IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Sun, 24 November 2019 15:31 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B701200D5 for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 07:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_hD5zKWuGxQ for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 07:31:18 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2CA41200C5 for <rats@ietf.org>; Sun, 24 Nov 2019 07:31:16 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xAOFVD3B024461 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Sun, 24 Nov 2019 16:31:14 +0100
Received: from [172.17.29.118] (5.148.85.20) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Sun, 24 Nov 2019 16:31:07 +0100
To: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <DC9F1051-E33A-477F-A855-2FBA33F8E8DF@island-resort.com> <cbb5f662-b073-5b5b-e504-56ea66b72744@sit.fraunhofer.de> <5A3105EA-8E54-4BB9-B266-96B6645811A1@island-resort.com> <c4967ed2-e484-d8c9-406b-8e1bb1b3b88d@sit.fraunhofer.de> <FF6F2CEE-1049-4B6C-8E12-9E21FE92D2F2@island-resort.com> <3285c3da-0748-5607-90ed-ac024ac826d0@sit.fraunhofer.de> <0384FAEE-6C5B-4A99-BBA0-F080DD27AA9B@island-resort.com> <def7a722-e357-a12a-1467-8ff8c442337e@sit.fraunhofer.de> <A9E1ED3A-80D1-4585-9029-A49CA5AE3AB6@island-resort.com> <52AC3EB5-1BD0-4A41-8EAD-5A779E125BF8@intel.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <06543a46-8218-fa9c-827f-8a0e2d364963@sit.fraunhofer.de>
Date: Sun, 24 Nov 2019 16:31:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <52AC3EB5-1BD0-4A41-8EAD-5A779E125BF8@intel.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [5.148.85.20]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/lnxZDwIncEkAp_rDSLDUo4Agd9o>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2019 15:31:20 -0000

Hi all,

in a nutshell, one of the things I tried to express is that the 
following quite is simply not correct wrt to what is called here the 
"TPM-style" (I would really like to not use the words "TPM-style" and 
not to mixing authenticated & secure boot. Authenticated Boot is fine):
  > Primarily the difference between TPM-style that doesn’t rely on 
secure boot and non-TPM-style that does rely on secure boot.

It is never possible to create TPM structures that are signed 
Attestation Evidence, if a device that is explicitly intended to conduct 
"secure boot" did actually not do so successfully. That is one of the 
key-features of TPM/TSS remote attestation procedures.

On the other hand, what leaves me puzzled is the following. If these 
three quotes are all correct...

> You cannot create an EAT unless the authenticated boot was successful. The key material with which to sign the EAT is inaccessible if authenticated boot fails (or else the device just won’t boot at all).

draft-ietf-rats-eat-01:

> All claims are optional

and draft-ietf-rats-eat-01 again:

> 3.7.  Secure Boot and Debug Enable State Claims (boot_state)
> 
>    This claim is an array of five Boolean values indicating the boot and
>    debug state of the entity.

... one is allowed either to omit that Claim in an EAT or set some 
values of the Claim members to false. Therefore indicating that the boot 
state is, e.g. "secure_boot_enabled=> false", and still be able to 
create the EAT. Is that correct? If not, why include this member of the 
boot_state Claim at all? It always made me think until now that it 
allows for a device to not conduct "secure boot" and still be able to 
create an EAT.

Besides that, what I think we are actually talking about is implicit and 
explicit attestation.

The "non-TPM-style" RATS Laurence is talking about seem to be implicit 
remote attestation and that if of course of "equal stature" to the 
implicit remote attestation that uses a TPM. I am not arguing with that 
- I am agreeing with that! :)

Viele Grüße,

Henk

On 23.11.19 20:20, Smith, Ned wrote:
> @laurence - By “this” you mean the difference between implicit and 
> explicit attestation?
> 
> *From: *RATS <rats-bounces@ietf.org> on behalf of Laurence Lundblade 
> <lgl@island-resort.com>
> *Date: *Saturday, November 23, 2019 at 8:44 AM
> *To: *Henk Berkholz <henk.birkholz@sit.fraunhofer.de>
> *Cc: *"rats@ietf.org" <rats@ietf.org>, Kathleen Moriarty 
> <kathleen.moriarty.ietf@gmail.com>, "Smith, Ned" <ned.smith@intel.com>
> *Subject: *Re: [Rats] Two types of secure attestation
> 
>     On Nov 21, 2019, at 6:26 PM, Henk Birkholz
>     <henk.birkholz@sit.fraunhofer.de
>     <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
> 
>     There are no semantic difference between the "simple non-TPM EAT"
>     scenario and the TPM-based implicit remote attestation scenario.
>     They are if fact the "same types of secure attestation”.
> 
> I don’t have any need to drive taxonomic distinction when unnecessary, 
> but note that the YANG module has to have explicit different facilities 
> to be able to handle both.
> 
> The verifier implementations for these two types are also very 
> different. in the "non-TPM EAT” scenario no known-good-values for SW 
> hashes are need to be supplied to the verifier.
> 
> I don’t think these are the only differences that we’ll encounter in 
> real implementations.
> 
> This should probably all be described the architecture document. Seems 
> as significant as the passport vs background check distinction.
> 
> LL
> 
> 
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

v2.23.0 | Report a Bug | By Email