Network Working Group H. Birkholz Internet-Draft Fraunhofer SIT Intended status: Standards Track M. Wiseman Expires: March 15, 2020 GE Global Research H. Tschofenig ARM Ltd. N. Smith Intel September 12, 2019 Remote Attestation Procedures Architecture draft-birkholz-rats-architecture-02 Abstract The Remote ATtestation procedureS (RATS) architecture facilitates interoperability of attestation mechanisms by defining a set of participant roles and interactions that reveal information about the trustworthiness attributes of an attester's computing environment. By making trustworthiness attributes explicit, they can be evaluated dynamically and within an operational context where risk mitigation depends on having a more complete understanding of the possible vulnerabilities germane to the attester's environment. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 15, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. Birkholz, et al. Expires March 15, 2020 [Page 1] Internet-Draft RATS Arch & Terms September 2019 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. RATS in a Nutshell . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4 3. Conceptual Overview . . . . . . . . . . . . . . . . . . . . . 4 3.1. Computing Environments . . . . . . . . . . . . . . . . . 5 3.2. Trustworthiness . . . . . . . . . . . . . . . . . . . . . 6 3.3. RATS Workflow . . . . . . . . . . . . . . . . . . . . . . 6 3.4. Interoperability between RATS . . . . . . . . . . . . . . 7 4. RATS Architecture . . . . . . . . . . . . . . . . . . . . . . 7 4.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. Attestation Principles . . . . . . . . . . . . . . . . . 8 4.3. RATS Roles and Messages . . . . . . . . . . . . . . . . . 8 4.3.1. Roles . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3.2. Role Messages . . . . . . . . . . . . . . . . . . . . 10 4.4. RATS Principals . . . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 6.1. Normative References . . . . . . . . . . . . . . . . . . 12 6.2. Informative References . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction The long-standing Internet Threat Model [RFC3552] focuses on threats to the communication channel, as pioneered by Dolev and Yao [DOLEV-YAO] in 1983. However, threats to the endpoint [RFC5209] and system components [RFC4949] of transited communication gear (i.e. hosts) are increasingly relevant for assessing the trustworthiness properties of a communication channel. Beyond the collection and conveyance of security posture [RFC5209] about an endpoint (host), remote attestation provides believable trustworthiness claims ("Evidence") about an endpoint (host). In general, this document provides normative guidance how to use, create or adopt network protocols that facilitate RATS. Birkholz, et al. Expires March 15, 2020 [Page 2] Internet-Draft RATS Arch & Terms September 2019 1.1. RATS in a Nutshell The RATS architecture provides a basis to assess the trustworthiness of endpoints by other parties: o In remote attestation workflows, trustworthiness Claims are accompanied by a proof of veracity. Typically, this proof is a cryptographic expression such as a digital signature or message digest. Trustworthiness Claims with proof is what makes attestation Evidence believable. o A corresponding attestation provisioning workflow uses trustworthiness Claims to convey believable Endorsements and Known-Good-Values used by a Verifier to appraise Evidence. In the RATS architecture, specific content items are identified (and described in more detail below): o Evidence is provable Claims about a specific Computing Environment made by an Attester. o Known-Good-Values are reference Claims used to appraise Evidence. o Endorsements are reference Claims about the environment protecting the Attesters capabilities to create believable Evidence (e.g. the type of protection for an attestation key). It answers the question "why Evidence is believable". o Attestation Results are the output from the appraisal of Evidence, Known-Good-Values and Endorsements. Attestation Results are the output of RATS. Assessment of Attestation Results can be multi-faceted, but is out-of-scope for the RATS architecture. If appropriate Endorsements about the Attester are available, Known-Good-Values about the Attester are available, and if the Attester is capable of creating believable Evidence - then the Verifier is able to create Attestation Results that enable Relying Parties to establish a level of confidence in the trustworthiness of the Attester. 