IETF Logo Mail Archive

[Rats] TUDA. Re: Two types of secure attestation

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 21 November 2019 05:03 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F094712096E for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 21:03:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GzExUAEDQXRt for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 21:03:00 -0800 (PST)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9E92120959 for <rats@ietf.org>; Wed, 20 Nov 2019 21:02:59 -0800 (PST)
Received: by mail-wm1-x332.google.com with SMTP id y5so2168055wmi.5 for <rats@ietf.org>; Wed, 20 Nov 2019 21:02:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=EbFN6fNsjymrqR7YHOGEBkDM+hV7CHLLpXBxaN2aKks=; b=c0VJgTPe9fq82nMQIQkOewAkE5L+S5Pp3hpN1vXwjf1ZwRan6x+meTKnB4KlvshYy1 2p2zL3Jua/yBmTHUVd4l3Js7SkuO/esKJiDED9IbM6Ut2R0FwDCAT9HpV+cuUmMz5tL/ +94/PKNrwzPnjG/gL2McX6iDBSEOcDtI6J1YANsioCNDfMGVNHU2eTih35NdbPw8uo+l 87z6jyZKmj+7MB/PMyKK0sQY5FQzABySJfjLdEvByczAOUb+K5M3Az83Z+JhTbayXPWb Bd/1p/c7cMoOgP9BnDmuIiwPe4nvLiNobopCQns672vSzKM0HKpW0vh9ZzbSZv/OeVl7 dfYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=EbFN6fNsjymrqR7YHOGEBkDM+hV7CHLLpXBxaN2aKks=; b=oPETAVjThwCcxfc2sljlX6IRShagL2boLf7b5kQjJl1uREQ7ATvfndguH6S3ENqbLU 0Si23ROUHHAwt5ht2aIFbAU4IUspUjVUcGZoviwwOyeaILDCe9i9O6oML8wHtvYD3aEF DKaYKeVqfo5AXW5cUQVSXSQWKAUFjB54vQjl8mjklYPzAEGCDcQ7k4EICbGvwdim8uzF 3MROk28f4U3oRc/kj+Z1MfXPj0Qqqb+T8IUCZDpVEL4F4i7/G65d07A0YPqbghtNCd8v LRcNs8bkI5UK8Vf4V8/6iDPHji46jpOzAsdslizVCThhq7hHqISmHJQjnMuSpOTRIeMA 9LWA==
X-Gm-Message-State: APjAAAWy4ow3T17jWvIU6OLWWW4O15/dr139o7CfBzZJLuMlam9QS1Rc yi5oMeBjq2J1VG2TA2Gea77XUVVannM=
X-Google-Smtp-Source: APXvYqwlZuRGmT4rJxRCjdvyno19j2mzNSC/smEDFl5CPCfkd1wwiJpZOij/g4efO77MvGfqNF9j9w==
X-Received: by 2002:a1c:6854:: with SMTP id d81mr7814218wmc.75.1574312577653; Wed, 20 Nov 2019 21:02:57 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id d11sm1829727wrn.28.2019.11.20.21.02.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Nov 2019 21:02:56 -0800 (PST)
To: "Smith, Ned" <ned.smith@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <30effd67-f6ab-3899-808e-db724a33b9b0@gmail.com> <BFECEE8E-3E83-475A-9C3A-8033F4A9E9F4@intel.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <4c5c2bd7-ac04-3234-803b-74d429632cf9@gmail.com>
Date: Thu, 21 Nov 2019 06:02:55 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <BFECEE8E-3E83-475A-9C3A-8033F4A9E9F4@intel.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/WFvWQZVnB-05UBP5R8pDz5Pp24o>
Subject: [Rats] TUDA. Re: Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 05:03:02 -0000

On 2019-11-21 05:33, Smith, Ned wrote:
> The TUDA draft might satisfy session attestation semantics. There may be others.

Thanx Ned,

I took a peek in
https://datatracker.ietf.org/doc/draft-birkholz-rats-tuda/
and I had a hard time finding similarities.

Session based attestation is not targeting constrained devices but rather powerful environments like mobile phones.
The multi-step "Protected API" and transactional operation is the core.  The session time is typically limited to 10 minutes.

