Re: [Rats] regarding rats-network-device-attestation; michael's comments
Guy Fedorkow <gfedorkow@juniper.net> Tue, 01 October 2019 21:31 UTC
Return-Path: <gfedorkow@juniper.net>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB62112008C for <rats@ietfa.amsl.com>; Tue, 1 Oct 2019 14:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y9egnbMzx862 for <rats@ietfa.amsl.com>; Tue, 1 Oct 2019 14:31:02 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17C29120089 for <rats@ietf.org>; Tue, 1 Oct 2019 14:31:02 -0700 (PDT)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x91LQg0d028002; Tue, 1 Oct 2019 14:30:59 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : content-type : mime-version; s=PPS1017; bh=phWOzTJGJsAxvqEJnRlj/wUfK36VUKioshX++rsxZvc=; b=mWhmaqPfFqWWUf6Uc7W7IbLFLnloICZLyiLoSpZPqilz6icI6/QxNuSwK5gqpFmtFu03 KN55JeBu1p5O3vH2ldIJMqkczCCLTY+jDj2lGQuw42xitiQqoZyFXxnG9ZOqt7El5Y0G bb9dZ+r4vqkvyp+XZDDSYv1iAaAtsz6i4mME4LrMtSAAVVh+hPd6X4/wYG4BirmlUn+O KABxITjUMVkveH3a4Pil8cMqHdSXRUyrqt3dUDFWZwDyP4e2hP+MJHAduld5uL51slCQ i7UHPYybJ6PuNkDj7SPN07ZzFI7JKfPLE3DULp+Jvl9RhzGq3GDNZ9WY4iuglgK2gb1c KQ==
Received: from nam05-by2-obe.outbound.protection.outlook.com (mail-by2nam05lp2058.outbound.protection.outlook.com [104.47.50.58]) by mx0a-00273201.pphosted.com with ESMTP id 2vc7je8st0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 01 Oct 2019 14:30:59 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bcXGuIDaH9YiYxqKv0ACl3eMft6Ru+3NE6PXGid9idIuEuGfi7oS0SNMs8hvMb9yAKmqrCqgdGUjyv1QRBPCuC1XnV0lLql3QP31qI2aS36tEBEQX/rlmugA7wB2EOHY6Cuv3i+caWbgBrTodS+iBaTq4j9tx+BshnbyUCXRWZoDHaM/vcRoV7Gv2AId1FbeDd/A6I9iUIM943wGorD5hGGkg146lRnIk64BS/39r4mfdKsIl7sJ873eIwc/E/rH0UyT0VH4IvR9Ie9pURbaIhBIeytuJIdBwuLbHcl+UJ2ywcqEcyu4mV9DRrwN+ToAsPD2B3ORYqPlVZ9bZUt0gg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=phWOzTJGJsAxvqEJnRlj/wUfK36VUKioshX++rsxZvc=; b=WRcO14YcTGFnvR64xCAzJsJNYFRz/gqoMcEGRpuVKYqDNwKI9WuEtX1Gl+Z+VUcL8S1Wz2cHubyUU/JjRbW2Epw6pjRkY8LK/WFpUVlNnxo3FjyERmr5gGf8+kihf9OHFORD2xskxtjfb4Lc9c6OX6vdQdCGIdRi0WBkzPOzNVZrUIeZBmmsP3w3QXbJtrIRk5flxHADKeAtbPzzlE+wttTd71XDoqqJZoJHOM4LcaYTSbMyrtpSylBAQ0DQJ78HX66Rv4I6RoDTDlMnpdKG9o8IsUfbAlL8jJ5Lugql1WFtlgUTtH1X6mXSQV8ByQaFyfpE0d0aZVt8HQvo62mOfw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
Received: from SN6PR05MB4253.namprd05.prod.outlook.com (52.135.73.15) by SN6PR05MB5279.namprd05.prod.outlook.com (20.177.248.76) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Tue, 1 Oct 2019 21:30:52 +0000
Received: from SN6PR05MB4253.namprd05.prod.outlook.com ([fe80::b4c1:1dd0:bd02:21c8]) by SN6PR05MB4253.namprd05.prod.outlook.com ([fe80::b4c1:1dd0:bd02:21c8%7]) with mapi id 15.20.2305.017; Tue, 1 Oct 2019 21:30:52 +0000
From: Guy Fedorkow <gfedorkow@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, "Birkholz, Henk" <henk.birkholz@sit.fraunhofer.de>
Thread-Topic: re: [Rats] regarding rats-network-device-attestation; michael's comments
Thread-Index: AdV4n3Yq486Z87hcTDaX8JA9y3kNDw==
Content-Class:
Date: Tue, 01 Oct 2019 21:30:52 +0000
Message-ID: <SN6PR05MB4253701358C96430B7795B2EBA9D0@SN6PR05MB4253.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Owner=gfedorkow@juniper.net; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2019-10-01T21:30:45.8680893Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=Juniper Business Use Only; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Application=Microsoft Azure Information Protection; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=3861ffc5-1964-4e95-89a1-bfb8b57a8e11; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Extended_MSFT_Method=Automatic
dlp-product: dlpe-windows
dlp-version: 11.3.2.8
dlp-reaction: no-action
x-mcafeedlp-tagged: True
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 04f34504-7875-49d3-c9f7-08d746b6a2e3
x-ms-office365-filtering-ht: Tenant
x-ms-traffictypediagnostic: SN6PR05MB5279:
