Network Working Group A. Fuchs Internet-Draft H. Birkholz Intended status: Informational Fraunhofer SIT Expires: September 22, 2016 I. McDonald High North Inc C. Bormann Universitaet Bremen TZI March 21, 2016 Time-Based Uni-Directional Attestation draft-birkholz-tuda-01 Abstract This memo documents the method and bindings used to conduct time- based uni-directional attestation between distinguishable endpoints over the network. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 22, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Fuchs, et al. Expires September 22, 2016 [Page 1] Internet-Draft tuda March 2016 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Concept . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2. Time-Based Uni-Directional Attestation . . . . . . . . . . . 5 2.1. TUDA Information Elements Update Cycles . . . . . . . . . 7 3. REST Realization . . . . . . . . . . . . . . . . . . . . . . 9 4. SNMP Realization . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Structure of TUDA MIB . . . . . . . . . . . . . . . . . . 10 4.1.1. Cycle Index . . . . . . . . . . . . . . . . . . . . . 10 4.1.2. Instance Index . . . . . . . . . . . . . . . . . . . 11 4.1.3. Fragment Index . . . . . . . . . . . . . . . . . . . 11 4.2. Relationship to Host Resources MIB . . . . . . . . . . . 11 4.3. Relationship to Entity MIB . . . . . . . . . . . . . . . 12 4.4. Relationship to Other MIBs . . . . . . . . . . . . . . . 12 4.5. Definition of TUDA MIB . . . . . . . . . . . . . . . . . 12 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 27 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 27 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 10.1. Normative References . . . . . . . . . . . . . . . . . . 28 10.2. Informative References . . . . . . . . . . . . . . . . . 28 Appendix A. Realization with TPM 1.2 functions . . . . . . . . . 30 A.1. TPM Functions . . . . . . . . . . . . . . . . . . . . . . 30 A.1.1. Tick-Session and Tick-Stamp . . . . . . . . . . . . . 30 A.1.2. Platform Configuration Registers (PCRs) . . . . . . . 31 A.1.3. PCR restricted Keys . . . . . . . . . . . . . . . . . 32 A.1.4. CertifyInfo . . . . . . . . . . . . . . . . . . . . . 32 A.2. Protocol and Procedure . . . . . . . . . . . . . . . . . 32 A.2.1. AIK and AIK Certificate . . . . . . . . . . . . . . . 32 A.2.2. Synchronization Token . . . . . . . . . . . . . . . . 33 A.2.3. RestrictionInfo . . . . . . . . . . . . . . . . . . . 35 A.2.4. Measurement Log . . . . . . . . . . . . . . . . . . . 37 A.2.5. Implicit Attestation . . . . . . . . . . . . . . . . 38 A.2.6. Attestation Verification Approach . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 1. Introduction Remote attestation describes the attempt to determine the integrity and trustworthiness of a computing platform or device without direct access. One way to do so is based on measurements of software Fuchs, et al. Expires September 22, 2016 [Page 2] Internet-Draft tuda March 2016 components, where the hash values of all started software components are stored (extended into) a Trust Anchor implemented as Hardware Security Module (such as TPM and similar) and reported via a signature over these measurements. Protocols that facilitate these Trust Anchor based signatures in order to provide remote attestations are usually bi-directional protocols, where one entity sends a challenge that is included inside the response to ensure the recentness of the attestation information. In many contexts and scenarios it is not feasible to deploy bi- directional protocols, due to constraints in the underlying communication schemes. Furthermore, many communication schemes do not have a notion of connection, which disallows the usage of connection context related state information. These constraints may make it impossible to deploy challenge-response based schemes to achieve freshness of messages in security protocols. Examples of these constrained environments include broadcast and multicast schemes such as automotive IEEE802.1p as well as communication models that do not maintain connection state over time, such as REST [REST] and SNMP [RFC3411]. This document describes the protocol TUDA for remote attestation that works over uni-directional communication channels whilst still providing up-to-date information about the integrity and thereby trustworthiness of the attested device. The information elements that are transported by TUDA are encoded in the Concise Binary Object Representation, CBOR [RFC7049]. In this specification, the composition of the CBOR data items that represent the information elements is described using the CBOR Data Definition Language, CDDL [I-D.greevenbosch-appsawg-cbor-cddl]. 