Remote Attestation Procedures Architecture
draft-birkholz-rats-architecture-02
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Henk Birkholz , Monty Wiseman , Hannes Tschofenig , Ned Smith | ||
| Last updated | 2019-09-11 (Latest revision 2019-03-11) | ||
| Replaces | draft-birkholz-attestation-terminology | ||
| Stream | (None) | ||
| Formats | plain text xml htmlized pdfized bibtex | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-birkholz-rats-architecture-02
Network Working Group H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track M. Wiseman
Expires: March 15, 2020 GE Global Research
H. Tschofenig
ARM Ltd.
N. Smith
Intel
September 12, 2019
Remote Attestation Procedures Architecture
draft-birkholz-rats-architecture-02
Abstract
The Remote ATtestation procedureS (RATS) architecture facilitates
interoperability of attestation mechanisms by defining a set of
participant roles and interactions that reveal information about the
trustworthiness attributes of an attester's computing environment.
By making trustworthiness attributes explicit, they can be evaluated
dynamically and within an operational context where risk mitigation
depends on having a more complete understanding of the possible
vulnerabilities germane to the attester's environment.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 15, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
Birkholz, et al. Expires March 15, 2020 [Page 1]
Internet-Draft RATS Arch & Terms September 2019
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. RATS in a Nutshell . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4
3. Conceptual Overview . . . . . . . . . . . . . . . . . . . . . 4
3.1. Computing Environments . . . . . . . . . . . . . . . . . 5
3.2. Trustworthiness . . . . . . . . . . . . . . . . . . . . . 6
3.3. RATS Workflow . . . . . . . . . . . . . . . . . . . . . . 6
3.4. Interoperability between RATS . . . . . . . . . . . . . . 7
4. RATS Architecture . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Attestation Principles . . . . . . . . . . . . . . . . . 8
4.3. RATS Roles and Messages . . . . . . . . . . . . . . . . . 8
4.3.1. Roles . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3.2. Role Messages . . . . . . . . . . . . . . . . . . . . 10
4.4. RATS Principals . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Normative References . . . . . . . . . . . . . . . . . . 12
6.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
The long-standing Internet Threat Model [RFC3552] focuses on threats
to the communication channel, as pioneered by Dolev and Yao
[DOLEV-YAO] in 1983. However, threats to the endpoint [RFC5209] and
system components [RFC4949] of transited communication gear (i.e.
hosts) are increasingly relevant for assessing the trustworthiness
properties of a communication channel. Beyond the collection and
conveyance of security posture [RFC5209] about an endpoint (host),
remote attestation provides believable trustworthiness claims
("Evidence") about an endpoint (host). In general, this document
provides normative guidance how to use, create or adopt network
protocols that facilitate RATS.
Birkholz, et al. Expires March 15, 2020 [Page 2]
Internet-Draft RATS Arch & Terms September 2019
1.1. RATS in a Nutshell
The RATS architecture provides a basis to assess the trustworthiness
of endpoints by other parties:
o In remote attestation workflows, trustworthiness Claims are
accompanied by a proof of veracity. Typically, this proof is a
cryptographic expression such as a digital signature or message
digest. Trustworthiness Claims with proof is what makes
attestation Evidence believable.
o A corresponding attestation provisioning workflow uses
trustworthiness Claims to convey believable Endorsements and
Known-Good-Values used by a Verifier to appraise Evidence.
In the RATS architecture, specific content items are identified (and
described in more detail below):
o Evidence is provable Claims about a specific Computing Environment
made by an Attester.
o Known-Good-Values are reference Claims used to appraise Evidence.
o Endorsements are reference Claims about the environment protecting
the Attesters capabilities to create believable Evidence (e.g. the
type of protection for an attestation key). It answers the
question "why Evidence is believable".
o Attestation Results are the output from the appraisal of Evidence,
Known-Good-Values and Endorsements.
Attestation Results are the output of RATS. Assessment of
Attestation Results can be multi-faceted, but is out-of-scope for the
RATS architecture. If appropriate Endorsements about the Attester
are available, Known-Good-Values about the Attester are available,
and if the Attester is capable of creating believable Evidence - then
the Verifier is able to create Attestation Results that enable
Relying Parties to establish a level of confidence in the
trustworthiness of the Attester.
