IETF Logo Mail Archive

[Rats] Re: Security considerations of remote attestation (RFC9334)

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Mon, 25 November 2024 13:11 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B01CC169413 for <rats@ietfa.amsl.com>; Mon, 25 Nov 2024 05:11:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RuB2gSnqr_Ef for <rats@ietfa.amsl.com>; Mon, 25 Nov 2024 05:11:39 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD0E8C1654F2 for <rats@ietf.org>; Mon, 25 Nov 2024 05:11:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:From:References:CC:To :Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nWV/YysYfT1f98BDszCrzg3L26240/C4q5v7GjKG9qU=; b=hr8z2MIJH07ZrpJTN+2qQQBOIV RmdaHnOOsU65szBGpalKvIAxUi3D0L3w4uYLgawUGMVkAzLUx4r+xsVaewdLQHOGlPTjlx6g17D1y QDJADpKMpLHR6KkFihmZMpg4dHFclGjQRLXDLjqooHaeNsvO0R4j7rIVWNI47qwPcD4znMRSo451l Ns4CZVYY3lF7USRwpSgp0PXYKD73tUMgZJKZ/PPUjRwZ1uViUjREJuQ1ikjnxnYy1OJsPQNbysWL/ yVcT7eLH4hghzaQaZhZJd5y6B/K45zzpQId1IspfuEvm0qAtEJYs5Se49ED+vFFAg7SJYxmzEJZCh DBq+Rv6w==;
Received: from [172.26.35.112] (helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1tFYsH-0077R3-VN; Mon, 25 Nov 2024 14:11:34 +0100
Received: from msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) by MSX-T312.msx.ad.zih.tu-dresden.de (172.26.35.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Mon, 25 Nov 2024 14:11:30 +0100
Received: from [192.168.1.2] (77.191.53.8) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 25 Nov 2024 14:11:30 +0100
Message-ID: <c7808768-35ce-4783-bece-124d8748ec0c@tu-dresden.de>
Date: Mon, 25 Nov 2024 14:11:29 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Giridhar Mandyam <giridhar.mandyam@gmail.com>
References: <4ffdd034-05ec-4565-9cad-b40ff82f83fc@tu-dresden.de> <9EAF6A12-77D4-40A6-9C16-091FCC2085D1@island-resort.com> <2061c4b5-ce88-47ff-b3d4-253c76bfa998@tu-dresden.de> <CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060301030001050204050609"
X-ClientProxiedBy: msx-l319.msx.ad.zih.tu-dresden.de (172.26.34.119) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: AUWWVFNOT2J35BRDFXERXC75ISFOC7KG
X-Message-ID-Hash: AUWWVFNOT2J35BRDFXERXC75ISFOC7KG
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "lgl island-resort.com" <lgl@island-resort.com>, "rats@ietf.org" <rats@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jcAv9FKbYSIVtUNQ8ggEHL8lrmM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

On 24.11.24 23:01, Giridhar Mandyam wrote:

> >I am struggling to understand what would be the benefit of the device 
> generating a nonce itself?
>
> When there is no return channel from the verifier, then a nonce 
> generated on the device could provide some level of assurance (as 
> imperfect as it is). For instance, several years ago when we were 
> developing ATSC 3.0 (an IP over Broadcast technology), we were looking 
> into whether the rendering device could be attestable. Unfortunately, 
> the transport (https://datatracker.ietf.org/doc/rfc9223/) does not 
> provide for a return channel.
>
Not sure if get the term "return channel" right. RFC9223 does not define 
it. RFC4949 does not define it either. Here is my thought:

  * How would a device know when to send the attestation? The verifier
    would somehow request the attestation. The same channel over which
    it sends the request, it could also send the nonce within that request.

  * The attester still has to send over the evidence; the same channel
    over which it sends the evidence, it could send the evidence
    containing that signed nonce.

So why is a "return channel" required?

> A device-generated nonce provides the same kind of replay protection 
> as a jti (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7) 
> in my opinion.
>
I disagree with the following statement in that section unless the 
Verifier keeps a state of all the jti's:

"The "jti" claim can be used

    to prevent the JWT from being replayed."

Is jti signed as well? Even then, nothing stops the adversary from reordering. Here is a sample issue (simple Attester-Verifier interaction):

  * t=1: Verifier requests attestation
  * t=2: Attester in good state generates JWT1 with jti = "xyz"
  * t=3: Adversary stores this JWT1 and does not forward to Verifier
  * t=4: Adversary compromises the Attester
  * t=5: Verifier requests attestation again
  * t=6: Adversary sends JWT1 from t=2.

Verifier believes attester is in good state whereas it is not.

I don't believe the security considerations of RFC7519 are good enough.

> -Giri
>
> -Giri
>
> On Sun, Nov 24, 2024 at 12:14 PM Muhammad Usama Sardar 
> <muhammad_usama.sardar@tu-dresden.de> wrote:
>
>     On 11.11.24 22:21, lgl island-resort.com
>     <http://island-resort.com> wrote:
>
>>     There’s some framing in the EAT introduction that contrasts
>>     attestation security with authentication security. It discusses
>>     key life cycles which are very different for attestation. That
>>     seems important to discuss in the context of using TLS for
>>     attestation security.
>
>     The second paragraph of intro was an interesting read. Since it
>     states: "To give an example of one aspect of the difference", I
>     would naturally assume there are more differences in the minds of
>     editors. I would like to read more about it. Is there any
>     issue/thread/meeting where this was discussed?
>
>     Reading through the privacy and security considerations, I have a
>     couple of questions:
>
>       * Sec. 8.4 states (emphasis my own)
>
>     > The nonce claim is based on a value *usually*  derived remotely (outside of the entity).
>
>     I am struggling to understand what would be the benefit of the
>     device generating a nonce itself? How would the verifier/relying
>     party make sense of this value? Moreover, this directly
>     contradicts Sec. 10.2 which states: (emphasis my own)
>
>     > In this approach, an unpredictable nonce is sent by the
>     *appraising entity* and the nonce is then signed and included
>     along with the Claims in the Evidence or Attestation Result.
>
>       * Sec. 9.3 states: (emphasis my own)
>
>     > All EAT use MUST provide a freshness mechanism to prevent replay and *related attacks*.
>
>     What are the related attacks?
>
>     Thanks,
>     Usama
>
>     _______________________________________________
>     RATS mailing list -- rats@ietf.org
>     To unsubscribe send an email to rats-leave@ietf.org
>

v2.45.0 | Report a Bug | By Email | System Status