Re: [Teep] [Rats] Potential attestation attack
Thomas Fossati <tho.ietf@gmail.com> Mon, 13 March 2023 16:16 UTC
Return-Path: <tho.ietf@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC9E0C14CE5E; Mon, 13 Mar 2023 09:16:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xpb7G6L-HOO; Mon, 13 Mar 2023 09:16:11 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DB5FC14F747; Mon, 13 Mar 2023 09:16:11 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id u16so859769vso.1; Mon, 13 Mar 2023 09:16:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678724170; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=EZSRfvVTouQnUTFEkso50+/snbqwQvqygvCsDTzGLkA=; b=lWcLTxvPTV7PL9L1lzZOTVH7D/ZYBDC8ft5vrifzZzwdeElJ0yqYiKjbfyi/FSuUzX E+vJSWdz+/81iZe21jH4RvJNbmIA0gxWWAYKPnBmdPipem5+RSbgHncI/K6ia6uDOCPR PbjrXB+M9xYa2MQOIFj2sfJIdtEodtg/pMNTJbcJ5//q9dqNLaUPPNao89LCUmOr9KUS 97844A09vRH3WD/IFrU0fBwD7oif0DuLhgdHsumD5uP2l8hkk6bxI4e5lmsLroRjyuOu O7ptZnZ289mTcFi9VFBcOzXmvhfWvvVMF8p5i7MZBnQlBwOXTww5DzFaz0ej1VqH79cZ dtfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678724170; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EZSRfvVTouQnUTFEkso50+/snbqwQvqygvCsDTzGLkA=; b=kp2PHNxRoQAEdfJBX9xmtCESs7n/uI4nWhPzMnAKeKSg9xCr1hhWHz4mO8JIv94UY6 W/RQGRpzbH08XwQXANZJeSvkuP7SczVON2QLNMdHeRLdTp5NeTVDt2UtIMgFCCBwULcc xz6b7mQkD2HigeKb/Ck+JcJeX0PZn+eRrAYBJxFF5JXa6oiSr8bLa5RkzD2OzAgprYDT WiSgRpWPrtEJFUtQi5Jdol9NtcsbhQezI74f/rVKZKPgzB44hJVrAxfubcROgkQdoxI8 ifTZDi+nXJdXVehrO7at9Ej9DpCzp8iANC4KFgpvMJ4127CSNHISCo1j10eBjsbc6Jxc NPqw==
X-Gm-Message-State: AO0yUKX3tt3ONkJuXI20YVkP/kEyZBocY9NtCpWOK7WLWN8ljnPX7nSf rATY65iSnkjbRMHFpyoKn1fk+MZTRbFikiOM5VQ=
X-Google-Smtp-Source: AK7set/+wTO+WfjYuJt6GDVVb6C7Eeq393uyBNZvux40pURmmxUECA2iwyfYu4Gr3oNTOHHnOTJmcNLH+wkTh6+jFeE=
X-Received: by 2002:a67:edcb:0:b0:402:9b84:1be0 with SMTP id e11-20020a67edcb000000b004029b841be0mr22610287vsp.2.1678724170610; Mon, 13 Mar 2023 09:16:10 -0700 (PDT)
MIME-Version: 1.0
References: <PH7PR21MB38787B32FBFFD320C48AF644A3B89@PH7PR21MB3878.namprd21.prod.outlook.com> <SJ0PR02MB8353F2D66944611E971CB4BB81B99@SJ0PR02MB8353.namprd02.prod.outlook.com> <SN7PR21MB3884E3410BDFBD238E224690A3B99@SN7PR21MB3884.namprd21.prod.outlook.com>
In-Reply-To: <SN7PR21MB3884E3410BDFBD238E224690A3B99@SN7PR21MB3884.namprd21.prod.outlook.com>
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Mon, 13 Mar 2023 16:15:59 +0000
Message-ID: <CAObGJnNHuQhSaz9-+Aa1JiPmd8rBe_5fBjAmyn_Zr=h7zhuU=Q@mail.gmail.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
Cc: Giridhar Mandyam <mandyam@qti.qualcomm.com>, "rats@ietf.org" <rats@ietf.org>, "TEEP@ietf.org" <teep@ietf.org>, Carl Wallace <carl@redhoundsoftware.com>, "orie@transmute.industries" <orie@transmute.industries>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/nA6yioLP9tRWAoLCkwb8FIrjlAo>
Subject: Re: [Teep] [Rats] Potential attestation attack
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2023 16:16:15 -0000
Hi Dave, all, There seems to be two dimensions here: 1. RATS as a collection of primitives, 2. how to use RATS primitives in other protocols. For case 1. I am not sure there's anything special to say. If so, we should have done it in the architecture. For case 2. we could have a new applicability document to explain the caveats of using RATS primitives in application protocols. In particular, documenting the basic binding problem that pops up everywhere the attestation and the authentication channel need to be composed. We have discussed this thoroughly in the CCC attestation SIG last year when surveying a number of attested secure channel protocols, and we could draw from that experience. And if we see the solutions are similar enough we could come up with a generic mechanism / claim. BTW, we are doing that in our attested TLS prototype: and we came up with a "binder" claim that we think could easily scale out to other channels (e.g., SSH, IPsec, ...). Glad to participate in drafting if there's interest. cheers, t On Mon, Mar 13, 2023 at 1:36 