IETF Logo Mail Archive

Re: [Rats] Android comments on EAT draft

Jeremy O'Donoghue <jodonogh@qti.qualcomm.com> Fri, 17 May 2019 07:53 UTC

Return-Path: <jodonogh@qti.qualcomm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51BCE1201A3 for <rats@ietfa.amsl.com>; Fri, 17 May 2019 00:53:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RuFAut1ibDb for <rats@ietfa.amsl.com>; Fri, 17 May 2019 00:53:25 -0700 (PDT)
Received: from alexa-out-ams-02.qualcomm.com (alexa-out-ams-02.qualcomm.com [185.23.61.163]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83659120157 for <rats@ietf.org>; Fri, 17 May 2019 00:53:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1558079604; x=1589615604; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=aZe66/+yCTSJCG9K43iBIxJbfh1yYJiqOabyPnj0tFg=; b=bkcphyLQy3q7Z04PwxT2CPb4tF5SIfiiHrPwbFpNCW/xYlny/jXGM8tQ CsF5ihJNYv2IQ723FlhVlRaallqVWNiDgQv8ORzFxKL4/MVCEwO12phII vzy4bI54vi5tzuHupZ/YbvLxFarIJeaWgoGF5zbKZLXZo8XF/gVEdkANE E=;
Received: from ironmsg02-ams.qualcomm.com ([10.251.56.3]) by alexa-out-ams-02.qualcomm.com with ESMTP; 17 May 2019 09:53:20 +0200
X-IronPort-AV: E=McAfee;i="5900,7806,9259"; a="8144457"
Received: from euamsexm01b.eu.qualcomm.com ([10.251.127.41]) by ironmsg02-ams.qualcomm.com with ESMTP/TLS/AES256-SHA; 17 May 2019 09:53:20 +0200
Received: from euamsexm01a.eu.qualcomm.com (10.251.127.40) by euamsexm01b.eu.qualcomm.com (10.251.127.41) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 17 May 2019 09:53:17 +0200
Received: from euamsexm01a.eu.qualcomm.com ([10.251.127.40]) by euamsexm01a.eu.qualcomm.com ([10.251.127.40]) with mapi id 15.00.1395.000; Fri, 17 May 2019 09:53:17 +0200
From: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>
To: Shawn Willden <swillden=40google.com@dmarc.ietf.org>
CC: Simon Frost <Simon.Frost@arm.com>, "rats@ietf.org" <rats@ietf.org>, Laurence Lundblade <lgl@island-resort.com>
Thread-Topic: [Rats] Android comments on EAT draft
Thread-Index: AQHVC4B9pNHWJdcAQkKTElalgfWFNqZs5PyAgACT9wCAAKZ4gIAAAOWAgACyVIA=
Date: Fri, 17 May 2019 07:53:17 +0000
Message-ID: <E5AEF90D-D0A4-4F64-AA60-090167A31725@qti.qualcomm.com>
References: <CAFyqnhVJ-ps4bdhsyQDOHdzHVZsXeK7_kCDXxUVUcuyDzWS3uA@mail.gmail.com> <35459D73-3D08-4E0B-814B-780AD60DD600@island-resort.com> <HE1PR0801MB1643AA2E129098E2C65F9163EF0A0@HE1PR0801MB1643.eurprd08.prod.outlook.com> <CAFyqnhX9f5s21roZvz_VcfR+sd3E89SYmunZKX-2JMC4Rqy_cw@mail.gmail.com> <CAFyqnhXzoo9+2pu1qboPSiHr7YTzfRjOcJj3oEpOX_uFWbRyKA@mail.gmail.com>
In-Reply-To: <CAFyqnhXzoo9+2pu1qboPSiHr7YTzfRjOcJj3oEpOX_uFWbRyKA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.11)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.251.52.12]
Content-Type: multipart/alternative; boundary="_000_E5AEF90DD0A44F64AA60090167A31725qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/V_y3zQTHRn4wA6qqOdA5biIU3z8>
Subject: Re: [Rats] Android comments on EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2019 07:53:29 -0000

This specific point is one for which GlobalPlatform has a solution in our TEE/SE related claim definitions. It is possible that this solution may be more general, although it had not previously occurred to me that this could be the case.

The problem with having a device self-attest security is that some certifications change e.g. due to discovered vulnerabilities / have variable duration etc. For low-end devices (and, frankly even for high-end) managing revocations is tricky, so GlobalPlatform created the Digital Letter of Approval. This is simpler than it sounds.

It starts from the perspective that while the manufacturer is necessarily trusted in respect of keys injected during manufacturing, it is not really the most trustworthy entity when it comes to security certification. It this makes sense to separate verification of claims about a device (or key, or whatever) and claims about certification. It further assumes that certification status may change over time in ways that could be difficult for devices with low-bandwidth connectivity to track.

