Re: [Rats] FIDO TPM attestation

Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> Thu, 14 November 2019 10:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/mN_Cq7zyVV7CGS5Clvgpevc4eeo>

I just read this morning about <http://tpm.fail/>.

/js

On Thu, Nov 14, 2019 at 09:46:04AM +0000, Fuchs, Andreas wrote:
> The reason for this is that a TEE is a Turing-complete execution environment for arbitrary code,
> whilst the TPM instead has a well-defined, precise functional logic rather than arbitrary code.
> Thus only protocols that have the TPM's functional logic in mind can leverage it to the fullest, and
> FIDO unfortunately did not do so.
> 
> However, this fact that the TPM is well-defined and precise is the big advantage, since it provides
> a much higher level of assurance. Not only is the execution environment (i.e. TEE vs TPM chip)
> standardized and CC-evaluated, but the functional logic (i.e. TPM command set) is as well. The FIDO code
> running inside a TEE is not standardized (to the level of TPM) and most certainly not CC-evaluated.
> 
> Therefore, the TPM is the preferred solution for anchoring trust with high assurance levels and it is the
> duty of attestation protocols to account for its well-defined functional logic in order to establish maximum
> trust in a device or statement.
> 
> Best regards,
> Andreas
> ________________________________________
> From: RATS [rats-bounces@ietf.org] on behalf of Laurence Lundblade [lgl@island-resort.com]
> Sent: Wednesday, November 13, 2019 05:08
> To: rats@ietf.org
> Subject: [Rats] FIDO TPM attestation
> 
> Here’s evidence that remote TPM attestation is not just for routers and is used in non-YANG environments: https://fidoalliance.org/specs/fido-v2.0-ps-20150904/fido-key-attestation-v2.0-ps-20150904.html#tpm-attestation.
> 
> In non-TPM FIDO attestation, the whole attester is in the TEE or such. In TPM FIDO attestation only the key storage and signing is in the TPM. There is reliance on components outside of the TPM for the security of the attestation, so it isn’t the preferred form.
> 
> This is a reason to consider the TPM Token I’ve mentioned. It would allow remote TPM-based attestation to be used anywhere there is a TPM for use cases beyond routers and YANG.
> 
> LL
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
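As an added worked example, not code from the FIDO specification or from anyone on this thread, the following shows what the TPM actually signs in FIDO's TPM attestation (the TPM2_Certify output, a TPMS_ATTEST structure that WebAuthn calls certInfo) and the bindings a verifier has to check itself. The TPM's signature covers only this structure; the link to the FIDO registration exists solely through extraData, which the host software, not the TPM, filled in, and the certified key is identified only by its TPM Name, so both must be checked against the pubArea and authenticatorData||clientDataHash the host supplied. The code assumes SHA-256 for both the key's nameAlg and the attestation hash; the sample pubArea, authenticator data and clockInfo values are constructed here and are not real TPM output, and checking the AK signature over the structure is left out.

```python
"""Parse a TPM2_Certify attestation (TPMS_ATTEST / WebAuthn certInfo) and check
the bindings that must be done outside the TPM.  Added example, not code from
the FIDO spec or any project; all sample inputs are constructed."""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic
TPM_ST_ATTEST_CERTIFY = 0x8017     # TPMS_ATTEST.type produced by TPM2_Certify
TPM_ALG_SHA256 = 0x000B            # assumed nameAlg and attestation hash alg


def _read_tpm2b(buf, off):
    """Read a TPM2B_* field: big-endian UINT16 size, then that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + size]), off + size


def parse_tpms_attest(buf):
    """Unpack a TPMS_ATTEST whose attested union is TPMS_CERTIFY_INFO."""
    magic, typ = struct.unpack_from(">IH", buf, 0)
    off = 6
    qualified_signer, off = _read_tpm2b(buf, off)  # TPM2B_NAME of the signing key (AK)
    extra_data, off = _read_tpm2b(buf, off)        # TPM2B_DATA: caller-supplied qualifyingData
    clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", buf, off)
    off += 17                                      # TPMS_CLOCK_INFO
    (firmware_version,) = struct.unpack_from(">Q", buf, off)
    off += 8
    name, off = _read_tpm2b(buf, off)              # TPMS_CERTIFY_INFO.name
    qualified_name, off = _read_tpm2b(buf, off)    # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {
        "magic": magic, "type": typ, "qualified_signer": qualified_signer,
        "extra_data": extra_data, "clock": clock, "reset_count": reset_count,
        "restart_count": restart_count, "safe": safe,
        "firmware_version": firmware_version, "name": name,
        "qualified_name": qualified_name,
    }


def tpm_name(pub_area, name_alg=TPM_ALG_SHA256):
    """TPM 2.0 Name of a key object: nameAlg (UINT16) || H_nameAlg(TPMT_PUBLIC)."""
    return struct.pack(">H", name_alg) + hashlib.sha256(pub_area).digest()


def verify_certify_binding(cert_info, pub_area, att_to_be_signed):
    """Checks a verifier must perform on certInfo; the AK signature over
    cert_info is verified separately and is not shown.  Returns (ok, reason)."""
    a = parse_tpms_attest(cert_info)
    if a["magic"] != TPM_GENERATED_VALUE:
        return False, "magic"
    if a["type"] != TPM_ST_ATTEST_CERTIFY:
        return False, "type"
    # extraData must be H(authenticatorData || clientDataHash).  This is the only
    # link between the TPM's statement and the registration, and the host
    # software (outside the TPM) chose what went into it.
    if a["extra_data"] != hashlib.sha256(att_to_be_signed).digest():
        return False, "extraData"
    # attested.name must be the Name of the pubArea the host handed over, or the
    # key the TPM certified is not the key being registered.
    if a["name"] != tpm_name(pub_area):
        return False, "name"
    return True, "ok"


def build_sample_cert_info(extra_data, pub_area, qualified_name=b""):
    """Constructed TPMS_ATTEST standing in for real TPM2_Certify output."""
    ak_name = tpm_name(b"constructed AK pubArea")
    return b"".join([
        struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY),
        struct.pack(">H", len(ak_name)), ak_name,
        struct.pack(">H", len(extra_data)), extra_data,
        struct.pack(">QIIB", 1234567, 3, 7, 1),   # clockInfo, values made up
        struct.pack(">Q", 0x2020000000000001),    # firmwareVersion, made up
        struct.pack(">H", len(tpm_name(pub_area))), tpm_name(pub_area),
        struct.pack(">H", len(qualified_name)), qualified_name,
    ])


# Constructed sample inputs, not real authenticator data.
SAMPLE_PUB_AREA = b"constructed TPMT_PUBLIC of the credential key"
SAMPLE_ATT_TBS = b"constructed authenticatorData" + hashlib.sha256(b"clientData").digest()
SAMPLE_CERT_INFO = build_sample_cert_info(
    hashlib.sha256(SAMPLE_ATT_TBS).digest(), SAMPLE_PUB_AREA)

if __name__ == "__main__":
    print(verify_certify_binding(SAMPLE_CERT_INFO, SAMPLE_PUB_AREA, SAMPLE_ATT_TBS))
    print(verify_certify_binding(SAMPLE_CERT_INFO, SAMPLE_PUB_AREA, b"other clientData"))
    print(verify_certify_binding(SAMPLE_CERT_INFO, b"substituted key", SAMPLE_ATT_TBS))
```

Everything the TPM asserts here is "a key with this Name exists in me and the caller passed these 32 bytes as qualifyingData"; whether those bytes really hash the authenticator data, and whether the pubArea really describes the credential key, is established by the host stack and by the verifier's own checks, which is the part of the attestation that lives outside the TPM.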