[TLS] Impersonation attacks on protocol in draft-fossati-tls-attestation (Identity crisis in Attested TLS) for Confidential Computing
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Wed, 26 February 2025 22:23 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 452C1253F99; Wed, 26 Feb 2025 14:23:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.297
X-Spam-Level:
X-Spam-Status: No, score=-4.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_SBL_A=0.1] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietfa.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietfa.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cB8-1VB-3Esa; Wed, 26 Feb 2025 14:23:02 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 71693253F55; Wed, 26 Feb 2025 14:23:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:CC:To:Subject:From:MIME-Version: Date:Message-ID:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=xCsidzFMGJHQNbC/TzK323YaJE7JACDtwz86Y20EQuc=; b=lKchzItjj4fHIPq9BsSb+NIb8C 96cNH868b+YAJn61Vdbgj0y/E7ejwYDoYNnGcf9lUqtMyVkBeadvcg6BHh8X0tAvQ6E4y3vXeUeQ6 NBYIzSQF0PhCRgwQN9bli1lFmnpIq73pxd28Kx77m7oDiRxHfFGy6nAVVBxNyg3jnszNy+4wGL7sC dYfBoudbXS4+fGTj57gA0F3vAYbO9fpr4NpywQJTeSnaYilUv4T4Qk3AYSE8MR1QBz+uOCH6mNJKl N5in4SCzdDYPZWdZH/rdPwM7Qs5YxjIjlcqVLVmnFsDYB/CiG+AuqoU0DsVzhxUbrDQ0YXJef9ez0 VurfAsYA==;
Received: from [172.26.35.139] (helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1tnPnx-003rdh-4R; Wed, 26 Feb 2025 23:23:01 +0100
Received: from [192.168.1.2] (78.54.103.51) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Wed, 26 Feb 2025 23:22:57 +0100
Message-ID: <e423ae2b-eb06-4342-b105-c06608371c30@tu-dresden.de>
Date: Wed, 26 Feb 2025 23:22:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms040008080204050000010609"
X-ClientProxiedBy: MSX-L420.msx.ad.zih.tu-dresden.de (172.26.34.140) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: 4ZOH2LKVOVRIHYVLNE66EAZIVYPMMRAC
X-Message-ID-Hash: 4ZOH2LKVOVRIHYVLNE66EAZIVYPMMRAC
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-fossati-tls-attestation@ietf.org" <draft-fossati-tls-attestation@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Impersonation attacks on protocol in draft-fossati-tls-attestation (Identity crisis in Attested TLS) for Confidential Computing
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Jx_yPoYWMIKaqXmPsytKZBDq23o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi all,
*Context*:
At IETF 121, Hannes presented draft-fossati-tls-attestation [1]
mentioning Confidential Computing as the priority (slide 3 in [2]) and
asked for adoption (slide 4 in [2]).
*Findings of Formal Analysis*:
In collaboration with the /active/ editors of the draft, we have been
doing the formal analysis of this draft and we believe that the protocol
as applied to Confidential Computing (Sec. 9.1 in [1]) breaks the very
fundamental property namely "Server Authentication" even under ideal
conditions (i.e., assuming all remote attestation mechanisms to be
perfect [See Attack 1 below]).
*Background on Remote Attestation (RA):
*
See RFC 9334 [3]. Disclaimer: Don't worry if you find it very ambiguous,
because it definitely is :) RATS WG defines vague terminology as the
characteristic of the WG [8]. This has been part of the challenge for me
for the last 5 years or so.
*Threat model of Confidential Computing:
*
Cloud Service Provider (CSP) is fully untrusted. Only the hardware (CPU)
and guest VM is trusted.
*Overview of formal model*:
Figure 13 in [1] shows TLS Handshake mysteriously covering all the
entities namely Client, Verifier, Server and Attestation Service. An
issue [4] requesting clarification on that is celebrating its first
anniversary today. Since that remains a mystery, as agreed with the
editors, as a starting point, we model Client and Verifier as one entity
calling it Verifying Relying Party. Please note that this leads to only
a subset of the attacks which are actually possible on the proposed
protocol.
