[Suit] Trust Anchor Store definition in arch doc

Dave Thaler <dthaler@microsoft.com> Mon, 25 March 2019 12:24 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 23F6F1203C3 for <suit@ietfa.amsl.com>; Mon, 25 Mar 2019 05:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id oet2cSjEFp1f for <suit@ietfa.amsl.com>; Mon, 25 Mar 2019 05:24:11 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0718.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe48::718]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21F89120390 for <suit@ietf.org>; Mon, 25 Mar 2019 05:24:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HoSs7xzWoydXPg4+C+c1hS7eWcKNukiML6uAOb85rNc=; b=dSeZNFPySi/M5C30AL6hp32YnIGIItLFRZlb6Q76TShCXXktyBs7PAvp9hnO+qlLerN5AWQl06Iuv5LVqxBlRCiYeNVvQpm9QtauAqqqd3tfadRRB0cDeJqlwAbR6AFH/MWKhFfcMXD4qxu7E1X532Bnf3LVAhiWrCNHbIEi/uo=
Received: from CY4PR21MB0168.namprd21.prod.outlook.com ( by CY4PR21MB0854.namprd21.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.4; Mon, 25 Mar 2019 12:24:09 +0000
Received: from CY4PR21MB0168.namprd21.prod.outlook.com ([fe80::e4d9:80f9:fab1:345c]) by CY4PR21MB0168.namprd21.prod.outlook.com ([fe80::e4d9:80f9:fab1:345c%10]) with mapi id 15.20.1771.002; Mon, 25 Mar 2019 12:24:09 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: "suit@ietf.org" <suit@ietf.org>
Thread-Topic: Trust Anchor Store definition in arch doc
Thread-Index: AdTjBNd6xSglwDJFQCWGvNTd/DgAqA==
Date: Mon, 25 Mar 2019 12:24:08 +0000
Message-ID: <CY4PR21MB01682507A61342DBCDFDD134A35E0@CY4PR21MB0168.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-03-25T08:12:04.6201210Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=35848b81-54e7-440d-89cc-a06b23ddec14; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
x-originating-ip: [2001:67c:1232:144:59f:8af1:1157:c36a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 63e2ed76-9998-48b7-f962-08d6b11cc819
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:CY4PR21MB0854;
x-ms-traffictypediagnostic: CY4PR21MB0854:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <CY4PR21MB0854B77C4E604A786B2C09DAA35E0@CY4PR21MB0854.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0987ACA2E2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(346002)(39860400002)(376002)(366004)(189003)(199004)(6436002)(8676002)(86612001)(5640700003)(81156014)(33656002)(54896002)(6916009)(7736002)(81166006)(8936002)(1730700003)(790700001)(5660300002)(6346003)(8990500004)(606006)(53936002)(68736007)(53546011)(2501003)(9686003)(6116002)(74316002)(2906002)(97736004)(10090500001)(6306002)(256004)(236005)(22452003)(71200400001)(55016002)(52536014)(14444005)(10290500003)(99286004)(86362001)(6506007)(478600001)(46003)(71190400001)(476003)(105586002)(7696005)(106356001)(486006)(25786009)(186003)(316002)(2351001)(966005)(102836004)(14454004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0854; H:CY4PR21MB0168.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 0JwP5l7sSqhnFkOI/9T9MTI8cRlvw3PYZENluxZJ/7R4VP6GP+S2wthH2mgYNmAULlyDss1Fm8AZvGFErUkfdZEZEtjedqazfqrCe0EmZeZVunTOfObB1/d1DlxKYBV5muvioaEoeL0dkhSggr3lW84XDCPtHnRIMpr1Ho4vPWPZvPBsN4OmHAdF1pOsX0UhjvRXoE8fUpTztOXm8pX1gvsIOVLqFxEOsQRWf8FVBpQq5mJcLcHtGnMYv6/SCEt+NcmUZcfCWW8erxKqehVsrd6qWDqFS/NGh6otV44kKyxslqU0Z2R8sj2pMLb0DEiwxrtVszCtMw979+T7gfI2fqehZS1gH2r4/jV6saNanvQqj9A5ENf0KbVeOPi5qlnIoiRh3aWd70b5xoooihKCsH4RaCjIuQE1nXkDsb2cUFk=
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB01682507A61342DBCDFDD134A35E0CY4PR21MB0168namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 63e2ed76-9998-48b7-f962-08d6b11cc819
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2019 12:24:09.2358 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0854
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/BiuwYIQIs5WZUHyyoDDEVyZ_Ulw>
Subject: [Suit] Trust Anchor Store definition in arch doc
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 12:24:14 -0000