x-microsoft-antispam-prvs: <SN6PR05MB52797AF55D8F4B755BEB5001BA9D0@SN6PR05MB5279.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0177904E6B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(136003)(346002)(396003)(366004)(51914003)(199004)(189003)(13464003)(74316002)(14454004)(99286004)(6436002)(7696005)(55016002)(478600001)(52536014)(9686003)(6306002)(71190400001)(71200400001)(5660300002)(229853002)(4326008)(53546011)(6506007)(66446008)(86362001)(8936002)(66476007)(102836004)(186003)(64756008)(66556008)(66946007)(8676002)(76116006)(54906003)(486006)(6116002)(790700001)(3846002)(2906002)(7736002)(33656002)(256004)(476003)(316002)(14444005)(66066001)(6246003)(9326002)(81166006)(81156014)(25786009)(26005); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR05MB5279; H:SN6PR05MB4253.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JS1z9FESC/giPWV9a3tyHNolrqjBk4QRwZbfIDN0lFa65ZcF+As0GzkBCkDYp/x5FF6SFiwoLhHNABiRxpid71uUZ90QtioClRC9XrolXOH7h8g86B+6NH6fXtiRJjvJSGuE2Or9za23TZ1PKUXa+5MHimulCXBKjxxpVQBTBpm0qpb6xacAhUw5fc97e6KV/mveYWD0WkWGpAf6E2K82J9gICy3rAtUSFeLWp5RmhFm3PCInlyuZg6Of0JfsZjd5yIYKa0cKGImA84uVm7NiMMFuakRz/4ktOUysbNbJ4FZKjqBTotfN6nbKHjNdrvt4QspHb7KX1zn64/6R1y3vFkCER73BeuS37tbqhQNgkcK9PAZi950ci7L89YU42lKX/WXFDy2y+wGbXIKhs//30JkaZAhVULtyVsfDSP4aBk=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SN6PR05MB4253701358C96430B7795B2EBA9D0SN6PR05MB4253namp_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 04f34504-7875-49d3-c9f7-08d746b6a2e3
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Oct 2019 21:30:52.4094 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: AncAt73ITqORQc7uQDmPdBpGSlBrlcYL0IysuaMfrmm1INhjpWSnpR0r+AGVx9TdKSzBkUaHquo4l8Mn59dlLg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR05MB5279
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-01_09:2019-10-01,2019-10-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 spamscore=0 priorityscore=1501 adultscore=0 mlxlogscore=999 mlxscore=0 suspectscore=0 clxscore=1015 lowpriorityscore=0 malwarescore=0 impostorscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910010177
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/Y_JNoc9Dj-fwbnyWq_sst3y16T0>
Subject: Re: [Rats] regarding rats-network-device-attestation; michael's comments
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 21:31:05 -0000
Hi Michael, Thanks for the review comments. I've addressed them in my copy, along with a bunch of other changes. I hope to have the rest of the updates done soon so I can post a new rev. Enclosed are responses to your comments, marked by [guy] /guy -----Original Message----- From: RATS <rats-bounces@ietf.org> On Behalf Of Michael Richardson Sent: Tuesday, September 10, 2019 7:05 AM To: rats@ietf.org Subject: [Rats] regarding rats-network-device-attestation I have read through this document, and it is now the publicly available reference on the TCG work for the use-case document. I have sent some edits directly to the authors. [guy] Yes, the original TCG version of this doc is posted on the TCG site. We haven't gone back to push changes into the TCG version since the IETF draft got under way, so the pictures in the TCG version are nicer, but the words are more up to date in the IETF draft. I like the use of the term "Remote Integrity Verification". I'm not too crazy about "RIV" as a TLA in a field with way too many TLAs already though, but okay. I found this text difficult: * Platform Identity refers to the mechanism assuring the attestation verifier (typically a network administrator) that the equipment on their network can be reliably identified, and that its manufacturer is certified by a trusted authority. } This certification provides the verifier with assurance that } the Root of Trust elements of the device were verified by the } manufacturer before the device was shipped. I'm not sure if the device is actually identified to the verifier (network admin). Or that there is a *meta* claim that the device could be identified. Is this a claim that a claim was made, but the contents of the claim is not revealed for privacy reasons? If that is the intent, then can we be more explicit? (And that's actually a new use case). If that's not the intent, then perhaps the