IETF Logo Mail Archive

Re: [Secdispatch] [lamps] IDevID considerations document to secdispatch

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 22 July 2020 08:56 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D79843A03FF; Wed, 22 Jul 2020 01:56:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fAjZipvjS1w; Wed, 22 Jul 2020 01:56:16 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2061.outbound.protection.outlook.com [40.107.22.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01B323A03F3; Wed, 22 Jul 2020 01:56:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cTG5R3uo2IpKhT8kq3psXUyrbwStwjFlUP3ZRNdn1MVzk1AFHE4IH+F3Kjx5TUKpV69nIf0yUp/a9EDB9NEhsB/7C7UN4kGrYH+pajJk3zbGAEva6nhjVigHTgj/YegjEwqyb3g30PA8c5ooHnWl59QGh/ARJiyC/6fZZb328HAI0LpnmRYjqvy2LmxTVxmovhxVo6LUnoLRED/0TKZ/OEM1RRDD+tu2z/LWXytTsydirno0pkpeZUkAZosZhkKWFF0bp3usYu9em85ONRzNZKVHx9MWeAssUdRh6oHx2kCF3b3cR4v6D8t38t4TUPnj2F7x13FusAU+YdYb198I1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iSWQZK6CT+BT6bvxdxhLk2rf9uj5DwjITaxcfOVQBrk=; b=TCkzDnfvutquuO6ce76m+94GTe2m0xPzWRCW7RX+QQ3YiUiY41xDZCAPulw5fSRH7babyybQLZzpKeX4yjBgG+sqSHMn832HQRQafvpGBYf+CX/078EIQ5mqGy1MW2q4Zmp0+tMaFu1pDsH84S74M6cuTan0SzHn3vJzCyYkd75h0xPpeM88tB5Q/de8miHdyRUNFoXblrngFVxqwQ1YAQU39UrRRYfkU1yKevhXjIKrSnZVxB4tScvws3jDjpytEbGQPUtTSHOMOeXYp+Ez4jFfHoI9o+10LyoeDYoCNA2MG7Hcdwch3qf0CUF1u1q+V0g89vO0rd/HVGkH2JfoGQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iSWQZK6CT+BT6bvxdxhLk2rf9uj5DwjITaxcfOVQBrk=; b=oUDRdZgLX93Ro2o6Q0BeAU0R0MD8Sb1aBJCNrYKXPOcIdTcFqLL5VJsUsgzVzR92RE0Hu/nM6QtNX8wlpOSgJ0sRX5mL78g4Zh6E+fw+w4F7MW4bsDMFMg6zBA2lgpYd5b3EXwKl1Z9QZdUzJc6H/grVMxyeAfG4tdUbBjvoa+U=
Received: from AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:184::10) by AM0PR10MB3457.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:154::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.22; Wed, 22 Jul 2020 08:56:13 +0000
Received: from AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM ([fe80::288b:3b52:cf90:8fc0]) by AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM ([fe80::288b:3b52:cf90:8fc0%9]) with mapi id 15.20.3195.028; Wed, 22 Jul 2020 08:56:13 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Tomas Gustavsson <tomas@primekey.se>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] IDevID considerations document to secdispatch
Thread-Index: AQHWP8N6k88ddaiq9U6Bs/QsBzthBajTsr2AgAV/EICAFWp0gIAAvESAgCOWHwCAAGIVgIAAOgCg
Date: Wed, 22 Jul 2020 08:56:13 +0000
Message-ID: <AM0PR10MB3153C1550CE5E7E7EBFACBD9FE790@AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM>
References: <159176190855.9169.7350787463977998504@ietfa.amsl.com> <10463.1591763623@localhost> <13107.1591804306@localhost> <f7cdd360-7ab7-28f6-86b9-9f8c4ae04aaf@primekey.com> <5843.1591897975@localhost> <092308c1-dc44-4989-e3a5-1a248a3c361e@primekey.com> <20595.1593377487@localhost> <841240ae-f610-dcf8-1e29-c73371ae976b@primekey.com> <22303.1595374300@localhost> <08ab938b-deee-09f2-697b-657049cc4192@primekey.se>
In-Reply-To: <08ab938b-deee-09f2-697b-657049cc4192@primekey.se>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=564c554f-cedb-425c-a34c-0000f7674392; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-07-22T08:50:19Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
x-document-confidentiality: NotClassified
authentication-results: primekey.se; dkim=none (message not signed) header.d=none;primekey.se; dmarc=none action=none header.from=siemens.com;
x-originating-ip: [165.225.200.158]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 9614d11e-53da-4fa0-c0cb-08d82e1d1679
x-ms-traffictypediagnostic: AM0PR10MB3457:
x-microsoft-antispam-prvs: <AM0PR10MB3457A49EA3E17152F86257EDFE790@AM0PR10MB3457.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LHgzG0IpzzKjliD8tqIzURGiolA3ozxnCjZT1fc6C8RrUFbJcCgqX2oVsyJcsxbgkg7xfJcc9EVwjP3PuuJXWhvUr5mie3Yya47eDfY/fSX7rtHrqrIN54ZCyMdNxJrfvp1JHGCsvKopR4mhfRPFtzaRDpwJ6ErojfBDPE4TpI38KvUQ4J1W4f3vN4zNK/j+Y9aP82itpmUKCUo3/onZoM+xj2ppGlwG9pYyN/mk15wLD+52JDIv2U3q2M8Vz0gN4GpobJ6cToVM9NW6xB8uXSYR9Jbr0Eg1pjUSGXuoGJ1YAA43n84b/ILjRYru/wM7uxTOTtMXC8jK1392R9yUxg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(366004)(396003)(39860400002)(376002)(52536014)(8676002)(186003)(83380400001)(6506007)(316002)(71200400001)(2906002)(26005)(8936002)(5660300002)(478600001)(66476007)(66946007)(55236004)(76116006)(66556008)(7696005)(9686003)(55016002)(53546011)(110136005)(54906003)(86362001)(4326008)(33656002)(64756008)(66446008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: gWK2EenDW8O9O1ZslEEzVPd99JKCFbcZjbp5kfiyIPw0FbsqossLaEw68x7Ymp5SPxp2WxBEQO7ZCFwkye0l3fS0vi4djCXZcLUBDaaOlpfcomwk5fmDLvKEGiFrj90SFn/ydewYk0r7DW+8VfjD6z1i5XLQyJS9XpPVc/Jg8jdd9GC4Rbru+loWGPJg0HURyCgUgcCI7YL6/DRmZKSOl5eWyOh+5VayDvsgGe6afp1ZuuomvWtaseb18sDfTgTtCnaVUfIypdzso/e3nalnyzguwYz0GizQWHYgX4l7mXIG5vYrMgtS1T5p0K1YkTZUBCs0M3yg7hnFopdIbQTQY1yA35JuzDiqBRyVeQGnQnwEpblX0FdMubnqWaZXVAtfS23UQgMxRSSUZeUyhtr7AZw21o9FxZa++ToMRm/k5Mm8OnnGqwofRNlrvx2pnuupZUPVPfewBMC0flC9E5HsUdkhAG6pHbcrPizgFjjw48RiTrTr/NB/ZnVQcucVPnIE
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 9614d11e-53da-4fa0-c0cb-08d82e1d1679
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jul 2020 08:56:13.7737 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: V2fnxPjgE5a0ErMcsyfGxwumNwySeYteJz74bLOt3WxNkrLqWnc6BSkgewke44ZW6Sgfz18/v9bsL8I/kMnud5BAamScBMV7ZPHOH1f447Q=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB3457
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/02RM2SbiC7VQofZ5iE9b-Nd2YLw>
Subject: Re: [Secdispatch] [lamps] IDevID considerations document to secdispatch
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 08:56:18 -0000

> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Tomas Gustavsson
> 
> On 2020-07-22 01:31, Michael Richardson wrote:
> >
> > Tomas Gustavsson <tomas.gustavsson@primekey.com> wrote:
> >
> >     > On 2020-06-28 22:51, Michael Richardson wrote:
> >     > 2.1.2.  Off-device private key generation
> >     > Typically CA-generates-keystore process. Some protocols, i.e.
> >     > CMP/RFC4210 have standard support for encrypting the private key sent
> >     > back to the client
> >
> > I have named this:
> >    a) _factory-generated_ / _mechanically-transfered_
> >       Like a serial console connection, or a JTAG flash writer.
> >
> > for b) _factory-generated_/ _network-transfered_
> >
> > yes, but what key would you use? :-)
> > The device has nothing....
> 
> Very good question, I thought the same.
> In the case I see, the device don't talk directly with the PKI.
> There can be a secure HW device in the factory interacting with production line
> on one side, and the CA on the other. It can talk something device specific,
> direct connect, with the device on the production line, and make the CMP calls
> to the PKI. The private key generated (by the CA) is then encrypted with the
> gateways public key (where the private key is kept in an HSM/TPM/SmartCard).
> Yes, the "gateway" becomes a point where the private key is decrypted and
> vulnerable for a short time, so it's not for every scenario.

I wrote down some thoughts on central key generation in tools.ietf.org/html/draft-ietf-lamps-lightweight-cmp-profile-02#section-4.1.6.

   There are some cases where an EE is not able or not willing to
   locally generate the new key pair.  Reasons for this may be the
   following:

   o  Lack of sufficient initial entropy.

   Note: Good random numbers are not only needed for key generation, but
   also for session keys and nonces in any security protocol.
   Therefore, we believe that a decent security architecture should
   anyways support good random number generation on the EE side or
   provide enough entropy for the RNG seed during manufacturing to
   guarantee good initial pseudo-random number generation.

   o  Due to lack of computational resources, e.g., in case of RSA keys.

   Note: As key generation can be performed in advance to the
   certificate enrollment communication, it is typical not time
   critical.

   Note: Besides the initial enrollment right after the very first
   bootup of the device, where entropy available on the device may be
   insufficient, we do not see any good reason for central key
   generation.

   Note: As mentioned in Section 2.1 central key generation may be
   required in a push model, where the certificate response message is
   transferred by the PKI management entity to the EE without receiving
   a previous request message.

- Hendrik

v2.23.0 | Report a Bug | By Email