In short, the case we have modeled is:
* TLS Server as Attester
* TLS Client as Verifying Relying Party (where Verifying Relying Party
= combination of Verifier and Relying Party roles of RATS)
*Fundamental Issue:
*
The proposed protocol /replaces/ authentication with attestation rather
than /augmenting/ authentication with attestation.
*Overview of Attack 1:
*
/High-level idea/: If a client wants to connect to www.deutsche-bank.de
for example, the protocol no longer provides this guarantee that it is
actually connecting to the desired bank. What the client is instead
provided with is that the computing environment and platform is as
expected. What would a client do that?
/Technical details/: Rather than using long-term identity (ID, e.g.,
hostname) and its corresponding long-term key (LTK) signed by the
Certification Authority (CA), the protocol uses measurements (m) and
Ephemeral Key (EK) signed by the Attestation Key (AK). That is, ID is
now completely gone from the protocol leading to MITM.
*Overview of Attack 2:
*
/High-level idea: /Server authentication fails if there is even a single
compromised Confidential Computing machine in the world (i.e., AK is
compromised) whose certificate has not yet been revoked. Transient
execution attacks like Foreshadow [5] have already shown the compromise
to be practical. Moreover, with the confidential computing threat model,
a hostile adversary (e.g., CSP) has no incentive to announce to the
world to revoke the key of compromised machine.
/Technical details/: The adversary can divert the TLS connection to the
compromised machine which then impersonates the server. Since the
adversary has AK on compromised machine, it can sign any desired
measurements which are acceptable by the client, while it may run the VM
of its own in order to get the secrets from the client (e.g., the login
credentials of the client).
*Recommendation:*
We recommend combining web PKI and RA rather than replacing one with
another.
In short:
* Web PKI cert provides (ID,pubLTK) signed by CA.
* RA provides (m,pubEK) signed by AK
/Attack1/: Using Web PKI cert (in combination with RA) covers the first
attack.
/Attack2/: Combining web PKI with RA ensures that the adversary has to
break that specific machine rather than any machine in the world.
However, this seems to be a challenge since the CertificateVerify
message is not extensible and can provide Proof-of-Possession of only
one key. *
*
*Paper:*
A paper covering this is currently under submission. We will make it
public later on.
*Alternative solutions:*
* We have explored alternative protocols. We have also formally
analyzed a widely used Interoperable RA-TLS protocol [6] and it is
vulnerable to the same attacks mentioned above.
* According to my notes of IETF 120, Chris Patton proposed to look in
to RFC 9261. Hannes kindly put together an initial draft [7] on
this. While not yet formally analyzed, we believe it is apparently
vulnerable to both attacks.
*Open Questions:*
A couple of challenges to augment authentication with attestation are:
1. What is the "long-term identity" of Virtual Machine (VM)-based
Trusted Execution Environments (TEEs)? Which entity provisions (and
signs) this "long-term identity"? How is that provisioning entity
trusted?
2. How is CA-certified Long-Term Key (LTK) injected in the Confidential
Computing workload in the first place?
*Discussion/Question to WG:
*
Is it acceptable to make significant changes to the messages in the TLS
handshake protocol?
*Clarification:
*
The formal model has been analyzed under Confidential Computing threat
model. The attacks may or may not apply to other scenarios (e.g., IoT).
I just don't know yet. I will happily give the chance to others to get
their hands (and bodies) dirty with muddy RATS on non-confidential
computing scenarios.
Thanks,
Usama
*
*
[1] https://www.ietf.org/archive/id/draft-fossati-tls-attestation-08.html
[2]
https://datatracker.ietf.org/meeting/121/materials/slides-121-tls-tls-and-attestation-00.pdf
[3] https://www.rfc-editor.org/rfc/rfc9334.html
[4] https://github.com/tls-attestation/draft-tls-attestation/issues/40
[5] https://foreshadowattack.eu/
[6] https://github.com/CCC-Attestation/interoperable-ra-tls
[7]
https://hannestschofenig.github.io/exported-attestation/draft-fossati-rats-exported-attestation.html
[8] https://mailarchive.ietf.org/arch/msg/rats/PIuGlghjjuysRUFjxYq9SdOV37A/
- [TLS] Impersonation attacks on protocol in draft-… Muhammad Usama Sardar
- [TLS] Re: Impersonation attacks on protocol in dr… Muhammad Usama Sardar