| Internet-Draft | Network Device Attestation Workflow | June 2019 |
| Fedorkow & Fitzgerald-McKay | Expires 1 January 2020 | [Page] |
This document describes a workflow for network device attestation.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 December 2019.¶
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
There are many components to consider in fielding a trusted computing device, from operating systems to applications. Part of that is a trusted supply chain, where manufacturers can certify that the product they intended to build is actually the one that was installed at a customer's site.¶
Attestation is defined here as the process of creating, conveying and appraising assertions about Platform trustworthiness characteristics, including Roots of Trust, supply chain trust, identity, platform provenance, shielded locations, protected capabilities, software configuration, hardware configuration, platform composition, compliance to test suites, functional and assurance evaluations, etc.¶
The supply chain itself has many elements, from validating suppliers of electronic components, to ensuring that shipping procedures protect against tampering through many stages of distribution and warehousing. One element that helps maintain the integrity of the supply chain after manufacturing is Attestation.¶
Within the Trusted Computing Group context, attestation is the process by which an independent Verifier can obtain cryptographic proof as to the identity of the device in question, evidence of the integrity of software loaded on that device when it started up, and then verify that what's there is what's supposed to be there. For networking equipment, a verifier capability can be embedded in a Network Management Station (NMS), a posture collection server, or other network analytics tool (such as a software asset management solution, or a threat detection and mitigation tool, etc.). While informally referred to as attestation, this document focuses on a subset defined here as Remote Integrity Verification (RIV). RIV takes a network equipment centric perspective that includes a set of protocols and procedures for determining whether a particular device was launched with untampered software, starting from Roots of Trust. While there are many ways to accomplish attestation, RIV sets out a specific set of protocols and tools that work in environments commonly found in Networking Equipment. RIV does not cover other platform characteristics that could be attested, although it does provide evidence of a secure infrastructure to increase the level of trust in other platform characteristics attested by other means.¶
This profile outlines the RIV problem, and then identifies components that are necessary to get the complete attestation procedure working in a scalable solution using commercial products.¶
This document focuses primarily on software integrity verification using the Trusted Platform Module (TPM) as a root of trust.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The RIV attestation workflow outlined in this document is intended to meet the following high-level goals:¶
This document itself is non-normative; the document does not define protocols, but rather identifies protocols that can be used together to achieve the goals above, and in some cases, highlights gaps in existing protocols.¶
RIV is a procedure that assures a network operator that the equipment on their network can be reliably identified, and that untampered software of a known version is installed on each endpoint. In this context, endpoint might include the conventional endpoints like servers and laptops, but also network equipment itself, such as routers, switches and firewalls.¶
RIV can be viewed as a link in a trusted supply chain, and includes three major processes:¶
* Platform Identity refers to the mechanism assuring the
attestation verifier (typically a network administrator)
that the equipment on their network can be reliably identified,
and that its manufacturer is certified by a trusted authority.
This certification provides the verifier with assurance that
the Root of Trust elements of the device were verified by the
manufacturer before the device was shipped.
* Software used to boot a platform can be described as a chain
of measurements, starting from a Root of Trust for Measurement,
that normally ends when the system software is loaded.
Measurement records the identity, integrity and version of each
software component registered with the TPM, so that the
subsequent appraisal stage can determine whether the software
installed is authentic and free of tampering. Clearly the second
part of the problem, attesting the state of mutable components
of a given device, is of little value without the first part,
reliable identification of the device in question. By the
same token, unambiguous identity of a device is necessary,
but is insufficient to assure the operator of the provenance
of the device through the supply chain, or that the device is
configured to behave properly.
