| < draft-birkholz-attestation-terminology-01.txt | draft-birkholz-attestation-terminology-02.txt > | |||
|---|---|---|---|---|
| Network Working Group H. Birkholz | Network Working Group H. Birkholz | |||
| Internet-Draft Fraunhofer SIT | Internet-Draft Fraunhofer SIT | |||
| Intended status: Informational M. Wiseman | Intended status: Informational M. Wiseman | |||
| Expires: July 8, 2018 GE Global Research | Expires: January 3, 2019 GE Global Research | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Ltd. | ARM Ltd. | |||
| January 04, 2018 | July 02, 2018 | |||
| Reference Terminology for Remote Attestation Procedures | Reference Terminology for Remote Attestation Procedures | |||
| draft-birkholz-attestation-terminology-01 | draft-birkholz-attestation-terminology-02 | |||
| Abstract | Abstract | |||
| This document is intended to illustrate and remediate the impedance | This document is intended to illustrate and remediate the impedance | |||
| mismatch of terms related to remote attestation procedures used in | mismatch of terms related to remote attestation procedures used in | |||
| different domains today. New terms defined by this document provide | different domains today. New terms defined by this document provide | |||
| a consolidated basis to support future work on attestation procedures | a consolidated basis to support future work on attestation procedures | |||
| in the IETF and beyond. | in the IETF and beyond. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 8, 2018. | This Internet-Draft will expire on January 3, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
| 2. Basic Roles of RATS . . . . . . . . . . . . . . . . . . . . . 4 | 2. Basic Roles of RATS . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Computing Context . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Computing Context . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Formal Semantic Relationships . . . . . . . . . . . . . . 5 | 3.1. Formal Semantic Relationships . . . . . . . . . . . . . . 5 | |||
| 3.2. Characteristics of a Computing Context . . . . . . . . . 6 | 3.2. Characteristics of a Computing Context . . . . . . . . . 6 | |||
| 4. Computing Context Identity . . . . . . . . . . . . . . . . . 7 | 4. Computing Context Identity . . . . . . . . . . . . . . . . . 7 | |||
| 5. Attestation Workflow . . . . . . . . . . . . . . . . . . . . 7 | 5. Attestation Workflow . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Reference Use Cases . . . . . . . . . . . . . . . . . . . . . 8 | 6. Reference Use Cases . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.1. The Lying Endpoint Problem . . . . . . . . . . . . . . . 10 | 6.1. The Lying Endpoint Problem . . . . . . . . . . . . . . . 10 | |||
| 6.2. Who am I a talking to? . . . . . . . . . . . . . . . . . 11 | 6.2. Who am I a talking to? . . . . . . . . . . . . . . . . . 11 | |||
| 7. Trustworthiness . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Trustworthiness . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. Remote Attestation . . . . . . . . . . . . . . . . . . . . . 11 | 8. Remote Attestation . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8.1. Building Block Terms . . . . . . . . . . . . . . . . . . 11 | 8.1. Building Block Terms . . . . . . . . . . . . . . . . . . 12 | |||
| 9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 13 | 9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 12. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 13 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 13 | 13.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| During its evolution, the term Remote Attestation has been used in | During its evolution, the term Remote Attestation has been used in | |||
| multiple contexts and multiple scopes and in consequence accumulated | multiple contexts and multiple scopes and in consequence accumulated | |||
| various connotations with slightly different semantic meaning. | various connotations with slightly different semantic meaning. | |||
| Correspondingly, Remote Attestation Procedures (RATS) are employed in | Correspondingly, Remote Attestation Procedures (RATS) are employed in | |||
| various usage scenarios and different environments. | various usage scenarios and different environments. | |||
| skipping to change at page 4, line 16 ¶ | skipping to change at page 4, line 16 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in RFC | "OPTIONAL" in this document are to be interpreted as described in RFC | |||
| 2119, BCP 14 [RFC2119]. | 2119, BCP 14 [RFC2119]. | |||
| 2. Basic Roles of RATS | 2. Basic Roles of RATS | |||
| The use of the term Remote Attestation Procedures always implies the | The use of the term Remote Attestation Procedures always implies the | |||
| involvement of at least two parties that each take on a specific role | involvement of at least two parties that each take on a specific role | |||
| in corresponding RATS - the Attestee role and the Verifier role. | in corresponding RATS - the Attestor role and the Verifier role. | |||
| Depending on the object characteristics attested and the nature of | Depending on the object characteristics attested and the nature of | |||
| the parties, information is exchanged via specific types of | the parties, information is exchanged via specific types of | |||
| Interconnects between them. The type of interconnect ranges from GIO | Interconnects between them. The type of interconnect ranges from GIO | |||
| pins, to a bus component, to the Internet, or from a direct physical | pins, to a bus component, to the Internet, or from a direct physical | |||
| connection, to a wireless association, to a world wide mesh of peers. | connection, to a wireless association, to a world wide mesh of peers. | |||
| In other words, virtually every kind communication path | In other words, virtually every kind communication path | |||
| (Interconnect) can be used by system entities that take on the role | (Interconnect) can be used by system entities that take on the role | |||
| of Attestee and Verifier (in fact, a single party can take on both | of Attestor and Verifier (in fact, a single party can take on both | |||
| roles at the same time, but there is only a limited use to this | roles at the same time, but there is only a limited use to this | |||
| architecture). | architecture). | |||
| Attestee: The role that designates the subject of the remote | Attestor: The role that designates the subject of the remote | |||
| attestation. A system entity that is the provider of evidence | attestation. A system entity that is the provider of evidence | |||
| takes on the role of an Attestee. | takes on the role of an Attestor. | |||
| Verifier: The role that designates the system entity that is the | Verifier: The role that designates the system entity that is the | |||
| appraiser of the evidence provided by the Attestee. A system | appraiser of the evidence provided by the Attestor. A system | |||
| entity that is the consumer of evidence takes on the role of a | entity that is the consumer of evidence takes on the role of a | |||
| Verifier. | Verifier. | |||
| Interconnect: A channel of communication between Attestee and | Interconnect: A channel of communication between Attestor and | |||
| Verifier that enables the appraisal of evidence created by the | Verifier that enables the appraisal of evidence created by the | |||
| Attestee by a remote Verifier. | Attestor by a remote Verifier. | |||
| 3. Computing Context | 3. Computing Context | |||
| This section introduces the term Computing Context in order to | This section introduces the term Computing Context in order to | |||
| simplify the definition of RATS terminology. | simplify the definition of RATS terminology. | |||
| The number of approaches and solutions to create things that provide | The number of approaches and solutions to create things that provide | |||
| the same capabilities as a "simple physical device" continuously | the same capabilities as a "simple physical device" continuously | |||
| increases. Examples include but are not limited to: the | increases. Examples include but are not limited to: the | |||
| compartmentalization of physical resources, the separation of | compartmentalization of physical resources, the separation of | |||
| software instances with different dependencies in dedicated | software instances with different dependencies in dedicated | |||
| containers, and the nesting of virtual components via hardware-based | containers, and the nesting of virtual components via hardware-based | |||
| and software-based solutions. | and software-based solutions. | |||
| System entities are composed of system entities. In essence, every | System entities are composed of system entities. In essence, every | |||
| physical or logical device is a composite of system entities. In | physical or logical device is a composite of system entities. In | |||
| consequence, a composite device also constitutes a system entity. | consequence, a composite device also constitutes a system entity. | |||
| Every component in that composite is a potential Computing Context | Every component in that composite is a potential Computing Context | |||
| capable of taking on the roles of Attestee or Verifier. The scope | capable of taking on the roles of Attestor or Verifier. The scope | |||
| and application of these roles can range from: | and application of these roles can range from: | |||
| o continuous mutual attestation procedures of every system entity | o continuous mutual attestation procedures of every system entity | |||
| inside a composite device, to | inside a composite device, to | |||
| o sporadic remote attestation of unknown parties via heterogeneous | o sporadic remote attestation of unknown parties via heterogeneous | |||
| Interconnects. | Interconnects. | |||
| Analogously, the increasing number of features and functions that | Analogously, the increasing number of features and functions that | |||
| constitute components of a device start to blur the lines that are | constitute components of a device start to blur the lines that are | |||
| required to categorize each solution and approach precisely. To | required to categorize each solution and approach precisely. To | |||
| address this increasingly challenging categorization, the term | address this increasingly challenging categorization, the term | |||
| Computing Context defines the characteristics of the system entities | Computing Context defines the characteristics of the system entities | |||
| that can take on the role of an Attestee and/or the role of a | that can take on the role of an Attestor and/or the role of a | |||
| Verifier. This approach is intended to provide a stable basis of | Verifier. This approach is intended to provide a stable basis of | |||
| definitions for future solutions that continuous to remain viable | definitions for future solutions that continuous to remain viable | |||
| long-term. | long-term. | |||
| Computing Context : An umbrella term that combines the scope of the | Computing Context : An umbrella term that combines the scope of the | |||
| definitions of endpoint [ref NEA], device [ref 1ar], and thing | definitions of endpoint [ref NEA], device [ref 1ar], and thing | |||
| [ref t2trg], including hardware-based and software-based sub- | [ref t2trg], including hardware-based and software-based sub- | |||
| contexts that constitute independent, isolated and distinguishable | contexts that constitute independent, isolated and distinguishable | |||
| slices of a Computing Context created by compartmentalization | slices of a Computing Context created by compartmentalization | |||
| mechanisms, such as Trusted Execution Environments (TEE), Hardware | mechanisms, such as Trusted Execution Environments (TEE), Hardware | |||
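Review bot: three wording defects are carried over from -01 to -02 unchanged in this block and could be fixed in the same pass as the Attestee/Attestor rename: "GIO pins" in the Interconnect paragraph reads as a typo for "GPIO pins" (or should be spelled out if a different term is meant); "virtually every kind communication path" is missing "of"; and "future solutions that continuous to remain viable long-term" should read "that continue to remain viable". The rename itself is applied consistently within this block (role list, Attestor/Verifier/Interconnect definitions, and the Computing Context paragraph). One point worth reconciling: the section 2 text says a single party taking both roles "is only of limited use", while section 3 lists "continuous mutual attestation procedures of every system entity inside a composite device" as one end of the intended range; a sentence distinguishing self-attestation (one entity appraising its own evidence) from mutual attestation between distinct components of one device would remove the apparent tension.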
| skipping to change at page 7, line 29 ¶ | skipping to change at page 7, line 29 ¶ | |||
| Examples include: a smart phone, a nested virtual machine, a | Examples include: a smart phone, a nested virtual machine, a | |||
| virtualized firewall function running distributed on a cluster of | virtualized firewall function running distributed on a cluster of | |||
| physical and virtual nodes, or a trust-zone. | physical and virtual nodes, or a trust-zone. | |||
| 4. Computing Context Identity | 4. Computing Context Identity | |||
| The identity of a Computing Context provides the basis for creating | The identity of a Computing Context provides the basis for creating | |||
| evidence about data origin authenticity. Confidence in the identity | evidence about data origin authenticity. Confidence in the identity | |||
| assurance level [NIST SP-800-63-3] or the assurance levels for | assurance level [NIST SP-800-63-3] or the assurance levels for | |||
| identity authentication [RFC4949] impacts the confidence in the | identity authentication [RFC4949] impacts the confidence in the | |||
| evidence an Attestee provides. | evidence an Attestor provides. | |||
| 5. Attestation Workflow | 5. Attestation Workflow | |||
| This section introduces terms and definitions that are required to | This section introduces terms and definitions that are required to | |||
| illustrate the scope and the granularity of RATS workflows in the | illustrate the scope and the granularity of RATS workflows in the | |||
| domain of security automation. Terms defined in the following | domain of security automation. Terms defined in the following | |||
| sections will be based on this workflow-related definitions. | sections will be based on this workflow-related definitions. | |||
| In general, RATS are composed of iterative activities that can be | In general, RATS are composed of iterative activities that can be | |||
| conducted in intervals. It is neither a generic set of actions nor | conducted in intervals. It is neither a generic set of actions nor | |||
| skipping to change at page 9, line 29 ¶ | skipping to change at page 9, line 29 ¶ | |||
| been implemented correctly and that the protection-relevant | been implemented correctly and that the protection-relevant | |||
| elements of the system do, indeed, accurately mediate and enforce | elements of the system do, indeed, accurately mediate and enforce | |||
| the intent of that policy. By extension, assurance must include a | the intent of that policy. By extension, assurance must include a | |||
| guarantee that the trusted portion of the system works only as | guarantee that the trusted portion of the system works only as | |||
| intended." | intended." | |||
| Confidence: The definition of correctness integrity in [RFC4949] | Confidence: The definition of correctness integrity in [RFC4949] | |||
| notes that "source integrity refers to confidence in data values". | notes that "source integrity refers to confidence in data values". | |||
| Hence, confidence in an attestation procedure is referring to the | Hence, confidence in an attestation procedure is referring to the | |||
| degree of trustworthiness of an attestation activity that produces | degree of trustworthiness of an attestation activity that produces | |||
| evidence (attestee), of an conveyance activity that transfers | evidence (Attestor), of an conveyance activity that transfers | |||
| evidence (interconnect), and of a verification activity that | evidence (interconnect), and of a verification activity that | |||
| appraises evidence (verifier), in respect to correctness | appraises evidence (Verifier), in respect to correctness | |||
| integrity. | integrity. | |||
| Identity: [pull relevant rfc4949 parts here] | Identity: Defined by [RFC4949] as the collective aspect of a set of | |||
| attribute values (i.e., a set of characteristics) by which a | ||||
| system user or other system entity is recognizable or known. | ||||
| (See: authenticate, registration. Compare: identifier.) | ||||
| There are different scopes an identity can apply to: | ||||
| Singular identity: An identity that is registered for an entity | ||||
| that is one person or one process. | ||||
| Shared identity: An identity that is registered for an entity that | ||||
| is a set of singular entities in which each member is authorized | ||||
| to assume the identity individually, and for which the registering | ||||
| system maintains a record of the singular entities that comprise | ||||
| the set. In this case, we would expect each member entity to be | ||||
| registered with a singular identity before becoming associated | ||||
| with the shared identity. | ||||
| Group identity: An identity that is registered for an entity that | ||||
| is a set of entities (2) for which the registering system does not | ||||
| maintain a record of singular entities that comprise the set. | ||||
| Identity Proofing: A process that vets and verifies the information | Identity Proofing: A process that vets and verifies the information | |||
| that is used to establish the identity of a system entity. | that is used to establish the identity of a system entity. | |||
| Source Integrity: The property that data is trustworthy (i.e., | Source Integrity: The property that data is trustworthy (i.e., | |||
| worthy of reliance or trust), based on the trustworthiness of its | worthy of reliance or trust), based on the trustworthiness of its | |||
| sources and the trustworthiness of any procedures used for | sources and the trustworthiness of any procedures used for | |||
| handling data in the system. | handling data in the system. | |||
| Data Integrity: (a) The property that data has not been changed, | Data Integrity: (a) The property that data has not been changed, | |||
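Review bot: the Identity text newly pulled in from [RFC4949] keeps that glossary's own navigation apparatus, which points at entries that do not exist in this draft: "(See: authenticate, registration. Compare: identifier.)" after the definition, and the sense marker "(2)" in "a set of entities (2)" under Group identity. Either drop these fragments or turn them into explicit [RFC4949] citations. Two consistency points in the same block: the Confidence entry now capitalises "(Attestor)" and "(Verifier)" but leaves "(interconnect)" lowercase although Interconnect is a defined role term in section 2, and "of an conveyance activity" should read "of a conveyance activity". Since Identity now cites its source, Identity Proofing, Source Integrity and Data Integrity would benefit from the same treatment so a reader can tell which entries are quoted reference definitions and which are this draft's own.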
| skipping to change at page 10, line 19 ¶ | skipping to change at page 10, line 39 ¶ | |||
| by data is accurate and consistent. | by data is accurate and consistent. | |||
| Verification: (a) The process of examining information to establish | Verification: (a) The process of examining information to establish | |||
| the truth of a claimed fact or value. | the truth of a claimed fact or value. | |||
| (b) The process of comparing two levels of system specification | (b) The process of comparing two levels of system specification | |||
| for proper correspondence, such as comparing a security model with | for proper correspondence, such as comparing a security model with | |||
| a top-level specification, a top-level specification with source | a top-level specification, a top-level specification with source | |||
| code, or source code with object code. | code, or source code with object code. | |||
| Forward Authenticity (FA): A property of secure communication | ||||
| protocols, in which later compromise of the long-term keys of a | ||||
| data origin does not compromise past authentication of data from | ||||
| that origin. FA is achieved by timely recording of assessments of | ||||
| the authenticity from entities (via "audit logs" during "audit | ||||
| sessions") that are authorized for this purpose, in a time frame | ||||
| much shorter than that expected for the compromise of the long- | ||||
| term keys. | ||||
| 6.1. The Lying Endpoint Problem | 6.1. The Lying Endpoint Problem | |||
| A very prominent goal of attestation procedures - and therefore a | A very prominent goal of attestation procedures - and therefore a | |||
| suitable example used as reference in this document - is to address | suitable example used as reference in this document - is to address | |||
| the "lying endpoint problem". | the "lying endpoint problem". | |||
| Information created, relayed, or, in essence, emitted by a computing | Information created, relayed, or, in essence, emitted by a computing | |||
| context does not have to be correct. There can be multiple reasons | context does not have to be correct. There can be multiple reasons | |||
| why that is the case and the "lying endpoint problem" represents a | why that is the case and the "lying endpoint problem" represents a | |||
| scenario, in which the reason is the compromization of computing | scenario, in which the reason is the compromization of computing | |||
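Review bot: the new Forward Authenticity entry introduces "audit logs" and "audit sessions" in quotation marks without defining them or citing where they come from, while the neighbouring entries are attributed to [RFC4949]; either add definitions for both terms in this section or give the reference they are quoted from. The definition also leaves the security argument implicit: it says FA "is achieved by timely recording of assessments of the authenticity" by authorized entities, but the property only holds if that record is protected by means independent of the origin's long-term keys and the recording entities' own keys are not compromised in the same event, since a record that a later key holder can rewrite does not preserve past authentication. Suggest stating those two conditions in the definition, and stating who the recorded assessment is meant to be trusted by (the Verifier, a third party, or both). Minor: "compromization of computing" in the lying-endpoint paragraph should read "compromise of computing".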
| skipping to change at page 11, line 29 ¶ | skipping to change at page 12, line 8 ¶ | |||
| Trusted System: A system that operates as expected, according to | Trusted System: A system that operates as expected, according to | |||
| design and policy, doing what is required - despite environmental | design and policy, doing what is required - despite environmental | |||
| disruption, human user and operator errors, and attacks by hostile | disruption, human user and operator errors, and attacks by hostile | |||
| parties - and not doing other things. | parties - and not doing other things. | |||
| Trustworthy: pull in text here | Trustworthy: pull in text here | |||
| 8. Remote Attestation | 8. Remote Attestation | |||
| Attestation: An object integrity authentication facilitated via the | Attestation: An object integrity authentication facilitated via the | |||
| creation of a claim about the properties of an attestee, such that | creation of a claim about the properties of an Attestor, such that | |||
| the claim can be used as evidence. | the claim can be used as evidence. | |||
| Conveyance: The transfer of evidence from the attestee to the | Conveyance: The transfer of evidence from the Attestor to the | |||
| verifier. | Verifier. | |||
| Verification: The appraisal of evidence by evaluating it against | Verification: The appraisal of evidence by evaluating it against | |||
| declarative guidance. | declarative guidance. | |||
| Remote Attestation: A procedure composed of the activities | Remote Attestation: A procedure composed of the activities | |||
| attestation, conveyance and verification. | attestation, conveyance and verification. | |||
| 8.1. Building Block Terms | 8.1. Building Block Terms | |||
| [working title, pulled from various sources, vital] | [working title, pulled from various sources, vital] | |||
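Review bot: two editor placeholders survived from -01 to -02 unchanged, "Trustworthy: pull in text here" in section 7 and "[working title, pulled from various sources, vital]" in section 8.1, even though the equivalent placeholder for Identity was resolved in this revision; if the text is not ready, mark them as TBD in a consistent form so they are not mistaken for definitions. A second point spans section 6 and section 8: "Verification" is defined twice with different meanings, once as the [RFC4949] senses (a) and (b) in the reference terms (examining information to establish the truth of a claimed fact; comparing two levels of system specification), and once here as "the appraisal of evidence by evaluating it against declarative guidance". Suggest labelling the section 6 entry as the quoted reference definition and making the section 8 entry the draft's own RATS definition, with a cross-reference between them, so that "verification activity" in the Confidence entry resolves to a single meaning. The Trusted System entry would also benefit from a citation if it is quoted rather than original text.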
| End of changes. 22 change blocks. | ||||
| 25 lines changed or deleted | 54 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/