[Rats] 3 Use cases

"Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com> Mon, 15 July 2019 08:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/lkiDl_aXwlbKp-VbFuW4LenxYeA>
List-Id: Remote Attestation Procedures <rats.ietf.org>

Supply Chain Attestation

A device is shipped from an OEM via some delivery mechanism and is received by a customer. The customer requires assurance that the device has not been tampered with. This differs from the usual attestation scenarios between a device/element and attestation server/verifier in that this requires knowledge of the partial or full configuration of the device being shipped and configured before introduction into the customer's environment.

This use case then requires interaction between two attestation points to ensure that the integrity of the device has not changed with regard to a) the device, b) the original [possibly partial] configuration, c) the device manufacturer's measurements and d) the receiver's (customer's) measurements.


Dynamic Systems

All current integrity mechanisms assume a certain degree of fixed properties, e.g. TPM's CRTM/SRTM, and known configurations. A case exists where a set of, say, IoT devices, each with integrity measurements, are attested by some Edge node. The Edge node may combine the IoT device measurements into a single measurement (e.g. a Merkle tree). If the configuration of the IoT devices changes, particularly in relation to availability of devices, then this combined measurement will change. This changed measurement, however, may be a valid configuration.

For example, in a medical case, the set of measurement devices may be rapidly changing due to necessity of network provisioning, device availability etc., but the permutations of devices may still be valid.


Data Attestation

A piece of data received from a trusted element may itself contain information about the configuration of that device when that data was received. This might be a single measurement or a combination of measurements over time bounded by a session or transaction.

In this use case we continue the chain-of-trust up from the device firmware/operating environment to the data. This enables that, once a data packet is received, its integrity can be checked (cf. JWT) and this information can also be traced to the device that produced that data. The data and device can then be attested together.


--

Dr. Ian Oliver

Cybersecurity Research

Distinguished Member of Technical Staff

Nokia Bell Labs

+358 50 483 6237
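
An added example, not part of the original message: a sketch of the "Dynamic Systems" case in which an Edge node reports a Merkle root over whichever devices are present and a verifier appraises the listed devices against per-device reference values and a membership policy instead of a single fixed root. The device names, the leaf encoding, the policy fields and the function names are assumptions made for illustration; the check that the root arrived in evidence signed by the Edge node is assumed to happen elsewhere.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(device_id: str, measurement: bytes) -> bytes:
    # 0x00 tags a leaf; the length prefix keeps id and measurement unambiguous.
    ident = device_id.encode()
    return h(b"\x00" + len(ident).to_bytes(2, "big") + ident + measurement)

def combined_measurement(evidence: dict) -> bytes:
    """Merkle root over the devices currently present, ordered by device id."""
    level = [leaf(d, evidence[d]) for d in sorted(evidence)]
    if not level:
        return h(b"")
    while len(level) > 1:
        # 0x01 tags an interior node; an odd node is promoted, not duplicated.
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

def appraise(evidence, reported_root, reference, required, min_devices):
    """Return (ok, reason) for one reported device set (hypothetical policy)."""
    if combined_measurement(evidence) != reported_root:
        return False, "reported root does not match the listed devices"
    for dev, meas in evidence.items():
        if reference.get(dev) != meas:
            return False, f"{dev}: unknown device or unexpected measurement"
    missing = required - set(evidence)
    if missing:
        return False, f"required device(s) absent: {sorted(missing)}"
    if len(evidence) < min_devices:
        return False, "too few devices present"
    return True, "valid configuration"

# Constructed sample data: reference measurements for four devices.
REFERENCE = {d: h(f"fw-{d}".encode())
             for d in ("gateway", "ecg-2", "pump-1", "spo2-3")}
POLICY = dict(reference=REFERENCE, required={"gateway"}, min_devices=2)

if __name__ == "__main__":
    full = dict(REFERENCE)
    fewer = {d: m for d, m in REFERENCE.items() if d != "spo2-3"}  # one offline
    for ev in (full, fewer):
        root = combined_measurement(ev)
        print(root.hex()[:16], appraise(ev, root, **POLICY))
```

The two printed roots differ although both device sets pass appraisal, which is why the verifier needs the leaf set alongside the root and cannot compare against one golden value.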