AM Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org> wrote: > > I agree, the cnf claim in RFC8747 looks like what we want in EAT. > > > > I will reference it in the EAT profile for TEEP, though I still think it might be helpful > to mention in Security Considerations of EAT. > > > > Thanks Giri! > > > > Dave > > > > From: Giridhar Mandyam <mandyam@qti.qualcomm.com> > Sent: Sunday, March 12, 2023 5:27 PM > To: Dave Thaler <dthaler@microsoft.com>; rats@ietf.org > Cc: TEEP@ietf.org > Subject: RE: Potential attestation attack > > > > Hi Dave, > > > > The cnf claim seems to fit the purpose for what you are proposing: see https://www.rfc-editor.org/rfc/rfc7800.html#section-3.1, CBOR equivalent in https://www.rfc-editor.org/rfc/rfc8747.html. For the latter (CWT), there is a suggestion to send the hash of the PK in the cnf field as a kid (sec. 3.4). > > > > If this is not suitable, then I would like to know why. > > > > -Giri > > > > From: RATS <rats-bounces@ietf.org> On Behalf Of Dave Thaler > Sent: Sunday, March 12, 2023 4:24 PM > To: rats@ietf.org > Cc: TEEP@ietf.org > Subject: [Rats] Potential attestation attack > > > > In a TEEP github issue (https://github.com/ietf-teep/teep-protocol/issues/310) > > Kohei Isobe poised an impersonation attack scenario that I will summarize as follows, which is not specific to TEEP: > > > > Consider an attestation solution using the Passport model. The victim does remote > attestation normally, and presents the Attestation Results (e.g., in EAT format) > > to various Relying Parties. The attacker gets a copy of said Attestation Results, > > e.g., from one of said Relying Parties (and it may even be one of them). > > > > The attacker then presents the Attestation Results to other Relying Parties as > > if the Attestation Results were its own, when doing its own remote attestation, > > in order to trick Relying Parties into believing it is trustworthy. > > > > To prevent such an impersonation attack, I believe that what is needed is a > way to cryptographically bind the Attestation Results to a key only the attester > knows and not some attacker trying to impersonate it. So in the above attack, > if (say) the Attestation Results contained a hash of a public key of the victim, > and the protocol between the attacker and another Relying Party required > a message to be signed with the corresponding private key, then that Relying > Party would know the Attestation Results didn’t match and could reject the > request. > > > > I believe the same attack could be mounted in a Background Check model, > using Evidence instead of Attestation Results. > > > > I could not, however, find any claims in draft-ietf-rats-eat or draft-ietf-rats-ar4si > that could be used to provide such a cryptographic binding to an EAT, nor could > I find any mention of this threat in the Security Considerations section of > either document. > > > > Since this class of attack would seem to be generic, possibly applying to all > EAT profiles and protocols using RATS, one could argue that a discussion > > (at least of the Security Consideration) would be appropriate in the EAT > document even if a solution is left to a separate document. > > > > Anyone else already have a solution or do we need to quickly write up > a draft that adds another claim for EAT profiles (including TEEP) to use? > > > > Dave > > > > > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats -- Thomas
- [Teep] Potential attestation attack Dave Thaler
- Re: [Teep] Potential attestation attack Giridhar Mandyam
- Re: [Teep] Potential attestation attack Dave Thaler
- Re: [Teep] [Rats] Potential attestation attack Henk Birkholz
- Re: [Teep] [Rats] Potential attestation attack Thomas Fossati
- Re: [Teep] [Rats] Potential attestation attack Laurence Lundblade
- Re: [Teep] [Rats] Potential attestation attack Michael Richardson
- Re: [Teep] [Rats] Potential attestation attack Eric Voit (evoit)
- Re: [Teep] [Rats] Potential attestation attack Guy Fedorkow