Although it wasn't considered, TEEP could have been a candidate for this scheme as well:
https://cyberphone.github.io/doc/research/unified-tee-management-api.pdf

Anders

> 
> *From: *Anders Rundgren <anders.rundgren.net@gmail.com>
> *Date: *Wednesday, November 20, 2019 at 8:11 PM
> *To: *"Smith, Ned" <ned.smith@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
> *Cc: *"rats@ietf.org" <rats@ietf.org>
> *Subject: *Re: [Rats] Two types of secure attestation
> 
> And then you have the outcome/action of an attestation which I guess currently is "Pass" or "Fail".
> 
> As shown in https://cyberphone.github.io/doc/research/session-based-remote-attestation.pdf "Pass" may very well return a more sophisticated result, enabling a protected API in a session a bit similar to TLS.
> 
> Anders
> 
> On 2019-11-20 22:11, Smith, Ned wrote:
> 
>     There are some misrepresentations in the analysis below (I’ll comment inline below using [nms] delimiters). In general, I don’t see attestation types as being binary. Dave Thaler’s chart / truth table in another thread seems to suggest this as well given there are many different types of attesting environments (aka roots of trust).
> 
>     It might make sense to have discussion around claims that apply to attesting environments vs. claims that apply to attested environments? The important security property of attesting environments is they often are regarded as “trusted” meaning there isn’t some other attesting environment that vouches for it.
> 
>     Associating claims to attesting environments often takes a different from attestation (as represented by the roles / arch models); namely using certificates issued by product vendors (what the arch has called ‘asserters’). Certificates typically contain identity claims but could contain additional claims. Vendors could also sign assert claims by signing a document that asserts them. These could be manifests, attribute certs, identity certs with claims extensions and possibly even JWT/CWT (tokens). I haven’t seen a use case for vendor issued tokens however. Possibly PKI will transition from X.509 based to Token based at some point in the future, but I expect it will take a while. Vendors issuing (signing) manifests seems reasonable since many already create manifests for software distribution also called packages / bundles. The workflow for ‘reference values’ would not be much different than for creating a SW update manifest.
> 
>     *From: *RATS <rats-bounces@ietf.org> <mailto:rats-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> <mailto:kathleen.moriarty.ietf@gmail.com>
>     *Date: *Tuesday, November 19, 2019 at 6:00 PM
>     *To: *Laurence Lundblade <lgl@island-resort.com> <mailto:lgl@island-resort.com>
>     *Cc: *"rats@ietf.org" <mailto:rats@ietf.org> <rats@ietf.org> <mailto:rats@ietf.org>
>     *Subject: *Re: [Rats] Two types of secure attestation
> 
>     Hi Laurence,
> 
>     I read your message as there only being 2 types of attestation as opposed to what you stated in your follow on email, which better maps to the restricted set in your first message.
> 
>     Thanks,
> 
>     Kathleen
> 
>     On Tue, Nov 19, 2019 at 8:07 PM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> wrote:
> 
>         Hi Kathleen,
> 
>         Not sure I’m following your thought completely.
> 
>          From what I know of Authenticated Boot, the code signing formats are usually proprietary and idiosyncratic. The first stages of it are likely in true ROM (chip metal layer) and can be very architecture and system specific and would not use CoSWID or EAT.
> 
>         My comments below are about getting a system booted up to state where it known to behave as desired.
> 
>         Once it is up then signed CoSWIDs in EATs would come into play. They can be trusted because the attester and system SW known to have booted up correctly. Knowing who signed some SW listed in a CoSWID is only of value if you know the system SW did signature checking when it loaded the SW it listed. For example, everyone knows how Android app signing works, so listing the signer of an Android app is good useful information.
> 
>         Hope that makes sense in relation to your comment.
> 
>         LL
> 
> 
> 
> 
>             On Nov 19, 2019, at 10:35 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
> 
>             Hi Laurence,
> 
>             Where does the code signing example fit in that you gave as it's not really an attestation, but could be useful in the format of an EAT/CWT?   This questions considers the CoSWID discussion as well as another example you had in your slides later (which was really the same) on just validating the code was signed by the expected private key?  Should that be called an attestation or just using the format for signing?  You might add claims in above what's in the CoSWID and use the nesting of EAT/subdomains as well as perform remote verification.
> 
>             Thanks,
> 
>             Kathleen
> 
>             On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort..com>> wrote:
> 
>                 Fundamentally, I think there are two ways that an attestation verifier comes to know that a device / entity is running approved SW and will behave as desired.