2. Terminology Conveyance: a mechanism for transferring RATS Evidence, Endorsements, Known-Good-Values or Attestation Results. Entity: a user, organization, device or computing environment. Birkholz, et al. Expires March 15, 2020 [Page 3] Internet-Draft RATS Arch & Terms September 2019 Principal: an Entity that implements RATS Roles and creates provable Claims or Attestation Results (see [ABLP] and [Lampson2007]). Trustworthiness: an expectation about a computing environment that it will behave in a way that is intended and nothing more. Computing Environment: a computing context consisting of system components. Attesting Computing Environment: a Computing Environment capabile of monitoring and attesting a target Computing Environment. Attested Computing Environment: a target Computing Environment that is monitored and attested by an Attesting Computing Environment. 2.1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Conceptual Overview In network protocol exchanges, it is often the case that one entity (a Relying Party) requires an assessment of the trustworthiness of a remote entity (an Attester or specifc system components [RFC4949] thereof). Remote ATtestation procedureS (RATS) enable Relying Parties to establish a level of confidence in the trustworthiness of remote system components through the creation of attestation evidence by remote system components and a processing chain of architectural constituents towards the relying party. The corresponding trustworthiness attributes processed may not be just a finite set of values. Additionally, the system characteristics of remote components themselves have an impact on the veracity of trustworthiness attributes included in Evidence. Attester environments can vary widely ranging from those highly resistant to attacks to those having little or no resistance to attacks. Configuration options, if set poorly, can result in a highly resistant environment being operationally less resistant. Computing Environments are often malleable being constructed from re- programmable hardware, firmware, software and updatable memory. When a trustworthy environment changes, the question has to be asked whether the change transitioned the environment from a trustworthy state to an untrustworthy state. The RATS architecture provides a framework for anticipating when a relevant change with respect to a Birkholz, et al. Expires March 15, 2020 [Page 4] Internet-Draft RATS Arch & Terms September 2019 trustworthiness attribute occurs, what changed and how relevant it is. A remote attestation framework also creates a context for enabling an appropriate response by applications, system software and protocol endpoints when changes to trustworthiness attributes do occur. 3.1. Computing Environments In the RATS context, a Claim is a specific trustworthiness attribute that pertains to a particular Computing Environment of an Attester. The set of possible Claims is expected to follow the possible computing environments that support attestation. In other words, identical (i.e. same type, model, versions, components and composition) Attesting Computing Environments can create different Claim values that still compose valid Evidence due to different computing contexts. Exemplary Claims include flight vectors or learned configuration. Likely, there are a set of Claims that is widely applicable across most, if not all environments. Conversely, there are Claims that are unique to specific environments. Consequently, the RATS architecture incorporates extensible mechanisms for representing Claims. Computing Environments can be complex structurally. In general, every Attester consists of multiple components (e.g. memory, CPU, storage, networking, firmware, software). Components are computational elements that can be linked and composed to form computational pipelines, arrays and networks (e.g. a BIOS, a bootloader, or a trusted execution environment). An Attester includes at least one Computing Environment that is able to create attestation Evidence (the Attesting Computing Environment) about other Computing Environments (the Attested Computing Environments). Not every computational element of an Attester is expected to be a Computing Environment capable of remote attestation. Analogously, remote attestation capable Computing Environments may not be capable of attesting to (creating evidence about) every computational element that interacts with the Computing Environment. A Computing Environment with an attestation capability can only be endorsed by an external entity and cannot create believable evidence about itself by its own. A Computing Environment with the capability of remote attestation: o is separate from other Attested Computing