Re: [Rats] draft-chen-rats-tee-identification-01 and IDevID
"yangpenglin@chinamobile.com" <yangpenglin@chinamobile.com> Tue, 03 August 2021 02:52 UTC
Return-Path: <yangpenglin@chinamobile.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4153A0C38 for <rats@ietfa.amsl.com>; Mon, 2 Aug 2021 19:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.399
X-Spam-Level:
X-Spam-Status: No, score=-0.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0Y5D9oDiabm for <rats@ietfa.amsl.com>; Mon, 2 Aug 2021 19:52:18 -0700 (PDT)
Received: from cmccmta2.chinamobile.com (cmccmta2.chinamobile.com [221.176.66.80]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC223A0C36 for <rats@ietf.org>; Mon, 2 Aug 2021 19:52:15 -0700 (PDT)
Received: from spf.mail.chinamobile.com (unknown[172.16.121.11]) by rmmx-syy-dmz-app08-12008 (RichMail) with SMTP id 2ee86108af53e53-ef9ff; Tue, 03 Aug 2021 10:52:03 +0800 (CST)
X-RM-TRANSID: 2ee86108af53e53-ef9ff
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[221.130.253.135]) by rmsmtp-syy-appsvr06-12006 (RichMail) with SMTP id 2ee66108af4feb4-7a7c6; Tue, 03 Aug 2021 10:52:01 +0800 (CST)
X-RM-TRANSID: 2ee66108af4feb4-7a7c6
Date: Tue, 03 Aug 2021 10:51:59 +0800
From: "yangpenglin@chinamobile.com" <yangpenglin@chinamobile.com>
To: Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
Cc: chenmeiling <chenmeiling@chinamobile.com>, 粟栗 <suli@chinamobile.com>
References: <0264979E-551B-41FE-BFAC-5A2A70A4C3AB@island-resort.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.16.188[cn]
Mime-Version: 1.0
Message-ID: <2021080310515807143522@chinamobile.com>
Content-Type: multipart/related; boundary="----=_001_NextPart025683217767_=----"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tpaBazBFZtQzpkyjgjcMuD_5fF4>
Subject: Re: [Rats] draft-chen-rats-tee-identification-01 and IDevID
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2021 02:52:23 -0000
Hello there,as one of the authors, thank you very much for your advice, and it helps a lot. I made a comparison below to make a clarification about the difference and the meaning of TEE identification.
Architecture of IDevID
Architecture of TEE Identification
In figure 1,the identity of IDevID will be exposed during the interface which is shown in arrow. In another word, there is no trusted binding between the ID and EAP-TLS server. If the attestation device is compromised, the attackers could obtain the ID and use it in other authentication scenarios.
In figure 2, all the ID related data will be encrypted by EAP-TLS handshake keys. The Inner middle layer could only export the handshake secret key encrypted certificate after verifying the credentials of EAP-TLS server. Since the EAP-TLS server will generate a random during every connection, so this architecture could also prevent replay attack.
The above is the fundamental distinction of these two architectures. This TEE identification architecture also indicates that this draft mostly focuses on the Inner middle layer and external middle layer design to provide a mechanism that could build a trusted connection between TEE and EAP-TLS Server.
In the webinar there is a question about which identity should be supported in the architecture. Because of time limitation we cannot communicate very well. I think that the draft doesn’t restrict the type of identities since it can use X509 or RPK to identify during the process of EAP-TLS establishment. Or other identities could be sent out as encrypted application layer data after the EAP-TLS establishment.
AS a summary, the meaning of this architecture is to build a trusted authentication procedure with EAP-TLS server when the TEE resource is restricted. (If the TEE resource is sufficient, the whole network stack and EAP-TLS client could be involved in TEE.) And based on the protection of TEE, the sensitive data like IDs, keys will never be exposed in REE as plaintext.
BR
Penglin Yang
China Mobile
From: Laurence Lundblade
Date: 2021-07-31 06:33
To: rats
CC: chenmeiling; suli
Subject: [Rats] draft-chen-rats-tee-identification-01 and IDevID
This is just to note that draft-chen-rats-tee-identification-01 seems conceptually similar to IDevID which is described in
IEEE Std 802.1ARTM-2018, the title of which is "Secure Device Identity”.
LL
- [Rats] draft-chen-rats-tee-identification-01 and … Laurence Lundblade
- Re: [Rats] draft-chen-rats-tee-identification-01 … yangpenglin@chinamobile.com
- Re: [Rats] draft-chen-rats-tee-identification-01 … Laurence Lundblade
- Re: [Rats] draft-chen-rats-tee-identification-01 … Meiling Chen
- Re: [Rats] draft-chen-rats-tee-identification-01 … yangpenglin@chinamobile.com