2. Terminology
Conveyance: a mechanism for transferring RATS Evidence,
Endorsements, Known-Good-Values or Attestation Results.
Entity: a user, organization, device or computing environment.
Birkholz, et al. Expires March 15, 2020 [Page 3]
Internet-Draft RATS Arch & Terms September 2019
Principal: an Entity that implements RATS Roles and creates provable
Claims or Attestation Results (see [ABLP] and [Lampson2007]).
Trustworthiness: an expectation about a computing environment that
it will behave in a way that is intended and nothing more.
Computing Environment: a computing context consisting of system
components.
Attesting Computing Environment: a Computing Environment capabile of
monitoring and attesting a target Computing Environment.
Attested Computing Environment: a target Computing Environment that
is monitored and attested by an Attesting Computing Environment.
2.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Conceptual Overview
In network protocol exchanges, it is often the case that one entity
(a Relying Party) requires an assessment of the trustworthiness of a
remote entity (an Attester or specifc system components [RFC4949]
thereof). Remote ATtestation procedureS (RATS) enable Relying
Parties to establish a level of confidence in the trustworthiness of
remote system components through the creation of attestation evidence
by remote system components and a processing chain of architectural
constituents towards the relying party.
The corresponding trustworthiness attributes processed may not be
just a finite set of values. Additionally, the system
characteristics of remote components themselves have an impact on the
veracity of trustworthiness attributes included in Evidence.
Attester environments can vary widely ranging from those highly
resistant to attacks to those having little or no resistance to
attacks. Configuration options, if set poorly, can result in a
highly resistant environment being operationally less resistant.
Computing Environments are often malleable being constructed from re-
programmable hardware, firmware, software and updatable memory. When
a trustworthy environment changes, the question has to be asked
whether the change transitioned the environment from a trustworthy
state to an untrustworthy state. The RATS architecture provides a
framework for anticipating when a relevant change with respect to a
Birkholz, et al. Expires March 15, 2020 [Page 4]
Internet-Draft RATS Arch & Terms September 2019
trustworthiness attribute occurs, what changed and how relevant it
is. A remote attestation framework also creates a context for
enabling an appropriate response by applications, system software and
protocol endpoints when changes to trustworthiness attributes do
occur.
3.1. Computing Environments
In the RATS context, a Claim is a specific trustworthiness attribute
that pertains to a particular Computing Environment of an Attester.
The set of possible Claims is expected to follow the possible
computing environments that support attestation. In other words,
identical (i.e. same type, model, versions, components and
composition) Attesting Computing Environments can create different
Claim values that still compose valid Evidence due to different
computing contexts. Exemplary Claims include flight vectors or
learned configuration.
Likely, there are a set of Claims that is widely applicable across
most, if not all environments. Conversely, there are Claims that are
unique to specific environments. Consequently, the RATS architecture
incorporates extensible mechanisms for representing Claims.
Computing Environments can be complex structurally. In general,
every Attester consists of multiple components (e.g. memory, CPU,
storage, networking, firmware, software). Components are
computational elements that can be linked and composed to form
computational pipelines, arrays and networks (e.g. a BIOS, a
bootloader, or a trusted execution environment).
An Attester includes at least one Computing Environment that is able
to create attestation Evidence (the Attesting Computing Environment)
about other Computing Environments (the Attested Computing
Environments). Not every computational element of an Attester is
expected to be a Computing Environment capable of remote attestation.
Analogously, remote attestation capable Computing Environments may
not be capable of attesting to (creating evidence about) every
computational element that interacts with the Computing Environment.
A Computing Environment with an attestation capability can only be
endorsed by an external entity and cannot create believable evidence
about itself by its own.
A Computing Environment with the capability of remote attestation:
o is separate from other Attested Computing Environments (about
which attestation evidence is created), and
o is enabling the role of an Attester in the RATS architecture.
