IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 20 November 2019 02:00 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7443612012C for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 18:00:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GnszLwEBBUXM for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 18:00:11 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23D2012002F for <rats@ietf.org>; Tue, 19 Nov 2019 18:00:11 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id c14so12831511oth.2 for <rats@ietf.org>; Tue, 19 Nov 2019 18:00:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=emAfh9t8E0UlQNsW9M5mj+R1g53tYV6muMvR4T2SULc=; b=baCWmoobqMFe6UnBGrnSbaM89taPsUXJzP9YUSJE9p13NotkjFy87Q7SDnSyP0UgDv xyjrDSUqVosBxL5X3bwWFPHXY2TrnaC5PBsCMuE4x7EI9QKwdn4J1cddexMbOBO9jE/D I+dhvTCBaXIfGs962jJsBED7Gui9aa79ObZplSQMO6cMCESZI0Ff8u8LSXnpWAFxhGN7 UD0owfImJT1LCCpu/tjNpUp8PLT58Jrj9gAqkeCjFIEJO0p6Y+zkmxYs8e6W834mX5T5 NtoyI2ZJ/ZAQmjAmtqJif50ASL6c0T//ZbVd3BUEJ4JXFN+TAdW/qnXJkxQKTXkJWXeR AZDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=emAfh9t8E0UlQNsW9M5mj+R1g53tYV6muMvR4T2SULc=; b=qYcSCM5CPzQJ3JRvoFIHcBt4KhFNiSbnoiYWZeoFALGAH7oiJPqk4VJ5dmXw5debdQ aZSVhe5GmgJKDWufPpFynhY/0Sj2ZJq5TEYcCik9VIXBxX25xcD7S7O1NJTPgtqz7nrX 5RiNZyhdf4wkHNp/AkuNWDUXcLatFO82KRwSIe74Q/o/OnwTdL1TX+1twXbMeu6IPFF6 cRbrzQ9VgDupgJfrSBvU2GjrQF11pxF21PuZY+r1K/JhgEGEFMam71AOWUg5I263JgGl oj3gSd2Wbt04WMoV4HDgQYXMy11YDfENys7qAWtrM3Rga6DSlzZM9V7IpPydTdDQHBCx rgoA==
X-Gm-Message-State: APjAAAVrepZBRhxKgefxeKhQjvWWYLCaxQreUsTBLgywg6gtAcmkcqr7 T91L7eIiGgyA3fv3t3KK5Voji0/w/7+BYrjqvhs=
X-Google-Smtp-Source: APXvYqwYS7cKUALTMWeg5/FhPwGoxeDDWN47p9vOOwbGwvQ7Cdcaa++uxkI/TCtSPhLJVqdRICpT0FitQldQRiKsGtU=
X-Received: by 2002:a9d:17ca:: with SMTP id j68mr48637otj.250.1574215210473; Tue, 19 Nov 2019 18:00:10 -0800 (PST)
MIME-Version: 1.0
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com>
In-Reply-To: <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 19 Nov 2019 20:59:33 -0500
Message-ID: <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006b9e260597bd8a8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/UesAj5A82ROqeU_L-juJxoKqDYQ>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 02:00:13 -0000

Hi Laurence,

I read your message as there only being 2 types of attestation as opposed
to what you stated in your follow on email, which better maps to the
restricted set in your first message.

Thanks,
Kathleen

On Tue, Nov 19, 2019 at 8:07 PM Laurence Lundblade <lgl@island-resort.com>
wrote:

> Hi Kathleen,
>
> Not sure I’m following your thought completely.
>
> From what I know of Authenticated Boot, the code signing formats are
> usually proprietary and idiosyncratic. The first stages of it are likely in
> true ROM (chip metal layer) and can be very architecture and system
> specific and would not use CoSWID or EAT.
>
> My comments below are about getting a system booted up to state where it
> known to behave as desired.
>
> Once it is up then signed CoSWIDs in EATs would come into play. They can
> be trusted because the attester and system SW known to have booted up
> correctly. Knowing who signed some SW listed in a CoSWID is only of value
> if you know the system SW did signature checking when it loaded the SW it
> listed. For example, everyone knows how Android app signing works, so
> listing the signer of an Android app is good useful information.
>
> Hope that makes sense in relation to your comment.
>
> LL
>
>
> On Nov 19, 2019, at 10:35 PM, Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
> Hi Laurence,
>
> Where does the code signing example fit in that you gave as it's not
> really an attestation, but could be useful in the format of an EAT/CWT?
>  This questions considers the CoSWID discussion as well as another example
> you had in your slides later (which was really the same) on just validating
> the code was signed by the expected private key?  Should that be called an
> attestation or just using the format for signing?  You might add claims
> in above what's in the CoSWID and use the nesting of EAT/subdomains as well
> as perform remote verification.
>
> Thanks,
> Kathleen
>
> On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com>
> wrote:
>
>> Fundamentally, I think there are two ways that an attestation verifier
>> comes to know that a device / entity is running approved SW and will behave
>> as desired.
>>
>> *TPM based*
>>
>>    - Originates in the PC world where the end user had to be able to
>>    choose the system SW
>>    - Has a TPM that performs a general measuring function
>>       - Has an attestation signing key for signing measurements that is
>>       kept secret by the TPM
>>       - TPM is generic as it can be used for PC’s, routers, IoT devices
>>    - Authenticated boot is optional
>>    - Uses a staged boot architecture where each stage must measure
>>    (hash) the following stage
>>       - Hashes fed into the TPM
>>       - TPM generates the attestation of the registers holding the hashes
>>    - Device cost raised by cost of TPM part
>>    - The verifier must run a parallel set of measurements (hashes)
>>       - Verifier is complex
>>
>>
>> *Authenticated Boot based*
>>
>>    - Origins in mobile phone, TEE and DRM world where the user can NOT
>>    choose the system SW
>>    - Authenticated boot is required
>>       - Uses a boot ROM that really is a ROM, probably in silicon (not
>>       flash), that can NOT be changed
>>       - Boot ROM verifies the SW that is loaded, particular the top
>>       privilege (e.g. kernel) SW
>>       - A good implementation has anti-rollback to prevent old versions
>>       of SW from being run
>>    - Has an attestation signing key that is programmed in fuses or
>>    possibly in flash
>>       - Has a HW block that prevents access to the attestation key
>>       unless authenticated boot succeeds
>>       - Only top privilege SW can use it
>>    - Attestations are created in the top-privilege SW
>>       - Simply signing a nonce proves the device is running approved SW
>>       - Easy to add other claims in —> EAT
>>    - Device cost raised by need for secure key provisioning in the
>>    factory
>>    - Verifier is very simple
>>       - Just needs to verify the signature and nonce
>>
>>
>> Both provide acceptable security for their use cases and are broadly in
>> use.
>>
>> RATS needs to support both.
>>
>> LL
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
>>
>
>
> --
>
> Best regards,
> Kathleen
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>
>
>

-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email