1.1. Concept The protocols usually employed for Remote Attestations using the Trusted Platform Module (TPM) - such as the Platform Trust Service (PTS) Protocol [PTS] - as specified by the Trusted Computing Group (TCG) are based upon the TPM_Quote() function. It consists of the sending of a nonce-challenge that is then used within TPM_Quote()'s signature to prove the freshness of the Attestation response. This scheme requires bi-directional communication. The TUDA protocol specification describes a new scheme for remote attestations based upon a combination of TPM_CertifyInfo() and TPM_TickStampBlob() to implement a time-based attestation scheme.The approach is based upon the work described in [MTAF] and [SFKE2008]. The freshness properties of a challenge-response based protocol define the time-frame between the transmission of the nonce and the Fuchs, et al. Expires September 22, 2016 [Page 3] Internet-Draft tuda March 2016 reception of the response as the point in time of attestation. Given the time-based attestation scheme, the point in time of attestation lies within the time-frame given by the accuracy of the time- synchronization and the drift of clocks. If the point in time is within the range of the typical round-trip of a challenge response attestation, the freshness property of TUDA is equivalent to that of classic challenge response attestation. Even if the typical round- trip time is exceeded slightly, the TUDA attestation statements provide sufficiently fresh proofs for most scenarios. In contrast to classical attestations, TUDA attestations can serve as proof of integrity in audit logs with point in time guarantees. Also, it can be used via uni-directional and connection-less communication channels. Appendix A contains a realization of TUDA using TPM 1.2 primitives. A realization of TUDA using TPM 2.0 primitives will be added with the next iteration of this document. 1.2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, BCP 14 [RFC2119]. This specification makes use of the terminology defined in [RFC4949] and uses CDDL as defined in [I-D.greevenbosch-appsawg-cbor-cddl] to define the composition of the TUDA information elements. The data structures defined by this protocol specification (for use by other specifications) introduce TUDA-specific terminology: tuda = [TUDA-Synctoken, TUDA-Verifytoken, TUDA-RestrictionInfo, TUDA-Cert, TUDA-Measurement-Log] Common types used in these are: Cert = bytes ; an X.509 certificate PCR-Hash = Hash Hash = bytes The roles used in the TUDA protocol are: Attestee: the endpoint that is the subject of the attestation to another endpoint. Fuchs, et al. Expires September 22, 2016 [Page 4] Internet-Draft tuda March 2016 Verifier: the endpoint that consumes the attestation of another endpoint. TSA: Time Stamp Authority [RFC3161]. Types of certificates that are essential to the TUDA protocol: TSA-CA: a Certificate Authority, that provides the certificate for the TSA. AIK-CA: The Attestation Identity Key (AIK) is a special key type used within TPMs for identity-related operations (such as TPM_Certify or TPM_Quote). Such an AIK can be established in many ways, using either a combination of TPM_MakeIdentity and TPM_ActivateIdentity with a so-called PrivacyCA [AIK-Enrollment] or by means of TPM_CreateWrapKey, readout in a secure environment and regular certification by a custom CA similar to IDevIDs or LDevIDs in [IEEE802.1AR]. AIK-CA is a placeholder for any CA and AIK-Cert is a placeholder for the corresponding Certificate, depending on what protocol was used. The specific protocols are out of scope for this document. Terms that are commonly used in this document and not necessarily self-explaining: PCR: a Platform Configuration Register that is part of a Trusted Platform Module and is used to securely store and report measurements about security posture. In this specification, the term "byte" is used in its now customary sense as a synonym for "octet". 2. Time-Based Uni-Directional Attestation A Time-Based Uni-Directional Attestation (TUDA) consists of the following seven information elements. They are used to gain assurance of the Attestee's platform configuration at a certain point in time: o TSA Certificate The certificate of the Time Stamp Authority that is used in a subsequent synchronization protocol token. This certificate is signed by the TSA-CA. o AIK Certificate ([AIK-Credential], [AIK-Enrollment]; see Appendix A.2.1). Fuchs, et al. Expires September 22, 2016 [Page 5] Internet-Draft tuda March 2016 A certificate about the Attestation Identity Key (AIK) used. This may or may not also be an [IEEE802.1AR] IDevID or LDevID, depending on their setting of the corresponding identity property. o Synchronization Token The reference for Attestations are the Tick-Sessions of the TPM. In order to put Attestations into relation with a Real Time Clock (RTC), it is necessary to provide a cryptographic synchronization between the tick session and the RTC. To do so, a synchronization protocol is run with a Time Stamp Authority (TSA). o Restriction Info The attestation relies on the capability of the TPM to operate on restricted keys. Whenever the PCR values for the machine to be attested change, a new restricted key is created that can only be operated as long as the PCRs remain in their current state. In order to prove to the