idnits 2.17.1 

draft-birkholz-tuda-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 08, 2016) is 2842 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'AIK-Cert' is mentioned on line 1574, but not defined

  == Missing Reference: 'TSA-Cert' is mentioned on line 1574, but not defined

  == Unused Reference: 'AIK-Credential' is defined on line 1357, but no
     explicit reference was found in the text

  == Outdated reference: A later version (-01) exists of
     draft-birkholz-sacm-coswid-00

  == Outdated reference: A later version (-11) exists of
     draft-greevenbosch-appsawg-cbor-cddl-08

  == Outdated reference: A later version (-18) exists of
     draft-ietf-netconf-restconf-15

  -- Obsolete informational reference (is this intentional?): RFC 7049
     (Obsoleted by RFC 8949)

  -- Obsolete informational reference (is this intentional?): RFC 7230
     (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 7320
     (Obsoleted by RFC 8820)

  -- Obsolete informational reference (is this intentional?): RFC 7540
     (Obsoleted by RFC 9113)


     Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                           A. Fuchs
3	Internet-Draft                                               H. Birkholz
4	Intended status: Informational                            Fraunhofer SIT
5	Expires: January 9, 2017                                     I. McDonald
6	                                                          High North Inc
7	                                                              C. Bormann
8	                                                 Universitaet Bremen TZI
9	                                                           July 08, 2016

11	                 Time-Based Uni-Directional Attestation
12	                         draft-birkholz-tuda-02

14	Abstract

16	   This memo documents the method and bindings used to conduct time-
17	   based uni-directional attestation between distinguishable endpoints
18	   over the network.

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on January 9, 2017.

37	Copyright Notice

39	   Copyright (c) 2016 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
55	     1.1.  Requirements Notation . . . . . . . . . . . . . . . . . .   4
56	     1.2.  Concept . . . . . . . . . . . . . . . . . . . . . . . . .   4
57	     1.3.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   5
58	       1.3.1.  Roles . . . . . . . . . . . . . . . . . . . . . . . .   5
59	       1.3.2.  General Types . . . . . . . . . . . . . . . . . . . .   6
60	       1.3.3.  TPM-Specific Terms  . . . . . . . . . . . . . . . . .   6
61	       1.3.4.  Certificates  . . . . . . . . . . . . . . . . . . . .   6
62	   2.  Time-Based Uni-Directional Attestation  . . . . . . . . . . .   6
63	     2.1.  TUDA Information Elements Update Cycles . . . . . . . . .   8
64	   3.  REST Realization  . . . . . . . . . . . . . . . . . . . . . .  10
65	   4.  SNMP Realization  . . . . . . . . . . . . . . . . . . . . . .  10
66	     4.1.  Structure of TUDA MIB . . . . . . . . . . . . . . . . . .  11
67	       4.1.1.  Cycle Index . . . . . . . . . . . . . . . . . . . . .  11
68	       4.1.2.  Instance Index  . . . . . . . . . . . . . . . . . . .  12
69	       4.1.3.  Fragment Index  . . . . . . . . . . . . . . . . . . .  12
70	     4.2.  Relationship to Host Resources MIB  . . . . . . . . . . .  12
71	     4.3.  Relationship to Entity MIB  . . . . . . . . . . . . . . .  12
72	     4.4.  Relationship to Other MIBs  . . . . . . . . . . . . . . .  13
73	     4.5.  Definition of TUDA MIB  . . . . . . . . . . . . . . . . .  13
74	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  28
75	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  28
76	   7.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .  28
77	   8.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  29
78	   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  29
79	     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  29
80	     9.2.  Informative References  . . . . . . . . . . . . . . . . .  29
81	   Appendix A.  Realization with TPM 1.2 functions . . . . . . . . .  32
82	     A.1.  TPM Functions . . . . . . . . . . . . . . . . . . . . . .  32
83	       A.1.1.  Tick-Session and Tick-Stamp . . . . . . . . . . . . .  32
84	       A.1.2.  Platform Configuration Registers (PCRs) . . . . . . .  32
85	       A.1.3.  PCR restricted Keys . . . . . . . . . . . . . . . . .  33
86	       A.1.4.  CertifyInfo . . . . . . . . . . . . . . . . . . . . .  33
87	     A.2.  Protocol and Procedure  . . . . . . . . . . . . . . . . .  33
88	       A.2.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  33
89	       A.2.2.  Synchronization Token . . . . . . . . . . . . . . . .  34
90	       A.2.3.  RestrictionInfo . . . . . . . . . . . . . . . . . . .  36
91	       A.2.4.  Measurement Log . . . . . . . . . . . . . . . . . . .  38
92	       A.2.5.  Implicit Attestation  . . . . . . . . . . . . . . . .  39
93	       A.2.6.  Attestation Verification Approach . . . . . . . . . .  40
94	   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  42
95	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42

