IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

"Smith, Ned" <ned.smith@intel.com> Thu, 21 November 2019 04:33 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E5C12095D for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 20:33:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZOyA2olpaRW for <rats@ietfa.amsl.com>; Wed, 20 Nov 2019 20:33:51 -0800 (PST)
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71DD7120963 for <rats@ietf.org>; Wed, 20 Nov 2019 20:33:51 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Nov 2019 20:33:51 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.69,224,1571727600"; d="scan'208,217";a="200988051"
Received: from orsmsx105.amr.corp.intel.com ([10.22.225.132]) by orsmga008.jf.intel.com with ESMTP; 20 Nov 2019 20:33:50 -0800
Received: from orsmsx109.amr.corp.intel.com ([169.254.11.161]) by ORSMSX105.amr.corp.intel.com ([169.254.2.158]) with mapi id 14.03.0439.000; Wed, 20 Nov 2019 20:33:50 -0800
From: "Smith, Ned" <ned.smith@intel.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Two types of secure attestation
Thread-Index: AQHVntzp4M6ZJzqVJUiVsZ6c2vuAXaeTFYmAgACwdgCAAA6xgIAAu9YAgAD7cYD//4AMgA==
Date: Thu, 21 Nov 2019 04:33:49 +0000
Message-ID: <BFECEE8E-3E83-475A-9C3A-8033F4A9E9F4@intel.com>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <30effd67-f6ab-3899-808e-db724a33b9b0@gmail.com>
In-Reply-To: <30effd67-f6ab-3899-808e-db724a33b9b0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
x-originating-ip: [10.251.3.188]
Content-Type: multipart/alternative; boundary="_000_BFECEE8E3E83475A9C3A8033F4A9E9F4intelcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/c0vecPecuh1P8lK-G8ne6ujU2KM>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 04:33:55 -0000

The TUDA draft might satisfy session attestation semantics. There may be others.

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wednesday, November 20, 2019 at 8:11 PM
To: "Smith, Ned" <ned.smith@intel.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Two types of secure attestation

And then you have the outcome/action of an attestation which I guess currently is "Pass" or "Fail".

As shown in https://cyberphone.github.io/doc/research/session-based-remote-attestation.pdf "Pass" may very well return a more sophisticated result, enabling a protected API in a session a bit similar to TLS.

Anders

On 2019-11-20 22:11, Smith, Ned wrote:
There are some misrepresentations in the analysis below (I’ll comment inline below using [nms] delimiters). In general, I don’t see attestation types as being binary. Dave Thaler’s chart / truth table in another thread seems to suggest this as well given there are many different types of attesting environments (aka roots of trust).

It might make sense to have discussion around claims that apply to attesting environments vs. claims that apply to attested environments? The important security property of attesting environments is they often are regarded as “trusted” meaning there isn’t some other attesting environment that vouches for it.

Associating claims to attesting environments often takes a different from attestation (as represented by the roles / arch models); namely using certificates issued by product vendors (what the arch has called ‘asserters’). Certificates typically contain identity claims but could contain additional claims. Vendors could also sign assert claims by signing a document that asserts them. These could be manifests, attribute certs, identity certs with claims extensions and possibly even JWT/CWT (tokens). I haven’t seen a use case for vendor issued tokens however. Possibly PKI will transition from X.509 based to Token based at some point in the future, but I expect it will take a while. Vendors issuing (signing) manifests seems reasonable since many already create manifests for software distribution also called packages / bundles. The workflow for ‘reference values’ would not be much different than for creating a SW update manifest.

From: RATS <rats-bounces@ietf.org><mailto:rats-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com><mailto:kathleen.moriarty.ietf@gmail.com>
Date: Tuesday, November 19, 2019 at 6:00 PM
To: Laurence Lundblade <lgl@island-resort.com><mailto:lgl@island-resort.com>
Cc: "rats@ietf.org"<mailto:rats@ietf.org> <rats@ietf.org><mailto:rats@ietf.org>
Subject: Re: [Rats] Two types of secure attestation

Hi Laurence,

I read your message as there only being 2 types of attestation as opposed to what you stated in your follow on email, which better maps to the restricted set in your first message.

Thanks,
Kathleen

On Tue, Nov 19, 2019 at 8:07 PM Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:
Hi Kathleen,

Not sure I’m following your thought completely.

From what I know of Authenticated Boot, the code signing formats are usually proprietary and idiosyncratic. The first stages of it are likely in true ROM (chip metal layer) and can be very architecture and system specific and would not use CoSWID or EAT.

