Re: [Suit] suit-firmware-encryption-00
Dick Brooks <dick@reliableenergyanalytics.com> Mon, 31 May 2021 19:56 UTC
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Russ Housley' <housley@vigilsec.com>, suit@ietf.org
References: <19586.1622075797@localhost> <DBBPR08MB5915CEC125579D78C108D540FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com> <F6C86CC2-3AF8-4CC5-BB47-AC6579DAA0C4@vigilsec.com> <13894.1622479289@localhost> <DBBPR08MB59153D31EE75D565A64B4F79FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com>
In-Reply-To: <DBBPR08MB59153D31EE75D565A64B4F79FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com>
Date: Mon, 31 May 2021 15:56:23 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <186901d75657$0ab645a0$2022d0e0$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/0Q0x1ahn4t0Q7eSLOsTyMe-7y9o>
I believe encryption would "get in the way of" a malware scan performed during a software supply chain risk assessment.

Thanks,

Dick Brooks
Never trust software, always verify and report!™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Monday, May 31, 2021 3:47 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>; Russ Housley <housley@vigilsec.com>; suit@ietf.org
Subject: Re: [Suit] suit-firmware-encryption-00

Hi Michael,

> > SUIT is using signature for the authentication and integrity of the
> > firmware. If the signature remains in place, a party in the middle of
> > the distribution cannot insert any malware.
>
> The encryption of the firmware keeps third parties from auditing the software updates to determine if malware has been inserted at the "factory"
>
> Both white and black hats are currently using binary diff systems to look at patches. Black hats use this to develop exploits in the gap between 9am EST and 9am PST!
>
> I am suggesting that this is a "Security Consideration"

A description of the software is contained in the COSWID and, as Brendan suggests, in a MUD file that is included with the manifest (see https://datatracker.ietf.org/doc/html/draft-moran-suit-mud). Furthermore, I can imagine that those authorized to audit the software can do so either based on the source code or by giving them access to the binary.

Ciao
Hannes
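The trade-off argued in this exchange, as an added example that is not part of the thread or of the SUIT drafts: a signature over the encrypted payload still lets a distributor verify integrity and catch tampering without any decryption key, but a content scan of the ciphertext finds nothing, and only a party that holds the key can scan the real image. The code below is written for this page in Go using only the standard library. The `Manifest` structure (two fields, not the draft's CBOR manifest), the byte-pattern search standing in for a malware scanner or binary-diff tool, the key material and the firmware bytes are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Manifest is an assumed minimal stand-in for a SUIT manifest (not the draft's
// CBOR structure): the author signs the digest of the payload as distributed.
type Manifest struct {
	PayloadDigest [32]byte
	Signature     []byte // Ed25519 over PayloadDigest
}

func newGCM(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish (author): AES-256-GCM encrypt the firmware, then sign a manifest that
// commits to the ciphertext, so the signature verifies without the decryption key.
func Publish(firmware []byte, signKey ed25519.PrivateKey, aesKey []byte) (Manifest, []byte, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return Manifest{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Manifest{}, nil, err
	}
	payload := gcm.Seal(nonce, nonce, firmware, nil) // nonce || ciphertext || tag
	m := Manifest{PayloadDigest: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(signKey, m.PayloadDigest[:])
	return m, payload, nil
}

// VerifyIntegrity (distributor or device): public key only, no decryption key.
func VerifyIntegrity(m Manifest, payload []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, m.PayloadDigest[:], m.Signature) && sha256.Sum256(payload) == m.PayloadDigest
}

// ScanForPattern stands in for a malware scanner or binary-diff tool.
func ScanForPattern(data, pattern []byte) bool {
	return bytes.Contains(data, pattern)
}

// AuditDecrypted (authorized auditor): verify the manifest first, decrypt under
// the shared key (GCM's tag rejects a wrong key or altered bytes), then scan.
func AuditDecrypted(m Manifest, payload, aesKey, pattern []byte, pub ed25519.PublicKey) (bool, error) {
	if !VerifyIntegrity(m, payload, pub) {
		return false, errors.New("manifest or payload failed verification")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return false, err
	}
	plain, err := gcm.Open(nil, payload[:gcm.NonceSize()], payload[gcm.NonceSize():], nil)
	if err != nil {
		return false, err
	}
	return ScanForPattern(plain, pattern), nil
}

type DemoResult struct {
	IntegrityOK, TamperDetected bool // distributor, public key only
	ScanOnCiphertext            bool // distributor scanning the encrypted payload
	ScanOnPlaintext             bool // auditor scanning after decryption
}

// RunDemo uses constructed keys and a constructed image carrying a marker string.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	aesKey := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never reuse
	marker := []byte("CONSTRUCTED-SUSPICIOUS-MARKER")
	firmware := append([]byte("constructed firmware image v1.0 "), marker...)
	m, payload, err := Publish(firmware, priv, aesKey)
	if err != nil {
		return r, err
	}
	r.IntegrityOK = VerifyIntegrity(m, payload, pub)
	tampered := append([]byte{}, payload...)
	tampered[len(tampered)/2] ^= 0x01 // one flipped ciphertext byte
	r.TamperDetected = !VerifyIntegrity(m, tampered, pub)
	r.ScanOnCiphertext = ScanForPattern(payload, marker)
	r.ScanOnPlaintext, err = AuditDecrypted(m, payload, aesKey, marker, pub)
	return r, err
}
```

`RunDemo` returns `IntegrityOK` and `TamperDetected` true for the key-less distributor, `ScanOnCiphertext` false, and `ScanOnPlaintext` true only for the party holding the key, which is the division of capabilities the thread is arguing over. What the example does not model is the out-of-band description (COSWID, MUD) that the reply proposes as the substitute for inspecting the bytes.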