passive language that is confusing could be changed. [guy] no Meta Claim, just clumsy wording. I've tried to simplify it > o Processor Sleep Modes: Embedded equipment typically does not > "sleep", so sleep and hibernate modes are not considered. why is this a consideration? lots of embedded systems go into low power mode all the time. [guy] I suppose. I changed it to Network Equipment, which I don't think ever sleeps. It's not that attestation can't be done after sleep mode, but it sure gets harder when the device is sort-of-but-not-quite rebooted. TCG has various process flow charts for this, but for NetEq it's easier to leave it out. re: 2.4.1: DevID Alternatives. I don't find the use of LDevID to be a credible solution here. It seems that LDevID have to get installed manually, via some privacy preserving mechanism. Privacy preserving against who? The person or entity that installs the LDevID surely gets to learn the identity of the device. I don't think we can do zero-touch provisioning without the IDevID. I would like this section to clarify the privacy threat here. [guy] Hmm, I didn't mean to imply privacy-preserving. I've revised the section a bit to try to say more clearly what they're for. Short answer: it's like an asset tag placed by the owner of the device. If the revised draft still implies 'privacy' let me know and I'll try again. > The TCG TPM 2.0 Keys > document [Platform-DevID-TPM-2.0] also outlines procedures for > creating Local Attestation Keys and Local Device IDs (LDevIDs) rooted > in the manufacturer's IDevID as a check to reduce the chances that > counterfeit devices are installed in the network. [Platform-DevID-TPM-2.0] <-- seems to be a draft, and so probably not public? [guy] Sadly yes, still a draft. > whether the measured hashes are "the right ones" or not. up to now, you've carefully said "measurements", rather than measured hashes. Do you want to stick with measurement, or was there a reason to change? [guy] nope, sloppy language. I've fixed it. > Quotes from a TPM can provide evidence of the state of a device at > the time the quote was requested, but to make sense of the quote in > most cases an event log of what software modules contributed which > values to the quote during startup must also be provided. The log As I understand it, the problem of the multi-process (and multi-processor) boot is that the hash values arrive in non-deterministic orders, and so would contribute to a straight sequential hash differently. Why aren't the different contributions either just listed, or just filled into a table with a canonical order? I'm sure you have thought of this, so there must be something I don't understand about why this solution can't work. [guy] I think Ned would say that the log file *is* the primary record of which process started in what order, and the quote from the TPM is just a way of 'signing' the log. In the easy case, all the verifier has to do is to read the log from first to last entry, and compute the digest of all the hashes in the log. The result should equal what's in the PCR. If it doesn't, you should look for corruption in the log mechanism. If it does, you can look at each entry in the log to see whether it's filename and path line up with the measured hash for that object. If not, you've found the corrupted object. The harder case is when the log and the quote are out of sync, i.e., you ask for a quote in between the time that a digest was extended into a PCR and the corresponding log entry written out. Careful ordering and maybe a second quote will fix the problem. If one expects ten processes, A->J to be running, have a table that is ten items long. If one needs to be sure that there are no other processes running, then some measurement of a canonicalized process table seems to be in order. That would omit the PID for instance, or canonicalize the PID into some abstract namespace if relationships between processes were also important. Juniper Business Use Only
- Re: [Rats] regarding rats-network-device-attestat… Guy Fedorkow