Verifier that this restricted temporary key actually has these properties and also to provide the PCR value that it is restricted, the TPM command TPM_CertifyInfo is used. It creates a signed certificate using the AIK about the newly created restricted key. o Measurement Log Similarly to regular attestations, the Verifier needs a way to reconstruct the PCRs' values in order to estimate the trustworthiness of the device. As such, a list of those elements that were extended into the PCRs is reported. Note though that for certain environments, this step may be optional if a list of valid PCR configurations exists and no measurement log is required. o Implicit Attestation The actual attestation is then based upon a TPM_TickStampBlob operation using the restricted temporary key that was certified in the steps above. The TPM_TickStampBlob is executed and thereby provides evidence that at this point in time (with respect to the TPM internal tick-session) a certain configuration existed (namely the PCR values associated with the restricted key). Together with the synchronization token this tick-related timing can then be related to the real-time clock. o Concise SWID tags Fuchs, et al. Expires September 22, 2016 [Page 6] Internet-Draft tuda March 2016 As an option to better assess the trustworthiness of an Attestee, a Verifier can request the reference hashes (often referred to as golden measurements) of all started software components to compare them with the entries in the measurement log. References hashes regarding installed (and therefore running) software can be provided by the manufacturer via SWID tags. SWID tags are provided by the Attestee using the Concise SWID representation [I-D-birkholz-sacm-coswid] and bundled into a CBOR array. Ideally, the reference hashes include a signature created by the manufacturer of the software. These information elements could be sent en bloc, but it is recommended to retrieve them separately to save bandwidth, since these elements have different update cycles. In most cases, retransmitting all seven information elements would result in unnecessary redundancy. Furthermore, in some scenarios it might be feasible not to store all elements on the Attestee endpoint, but instead they could be retrieved from another location or pre-deployed to the Verifier. It is also feasible to only store public keys at the Verifier and skip the whole certificate provisioning completely in order to save bandwidth and computation time for certificate verification. 2.1. TUDA Information Elements Update Cycles An endpoint can be in various states and have various information associated with it during its life cycle. For TUDA, a subset of the states (which can include associated information) that an endpoint and its TPM can be in, is important to the attestation process. o Some states are persistent, even after reboot. This includes certificates that are associated with the endpoint itself or with services it relies on. o Some states are more volatile and change at the beginning of each boot cycle. This includes the TPM-internal Tick-Session which provides the basis for the synchronization token and implicit attestation. o Some states are even more volatile and change during an uptime cycle (the period of time an endpoint is powered on, starting with its boot). This includes the content of PCRs of a TPM and thereby also the PCR-restricted keys used during attestation. Depending on this "lifetime of state", data has to be transported over the wire, or not. E.g. information that does not change due to Fuchs, et al. Expires September 22, 2016 [Page 7] Internet-Draft tuda March 2016 a reboot typically has to be transported only once between the Attestee and the Verifier. There are three kinds of events that require a renewed attestation: o The Attestee completes a boot-cycle o A relevant PCR changes o Too much time has passed since the last attestation statement The third event listed above is variable per application use case and can therefore be set appropriately. For usage scenarios, in which the device would periodically push information to be used in an audit-log, a time-frame of approximately one update per minute should be sufficient in most cases. For those usage scenarios, where verifiers request (pull) a fresh attestation statement, an implementation could use the TPM continuously to always present the most freshly created results. To save some utilization of the TPM for other purposes, however, a time-frame of once per ten seconds is recommended, which would leave 80% of utilization for applications. Attestee Verifier | | Boot | | | Create Sync-Token | | | Create Restricted Key | Certify Restricted Key | | | | AIK-Cert ---------------------------------------------> | | Sync-Token -------------------------------------------> | | Certify-Info -----------------------------------------> | | Measurement Log --------------------------------------> | | Attestation ------------------------------------------> | | Verify Attestation | | |