Environments (about which attestation evidence is created), and o is enabling the role of an Attester in the RATS architecture. Birkholz, et al. Expires March 15, 2020 [Page 5] Internet-Draft RATS Arch & Terms September 2019 A Computing Environment with the capability of remote attestation and taking on the role of an Attester has the following duties in order to create Evidence: o monitoring trustworthiness attributes of other Computing Environments, o collecting trustworthiness attributes and create Claims about them, o serialize Claims using interoperable representations, o provide integrity protection for the sets of Claims, and o add appropriate attestation provenance attributes about the sets of Claims. 3.2. Trustworthiness The trustworthiness of remote attestation capabilities is also a consideration for the RATS architecture. It should be possible to understand the trustworthiness properties of the remote attestation capability for any set of claims of a remote attestation flow via verification operations. The RATS architecture anticipates recursive trustworthiness properties and the need for termination. Ultimately, a portion of a computing environment's trustworthiness is established via non-automated means. For example, design reviews, manufacturing process audits and physical security. For this reason, trustworthy RATS depend on trustworthy manufacturing and supply chain practices. 3.3. RATS Workflow The basic function of RATS is creation, conveyance and appraisal of attestation Evidence. An Attester creates attestation Evidence that are conveyed to a Verifier for appraisal. The appraisals compare Evidence with expected Known-Good-Values called obtained from Asserters (e.g. Prinicipals that are Supply Chain Entities). There can be multiple forms of appraisal (e.g., software integrity verification, device composition and configuration verification, device identity and provenance verification). Attestation Results are the output of appraisals. Attestation Results are signed and conveyed to Relying Parties. Attestation Results provide the basis by which the Relying Party may determine a level of confidence to place in the application data or operations that follow. RATS architecture defines attestation Roles (i.e., Attester, Verifier, Asserter and Relying Party), the messages they exchange, their structure and the various legal ways in which Roles may be Birkholz, et al. Expires March 15, 2020 [Page 6] Internet-Draft RATS Arch & Terms September 2019 hosted, combined and divided (see Principals below). RATS messages are defined by an information model that defines Claims, environment and protocol semantics. Information Model representations are realized as data structure and conveyance protocol binding specifications. 3.4. Interoperability between RATS The RATS architecture anticipates use of information modeling techniques that describe computing environment structures - their components/computational elements and corresponding capabilities - so that verification operations may rely on the information model as an interoperable way to navigate the structural complexity. 4. RATS Architecture 4.1. Goals RATS architecture has the following goals: o Enable semantic interoperability of attestation semantics through information models about computing environments and trustworthiness. o Enable data structure interoperability related to claims, endpoint composition / structure, and end-to-end integrity and confidentiality protection mechanisms. o Enable programmatic assessment of trustworthiness. (Note: Mechanisms that manage risk, justify a level of confidence, or determine a consequence of an attestation result are out of scope). o Provide the building blocks, including Roles and Principals that enable the composition of service-chains/hierarchies and workflows that can create and appraise evidence about the trustworthiness of devices and services. o Use-case driven architecture and design (RATS use cases are summarized in [I-D.richardson-rats-usecases]). o Terminology conventions that are consistently applied across RATS specifications. o Reinforce trusted computing principles that include attestation. Birkholz, et al. Expires March 15, 2020 [Page 7] Internet-Draft RATS Arch & Terms September 2019 4.2. Attestation Principles Specifications developed by the RATS working group apply the following principles: o Freshness - replay of previously asserted Claims about an Attested Computing Environment can be detected. o Identity - the Attesting Computing Environment is identifiable (non-anonymous). o Context - the Attested Computing Environment is well-defined (unambiguous). o Provenance - the origin of Claims with respect to the Attested and Attesting Computing Environments are known. o Validity - the expected lifetime of Claims about an Attested Computing Environment is known. o Relevance - the Claims associated with the Attested Computing Environment pertain to trustworthiness metrics. o Veracity - the believability (level of confidence) of Claims is based on verifiable proofs. 