¶
As a part of a trusted supply chain, RIV attestation provides two important benefits:¶
An implementation of RIV requires three technologies¶
Network operators benefit from a trustworthy attestation mechanism that provides assurance that their comprises authentic equipment, and has loaded software free of known vulnerabilities and unauthorized tampering.¶
An Attestation solution must meet a number of requirements to make it simple to deploy at scale.¶
This document includes a number of assumptions to limit the scope:¶
Remote Integrity Verification can go a long way to solving the "Lying Endpoint" problem, in which malicious software on an endpoint may both subvert the intended function, and also prevent the endpoint from reporting its compromised status. Man-in-the Middle attacks are also made more difficult through a strong focus on device identity¶
Attestation data can be used for asset management, vulnerability and compliance assessment, plus configuration management.¶
There have been demonstrations of attestation using TPMs for years, accompanied by compelling security reasons for adopting attestation. Despite this, the technology has not been widely adopted, in part, due to the difficulties in deploying TPM-based attestation. Some of those difficulties are:¶
None of these issues are insurmountable, but together, they've made deployment of attestation a major challenge. The intent of this document is to outline an attestation profile that's simple enough to deploy, while yielding enough security to be useful.¶
Even in embedded systems, adding Attestation at the OS level (e.g. Linux IMA, Integrity Measurement Architecture [IMA]) increases the number of objects to be attested by one or two orders of magnitude, involves software that's updated and changed frequently, and introduces processes that complete in unpredictable order.¶
TCG and others (including the Linux community) are working on methods and procedures for attesting the operating system and application software, but standardization is still in process.¶
RIV Attestation is a process for determining the identity of software running on a specifically-identified device. Remote Attestation is broken into two phases, shown in Figure 1:¶
The result is that the Verifier can verify the device's identity by checking the certificate corresponding to the TPM's attestation private key, and can validate the software that was launched by comparing digests in the log with known-good values, and verifying their correctness by comparing with the signed digests from the TPM.¶
It should be noted that attestation and identity are inextricably linked; signed evidence that a particular version of software was loaded is of little value without cryptographic proof of the identity of the device producing the evidence.¶
+-------------------------------------------------------+
| +--------+ +--------+ +--------+ +---------+ |
| | BIOS |--->| Loader |-->| Kernel |--->|Userland | |
| +--------+ +--------+ +--------+ +---------+ |
| | | | |
| | | | |
| +------------+-----------+-+ |
| Step 1 | |
| V |
| +--------+ |
| | TPM | |
| +--------+ |
| Router | |
+--------------------------------|----------------------+
|
| Step 2
| +-----------+
+--->| Verifier |
+-----------+
Reset---------------flow-of-time-during-boot--...------->
In Step 1, measurements are "extended" into the TPM as processes start. In Step 2, signed PCR digests are retreived from the TPM for offbox analysis after the system is operational.¶
TPM 1.2 and TPM 2.0 have a variety of rules separating the functions of identity and attestation, allowing for use-cases where software configuration must be attested, but privacy must be maintained.¶
To accommodate these rules in an environment where device privacy is not normally a requirement, the TCG Guidance for Securing Network Equipment [NetEq] suggests using separate keys for Identity (i.e., DevID) and Attestation (i.e., signing a quote of the contents of the PCRs).¶
In this case, the device manufacturer should provision an Initial Attestation Key (IAK) and x.509 certificate that parallels the IDevID, with the same device ID information as the IDevID certificate (i.e., the same Subject Name and Subject Alt Name, even though the key pairs are different). This allows a quote from the device, signed by the IAK, to be linked directly to the device that provided it, by examining the corresponding IAK certificate.¶
Inclusion of an IAK by a vendor does not preclude a mechanism whereby an Administrator can define Local Attestation Keys (LAKs) if desired.¶
RIV workflow for networking equipment is organized around a simple use-case, where a network operator wishes to verify the integrity of software installed in specific, fielded devices. This use-case implies several components:¶
These components are illustrated in Figure 2.¶
A more-detailed taxonomy of terms is given in [I-D.birkholz-rats-architecture]¶
+---------------+ +-------------+ +---------+--------+
| | | Attester | Step 1 | Verifier| |
| Asserter | | (Device |<-------| (Network| Relying|
| (Device | | under |------->| Mngmt | Party |
| Manufacturer | | attestation)| Step 2 | Station)| |
| or other | | | | | |
| authroity) | | | | | |
+---------------+ +-------------+ +---------+--------+
| /\
| Step 0 |
-----------------------------------------------
