IETF Logo Mail Archive

Re: [Teep] [Rats] Potential attestation attack

Laurence Lundblade <lgl@island-resort.com> Mon, 13 March 2023 17:20 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C84FFC1524D3; Mon, 13 Mar 2023 10:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id It5eszesbLHx; Mon, 13 Mar 2023 10:20:35 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on20700.outbound.protection.outlook.com [IPv6:2a01:111:f400:7eae::700]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E9A4C152565; Mon, 13 Mar 2023 10:20:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oJBleIsXxEbAE8Qp1OfTNVQ+9MGv5RZulT5tvXpIjK3wqUh3YUX05UARlengQyettD4vMyu10MIRZKN7hoS9SszUzm156eR4ok3sqidbBVXadBzQnqCorwEOsrxcwkM7hNEhMmrVzk3JBKBLl+CJFnz9RRIiQxojKYxkjlDexYqEIHD7IPjT3E1EiPSdgZsURMiuYIh5LPwCuIrut7r3I3KKtK0yzhSIyjNXowGzflow4aeLLn2j+/S1u1tFY81lfQWE2TJRJm4j2vJWBFpZ2bgNv7S5gn7HZUNRbp/kfStkZ7IgMJj1IxHjvXBsQ85Wja0cB0VMkOBhiDTyVx2i4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GxgTF4wWEZFVgvcCldptlkU91dLJpwtUsR53HQZ568Y=; b=I0Zd2xkSMb5zy4plA3pa15+pTfx0qFv7ZhJirH39LoTLa+37XZGJvEvXxM2L9Z/YnkLRzv8f0N7SsbCU3o+VXuTIvdiCeuK1unl2/iXXEm1hEWTmEoXsq40ao50VWDWDYxD9u5xsr3xbKTkcDyAmvVdxekIZFCnArDlZFzTK2LYhhzCUxOOaK4+iBGfobnxY7BR8IHUhPxFV65KbwITFrfBmL9VpodpS39BMZfOzqIzIt4JszieuEuc+sY6rEBPHig9otqODrV86dmGtTdiU+075fHadf3iVoqIcfRbhmu9Mat9Gtj0OsbTwawoXFUPDZRoFOY3qfClhzSW+uAKiqQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by SN7PR22MB3977.namprd22.prod.outlook.com (2603:10b6:806:35c::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.24; Mon, 13 Mar 2023 17:20:31 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1aae:283a:d7b:3d58]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1aae:283a:d7b:3d58%3]) with mapi id 15.20.6178.024; Mon, 13 Mar 2023 17:20:30 +0000
Content-Type: text/plain; charset="utf-8"
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <CAObGJnNHuQhSaz9-+Aa1JiPmd8rBe_5fBjAmyn_Zr=h7zhuU=Q@mail.gmail.com>
Date: Mon, 13 Mar 2023 10:20:28 -0700
Cc: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, Giridhar Mandyam <mandyam@qti.qualcomm.com>, "rats@ietf.org" <rats@ietf.org>, "TEEP@ietf.org" <teep@ietf.org>, Carl Wallace <carl@redhoundsoftware.com>, "orie@transmute.industries" <orie@transmute.industries>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Content-Transfer-Encoding: quoted-printable