> 
>                 *TPM based*
> 
>                 ·Originates in the PC world where the end user had to be able to choose the system SW
> 
>                 [nms] Not sure what relevance to attestation should be ascribed because of how TPMs originated.
> 
>                 ·Has a TPM that performs a general measuring function
> 
>                 §Has an attestation signing key for signing measurements that is kept secret by the TPM
> 
>                 oTPM is generic as it can be used for PC’s, routers, IoT devices
> 
>                 [nms] Profiles for how to adapt TPM for use in specific platform classes is generally required.
> 
>                 ·Authenticated boot is optional
> 
>                 [nms] I think the industry also uses the term ‘secure boot’. TPM supports attestation (of the boot sequence) while a secure boot approach doesn’t imply attestation is needed/used.
> 
>                 [nms] Boot behavior is more a property of the Root of Trust for Measurement (RTM) than a TPM. There are many types of RTM technology most simply it is a boot ROM.
> 
>                 ·Uses a staged boot architecture where each stage must measure (hash) the following stage
> 
>                 [nms] Boot architecture is determined by the type of device / platform not the TPM. Staged boot sequences are fairly common across the industry. Hence the term ‘bootstrap’.
> 
>                 oHashes fed into the TPM
> 
>                 oTPM generates the attestation of the registers holding the hashes
> 
>                 ·Device cost raised by cost of TPM part
> 
>                 [nms] Not sure how this is relevant to RATS
> 
>                 ·The verifier must run a parallel set of measurements (hashes)
> 
>                 oVerifier is complex
> 
>                 [nms] as compared to what?
> 
>                 *Authenticated Boot based*
> 
>                 ·Origins in mobile phone, TEE and DRM world where the user can NOT choose the system SW
> 
>                 ·Authenticated boot is required
> 
>                 oUses a boot ROM that really is a ROM, probably in silicon (not flash), that can NOT be changed
> 
>                 [nms] This is true for platforms using a TPM as well.
> 
>                 oBoot ROM verifies the SW that is loaded, particular the top privilege (e.g. kernel) SW
> 
>                 [nms] Verification implies the ability to determine boot code integrity. This is common to platforms that use a TPM.
> 
>                 oA good implementation has anti-rollback to prevent old versions of SW from being run
> 
>                 ·Has an attestation signing key that is programmed in fuses or possibly in flash
> 
>                 [nms] This is commonly true for TPM based attestation implementations.
> 
>                 oHas a HW block that prevents access to the attestation key unless authenticated boot succeeds
> 
>                 [nms] This is also true for solutions that wish to implement secure boot using a TPM.
> 
>                 oOnly top privilege SW can use it
> 
>                 [nms] TPM attestation keys have restrictions on use as well.
> 
>                 ·Attestations are created in the top-privilege SW
> 
>                 oSimply signing a nonce proves the device is running approved SW
> 
>                 [nms] The security properties of the signing key (attestation key) are a function of the claims that the manufacturers make about the environment that protects the key. This is true for TPM as well as any other root of trust / attesting environment.
> 
>                 oEasy to add other claims in —> EAT
> 
>                 [nms] relative to what?
> 
>                 ·Device cost raised by need for secure key provisioning in the factory
> 
>                 ·Verifier is very simple
> 
>                 oJust needs to verify the signature and nonce
> 
>                 [nms] The verifier is also integrated into the boot code. These verifiers need to be provisioned with boot state policies and so forth. Secure boot is an example of the combining of Attester and Verifier roles.
> 
>                 Both provide acceptable security for their use cases and are broadly in use.
> 
>                 RATS needs to support both.
> 
>                 [nms] In what ways does RATS not support both?
> 
>                 LL
> 
>                 _______________________________________________
>                 RATS mailing list
>                 RATS@ietf.org <mailto:RATS@ietf.org>
>                 https://www.ietf.org/mailman/listinfo/rats
> 
> 
>             -- 
> 
>             Best regards,
> 
>             Kathleen
> 
>             _______________________________________________
>             RATS mailing list
>             RATS@ietf.org <mailto:RATS@ietf.org>
>             https://www.ietf.org/mailman/listinfo/rats
> 
> 
>     -- 
> 
>     Best regards,
> 
>     Kathleen
> 
> 
> 
>     _______________________________________________
> 
>     RATS mailing list
> 
>     RATS@ietf.org  <mailto:RATS@ietf.org>
> 
>     https://www.ietf.org/mailman/listinfo/rats
> 
> 
>

v2.23.0 | Report a Bug | By Email