In Step 0, The Asserter (the device manufacturer) provides a Software Image accompanied by Reference Integrity Measurements (RIMs) to the Attester (the device under attestation) signed by the asserter. In Step 1, the Verifier (Network Management Station), on behalf of a Relying Party, requests Identity, Measurement Values (and possibly RIMs) from the Attester. In Step 2, the Attester responds to the request by providing a DevID, Quotes (measured values), and optionally RIMs, signed by the Attester.¶
See Section 3.1.1 for more narrowly defined terms related to Attestation¶
This document makes the following simplifying assumptions to reduce complexity:¶
Some situations may have privacy-sensitive requirements that preclude shipping every device with an Initial Device ID installed. In these cases, the IDevID can be installed remotely using the TCG Platform Certificate [Platform-Certificates].¶
Some security-sensitive administrators may want to install their own identity credentials to certify platform identity and attestation results. IEEE 802.1AR [IEEE-802-1AR] allows for both Initial Device Identity credentials, installed by the manufacturer, or Local Device Identity credentials installed by the administrator of the platform. TCG TPM 2.0 Keys documents [Platform-DevID-TPM-2.0] and [PC-Client-BIOS-TPM-2.0] specifies analogous Initial and Local Attestation Keys (IAK and LAK), and contains figures showing the relationship between IDevID, LDevID, IAK and LAK keys.¶
Platform administrators are free to use any number of criteria to judge authenticity of a platform before installing local identity keys, as part of an on-boarding process. The TCG TPM 2.0 Keys document [Platform-DevID-TPM-2.0] also outlines procedures for creating Local Attestation Keys and Local Device IDs (LDevIDs) rooted in the manufacturer's IDevID as a check to reduce the chances that counterfeit devices are installed in the network.¶
Note that many networking devices are expected to self-configure (aka Zero Touch Provisioning). Current standardized zero-touch mechanisms such as [RFC8572] assume that identity keys are already in place before network on-boarding can start.¶
The Platform Attribute Credential [Platform-Certificates] can also be used to convey additional information about a platform from the manufacturer or other entities in the supply chain. While outside the scope of RIV, the Platform Attribute Credential can deliver information such as lists of serial numbers for components embedded in a device or security assertions related to the platform, signed by the manufacturer, system integrator or value-added-reseller.¶
The measurements needed for attestation require that the device being attested is equipped with a Root of Trust for Measurement, i.e., some trustworthy mechanism that can take the first measurement in the chain of trust required to attest that each stage of system startup is verified, and a Root of Trust for Reporting to report the results [Roots-of-Trust].¶
While there are many complex aspects of a Root of Trust, two aspects that are important in the case of attestation are:¶
The first measurement can't be checked by a code that's been previously checked by something further back up the chain (it's the first, after all); if that first measurement can be subverted, none of the remaining measurements can be trusted. (See [NIST-SP-800-155]¶
Much of attestation focuses on collecting and transmitting 'evidence' in the form of PCR measurements and attestation logs. But the critical part of the process is enabling the verifier to decide whether the measured hashes are "the right ones" or not.¶
While it must be up to network administrators to decide what they want on their networks, the software supplier should supply the Reference Integrity Measurements, (aka Golden Measurements or "known good" hash digests) that may be used by a verifier to determine if evidence shows known good, known bad or unknown software configurations.¶
In general, there are two kinds of reference measurements:¶
In both cases, the expected values can be expressed as signed CoSWID tags, but the SWID structure in the second case is somewhat more complex. An example of how CoSWIDs could be incorporated into a reference manifest can be found in the IETF Internet-Draft "A SUIT Manifest Extension for Concise Software Identifiers" [I-D.birkholz-suit-coswid-manifest].¶
The TCG has done exploratory work in defining formats for reference integrity manifests under the working title TCG Reference Integrity Manifest [RIM].¶
Quotes from a TPM can provide evidence of the state of a device at the time the quote was requested, but to make sense of the quote in most cases an event log of what software modules contributed which values to the quote during startup must also be provided. The log needs not be secured, but it is essential that the logs contain enough information to exactly reconstruct the state of whatever went into the quote (e.g., PCR values).¶
TCG has defined several event log formats:¶
It should be noted that a given device might use more than one event log format (e.g., a UEFI log during initial boot, switching to Canonical Log when the host OS launches).¶
The TCG SNMP Attestation MIB [SNMP-Attestation-MIB] will support any record-oriented log format, including the three TCG-defined formats, but it currently leaves figuring out which log(s) are in what format up to the Verifier.¶
Initial work at IETF defines remote attestation as follows:¶
The following diagram illustrates a common information flow between a Verifier and an Attester, specified in [I-D.birkholz-rats-reference-interaction-model]:¶
