nov 2019 23:40:58 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Out-of-band key material set up in architecture document
Thread-Index: AQHVlBYMBOQaoAnhtEytoHyJqQWVrad9Nxtg
Date: Tue, 5 Nov 2019 23:40:58 +0000
Message-ID: <MWHPR21MB0784D3762243B2D09E0E6DC8A37E0@MWHPR21MB0784.namprd21.prod.outlook.com>
References: <9B93F41C-3707-4822-B3F5-5F9978872786@island-resort.com>
In-Reply-To: <9B93F41C-3707-4822-B3F5-5F9978872786@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-05T23:40:54.3516743Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=d26190c7-09c3-4aa3-8a84-91bc793e9e65; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8:a:64e2:1981:30de:6ca2]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 3a2f71d9-d6be-432f-1996-08d762499be6
x-ms-traffictypediagnostic: MWHPR21MB0701:
x-microsoft-antispam-prvs: <MWHPR21MB070146CFFA5B8E88CD423B33A37E0@MWHPR21MB0701.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0212BDE3BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(366004)(346002)(39860400002)(396003)(376002)(15404003)(199004)(189003)(11346002)(486006)(256004)(14444005)(316002)(9686003)(54896002)(5660300002)(6246003)(33656002)(790700001)(476003)(86362001)(8936002)(81166006)(8676002)(446003)(81156014)(46003)(186003)(4326008)(6116002)(74316002)(64756008)(66946007)(10090500001)(7736002)(66476007)(478600001)(66446008)(66556008)(6306002)(76116006)(6436002)(6506007)(53546011)(99286004)(7696005)(14454004)(2906002)(8990500004)(76176011)(229853002)(6916009)(25786009)(55016002)(22452003)(52536014)(71190400001)(71200400001)(102836004)(10290500003); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0701; H:MWHPR21MB0784.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rz/TKGDRPUsOyJBYrLD8Mgng1bI1AdLbvUZS3JpDdaOIwnesyrz1pV40dEEhkRRH7TW2rxXjEZT8EYoqj8WEf2VtdvugPV9B7A/OpDLqbEcnO8d864nuDlTXjw4bDiQANR63RwmXwtVYkSMPjK+Obk9IDXb5JexjTecSb9nPGbscugBOTJnJzq0Sn0bMXoV6GINczgg+O9pt11p6xsuLOuFvutMzE3+ct4amupm3oKWiM2O/EhlBYe8ARBIVs3T2Y7bCc7N7Zua5uDinNYQp1gI3Q6jlD13fmvpHogfrwEMcuE1CNKDoQ9js/J/Fkg/mAG5FIKupt0F2jn/bqMdblMuQSpyT9QF2XmcZmX2Y+aL0JYlb2R6LoftPvJLa7LSTigCj+JEpd9+xu3gjCn8hGVPSmEwQUqzRpUMKfxngiwMujxU5zCV10xgDvkVcEGBE
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR21MB0784D3762243B2D09E0E6DC8A37E0MWHPR21MB0784namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a2f71d9-d6be-432f-1996-08d762499be6
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2019 23:40:58.3487 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: O3bITGuIxuGHYbwz3GSC5hTBBjo6bXa5AzQJp3DGVJT8VcXkFfTEY7kBacK+D+YlcugxXaVEyQzgHw9qRJgR6DVVGZz+bogF8Y9aXej4Hb4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0701
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/LuA5RbPRt9eSBk90XMWoBm1Id_w>
Subject: Re: [Rats] Out-of-band key material set up in architecture document
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 23:41:05 -0000

Inline below…

From: RATS <rats-bounces@ietf.org> On Behalf Of Laurence Lundblade
Sent: Tuesday, November 5, 2019 12:17 PM
To: rats@ietf.org
Subject: [Rats] Out-of-band key material set up in architecture document

An issue I have with both the current architecture documents is that they do not discuss the need for some out of band key material set up to make verification work.

The manufacturer of the device must put some private key into each device so that the device can sign attestation evidence. Most likely the manufacturer also creates the verifying key material, but they may or may not be the verifier.  If they are not the verifier, somehow the verifier of attestation evidence must have corresponding key material to verify the signature.

This paragraph could be a start of the text. I think this is a critical part of the architecture because attestation doesn’t work without it.

I agree that a private key is needed in each device for attestation to work (at least using any techniques
I’m aware of). Saying “the manufacturer must put it there”, is however I think too narrow, as it implies the
manufacturer actually knows the key. In some arguably more secure designs, the device itself creates the
key pair and the manufacturer per se never knows the private key, only the public key, so it would be
confusing to say the manufacturer “put” it there, or that the “manufacturer creates” the key material.

As you say below, we want the arch doc to stay at a high level and not over-specify details like whether the
manufacturer creates a key and installs it on a device, vs the device creating a key pair and the manufacturer
extracting the public (but not private) key from the device.   In my view, those are both fine to mention as
helpful examples, but not to constrain it to one case or the other.

Furthermore, the RATS charter does not constrain attestation to only *hardware* based roots of trust.
There are some cases where it may be in a hypervisor or bios or firmware or whatever, and only attest
things above that, with obviously a weaker level of security than hardware-rooted attestation.   But any
protocol mechanisms should still work (mainly because it’s almost impossible to rule them out except via
a security policy that says which keys to trust), even if it’s not the primary focus we care most about.  The
point here being that in such a case it may not be the “manufacturer”, but may be another entity.  That’s
actually true in some cases even for hardware-based roots of trust.

As for your comment “somehow the verifier of attestation evidence must have corresponding key material
to verify the signature”, that’s true.  My text has a section on Trust Model that covers this at a high level,
without explaining the key material (and I get your point that it should), saying:


Ø  The Verifier trusts (or more specifically, the Verifier's security

Ø  policy is written in a way that configures the Verifier to trust) a

Ø  manufacturer, or the manufacturer's hardware, so as to be able to

Ø  evaluate the health of that manufacturer's devices.  In solutions

Ø  with weaker security, a Verifier might be configured to implicitly

Ø  trust firmware or even software (e.g., a hypervisor).

In order to trust something in a protocol sense, we require the ability to cryptographically verify
that trust using key material.   I agree with your point that that should be stated explicitly.

Thanks for raising this,
Dave

I do NOT want to specify any details for how this happens in the architecture doc. It needs to stay at a high level. It stays at a high level in other places. For example it discusses claims, but doesn’t defined individual claims.

I think there’s a large parallel with HTTPS. HTTPS wouldn’t work without some out-of-band distribution of certs/keys for verification.

Just like with HTTPS, there are a lot of different business models, protocols and end-end systems that this out-of-band set can be done. Here’s a few that are real today and publicly described:

- Intel EPID (no X.509, the ECDAA algorithm, a service run exclusively by Intel for Intel chips for fee)
- Android Attestation (buckets of keys distributed to phone makers, X.509, a verification service run exclusively by Google)
- FIDO Metadata service (a 3rd party doing X.509 certificate distribution for many FIDO vendors)

I also know of some that are not publicly described that do not use X.509, some even using symmetric key material.

I think business models will drive architecture in some cases. I also think the cost of putting keys into chips and devices is a another driver. A third driver is big IoT back-end service providers like Amazon and Google.

I mention all these only illustrate the variety and thus the futility of trying to come up with one standard way.

However, I think to help the world get their heads around how attestation works; leaving this out of the architecture would be leaving a critical part out.

LL