Birkholz, et al. Expires March 15, 2020 [Page 5]
Internet-Draft RATS Arch & Terms September 2019
A Computing Environment with the capability of remote attestation and
taking on the role of an Attester has the following duties in order
to create Evidence:
o monitoring trustworthiness attributes of other Computing
Environments,
o collecting trustworthiness attributes and create Claims about
them,
o serialize Claims using interoperable representations,
o provide integrity protection for the sets of Claims, and
o add appropriate attestation provenance attributes about the sets
of Claims.
3.2. Trustworthiness
The trustworthiness of remote attestation capabilities is also a
consideration for the RATS architecture. It should be possible to
understand the trustworthiness properties of the remote attestation
capability for any set of claims of a remote attestation flow via
verification operations. The RATS architecture anticipates recursive
trustworthiness properties and the need for termination. Ultimately,
a portion of a computing environment's trustworthiness is established
via non-automated means. For example, design reviews, manufacturing
process audits and physical security. For this reason, trustworthy
RATS depend on trustworthy manufacturing and supply chain practices.
3.3. RATS Workflow
The basic function of RATS is creation, conveyance and appraisal of
attestation Evidence. An Attester creates attestation Evidence that
are conveyed to a Verifier for appraisal. The appraisals compare
Evidence with expected Known-Good-Values called obtained from
Asserters (e.g. Prinicipals that are Supply Chain Entities). There
can be multiple forms of appraisal (e.g., software integrity
verification, device composition and configuration verification,
device identity and provenance verification). Attestation Results
are the output of appraisals. Attestation Results are signed and
conveyed to Relying Parties. Attestation Results provide the basis
by which the Relying Party may determine a level of confidence to
place in the application data or operations that follow.
RATS architecture defines attestation Roles (i.e., Attester,
Verifier, Asserter and Relying Party), the messages they exchange,
their structure and the various legal ways in which Roles may be
Birkholz, et al. Expires March 15, 2020 [Page 6]
Internet-Draft RATS Arch & Terms September 2019
hosted, combined and divided (see Principals below). RATS messages
are defined by an information model that defines Claims, environment
and protocol semantics. Information Model representations are
realized as data structure and conveyance protocol binding
specifications.
3.4. Interoperability between RATS
The RATS architecture anticipates use of information modeling
techniques that describe computing environment structures - their
components/computational elements and corresponding capabilities - so
that verification operations may rely on the information model as an
interoperable way to navigate the structural complexity.
4. RATS Architecture
4.1. Goals
RATS architecture has the following goals:
o Enable semantic interoperability of attestation semantics through
information models about computing environments and
trustworthiness.
o Enable data structure interoperability related to claims, endpoint
composition / structure, and end-to-end integrity and
confidentiality protection mechanisms.
o Enable programmatic assessment of trustworthiness. (Note:
Mechanisms that manage risk, justify a level of confidence, or
determine a consequence of an attestation result are out of
scope).
o Provide the building blocks, including Roles and Principals that
enable the composition of service-chains/hierarchies and workflows
that can create and appraise evidence about the trustworthiness of
devices and services.
o Use-case driven architecture and design (RATS use cases are
summarized in [I-D.richardson-rats-usecases]).
o Terminology conventions that are consistently applied across RATS
specifications.
o Reinforce trusted computing principles that include attestation.
Birkholz, et al. Expires March 15, 2020 [Page 7]
Internet-Draft RATS Arch & Terms September 2019
4.2. Attestation Principles
Specifications developed by the RATS working group apply the
following principles:
o Freshness - replay of previously asserted Claims about an Attested
Computing Environment can be detected.
o Identity - the Attesting Computing Environment is identifiable
(non-anonymous).
o Context - the Attested Computing Environment is well-defined
(unambiguous).
o Provenance - the origin of Claims with respect to the Attested and
Attesting Computing Environments are known.
o Validity - the expected lifetime of Claims about an Attested
Computing Environment is known.
o Relevance - the Claims associated with the Attested Computing
Environment pertain to trustworthiness metrics.
o Veracity - the believability (level of confidence) of Claims is
based on verifiable proofs.
4.3. RATS Roles and Messages
The RATS Roles (roles) are performed by RATS Principals.
