IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 19 November 2019 15:25 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99A6120105 for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 07:25:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sOo03NLb2UD1 for <rats@ietfa.amsl.com>; Tue, 19 Nov 2019 07:25:07 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CFAC1200F4 for <rats@ietf.org>; Tue, 19 Nov 2019 07:25:07 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id b18so22889434wrj.8 for <rats@ietf.org>; Tue, 19 Nov 2019 07:25:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=48FI9PCOSBhdlg3qALRDbe19wHyA98u0cr3pWwgqEIs=; b=DDoup4RW3oN9VfNJ7scn194miTp6eT9EHPBAlCCosEzvm3imljxWXTb27zbfSM1zB3 MLTR15g/C93gRbDMCFckpcgo9YjCYnXzgTZIeYkL1rrbrTJZ6g4QFCVwctHgSe20cNoE WjRHBBOVZi+r3P1VKm2do9fAPCauAJDZh+ACLt/ElxTpSyg7eQx9jjS2I/LrPNiwZhml vopn59rB7sb6ZLRvO7Ln3Ww8jHsFDqJfHY3++o55zvwspmcletnbKmrYrcF7XxvLLBl+ CF5eBj74NxwTDqNV9wHN1HNrgEmkZzEB36SYLXB+agp0N9GhRH8TSVkoAQ6TEkVzPehr eYKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=48FI9PCOSBhdlg3qALRDbe19wHyA98u0cr3pWwgqEIs=; b=YhlLVctJdIks3fhmQlcewN8Gz/iPwNyXrC7JD/fSVLy9anT8EGLt9zAjPAAGKwoVlQ n9Gu+K6X+xJRijCmz2bwgdXVN0uQAzTEobc/DWElwn87PWXhrPkg4xzphwF5zb55Y4ta lDMMm12ko3uJW1+EzEMl3cl6lZ2R/wunEqblYSnT5gr+zBU3fQc0OxtgAMgQRY7Cfox2 akUjwIwK0zviZL2gEebbMKC9au9PEs3ZsaoHL2CxmaZn9J0FrzqxCZ9jf+MZae5poUuK KPZi1d2K14YrU+o6uO8/cEu72XlbmPnlOXu9/ySVodYhlqoKPbbEU+E6KPnZgjwaGowu BYrA==
X-Gm-Message-State: APjAAAVIlLq134er2Dy/Y5RiaJuTY9uXGN2vUN4xxBTmDvHjf6aLB3cR rkFdsTTIM2cYDn5CNhP8n6TmnLL3zJY=
X-Google-Smtp-Source: APXvYqxQSYf6LFvTh4r8ZHSI8Zmj3d2J8pkaGr4SgER3RqTfo/t/4BBpphXPZ8R3Nrra8XcCADA7QQ==
X-Received: by 2002:adf:b1cb:: with SMTP id r11mr1568982wra.246.1574177105105; Tue, 19 Nov 2019 07:25:05 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id a206sm3567889wmf.15.2019.11.19.07.25.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Nov 2019 07:25:04 -0800 (PST)
To: Laurence Lundblade <lgl@island-resort.com>, rats@ietf.org
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <e3143846-77f7-740e-65f9-c6530471b5d2@gmail.com>
Date: Tue, 19 Nov 2019 16:25:01 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com>
Content-Type: multipart/alternative; boundary="------------F67B58567BC9FCAE97472E71"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/veS17GWtViTeT36aLZv0IbsV4D4>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 15:25:12 -0000

On 2019-11-19 14:26, Laurence Lundblade wrote:
> Fundamentally, I think there are two ways that an attestation verifier comes to know that a device / entity is running approved SW and will behave as desired.

Yes, it seems that the IETF activity around trusted computing for unknown reasons intends ignoring the attested-session-key-scheme where sub-attestations are based on rolling MACs.
FWIW, this is one of the pillars of the Open Banking Wallet concept although it is not mentioned in this writeup:
https://github.com/cyberphone/doc/blob/gh-pages/payments/dual-mode-open-banking-api.md#background

Thanx,
Anders
https://github.com/ietf-teep/architecture/issues/52

>
> *TPM based*
>
>   * Originates in the PC world where the end user had to be able to choose the system SW
>   * Has a TPM that performs a general measuring function
>       o Has an attestation signing key for signing measurements that is kept secret by the TPM
>       o TPM is generic as it can be used for PC’s, routers, IoT devices
>   * Authenticated boot is optional
>   * Uses a staged boot architecture where each stage must measure (hash) the following stage
>       o Hashes fed into the TPM
>       o TPM generates the attestation of the registers holding the hashes
>   * Device cost raised by cost of TPM part
>   * The verifier must run a parallel set of measurements (hashes)
>       o Verifier is complex
>
>
> *Authenticated Boot based*
>
>   * Origins in mobile phone, TEE and DRM world where the user can NOT choose the system SW
>   * Authenticated boot is required
>       o Uses a boot ROM that really is a ROM, probably in silicon (not flash), that can NOT be changed
>       o Boot ROM verifies the SW that is loaded, particular the top privilege (e.g. kernel) SW
>       o A good implementation has anti-rollback to prevent old versions of SW from being run
>   * Has an attestation signing key that is programmed in fuses or possibly in flash
>       o Has a HW block that prevents access to the attestation key unless authenticated boot succeeds
>       o Only top privilege SW can use it
>   * Attestations are created in the top-privilege SW
>       o Simply signing a nonce proves the device is running approved SW
>       o Easy to add other claims in —> EAT
>   * Device cost raised by need for secure key provisioning in the factory
>   * Verifier is very simple
>       o Just needs to verify the signature and nonce
>
>
> Both provide acceptable security for their use cases and are broadly in use.
>
> RATS needs to support both.
>
> LL
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email