Re: [Rats] 3 Use cases
"Panwei (William)" <william.panwei@huawei.com> Mon, 15 July 2019 11:40 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F389120106 for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 04:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYii2TMwLJUI for <rats@ietfa.amsl.com>; Mon, 15 Jul 2019 04:40:11 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97E06120018 for <rats@ietf.org>; Mon, 15 Jul 2019 04:40:11 -0700 (PDT)
Received: from LHREML713-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 367A8B9DDCB79FF58A9A for <rats@ietf.org>; Mon, 15 Jul 2019 12:40:09 +0100 (IST)
Received: from NKGEML412-HUB.china.huawei.com (10.98.56.73) by LHREML713-CAH.china.huawei.com (10.201.108.36) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 15 Jul 2019 12:40:08 +0100
Received: from NKGEML513-MBS.china.huawei.com ([169.254.2.51]) by nkgeml412-hub.china.huawei.com ([10.98.56.73]) with mapi id 14.03.0439.000; Mon, 15 Jul 2019 19:40:03 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: 3 Use cases
Thread-Index: AQHVOutRhw639TMETEyILpbQfS/JXqbLavdQ
Date: Mon, 15 Jul 2019 11:40:03 +0000
Message-ID: <30E95A901DB42F44BA42D69DB20DFA6A69FC00C1@nkgeml513-mbs.china.huawei.com>
References: <HE1PR0701MB2267E23FFE8FF91F5DAC6FD58FCF0@HE1PR0701MB2267.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB2267E23FFE8FF91F5DAC6FD58FCF0@HE1PR0701MB2267.eurprd07.prod.outlook.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.134.37.117]
Content-Type: multipart/alternative; boundary="_000_30E95A901DB42F44BA42D69DB20DFA6A69FC00C1nkgeml513mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/t344qRF-QufHUkoKzZD0sbBsEaU>
Subject: Re: [Rats] 3 Use cases
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 11:40:14 -0000
Hi Ian, Thanks, please see inline. Regards & Thanks! 潘伟 Wei Pan 华为技术有限公司 Huawei Technologies Co., Ltd. From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Oliver, Ian (Nokia - FI/Espoo) Sent: Monday, July 15, 2019 4:57 PM To: rats@ietf.org Subject: [Rats] 3 Use cases Supply Chain Attestation A device is shipped from an OEM via some delivery mechanism and is received by a customer. The customer requires assurance that the device has not been tampered with. This differs from the usual attestation scenarios between a device/element and attestation server/verifier in that this requires knowledge of the partial or full configuration of the device being shipped and configured before introduction into the customer's environment. This use case then requires interaction between two attestation points to ensure that the integrity of the device has not changed with regards to a) the device, b) the original [possibly partial] configuration, c) the device manufacturer's measurements and d) the receiver - customer's - measurements. [Wei] I have the same feeling with Thomas. The OEM is the Asserter in the RATS architecture, it can publish the Attestation Assertions to the Verifier (And this is out of scope of RATS). What makes this a different use case? Dynamic Systems All current integrity mechanism assume a certain degree of fixed properties, eg: TPM's CRTM/SRTM, and known configurations. A case exists where a set of, say, IoT devices each with integrity measurements are attested by some Edge node. The Edge node may combine the IoT device measurements into a single measurement (eg: Merkel Tree). If the configuration of IoT device changes, particuarly in relation to availability of device, then this combined measurement will change. This changed measurement however may be a valid configuration. For example, in a medical case, the set of measurement devices may be rapidly changing due to necessity of network provisioning, device availabiltiy etc, but the permutations of devices may still be valid. [Wei] Sorry, I didn’t get this very clearly, can you elaborate this? I’m confused about what’s the use of this combined measurement. Data Attestation A piece of data received from a trusted element may itself contain information about the configuration of that device when that data was received.. This might be a single measurement or a combination of measurements over time bounded by a session or transacition. In this use case we continue the chain-of-trust up from the device firmware/operating environment to the data. This enables that once a data packet is received, it's integrity can be checked (cf: JWT) and this information also be traced to the device that produced that data. The data and device then can be attested together.. [Wei] This is interesting. It looks like that sending the attestation claims and the data together to attest the device and the data simultaneously. I think the claims discussed in the WG so far are not very simple (many informations need to be conveyed to show the device’s integrity), is this use case a operational one? -- Dr. Ian Oliver Cybersecurity Research Distinguished Member of Technical Staff Nokia Bell Labs +358 50 483 6237
- [Rats] 3 Use cases Oliver, Ian (Nokia - FI/Espoo)
- Re: [Rats] 3 Use cases Thomas Fossati
- Re: [Rats] 3 Use cases Panwei (William)
- Re: [Rats] 3 Use cases Oliver, Ian (Nokia - FI/Espoo)
- [Rats] Dynamic Systems in IETF RATS (was Re: 3 Us… Michael Richardson
- [Rats] Supply Chain Attestation (was Re: 3 Use ca… Michael Richardson
- [Rats] Data Attestation (was Re: 3 Use cases) Michael Richardson
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Kathleen Moriarty
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Smith, Ned
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Henk Birkholz
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Laurence Lundblade
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Michael Richardson
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Henk Birkholz
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Henk Birkholz
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Kathleen Moriarty
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Laurence Lundblade
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Smith, Ned
- Re: [Rats] Dynamic Systems in IETF RATS (was Re: … Oliver, Ian (Nokia - FI/Espoo)
- Re: [Rats] Data Attestation (was Re: 3 Use cases) Oliver, Ian (Nokia - FI/Espoo)
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Michael Richardson
- Re: [Rats] Supply Chain Attestation (was Re: 3 Us… Smith, Ned