The Digital Letter of Approval is a published specification, available for free (of charge) download behind a click-through license at https://globalplatform.org/specs-library/?filter-committee=tps. I am aware that some RATS participants may be unable/unwilling to access this document, so I paste the outline DLOA format information below:


The Digital Letter of Approval (DLOA) is an XML file containing the minimum fields required to:

  *   • Identify the platform – the combination of the application and the platform – this DLOA corresponds to

  *   • Identify the Authority that issued the corresponding Letter of Approval

  *   • Provide the expiration date of the corresponding Letter of Approval

  *   • Identify the Letter of Approval from which this DLOA has been generated (i.e. include the identifier of the Letter of Approval issued by the Authority)

  *   • Ensure authenticity and integrity of the DLOA thanks to a digital signature computed by the Authority

  *   • Provide additional information such as the date of issuance of the corresponding Letter of Approval or

a URL where the original Letter of Approval can be retrieved

The work to incorporate this in an EAT is ongoing, and will be shared at Public Review time, but basically you need two claims: one is a platform identifier and the second is the URL of a web service where certification details can be retrieved.

The web service is generally operated by a Certification Body (GlobalPlatform in the case of GlobalPlatform compliance secretariat) and allows retrieval of complete certification information which is valid at the time of retrieval.

If an approach based on an external registrar service is of more general interest, I can arrange a more detailed explanation.

Best regards
Jeremy

On 16 May 2019, at 22:15, Shawn Willden <swillden=40google.com@dmarc.ietf.org<mailto:swillden=40google.com@dmarc.ietf.org>> wrote:


CAUTION: This email originated from outside of the organization.

Oh, I should also mention that in R I think we're going to add a claim to present security certifications, for example Common Criteria Secure IC Profile PP84, probably in multiple assurance levels (though PP84 is EAL4 plus AVA_VAN.5), and perhaps some others.

From: Shawn Willden <swillden@google.com<mailto:swillden@google.com>>
Date: Thu, May 16, 2019 at 3:11 PM
To: Simon Frost
Cc: Laurence Lundblade, rats@ietf.org<mailto:rats@ietf.org>

From: Simon Frost <Simon.Frost@arm.com<mailto:Simon.Frost@arm.com>>
As an example, have a look at the draft ‘profile’ we put together for an Arm PSA attestation (https://www.ietf.org/id/draft-tschofenig-rats-psa-token-01.txt) and let us know where that does or doesn’t cover your software needs.

I'll do that.

I would be very interested in reading your set of claims necessary to describe a key as that use case has also been expressed for our usage.

Sure, here's a list of everything currently included in Android key attestations (excluding device info items and some elements that are redundant, also specified in the enclosing X.509 certificate):


  *   Purpose:  one or more of SIGN, ENCRYPT and WRAP_KEY.
  *   Digest: one or more of MD5, SHA1, SHA-256, SHA-324, SHA-512; which digest(s) can be used for message digesting (MD5 and SHA1 are only for legacy compatibility).
  *   Padding:  (RSA only) one or more of RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP, RSA_PKCS1_1_5_SIGN and RSA_PSS
  *   Rollback resistance: Boolean, if true, indicates that when the key is deleted it is guaranteed never to be usable again
  *   No auth required:  Indicates key can be used without user authentication.  If this is present, user auth type and auth timeout must not be present.
  *   User auth type:  Indicates type of required user authentication (password/biometric)
  *   Auth timeout: Indicates time in seconds during which key can be used after user authentication (absence indicates key requires authentication for each key usage).
  *   Allow while on body: Applicable only to wearables, and only for keys that require authentication with a timeout.  Indicates that the key immediately becomes unusable when the device is removed from the body, even if timeout has not yet expired.
  *   Origin:  Where the key originated, one of GENERATED (in device; exists nowhere else), DERIVED (in device, but also derivable by some off-device entity), IMPORTED (imported in plaintext), SECURELY_IMPORTED (imported in encrypted form), UNKNOWN
  *   Application ID:  Which Android app created the key
A note about purpose, digest, padding: the idea is that AndroidKeyStore only allows keys to be used in the mode(s) that were declared when the key was created.  Any attempt to use the keys in any other way (e.g. sign with a n RSA key that has only the ENCRYPT purpose) will be rejected by the TEE/SE.

I think Android R will add support for ECDH, so that will add some associated claims, and we may also add an option for secure export of key material, assuming the key was configured to allow it at creation/import time.  That will add some associated claims as well, including the public key(s) to which exports may be encrypted.

--
Shawn Willden | Staff Software Engineer | swillden@google.com<mailto:swillden@google.com> | 720-924-6645


--
Shawn Willden | Staff Software Engineer | swillden@google.com<mailto:swillden@google.com> | 720-924-6645
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email