The RATS Architecture provides the building blocks to compose various
RATS roles by leveraging existing and new protocols. It defines
architecture for composing RATS roles with principals and models
their interactions.
Figure Figure 1 provides an overview of the relationships between
RATS Roles and the messages they exchange.
Birkholz, et al. Expires March 15, 2020 [Page 8]
Internet-Draft RATS Arch & Terms September 2019
+----------------+ +-----------------+
| | Known-Good-Values | |
| Asserter(s) |-------------------->| Verifier |
| | Endorsements /-->| |
+----------------+ | +-----------------+
| |
| |
| |
| |Attestation
| |Results
| |
| |
| v
+----------------+ | +-----------------+
| | Evidence | | |
| Attester |-----------------/ | Relying Party |
| | | |
+----------------+ +-----------------+
Figure 1: RATS Roles
4.3.1. Roles
RATS roles are implemented by principals that possess cryptographic
keys used to protect and authenticate Claims or Results.
Attester: An Attestation Function that creates Evidence by
collecting, formatting and protecting (e.g., signing) Claims. It
presents Evidence to a Verifier using a conveyance mechanism or
protocol.
Verifier: An Attestation Function that accepts Evidence from an
Attester using a conveyance mechanism or protocol. It also
accepts Known-Good-Values and Endorsments from an Asserter using a
conveyance mechanism or protocol. It verifies the protection
mechanisms, parses and appraises Evidence according to good-known
valid (or known-invalid) Claims and Endorsments. It produces
Attestation Results that are formatted and protected (e.g.,
signed). It presents Attestation Results to a Relying Party using
a conveyance mechanism or protocol.
Asserter: An Attestation Function that generates reference Claims
about both the Attesting Computing Environment and the Attested
Computing Environment. The manufacturing and development
processes are presumed to be trustworthy processes. In other
words the Asserter is presumed, by a Verifier, to produce valid
Claims. The function collects, formats and protects (e.g. signs)
Birkholz, et al. Expires March 15, 2020 [Page 9]
Internet-Draft RATS Arch & Terms September 2019
valid Claims known as Endorsements and Known-Good-Values. It
presents provable Claims to a Verifier using a conveyance
mechanism or protocol.
Relying Party: An Attestation Function that accepts Attestation
Results from a Verifier using a conveyance mechanism or protocol.
It assesses Attestation Results protections, parses and assesses
Attestation Results according to an assessent context (Note:
definition of the assessment context is out-of-scope).
4.3.2. Role Messages
Claims: Statements about trustworthiness characteristics of an
Attested Computing Environment.
The veracity of a Claim is determined by the reputation of the
entity making the Claim. (Note: Reputation may involve
identifying, authenticating and tracking transactions associated
with an entity. RATS may be used to establish entity reputation,
but not exclusively. Other reputation mechanisms are out-of-
scope).
Evidence: Claims that are formatted and protected by an Attester.
Evidence SHOULD satisfy Verifier expectations for freshness,
identity, context, provenance, validity, relevance and veracity.
Known-Good-Values: Claims about the Attested Computing Environment.
Typically, KGV Claims are message digests of firmware, software or
configuration data supplied by various vendors. If an Attesting
Computing Environment implements cryptography, they include Claims
about key material.
Like Claims, Known-Good-Values SHOULD satisfy a Verifier's
expectations for freshness, identity, context, provenance,
validity, relevance and veracity. Known-Good-Values are reference
Claims that are - like Evidence - well formatted and protected
(e.g. signed).
Endorsements: Claims about immutable and implicit characteristics of
the Attesting Computing Environment. Typically, endorsement
Claims are created by manufacturing or supply chain entities.
Endorsements are intended to increase the level of confidence with
respect to Evidence created by an Attester.
Attestation Results: Statements about the output of an appraisal of
Evidence that are created, formatted and protected by a Verifier.
Birkholz, et al. Expires March 15, 2020 [Page 10]
Internet-Draft RATS Arch & Terms September 2019
Attestation Results provide the basis for a Relying Party to
establsh a level of confidence in the trustworthiness of an
Attester. Attestation Results SHOULD satisfy Relying Party
expectations for freshness, identity, context, provenance,
validity, relevance and veracity.
