Re: [Teep] Scalability of nonce-based freshness

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 12 March 2021 21:09 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, "TEEP@ietf.org" <TEEP@ietf.org>, Dave Thaler <dthaler@microsoft.com>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Date: Fri, 12 Mar 2021 21:09:31 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/GrTzYEgKCUow7W0h3T5WTZQhfpE>

Hi Göran,

On 12/03/2021, 19:00, "Göran Selander" <goran.selander@ericsson.com> wrote:
> Hi Dave, and all,
>
> Referring to the TEEP protocol presentation at the WG meeting, there
> was a discussion about the use of tokens and what method of freshness
> to apply in TEEP (slides 11-16 in the presentation).
>
> If I understood right the main argument against the nonce-based method
> (slide 15) is the question of scalability: "Receivers have to keep
> state to remember each nonce supplied until it’s used"
>
> If I'm not mistaken, this condition on the receiver could be relaxed
> by the receiver generating nonces as encrypted time stamps. This would
> only require the receiver to remember an encryption context used to
> encrypt/decrypt the time stamps used as nonces. The encryption context
> can be small (say, less than 50 bytes for key, IV and counter) and
> doesn't grow with the number of TAs (but would typically be updated
> for each nonce generated, e.g. stepping the counter).
>
> Note that the receiver needs a clock but it need not be synced because
> the time stamps are only used by receiver; once when nonces are
> generated, and then again when freshness is determined from the nonce
> received back in the evidence. Such a clock coincides with the
> assumption of this method according to slide 15: "Receivers need a
> clock to “expire” nonces, but need not be synced".
>
> Perhaps this should be an input to RATS rather than TEEP. But since
> this seemed to be the main argument against the nonce-based method I
> just wanted to share my 2 cents to the discussion.

I think this is all correct.  (BTW, that's what I meant when I said the
TAM should make this a verifier problem as there is no need for the
nonce to be stored at the TAM.)

With your nonce generation scheme:

A. Verifier is initialised with secret key k

B.1: TAM asks Verifier for a nonce;
B.2: Verifier generates nonce n = E(t_req, k) and sends it to TAM;

C: TAM runs the challenge-response protocol with the Attester, sending
   n and obtaining Evidence(n) in return;

D.1: TAM forwards Evidence(n) to Verifier for verification;
D.2: Verifier extracts n and does D(n, k):
  D.2.1: If decryption fails, goto drop;
  D.2.2: If decryption succeeds, extract t_req
D.3: Verifier checks |now - t_req| < acceptable_recentness_threshold:
  D.3.1: If so, proceed with verification of Evidence;
  D.3.2: If not, return ESTALE

Note that if B.* is done once every "period", thus avoiding the extra
round-trip per nonce / attestation session, this scheme falls back to
the epoch-id based model.

cheers!
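
The Verifier side of steps A, B.2, D.2 and D.3 above, as an added example that is not code from this thread or from any TEEP/RATS implementation. The names `make_nonce`, `check_nonce`, `THRESHOLD_S` and its 30-second value are assumptions, and E/D are realised with an HMAC-SHA256 encrypt-then-MAC construction from the Python standard library, standing in for whatever authenticated cipher a deployment would choose.

```python
import hashlib
import hmac
import os
import struct
import time

THRESHOLD_S = 30          # acceptable_recentness_threshold (assumed value)
IV_LEN, TS_LEN, TAG_LEN = 16, 8, 16


class BadNonce(Exception):
    """Step D.2.1: the nonce did not authenticate; drop it."""


class StaleNonce(Exception):
    """Step D.3.2: the nonce is genuine but too old (ESTALE)."""


def _subkeys(k):
    # Step A: the only long-lived state is k; derive separate enc/MAC keys.
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_nonce(k, now=None):
    """Step B.2: n = E(t_req, k). Nothing is stored per nonce."""
    k_enc, k_mac = _subkeys(k)
    t_req = int(time.time() if now is None else now)
    iv = os.urandom(IV_LEN)
    pad = hmac.new(k_enc, iv, hashlib.sha256).digest()[:TS_LEN]
    ct = _xor(struct.pack(">Q", t_req), pad)
    tag = hmac.new(k_mac, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    return iv + ct + tag


def check_nonce(k, n, now=None):
    """Steps D.2 and D.3: recover t_req from n, then test recentness."""
    k_enc, k_mac = _subkeys(k)
    if len(n) != IV_LEN + TS_LEN + TAG_LEN:
        raise BadNonce("wrong length")
    iv, ct, tag = n[:IV_LEN], n[IV_LEN:IV_LEN + TS_LEN], n[-TAG_LEN:]
    want = hmac.new(k_mac, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        raise BadNonce("authentication failed")
    pad = hmac.new(k_enc, iv, hashlib.sha256).digest()[:TS_LEN]
    (t_req,) = struct.unpack(">Q", _xor(ct, pad))
    if abs((time.time() if now is None else now) - t_req) >= THRESHOLD_S:
        raise StaleNonce(t_req)
    return t_req
```

Because the Verifier keeps no per-nonce state, `check_nonce` accepts the same nonce again until it ages out of the threshold.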