Attester Verifier | | | <------- requestAttestation(nonce, authSecID, claimSelection) | | | collectAssertions(assertionsSelection) | | => assertions | | | signAttestationEvidence(authSecID, assertions, nonce) | | => signedAttestationEvidence | | | | signedAttestationEvidence ----------------------------------> | | | | verifyAttestationEvidence(signedAttestationEvidence, refassertions) | attestationResult <= | | |
The RIV approach outlined in this document aligns with the RATS reference model.¶
The overall flow for an attestation session is shown in Figure 4. In this diagram:¶
+---------------+ +-------------+ +---------+
| | | | Step 1 | |
| | | Attester |<------>| Verifier|
| Asserter | | (Device |<------>| (Network|
|(Configuration |------->| under | Step 2 | Mngmt |
| Authority) | Step 0A| attestation)| | Station)|
| | | |------->| |
+---------------+ +-------------+ Step 3 +---------+
| /|\
| |
----------------------------------------------
Step 0B
Either CoSWID-encoded reference measurements are signed by a trusted authority and retrieved directly prior to attestation (as shown in Step 0A), or CoSWID-encoded reference measurements are signed by the device manufacturer, installed on the device by a proprietary installer, and delivered during attestation (as shown in Step 0B). In Step 1, the Verifier initiates a connection for attestation. The Attester's identity is validated using DevID with TLS. In Step 2, a nonce, quotes (measured values) and measurement log are conveyed via TAP with a protocol-specific binding (e.g. SNMP). Logs are sent in the Canonical Log Format In Step 3, CoSWID-encoded reference measurements are retrieved from the Attester using the YANG ([I-D.birkholz-yang-swid]. .¶
The following components are used:¶
Retrieval of identity and attestation state uses one protocol stack, while retrieval of Reference Measurements uses a different set of protocols. Figure 5 shows the components involved.¶
+-----------------------+ +-------------------------+
| | | |
| Attester |<-------------| Verifier |
| (Device) |------------->| (Management Station) |
| | | | |
+-----------------------+ | +-------------------------+
|
-------------------- --------------------
| |
---------------------------------- ---------------------------------
|Reference Integrity Measurements| | Attestation |
---------------------------------- ---------------------------------
********************************************************************
* IETF Attestation Reference Interaction Diagram *
********************************************************************
....................... .......................
. Reference Integrity . . TAPS (PTS2.0) Info .
. Measurement . . Model and Canonical .
. Manifest . . Log Format .
....................... .......................
************************* .............. **********************
* YANG SWID Module * . TCG . * YANG Attestation *
* I-D.birkholz-yang-swid* . Attestation. * Module *
* * . MIB . * I-D.birkholz-yang- *
* * . . * basic-remote- *
* * . . * attestation *
************************* .............. **********************
************************* ************ ************************
* XML, JSON, CBOR (etc) * * UDP * * XML, JSON, CBOR (etc)*
************************* ************ ************************
************************* ************************
* RESTCONF/NETCONF * * RESTCONF/NETCONF *
************************ *************************
************************* ************************
* TLS, SSH * * TLS, SSH *
************************* ************************
IETF documents are captured in boxes surrounded by asterisks. TCG documements are shown in boxes surrounded by dots. The IETF Attestation Reference Interaction Diagram, Reference Intefrity Measurment Manifest, TAPS Information Model and Canonical Log Format, and both YANG modules are works in progress. Information Model layers describe abstract data objects that can be requested, and the corresponding response SNMP is still widely used, but the industry is transitioning to YANG, so in some cases, both will be required. TLS Authentication with TPM has been shown to work; SSH authentication using TPM-protected keys is not as easily done [as of 2019]¶
TCG technologies can play an important part in the implementation of Remote Integrity Verification. Standards for many of the components needed for implementation of RIV already exist:¶
Gaps still exist for implementation in Network Equipment (as of May 2019):¶
Table 1 summarizes many of the actions needed to complete an Attestation system, with links to relevant documents. While documents are controlled by a number of standards organizations, the implied actions required for implementation are all the responsibility of the manufacturer of the device, unless otherwise noted.¶