97	1.  Introduction

99	   Remote attestation describes the attempt to determine the integrity
100	   and trustworthiness of an endpoint -- the attestee -- over a network
101	   to another endpoint -- the verifier -- without direct access.  One
102	   way to do so is based on measurements of software components running
103	   on the attestee, where the hash values of all started software
104	   components are stored (extended into) a Trust Anchor implemented as a
105	   Hardware Security Module (e.g. a Trusted Platform Module or similar)
106	   and reported via a signature over these measurements.  Protocols that
107	   facilitate these Trust Anchor based signatures in order to provide
108	   remote attestations are usually bi-directional protocols [PTS], where
109	   one entity sends a challenge that is included inside the response to
110	   ensure the recentness -- the freshness -- of the attestation
111	   information.

113	   In many contexts and scenarios it is not feasible to deploy bi-
114	   directional protocols, due to constraints in the underlying
115	   communication schemes.  Furthermore, many communication schemes do
116	   not have a notion of connection, which disallows the usage of
117	   connection context related state information.  These constraints may
118	   make it impossible to deploy challenge-response based schemes to
119	   achieve freshness of messages in security protocols.  Examples of
120	   these constrained environments include broadcast and multicast
121	   schemes such as automotive IEEE802.11p as well as communication
122	   models that do not maintain connection state over time, such as REST
123	   [REST] and SNMP [RFC3411].

125	   This document describes the time-based uni-directional attestation
126	   protocol -- TUDA -- that requires only uni-directional communication
127	   channels between verifier and attestee.  whilst still providing up-
128	   to-date information about the integrity and thereby trustworthiness
129	   of the attested device.  There are two important prerequisites next
130	   to the Hardware Security Module (HSM) itself:

132	   o  a source of (relative) time (i.e. a tick counter) integrated in
133	      the HSM, and

135	   o  network access to a trusted time stamp authority (TSA) [RFC3161].

137	   Both prerequisites are mandatory to attest the appropriate freshness
138	   of the remotes attestation without bi-directional communication.  The
139	   attestation scheme of TUDA is based on a set of TUDA information
140	   elements that are generated on the attestee and transported to the
141	   verifier.  TUDA information elements are encoded in the Concise
142	   Binary Object Representation, CBOR [RFC7049].  In this document, the
143	   composition of the CBOR data items that represent the information
144	   elements is described using the CBOR Data Definition Language, CDDL
145	   [I-D.greevenbosch-appsawg-cbor-cddl].

147	   The binding of the attestation scheme used by TUDA to generate the
148	   TUDA information elements is specific to the methods provided by the
149	   HSM used.  As a reference, this document includes pseudo-code that
150	   illustrates the production of TUDA information elements using a TPM
151	   1.2 and the corresponding TPM commands specified in [TPM12] as an
152	   example.  The references to TPM 1.2 commands and corresponding
153	   pseudo-code only serves as guidance to enable a better understanding
154	   of the attestation scheme and does not imply the use of a specific
155	   HSM (excluding, of course, the requirements highlighted above).

157	1.1.  Requirements Notation

159	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
160	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
161	   "OPTIONAL" in this document are to be interpreted as described in RFC
162	   2119, BCP 14 [RFC2119].

164	1.2.  Concept

166	   There are significant differences between conventional bi-directional
167	   attestation and TUDA regarding both the information elements
168	   transmitted between attestee and verifier and the time-frame, in
169	   which an attestation can be considered to be fresh (and therefore
170	   trustworthy).

172	   In general, remote attestation using a bi-directional communication
173	   scheme includes sending a nonce-challenge within a signed attestation
174	   token.  Using the TPM 1.2 as an example, a corresponding nonce-
175	   challenge would be included within the signature created by the
176	   TPM_Quote command in order to prove the freshness of the attestation
177	   response, see e.g.  [PTS].