4.3. RATS Roles and Messages The RATS Roles (roles) are performed by RATS Principals. The RATS Architecture provides the building blocks to compose various RATS roles by leveraging existing and new protocols. It defines architecture for composing RATS roles with principals and models their interactions. Figure Figure 1 provides an overview of the relationships between RATS Roles and the messages they exchange. Birkholz, et al. Expires March 15, 2020 [Page 8] Internet-Draft RATS Arch & Terms September 2019 +----------------+ +-----------------+ | | Known-Good-Values | | | Asserter(s) |-------------------->| Verifier | | | Endorsements /-->| | +----------------+ | +-----------------+ | | | | | | | |Attestation | |Results | | | | | v +----------------+ | +-----------------+ | | Evidence | | | | Attester |-----------------/ | Relying Party | | | | | +----------------+ +-----------------+ Figure 1: RATS Roles 4.3.1. Roles RATS roles are implemented by principals that possess cryptographic keys used to protect and authenticate Claims or Results. Attester: An Attestation Function that creates Evidence by collecting, formatting and protecting (e.g., signing) Claims. It presents Evidence to a Verifier using a conveyance mechanism or protocol. Verifier: An Attestation Function that accepts Evidence from an Attester using a conveyance mechanism or protocol. It also accepts Known-Good-Values and Endorsments from an Asserter using a conveyance mechanism or protocol. It verifies the protection mechanisms, parses and appraises Evidence according to good-known valid (or known-invalid) Claims and Endorsments. It produces Attestation Results that are formatted and protected (e.g., signed). It presents Attestation Results to a Relying Party using a conveyance mechanism or protocol. Asserter: An Attestation Function that generates reference Claims about both the Attesting Computing Environment and the Attested Computing Environment. The manufacturing and development processes are presumed to be trustworthy processes. In other words the Asserter is presumed, by a Verifier, to produce valid Claims. The function collects, formats and protects (e.g. signs) Birkholz, et al. Expires March 15, 2020 [Page 9] Internet-Draft RATS Arch & Terms September 2019 valid Claims known as Endorsements and Known-Good-Values. It presents provable Claims to a Verifier using a conveyance mechanism or protocol. Relying Party: An Attestation Function that accepts Attestation Results from a Verifier using a conveyance mechanism or protocol. It assesses Attestation Results protections, parses and assesses Attestation Results according to an assessent context (Note: definition of the assessment context is out-of-scope). 4.3.2. Role Messages Claims: Statements about trustworthiness characteristics of an Attested Computing Environment. The veracity of a Claim is determined by the reputation of the entity making the Claim. (Note: Reputation may involve identifying, authenticating and tracking transactions associated with an entity. RATS may be used to establish entity reputation, but not exclusively. Other reputation mechanisms are out-of- scope). Evidence: Claims that are formatted and protected by an Attester. Evidence SHOULD satisfy Verifier expectations for freshness, identity, context, provenance, validity, relevance and veracity. Known-Good-Values: Claims about the Attested Computing Environment. Typically, KGV Claims are message digests of firmware, software or configuration data supplied by various vendors. If an Attesting Computing Environment implements cryptography, they include Claims about key material. Like Claims, Known-Good-Values SHOULD satisfy a Verifier's expectations for freshness, identity, context, provenance, validity, relevance and veracity. Known-Good-Values are reference Claims that are - like Evidence - well formatted and protected (e.g. signed). Endorsements: Claims about immutable and implicit characteristics of the Attesting Computing Environment. Typically, endorsement Claims are created by manufacturing or supply chain entities. Endorsements are intended to increase the level of confidence with respect to Evidence created by an Attester. Attestation Results: Statements about the output of an appraisal of Evidence that are created, formatted and protected by a Verifier. Birkholz, et al. Expires March 15, 2020 [Page 10] Internet-Draft RATS Arch & Terms September 2019 Attestation Results provide the basis for a Relying Party to establsh a level of confidence in the trustworthiness of an Attester. Attestation Results SHOULD satisfy Relying Party expectations for freshness, identity, context, provenance, validity, relevance and veracity. 