My comments below are about getting a system booted up to state where it known to behave as desired.

Once it is up then signed CoSWIDs in EATs would come into play. They can be trusted because the attester and system SW known to have booted up correctly. Knowing who signed some SW listed in a CoSWID is only of value if you know the system SW did signature checking when it loaded the SW it listed. For example, everyone knows how Android app signing works, so listing the signer of an Android app is good useful information.

Hope that makes sense in relation to your comment.

LL




On Nov 19, 2019, at 10:35 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote:

Hi Laurence,

Where does the code signing example fit in that you gave as it's not really an attestation, but could be useful in the format of an EAT/CWT?   This questions considers the CoSWID discussion as well as another example you had in your slides later (which was really the same) on just validating the code was signed by the expected private key?  Should that be called an attestation or just using the format for signing?  You might add claims in above what's in the CoSWID and use the nesting of EAT/subdomains as well as perform remote verification.

Thanks,
Kathleen

On Tue, Nov 19, 2019 at 8:26 AM Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort..com>> wrote:
Fundamentally, I think there are two ways that an attestation verifier comes to know that a device / entity is running approved SW and will behave as desired.

TPM based
·         Originates in the PC world where the end user had to be able to choose the system SW
[nms] Not sure what relevance to attestation should be ascribed because of how TPMs originated.
·         Has a TPM that performs a general measuring function
§  Has an attestation signing key for signing measurements that is kept secret by the TPM
o    TPM is generic as it can be used for PC’s, routers, IoT devices
[nms] Profiles for how to adapt TPM for use in specific platform classes is generally required.
·         Authenticated boot is optional
[nms] I think the industry also uses the term ‘secure boot’. TPM supports attestation (of the boot sequence) while a secure boot approach doesn’t imply attestation is needed/used.
[nms] Boot behavior is more a property of the Root of Trust for Measurement (RTM) than a TPM. There are many types of RTM technology most simply it is a boot ROM.
·         Uses a staged boot architecture where each stage must measure (hash) the following stage
[nms] Boot architecture is determined by the type of device / platform not the TPM. Staged boot sequences are fairly common across the industry. Hence the term ‘bootstrap’.
o    Hashes fed into the TPM
o    TPM generates the attestation of the registers holding the hashes
·         Device cost raised by cost of TPM part
[nms] Not sure how this is relevant to RATS
·         The verifier must run a parallel set of measurements (hashes)
o    Verifier is complex
[nms] as compared to what?

Authenticated Boot based
·         Origins in mobile phone, TEE and DRM world where the user can NOT choose the system SW
·         Authenticated boot is required
o    Uses a boot ROM that really is a ROM, probably in silicon (not flash), that can NOT be changed
[nms] This is true for platforms using a TPM as well.
o    Boot ROM verifies the SW that is loaded, particular the top privilege (e.g. kernel) SW
[nms] Verification implies the ability to determine boot code integrity. This is common to platforms that use a TPM.
o    A good implementation has anti-rollback to prevent old versions of SW from being run
·         Has an attestation signing key that is programmed in fuses or possibly in flash
[nms] This is commonly true for TPM based attestation implementations.
o    Has a HW block that prevents access to the attestation key unless authenticated boot succeeds
[nms] This is also true for solutions that wish to implement secure boot using a TPM.
o    Only top privilege SW can use it
[nms] TPM attestation keys have restrictions on use as well.
·         Attestations are created in the top-privilege SW
o    Simply signing a nonce proves the device is running approved SW
[nms] The security properties of the signing key (attestation key) are a function of the claims that the manufacturers make about the environment that protects the key. This is true for TPM as well as any other root of trust / attesting environment.
o    Easy to add other claims in —> EAT
[nms] relative to what?
·         Device cost raised by need for secure key provisioning in the factory
·         Verifier is very simple
o    Just needs to verify the signature and nonce
[nms] The verifier is also integrated into the boot code. These verifiers need to be provisioned with boot state policies and so forth. Secure boot is an example of the combining of Attester and Verifier roles.

Both provide acceptable security for their use cases and are broadly in use.

RATS needs to support both.
[nms] In what ways does RATS not support both?

LL
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats


--

Best regards,
Kathleen
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats



--

Best regards,
Kathleen



_______________________________________________

RATS mailing list

RATS@ietf.org<mailto:RATS@ietf.org>

https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email