179	   In contrast, the TUDA protocol would use a combination output of
180	   TPM_CertifyInfo and TPM_TickStampBlob.  The former provides a proof
181	   about the platform's state by attesting that a certain key is bound
182	   to said state.  The latter provides proof that the platform was in
183	   the specified state by using the bound key in a time operation.  This
184	   combination enables a time-based attestation scheme.  This approach
185	   is based on the concepts introduced in [SCALE] and [SFKE2008].

187	   The payload of information elements transmitted is based on different
188	   methods, because the time-frame, in which an attestation is
189	   considered to be fresh (and therefore trustworthy), is defined
190	   differently.

192	   The freshness properties of a challenge-response based protocol
193	   define the point-of-time of attestation between:

195	   o  the time of transmission of the nonce, and

197	   o  the reception of the response

199	   Given the time-based attestation scheme, the freshness property of
200	   TUDA is equivalent to that of bi-directional challenge response
201	   attestation, if the point-in-time of attestation lies between:

203	   o  the transmission of a TUDA time-synchronization token, and

205	   o  the typical round-trip time between the verifier and the attestee,

207	   The accuracy of this time-frame is defined by two factors:

209	   o  the time-synchronization between the attestee and the TSA.  The
210	      time between the two TPM tickstamps give the maximum drift (left
211	      and right) to the TSA timestamp, and

213	   o  the drift of local TPM clocks

215	   Since TUDA attestations do not rely upon a verifier provided value
216	   (i.e. the nonce), the security guarantees of the protocol only
217	   incorporate the TSA and the TPM.  As a consequence TUDA attestations
218	   can even serve as proof of integrity in audit logs with point in time
219	   guarantees, in contrast to classical attestations.

221	   Appendix A contains a realization of TUDA using TPM 1.2 primitives.
222	   A realization of TUDA using TPM 2.0 primitives will be added with the
223	   next iteration of this document.

225	1.3.  Terminology

227	   This document introduces roles, information elements and types
228	   required to conduct TUDA and uses terminology (e.g. specific
229	   certificate names) typically seen in the context of attestation or
230	   hardware security modules.

232	1.3.1.  Roles

234	   Attestee:  the endpoint that is the subject of the attestation to
235	      another endpoint.

237	   Verifier:  the endpoint that consumes the attestation of another
238	      endpoint.

240	   TSA:  a Time Stamp Authority [RFC3161]

242	1.3.2.  General Types

244	   Byte:  the now customary synonym for octet

246	   Cert:  an X.509 certificate represented as a byte-string

248	   PCR-Hash:  a hash value of the security posture measurements stored
249	      in a TPM Platform Configuration Register (e.g. regarding running
250	      software instances) represented as a byte-string

252	1.3.3.  TPM-Specific Terms

254	   AIK:  an Attestation Identity Key, a special key type used within a
255	      TPM for identity-related operations (such as TPM_Certify or
256	      TPM_Quote)

258	   PCR:  a Platform Configuration Register that is part of a TPM and is
259	      used to securely store and report measurements about security
260	      posture

262	1.3.4.  Certificates

264	   TSA-CA:  the Certificate Authority that provides the certificate for
265	      the TSA represented as a Cert

267	   AIK-CA:  the Certificate Authority that provides the certificate for
268	      the attestation identity key of the TPM.  This is the client
269	      platform credential for this protocol.  It is a placeholder for a
270	      specific CA and AIK-Cert is a placeholder for the corresponding
271	      certificate, depending on what protocol was used.  The specific
272	      protocols are out of scope for this document, see also
273	      [AIK-Enrollment] and [IEEE802.1AR].

275	2.  Time-Based Uni-Directional Attestation

277	   A Time-Based Uni-Directional Attestation (TUDA) consists of the
278	   following seven information elements.  They are used to gain
279	   assurance of the Attestee's platform configuration at a certain point
280	   in time:

282	   TSA Certificate:  The certificate of the Time Stamp Authority that is
283	      used in a subsequent synchronization protocol token.  This
284	      certificate is signed by the TSA-CA.

286	   AIK Certificate (<xref target="AIK-Credential"/>, <xref target="AIK-
287	   Enrollment"/>; see <xref target="aik"/>):

289	      A certificate about the Attestation Identity Key (AIK) used.  This
290	      may or may not also be an [IEEE802.1AR] IDevID or LDevID,
291	      depending on their setting of the corresponding identity property.