+------------------------------------------------------------------+ | Component | Controlling | | | Specification | -------------------------------------------------------------------- | Make a Secure execution environment | TCG RoT | | o Attestation depends entirely on a secure | UEFI.org | | root of trust for measurement. | | | o Refer to TCG Root of Trust for Measurement.| | | o NIST SP 800-193 also provides guidelines | | | on Roots of Trust | | -------------------------------------------------------------------- | Get a TPM properly provisioned as described in | TCG TPM DevID | | TCG documents. | TCG Platform | | | Certificate | -------------------------------------------------------------------- | Put a DevID or Platform Cert in the TPM | TCG TPM DevID | | o Install an Initial Attestation Key at the | TCG Platform | | same time so that Attestation can work out | Certificate | | of the box |----------------- | o Equipment suppliers and owners may want to | IEEE 802.1AR | | implement Local Device ID as well as | | | Initial Device ID | | -------------------------------------------------------------------- | Connect the TPM to the TLS stack | Vendor TLS | | o Use the DevID in the TPM to authenticate | stack (This | | TAP connections, identifying the device | action is | | | simply | | | configuring TLS| | | to use the | | | DevID as its | | | trust anchor.) | -------------------------------------------------------------------- | Make CoSWID tags for BIOS/LoaderLKernel objects | IETF CoSWID | | o Add reference measurements into SWID tags | ISO/IEC 19770-2| | o Manufacturer should sign the SWID tags | NIST IR 8060 | | o This should be covered in a new TCG | TagVault SWID | | Reference Integrity Manifest document | Tag Signing | | - IWG should define the literal SWID | Guidance | | format |----------------- | - IWG should evaluate whether IETF SUIT | TCG RIM | | is a suitable manifest when multiple | | | SWID tags are involved | | | - There could be a proof-of-concept | | | project to actually make sample SWID | | | tags (a gap might appear in the | | | process) | | -------------------------------------------------------------------- | Package the SWID tags with a vendor software | There is no | | release | need to specify| | o A tag-generator plugin could help | where the tags | | (i.e., a plugin for common development | are stored in a| | environments. NIST has something that | vendor OS, as | | plugs into Maven Build Environment) | long as there | | | is a standards-| | | based mechanism| | | to retrieve | | | them. | | |----------------- | | TCG RIM | -------------------------------------------------------------------- | BIOS SWIDs might be hard to manage on an OS | | | disk-- maybe keep them in the BIOS flash? | TCG RIM | | o Maybe a UEFI Var? Would its name have to be| | | specified by UEFI.org? | | | o How big is a BIOS SWID tag? Do we need to | | | use a tag ID instead of an actual tag? | | | o Note that the presence of Option ROMs turns | | | the BIOS reference measurements into a | | | multi-vendor interoperability problem | | -------------------------------------------------------------------- | Use PC Client measurement definitions as a | TCG PC Client | | starting point to define the use of PCRs | BIOS | | (although Windows OS is rare on Networking |----------------- | Equipment) | There have been| | | proposals for | | | non-PC-Client | | | allocation of | | | PCRs, although | | | no specific | | | document exists| | | yet. | -------------------------------------------------------------------- | Use TAP to retrieve measurements | | | o Map TAP to SNMP | TCG SNMP MIB | | o Map to YANG | YANG Module for| | o Complete Canonical Log Format | Basic | | | Attestation | | | TCG Canonical | | | Log Format | -------------------------------------------------------------------- | Posture Collection Server (as described in IETF | | | SACMs ECP) would have to request the | | | attestation and analyze the result | | | The Management application might be broken down | | | to several more components: | | | o A Posture Manager Server | | | which collects reports and stores them in | | | a database | | | o One or more Analyzers that can look at the| | | results and figure out what it means. | | --------------------------------------------------------------------
Some components of an Attestation system have been implemented for end-user machines such as PCs and laptops. Figure 7 shows the corresponding protocol stacks.¶
+-----------------------+ +-------------------------+
| | | |
| Attester |<-------------| Verifier |
| (Device) |------------->| (Management Station) |
| | | | |
+-----------------------+ | +-------------------------+
|
-------------------- --------------------
| |
---------------------------------- ---------------------------------
|Reference Integrity Measurements| | Attestation |
---------------------------------- ---------------------------------
--------------------------------------------------------------------
| IETF Attestation Reference Interaction Diagram |
-------------------------------------------------------------------
....................... --------------------------------
. No Existing . | TAPS (PTS2.0) Info Model and|
. Reference Integrity . | Canonical Log Format |
. Measurement Manifest. | |
. Protocols Exist . --------------------------------
. .
. . ---------------------- ----------
. . | YANG Attestation | |IETF NEA|
. . | Module | | Msg and|
. . | I-D.birkholz-yang- | | Attrib.|
. . | basic-remote- | | for PA-|
. . | attestation | | TNC |
. . ---------------------- ----------
. . ---------------------- ----------
. . | XML, JSON, CBOR | | PT-TLS |
. . ---------------------- | (for |
. . ---------------------- |endpoint|
. . | NETCONF, RESTCONF, | |mcahines|
. . | COAP | | |
....................... ---------------------- ----------
----------------------------------------------------------------
| TLS, SSH |
----------------------------------------------------------------
This memo includes no request to IANA.¶