Message-Id: <870BEEDF-61F0-437F-AACB-EFF9F77C155B@island-resort.com>
References: <PH7PR21MB38787B32FBFFD320C48AF644A3B89@PH7PR21MB3878.namprd21.prod.outlook.com> <SJ0PR02MB8353F2D66944611E971CB4BB81B99@SJ0PR02MB8353.namprd02.prod.outlook.com> <SN7PR21MB3884E3410BDFBD238E224690A3B99@SN7PR21MB3884.namprd21.prod.outlook.com> <CAObGJnNHuQhSaz9-+Aa1JiPmd8rBe_5fBjAmyn_Zr=h7zhuU=Q@mail.gmail.com>
To: Thomas Fossati <tho.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-ClientProxiedBy: BYAPR05CA0071.namprd05.prod.outlook.com (2603:10b6:a03:74::48) To PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PH7PR22MB3092:EE_|SN7PR22MB3977:EE_
X-MS-Office365-Filtering-Correlation-Id: 7769f2a9-1f60-4ae4-8a81-08db23e73f1a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: hAMIjIU8d2JgSv61AQxwh+al6R6XMTGprtIhPQdRbF7DfSLbyxCO88czlxcg3SgufOCRaK1gnYnfW7piga2QS4Q1L7qWLanfOMDNwgE9gmJ7FLhjUR2zbHr61rp0DI96aKeAsov7bimGMbAbr6iSSKp3CjcqQDD8eE5fBNuERzz3d6rT56F0zDu5tA/Z9k1v1tX/MKzSnqugnSgUEKjqpoWQLXYcerZyiRovdk5ghuBT2FnvwgBDpV02mpnUeqmaehVZ5dqqlBqH7xJrqdNkJqOVkHhJKnbf65IeNkufcN+xcZjEhOf4c0Uz5J9gebClTMo2ZtYA6XU/jyVHESVRF6L6rqVCM7dv23dnFXb1QF8q3icVvp+WX/tx5bihiIprtULIVewgiuBjzaDdB/pugQG+roL3gfnqISeXzGzmXsjmeklsHLBvWFhQ55bPL6XiJLaj7++CW0Ul/2AyD/ArwXGmzN2oHF2E0MVxDiFDUEeWr8WLpl6LoHyUpd8O2RmZXIMt2QDgIBqvXKrFHRXRfaNVPhwH5Ohw107ruaetJiF3ndLbzTOZ1GTaKQ0X7GKq8fmtFnbagNM38zboS4LJHrh30nESjFIlZPv479jzBUqv7i50V1FwTrVkJ3ad2//zGjfZqQQnIWgTIpltA7kldxPpD6D1tYpMvAkF0nupVNqz9FUInw38QR+Yak1lbE/vGlTBJCqCEIlRcGjXgqAuWxqY9nMkwuICz52nWTPnIlo=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(376002)(39830400003)(366004)(346002)(396003)(136003)(451199018)(6486002)(966005)(2906002)(83380400001)(52116002)(36756003)(5660300002)(6512007)(53546011)(6506007)(8936002)(33656002)(186003)(86362001)(41300700001)(2616005)(66556008)(6916009)(4326008)(8676002)(66946007)(66476007)(45080400002)(478600001)(26005)(38350700002)(38100700002)(316002)(54906003)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: h9ybfRUIZiH3gq5OwxEaS/q7VGWzfP84UiYO8ASqkOnHwP+vzvrRjyImOkmBTFup+agB6XFenbmhY7JSBYiC7o05+jXL6jxBjdIcRh3waVJu/xtzlPC+HWL23MSD+VWH99tL9y+sQy+SkGpFOBX4ePQbQyeHUhFXO4kOSl+YOL8Xat/LAK8nFSGhDdjcz72V5FKXEoJ2PxHc8/aN63RsZH23/+Du6GnVJ8trdtyoZI4oVzT/XTCsdvvcNZcgIlz69ew08B4tVr1BxRuOG2uLwGbkXcwgUFQ9Ocn6v0Y0BgkaVZ/I37bhsV9HVtb2LFLexPmZMyJSyG1HWyAy204pkCU5iIz899bLlNhdNgKkrDkrYQRmtEZ3o/HdAwtck/iYUGgahxJDckuO2FzKUZvWKq76c/pYTLr5s9nuJT0MTTcr6FQkToY+TDVvhWsCxduoNRV9/4CKm8QgfnvkMYHcrs/MihjeZeOCDkMSPSCMz5pJGExdG0jt7jQH+9sRdcmR5pmm51/On51nQpSYxIleuECpGMx9kBurBv/Y6kYmMA9c6b43+q/ycDuBhRa3VqxfczvQlmZO7fxpEthmIy0bGw4qkU7mKa028L4UwJoyKy130umKRAwFyQ4L/9oX8COAVNNIwrWyoo2k/Klq1psqvRAPnJqQzCFMV8Kue5rPN6WhUviTytU6Fk/r2w8d8DkXBHImF93Lv4JNUOD3X5R7uvmrmQ0G5dDfq8dIIco4PS1RO+F/fc+H3AXioeTfMe9CMcYhrwGJ8oTuHHvvwiED62/FU29nIiUjQDkjnqfAU3bmaE/EVB7SKAzUDvLhZKUI07EPJVzZ3wbUFLz+eKAzKsSPUO5C3Kkmh2MSNKOtVMHpLHNPo4cWFskTzzO4uAJT1xqXfYXOPxINi5SIOwFJ0D4z6gzXdUhZGeSVtzXiwD6gzo+sG4vNh1Co5XIhb6Ew3jRx/gCWaBdh3fOUtHtKDRSGMC6Rv0Dfk4hYZVCYgzvqT2QoseGj5T80ePg4N1aQi3QnuBVdmMC+i6bKd8PPZdhVrg4QO86nFTgZHQVIFe5Yn1jVH1UkymvBECuLzfCE13aGNg9Le+yDG5F72fSrIbvjVusUcNzt9FDrmrhJPDUMWAoYBgwYRbGaU0D2bhoyFWZbCXp4lgW0Mv+ZH8X9D1UZ5f+OkwvlcfdnmQEzcMYZeBR30TrawCLUFxfvDGRMmUSjFRIqQ0FdHbvKh/9llEzefLU2I/6CJs1tSy6N5LduwRSdvCo1c1zLVSYcpIMoVk3QuH1Z52k2NVMtihuUSyQQeHGQqNGS2AQaSjp73BqXVSd4xOcn0jJ/ANfvxJf/1vBWYAK3pfSSSVjEZy1+LsQQ+MCBTUQnxsoS83a9/QSem3t83ux2lE04xZctJ6Qp3ZUaD+IgW/2AXCw4XnOUagN8L6R/8+2CMVqIPJhtuo3Z+oTx9v3auC5IKHodj8dWbxwd5qRF7JmI7t836bahxUaaajpzWXSM5vtErGpC3xBWiFUl0X3JuRL+KwsL0Tj6xekFVv1wuDkj2M7QsqUWObA64FzkMX+qEh+2dOeNd3jLe7O3qGvGiuplq3QwINQYYaBgt7hE4GOd8WO7Dp0Mzg==
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7769f2a9-1f60-4ae4-8a81-08db23e73f1a
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Mar 2023 17:20:30.8521 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: d1c2hTPl4pDPRxpbCKDHkfZ3pqPnHWfH/bAThUNR6W2AMyQp5PuoPGCAvntwwipz6F50cbfQFBTR5JRybE36tA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR22MB3977
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/Bk-o59TNRxqUpOkhxrEXIm3KZxc>
Subject: Re: [Teep] [Rats] Potential attestation attack
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2023 17:20:39 -0000