293	   Synchronization Token:  The reference for Attestations are the Tick-
294	      Sessions of the TPM.  In order to put Attestations into relation
295	      with a Real Time Clock (RTC), it is necessary to provide a
296	      cryptographic synchronization between the tick session and the
297	      RTC.  To do so, a synchronization protocol is run with a Time
298	      Stamp Authority (TSA).

300	   Restriction Info:  The attestation relies on the capability of the
301	      TPM to operate on restricted keys.  Whenever the PCR values for
302	      the machine to be attested change, a new restricted key is created
303	      that can only be operated as long as the PCRs remain in their
304	      current state.

306	      In order to prove to the Verifier that this restricted temporary
307	      key actually has these properties and also to provide the PCR
308	      value that it is restricted, the TPM command TPM_CertifyInfo is
309	      used.  It creates a signed certificate using the AIK about the
310	      newly created restricted key.

312	   Measurement Log:  Similarly to regular attestations, the Verifier
313	      needs a way to reconstruct the PCRs' values in order to estimate
314	      the trustworthiness of the device.  As such, a list of those
315	      elements that were extended into the PCRs is reported.  Note
316	      though that for certain environments, this step may be optional if
317	      a list of valid PCR configurations exists and no measurement log
318	      is required.

320	   Implicit Attestation:  The actual attestation is then based upon a
321	      TPM_TickStampBlob operation using the restricted temporary key
322	      that was certified in the steps above.  The TPM_TickStampBlob is
323	      executed and thereby provides evidence that at this point in time
324	      (with respect to the TPM internal tick-session) a certain
325	      configuration existed (namely the PCR values associated with the
326	      restricted key).  Together with the synchronization token this
327	      tick-related timing can then be related to the real-time clock.

329	   Concise SWID tags:  As an option to better assess the trustworthiness
330	      of an Attestee, a Verifier can request the reference hashes (often
331	      referred to as golden measurements) of all started software
332	      components to compare them with the entries in the measurement
333	      log.  References hashes regarding installed (and therefore
334	      running) software can be provided by the manufacturer via SWID
335	      tags.  SWID tags are provided by the Attestee using the Concise
336	      SWID representation [I-D-birkholz-sacm-coswid] and bundled into a
337	      CBOR array.  Ideally, the reference hashes include a signature
338	      created by the manufacturer of the software.

340	   These information elements could be sent en bloc, but it is
341	   recommended to retrieve them separately to save bandwidth, since
342	   these elements have different update cycles.  In most cases,
343	   retransmitting all seven information elements would result in
344	   unnecessary redundancy.

346	   Furthermore, in some scenarios it might be feasible not to store all
347	   elements on the Attestee endpoint, but instead they could be
348	   retrieved from another location or pre-deployed to the Verifier.  It
349	   is also feasible to only store public keys at the Verifier and skip
350	   the whole certificate provisioning completely in order to save
351	   bandwidth and computation time for certificate verification.

353	2.1.  TUDA Information Elements Update Cycles

355	   An endpoint can be in various states and have various information
356	   associated with it during its life cycle.  For TUDA, a subset of the
357	   states (which can include associated information) that an endpoint
358	   and its TPM can be in, is important to the attestation process.

360	   o  Some states are persistent, even after reboot.  This includes
361	      certificates that are associated with the endpoint itself or with
362	      services it relies on.

364	   o  Some states are more volatile and change at the beginning of each
365	      boot cycle.  This includes the TPM-internal Tick-Session which
366	      provides the basis for the synchronization token and implicit
367	      attestation.

369	   o  Some states are even more volatile and change during an uptime
370	      cycle (the period of time an endpoint is powered on, starting with
371	      its boot).  This includes the content of PCRs of a TPM and thereby
372	      also the PCR-restricted keys used during attestation.

374	   Depending on this "lifetime of state", data has to be transported
375	   over the wire, or not.  E.g. information that does not change due to
376	   a reboot typically has to be transported only once between the
377	   Attestee and the Verifier.