4.4. RATS Principals
RATS Principals are entities, users, organizations, devices and
computing environments (e.g., devices, platforms, services,
peripherals).
RATS Principals may implement one or more RATS Roles. Role
interactions occurring within the same RATS Principal are out-of-
scope.
The methods whereby RATS Principals may be identified, discovered,
authenticated, connected and trusted, though important, are out-of-
scope.
Principal operations that apply resiliency, scaling, load balancing
or replication are generally believed to be out-of-scope.
+------------------+ +------------------+
| Principal 1 | | Principal 2 |
| +------------+ | | +------------+ |
| | | | | | | |
| | Role 1 |<-|---|->| Role 2 | |
| | | | | | | |
| +------------+ | | +------------+ |
| | | |
| +-----+------+ | | +-----+------+ |
| | | | | | | |
| | Role 2 |<-|---|->| Role 3 | |
| | | | | | | |
| +------------+ | | +------------+ |
| | | |
+------------------+ +------------------+
Figure 2: RATS Principals-Role Composition
RATS Principals have the following properties:
o Multiplicity - Multiple instances of RATS Principals that possess
the same RATS Roles can exist.
o Composition - RATS Principals possessing different RATS Roles can
be combined into a singleton RATS Principal possessing the union
Birkholz, et al. Expires March 15, 2020 [Page 11]
Internet-Draft RATS Arch & Terms September 2019
of RATS Roles. RATS Interactions between combined RATS Principals
is uninteresting.
o Decomposition - A singleton RATS Principal possessing multiple
RATS Roles can be divided into multiple RATS Principals.
RATS Interactions may occur between them.
5. Security Considerations
RATS Evidence, Verifiable Assertions and Results SHOULD use formats
that support end-to-end integrity protection and MAY support end-to-
end confidentiality protection. Replay attack prevention MAY be
supported if a Nonce Claim is included. Nonce Claims often piggy-
back other information and can convey attestation semantics that are
of essence to RATS, e.g. the last four bytes of a challenge nonce
could be replaced by the IPv4 address-value of the Attester in its
response.
All other attacks involving RATS structures are not explicitly
addressed by RATS architecture. Additional security protections MAY
be required of conveyance mechanisms. For example, additional means
of authentication, confidentiality, integrity, replay, denial of
service and privacy protection of RATS payloads and Principals may be
needed.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
6.2. Informative References
[ABLP] Abadi, M., Burrows, M., Lampson, B., and G. Plotkin, "A
Calculus for Access Control in Distributed Systems",
Springer Annual International Cryptology Conference,
page 1-23, DOI 10.1.1.36.691, 1991.
Birkholz, et al. Expires March 15, 2020 [Page 12]
Internet-Draft RATS Arch & Terms September 2019
[DOLEV-YAO]
Dolev, D. and A. Yao, "On the security of public key
protocols", IEEE Transactions on Information Theory Vol.
29, pp. 198-208, DOI 10.1109/tit.1983.1056650, March 1983.
[I-D.richardson-rats-usecases]
Richardson, M., Wallace, C., and W. Pan, "Use cases for
Remote Attestation common encodings", draft-richardson-
rats-usecases-04 (work in progress), July 2019.
[Lampson2007]
Lampson, B., "Practical Principles for Computer Security",
IOSPress Proceedings of Software System Reliability and
Security, page 151-195, DOI 10.1.1.63.5360, 2007.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>.
[RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
Tardo, "Network Endpoint Assessment (NEA): Overview and
Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008,
<https://www.rfc-editor.org/info/rfc5209>.
Authors' Addresses
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
Monty Wiseman
GE Global Research
USA
Email: monty.wiseman@ge.com
Birkholz, et al. Expires March 15, 2020 [Page 13]
Internet-Draft RATS Arch & Terms September 2019
Hannes Tschofenig
ARM Ltd.
110 Fulbourn Rd
Cambridge CB1 9NJ
UK
Email: hannes.tschofenig@gmx.net
Ned Smith
Intel Corporation
USA
Email: ned.smith@intel.com
Birkholz, et al. Expires March 15, 2020 [Page 14]