Agreed that this is a general problem — “the attestation binding problem”?

Pretty sure there is not *one* general solution.

Seems like nonce can work in some use cases and cnf can work in others. I think there are other solutions too.

One solution I haven’t seen mentioned is binding the attestation to whatever the task at hand is — a financial transaction, a SW update, admission to a network…  Some of these will have idempotency built in, and others will have other cryptographic material similar to cnf built in.

One way to bind to the task at hand is to put data for the task at hand in the attestation itself. For example, you could put the bank account, amount to transfer and a transaction ID in some proprietary EAT claims (or a hash of the data). Another way of binding might have the EAT and the data bound together via a TLS session or a COSE_Sign. FIDO does a variant of this.

I think the solution is highly dependent on the task-at-hand and its system architecture. Some might have the key material (equivalent to cnf) already, some might add cnf and some might choose a different solution. For some there might already be a transaction nonce. Others will bind in application specific ways. Some will have a spot in their protocol where attestation evidence/result can drop right in, others might have to redesign in a big way.

If there’s anything to do here, it is probably to write up a general security consideration. This probably belongs in a RATS Architecture follow-on or such because it is not specific to EAT.

LL



> On Mar 13, 2023, at 9:15 AM, Thomas Fossati <tho.ietf@gmail.com> wrote:
> 
> Hi Dave, all,
> 
> There seems to be two dimensions here:
> 1. RATS as a collection of primitives,
> 2. how to use RATS primitives in other protocols.
> 
> For case 1. I am not sure there's anything special to say. If so, we
> should have done it in the architecture.
> 
> For case 2. we could have a new applicability document to explain the
> caveats of using RATS primitives in application protocols.   In
> particular, documenting the basic binding problem that pops up
> everywhere the attestation and the authentication channel need to be
> composed.  We have discussed this thoroughly in the CCC attestation
> SIG last year when surveying a number of attested secure channel
> protocols, and we could draw from that experience.
> 
> And if we see the solutions are similar enough we could come up with a
> generic mechanism / claim.
> BTW, we are doing that in our attested TLS prototype: and we came up
> with a "binder" claim that we think could easily scale out to other
> channels (e.g., SSH, IPsec, ...).
> 
> Glad to participate in drafting if there's interest.
> 
> cheers, t
> 
> On Mon, Mar 13, 2023 at 1:36 AM Dave Thaler
> <dthaler=40microsoft.com@dmarc.ietf.org> wrote:
>> 
>> I agree, the cnf claim in RFC8747 looks like what we want in EAT.
>> 
>> 
>> 
>> I will reference it in the EAT profile for TEEP, though I still think it might be helpful
>> to mention in Security Considerations of EAT.
>> 
>> 
>> 
>> Thanks Giri!
>> 
>> 
>> 
>> Dave
>> 
>> 
>> 
>> From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
>> Sent: Sunday, March 12, 2023 5:27 PM
>> To: Dave Thaler <dthaler@microsoft.com>; rats@ietf.org
>> Cc: TEEP@ietf.org
>> Subject: RE: Potential attestation attack
>> 
>> 
>> 
>> Hi Dave,
>> 
>> 
>> 
>> The cnf claim seems to fit the purpose for what you are proposing:  see  https://www.rfc-editor.org/rfc/rfc7800.html#section-3.1, CBOR equivalent in https://www.rfc-editor.org/rfc/rfc8747.html.  For the latter (CWT), there is a suggestion to send the hash of the PK in the cnf field as a kid (sec. 3.4).
>> 
>> 
>> 
>> If this is not suitable, then I would like to know why.
>> 
>> 
>> 
>> -Giri
>> 
>> 
>> 
>> From: RATS <rats-bounces@ietf.org> On Behalf Of Dave Thaler
>> Sent: Sunday, March 12, 2023 4:24 PM
>> To: rats@ietf.org
>> Cc: TEEP@ietf.org
>> Subject: [Rats] Potential attestation attack
>> 
>> 
>> 
>> In a TEEP github issue (https://github.com/ietf-teep/teep-protocol/issues/310)
>> 
>> Kohei Isobe poised an impersonation attack scenario that I will summarize as follows, which is not specific to TEEP:
>> 
>> 
>> 
>> Consider an attestation solution using the Passport model.  The victim does remote
>> attestation normally, and presents the Attestation Results (e.g., in EAT format)
>> 
>> to various Relying Parties.  The attacker gets a copy of said Attestation Results,
>> 
>> e.g., from one of said Relying Parties (and it may even be one of them).
>> 
>> 
>> 
>> The attacker then presents the Attestation Results to other Relying Parties as
>> 
>> if the Attestation Results were its own, when doing its own remote attestation,
>> 
>> in order to trick Relying Parties into believing it is trustworthy.
>> 
>> 
>> 
>> To prevent such an impersonation attack, I believe that what is needed is a
>> way to cryptographically bind the Attestation Results to a key only the attester
>> knows and not some attacker trying to impersonate it.  So in the above attack,
>> if (say) the Attestation Results contained a hash of a public key of the victim,
>> and the protocol between the attacker and another Relying Party required
>> a message to be signed with the corresponding private key, then that Relying
>> Party would know the Attestation Results didn’t match and could reject the
>> request.
>> 
>> 
>> 
>> I believe the same attack could be mounted in a Background Check model,
>> using Evidence instead of Attestation Results.
>> 
>> 
>> 
>> I could not, however, find any claims in draft-ietf-rats-eat or draft-ietf-rats-ar4si
>> that could be used to provide such a cryptographic binding to an EAT, nor could
>> I find any mention of this threat in the Security Considerations section of
>> either document.
>> 
>> 
>> 
>> Since this class of attack would seem to be generic, possibly applying to all
>> EAT profiles and protocols using RATS, one could argue that a discussion
>> 
>> (at least of the Security Consideration) would be appropriate in the EAT
>> document even if a solution is left to a separate document.
>> 
>> 
>> 
>> Anyone else already have a solution or do we need to quickly write up
>> a draft that adds another claim for EAT profiles (including TEEP) to use?
>> 
>> 
>> 
>> Dave
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
> 
> 
> 
> -- 
> Thomas
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email