4.4. RATS Principals RATS Principals are entities, users, organizations, devices and computing environments (e.g., devices, platforms, services, peripherals). RATS Principals may implement one or more RATS Roles. Role interactions occurring within the same RATS Principal are out-of- scope. The methods whereby RATS Principals may be identified, discovered, authenticated, connected and trusted, though important, are out-of- scope. Principal operations that apply resiliency, scaling, load balancing or replication are generally believed to be out-of-scope. +------------------+ +------------------+ | Principal 1 | | Principal 2 | | +------------+ | | +------------+ | | | | | | | | | | | Role 1 |<-|---|->| Role 2 | | | | | | | | | | | +------------+ | | +------------+ | | | | | | +-----+------+ | | +-----+------+ | | | | | | | | | | | Role 2 |<-|---|->| Role 3 | | | | | | | | | | | +------------+ | | +------------+ | | | | | +------------------+ +------------------+ Figure 2: RATS Principals-Role Composition RATS Principals have the following properties: o Multiplicity - Multiple instances of RATS Principals that possess the same RATS Roles can exist. o Composition - RATS Principals possessing different RATS Roles can be combined into a singleton RATS Principal possessing the union Birkholz, et al. Expires March 15, 2020 [Page 11] Internet-Draft RATS Arch & Terms September 2019 of RATS Roles. RATS Interactions between combined RATS Principals is uninteresting. o Decomposition - A singleton RATS Principal possessing multiple RATS Roles can be divided into multiple RATS Principals. RATS Interactions may occur between them. 5. Security Considerations RATS Evidence, Verifiable Assertions and Results SHOULD use formats that support end-to-end integrity protection and MAY support end-to- end confidentiality protection. Replay attack prevention MAY be supported if a Nonce Claim is included. Nonce Claims often piggy- back other information and can convey attestation semantics that are of essence to RATS, e.g. the last four bytes of a challenge nonce could be replaced by the IPv4 address-value of the Attester in its response. All other attacks involving RATS structures are not explicitly addressed by RATS architecture. Additional security protections MAY be required of conveyance mechanisms. For example, additional means of authentication, confidentiality, integrity, replay, denial of service and privacy protection of RATS payloads and Principals may be needed. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 6.2. Informative References [ABLP] Abadi, M., Burrows, M., Lampson, B., and G. Plotkin, "A Calculus for Access Control in Distributed Systems", Springer Annual International Cryptology Conference, page 1-23, DOI 10.1.1.36.691, 1991. Birkholz, et al. Expires March 15, 2020 [Page 12] Internet-Draft RATS Arch & Terms September 2019 [DOLEV-YAO] Dolev, D. and A. Yao, "On the security of public key protocols", IEEE Transactions on Information Theory Vol. 29, pp. 198-208, DOI 10.1109/tit.1983.1056650, March 1983. [I-D.richardson-rats-usecases] Richardson, M., Wallace, C., and W. Pan, "Use cases for Remote Attestation common encodings", draft-richardson- rats-usecases-04 (work in progress), July 2019. [Lampson2007] Lampson, B., "Practical Principles for Computer Security", IOSPress Proceedings of Software System Reliability and Security, page 151-195, DOI 10.1.1.63.5360, 2007. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, . [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. Tardo, "Network Endpoint Assessment (NEA): Overview and Requirements", RFC 5209, DOI 10.17487/RFC5209, June 2008, . Authors' Addresses Henk Birkholz Fraunhofer SIT Rheinstrasse 75 Darmstadt 64295 Germany Email: henk.birkholz@sit.fraunhofer.de Monty Wiseman GE Global Research USA Email: monty.wiseman@ge.com Birkholz, et al. Expires March 15, 2020 [Page 13] Internet-Draft RATS Arch & Terms September 2019 Hannes Tschofenig ARM Ltd. 110 Fulbourn Rd Cambridge CB1 9NJ UK Email: hannes.tschofenig@gmx.net Ned Smith Intel Corporation USA Email: ned.smith@intel.com Birkholz, et al. Expires March 15, 2020 [Page 14]