IETF Logo Mail Archive

Re: [Suit] suit-firmware-encryption-00

Russ Housley <housley@vigilsec.com> Mon, 31 May 2021 16:23 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 657AD3A1D9E for <suit@ietfa.amsl.com>; Mon, 31 May 2021 09:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlXrXc7b-e06 for <suit@ietfa.amsl.com>; Mon, 31 May 2021 09:23:11 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9056C3A1D9B for <suit@ietf.org>; Mon, 31 May 2021 09:23:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 3CDF8300B88 for <suit@ietf.org>; Mon, 31 May 2021 12:23:10 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id AN_DWu03qugb for <suit@ietf.org>; Mon, 31 May 2021 12:23:04 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 96BE1300B66; Mon, 31 May 2021 12:23:04 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DBBPR08MB5915CEC125579D78C108D540FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com>
Date: Mon, 31 May 2021 12:23:04 -0400
Cc: "suit@ietf.org" <suit@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F6C86CC2-3AF8-4CC5-BB47-AC6579DAA0C4@vigilsec.com>
References: <19586.1622075797@localhost> <DBBPR08MB5915CEC125579D78C108D540FA3F9@DBBPR08MB5915.eurprd08.prod.outlook.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3445.104.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/wmoTTPayekIhjWnV6WLGjI7TMBE>
Subject: Re: [Suit] suit-firmware-encryption-00
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 May 2021 16:23:15 -0000

Michael:

Building on Hannes' response to three of your questions.

> 2) "This might be done to protect
>   confidential information or prevent discovery of vulnerabilities
>   through reverse engineering."
> 
>   this screams security through obscurity.   I know that some people still
>   think that this is important, so I guess I would just drop the claim.
>   There are also some significant public policy issues around declining
>   access to review and audit code, including defending against insertion
>   of malware at the source, or by National Security Letter.
>   (consider SolarWind situation)
>   I would like some text in the Security Considerations about this.
> 
> [Hannes] There may be many reasons why encryption is useful but in the referenced sentence we have been thinking about ROP. I changed the text.
> 
> The issues you mention are also important but are probably unrelated to encryption itself. If you manage to compromise a company that is responsible for distributing software/firmware updates then there will be a problem.
> 
> I agree that there are also challenges with certification schemes that prevent developers from seeing the source code (or from publishing the source code). That's yet another issue.

SUIT is using signature for the authentication and integrity of the firmware.  If the signature remains in place, a party in the middle of the distribution cannot insert any malware.

> 5) We had a discussion about how to have a complete CDDL during the meeting
>   yesterday.   I think that this version has the complete CDDL shown?
>   There isn't that much copy and pasted from 8152(bis), and I think it's
>   clearer like it is.  It just needs to be noted what is coming from 8152.
>   If 8152bis-bis *CHANGED* COSE_Encrypt in an incompatible way, then we'd
>   still be pointing at 8152bis until we updated this document.
> 
> [Hannes] I have followed the suggestion Henk provided at the last IETF meeting and copied the CDDL from COSE and then removed the parts that are not needed by this specification. When Russ reviewed the CDDL he made further suggestions on how to improve the structure because the nested structure (whereby the same names are used for the structures) made it difficult to refer to the relevant elements.

Please let us know if you see ways to add further clarity.

> 9) [snip]
> 
>   Can an ECDH be part of an IDevID?
> 
> [Hannes] You should be able to answer that question...

Are you aware of anyone that is putting key agreement public keys in the IDevID?  I thought everyone was using signature keys.

Russ

v2.8.7 | Report a Bug | By Email