There’s a discussion on the TEEP WG list, where David Wheeler provided feedback that applies to the SUIT architecture document text.
Forwarding his feedback to SUIT, with his permission.  (Most recent response, with said feedback, at top, with older responses following,
since that’s what github did with them…)


--------------------- feedback follows -----------------------

From: Dave W <notifications@github.com>
To: ietf-teep/architecture <architecture@noreply.github.com>
Sent: Monday, March 25, 2019 9:34 AM

I agree with the definition as posted, but I believe that there is a requirement missing.

Specifically, a trsut anchor store must resist modification against unauthorized insertion, deletion, and modification. Without such a requirement, a plain-text file on my file system containing X.509 certificates would be a trust anchor store. Any attacker on the platform can add new trusted certificates and remove other trusted certificates. This does not meet the minimal requirements for TEEP, because if any modification is performed to the trust anchor store that can change the management of the TAs.

Perhaps there is an underlying assumption that the trust anchor store is kept within the TEE. But that is not stated in the discussion. However, mandating the store be inside the TEE is restrictive of implementations. In some renditions I am aware of, the trust anchor store is kept by a separate entity outside the TEE, and there is a trusted channel between the TEE and the store.

Therefore, I think the definition @DaveThaler provided needs to be updated to include security requirements on the protection and management of the store.

From: Dave Thaler
Sent: Monday, March 25, 2019 9:12 AM
To: ietf-teep/architecture <reply+0063e94802a8defb98ba39e69635dd4d9fba698110c13de492cf0000000118b04ada92a169ce1951090e@reply.github.com>om>; ietf-teep/architecture <architecture@noreply.github.com>

Here’s what https://tools.ietf.org/html/draft-ietf-suit-architecture-03 currently says:

   The terms 'trust anchor' and 'trust anchor store' are defined in

   -  "A trust anchor represents an authoritative entity via a public
      key and associated data.  The public key is used to verify digital
      signatures, and the associated data is used to constrain the types
      of information for which the trust anchor is authoritative."

   -  "A trust anchor store is a set of one or more trust anchors stored
      in a device.  A device may have more than one trust anchor store,
      each of which may be used by one or more applications."

As co-chair of both WG’s, I’d suggest that the teep arch doc and the suit arch doc be consistent.


From: Dave W <notifications@github.com<mailto:notifications@github.com>>
Sent: Monday, March 25, 2019 8:53 AM
To: ietf-teep/architecture <architecture@noreply.github.com<mailto:architecture@noreply.github.com>>

In my view, a Trust Anchor is a

  *   a unique identifier for a trusted entity that is used to select a verification key for that entity
  *   a trust anchor resists replacement, modification or corruption by an adversary

An X.509 certificate by itself does not fulfill the second criteria, as by itself it cannot resist replacement.
Some mechanism to protect the key must be used. A typical example is fuses - a hash of the public exponent and modulus of an RSA key is put in fuses. Then either an X.509 certificate or even just a raw RSA key, can be used as the trust anchor. The fuses are set during manufacturing or some post manufacturing process, by a trusted entity (manufacturer, device admin, device owner, etc.).
The hash of the public key and modulus is typically referred to as a FINGERPRINT.

One recommended approach to a trust anchor list is for the device manufacturer to provision a hash of the RAW RSA key into fuses (it can be any type of key, ECDSA if you prefer, but we will use RSA for the example). The private RSA key is held by the trusted entity. Trusted keys can be issued at any time by the trusted entity by putting the new trusted key into an X.509 certificate and signing that certificate with the Trust Anchor key. The device can check if this new key it receives is trustable, by verifying the certificate is signed by a key whose hash matches the hash in fuses.

We must be clear that there are can many ways to create a Trust Anchor list. X.509 certificates are not required. Fuses are not required. I can use locked Flash blocks. I could also use encrypted battery-backed RAM. I could use separate flash accessible only to a TEE. Many, Many ways are possible.

We must identify ONLY the REQUIREMENTS for the trust anchor, and their usage. Examples are fine to provide, but the requirements are the basis, so we allow different implementations.