379	   There are three kinds of events that require a renewed attestation:

381	   o  The Attestee completes a boot-cycle

383	   o  A relevant PCR changes
384	   o  Too much time has passed since the last attestation statement

386	   The third event listed above is variable per application use case and
387	   can therefore be set appropriately.  For usage scenarios, in which
388	   the device would periodically push information to be used in an
389	   audit-log, a time-frame of approximately one update per minute should
390	   be sufficient in most cases.  For those usage scenarios, where
391	   verifiers request (pull) a fresh attestation statement, an
392	   implementation could use the TPM continuously to always present the
393	   most freshly created results.  To save some utilization of the TPM
394	   for other purposes, however, a time-frame of once per ten seconds is
395	   recommended, which would leave 80% of utilization for applications.

397	   Attestee                                                 Verifier
398	      |                                                         |
399	    Boot                                                        |
400	      |                                                         |
401	    Create Sync-Token                                           |
402	      |                                                         |
403	    Create Restricted Key                                       |
404	    Certify Restricted Key                                      |
405	      |                                                         |
406	      | AIK-Cert ---------------------------------------------> |
407	      | Sync-Token -------------------------------------------> |
408	      | Certify-Info -----------------------------------------> |
409	      | Measurement Log --------------------------------------> |
410	      | Attestation ------------------------------------------> |
411	      |                                           Verify Attestation
412	      |                                                         |
413	      |       <Time Passed>                                     |
414	      |                                                         |
415	      | Attestation ------------------------------------------> |
416	      |                                           Verify Attestation
417	      |                                                         |
418	      |       <Time Passed>                                     |
419	      |                                                         |
420	    PCR-Change                                                  |
421	      |                                                         |
422	    Create Restricted Key                                       |
423	    Certify Restricted Key                                      |
424	      |                                                         |
425	      | Certify-Info -----------------------------------------> |
426	      | Measurement Log --------------------------------------> |
427	      | Attestation ------------------------------------------> |
428	      |                                           Verify Attestation
429	      |                                                         |
430	    Boot                                                        |
431	      |                                                         |

433	    Create Sync-Token                                           |
434	      |                                                         |
435	    Create Restricted Key                                       |
436	    Certify Restricted Key                                      |
437	      |                                                         |
438	      | Sync-Token -------------------------------------------> |
439	      | Certify-Info -----------------------------------------> |
440	      | Measurement Log --------------------------------------> |
441	      | Attestation ------------------------------------------> |
442	      |                                           Verify Attestation
443	      |                                                         |
444	      |       <Time Passed>                                     |
445	      |                                                         |
446	      | Attestation ------------------------------------------> |
447	      |                                           Verify Attestation
448	      |                                                         |

450	                   Figure 1: Example sequence of events

452	3.  REST Realization

454	   Each of the seven data items is defined as a media type (Section 5).
455	   Representations of resources for each of these media types can be
456	   retrieved from URIs that are defined by the respective servers
457	   [RFC7320].  As can be derived from the URI, the actual retrieval is
458	   via one of the HTTPs ([RFC7230], [RFC7540]) or CoAP [RFC7252].  How a
459	   client obtains these URIs is dependent on the application; e.g., CoRE
460	   Web links [RFC6690] can be used to obtain the relevant URIs from the
461	   self-description of a server, or they could be prescribed by a
462	   RESTCONF data model [I-D.ietf-netconf-restconf].

464	4.  SNMP Realization

466	   SNMPv3 [STD62] [RFC3411] is widely available on computers and also
467	   constrained devices.  To transport the TUDA information elements, an
468	   SNMP MIB is defined below which encodes each of the seven TUDA
469	   information elements into a table.  Each row in a table contains a
470	   single read-only columnar SNMP object of datatype OCTET-STRING.  The
471	   values of a set of rows in each table can be concatenated to
472	   reconstitute a CBOR-encoded TUDA information element.  The Verifier
473	   can retrieve the values for each CBOR fragment by using SNMP GetNext
474	   requests to "walk" each table and can decode each of the CBOR-encoded
475	   data items based on the corresponding CDDL
476	   [I-D.greevenbosch-appsawg-cbor-cddl] definition.

478	   Design Principles:

480	   1.  Over time, TUDA attestation values age and should no longer be
481	       used.  Every table in the TUDA MIB has a primary index with the
482	       value of a separate scalar cycle counter object that
483	       disambiguates the transition from one attestation cycle to the
484	       next.

486	   2.  Over time, the measurement log information (for example) may grow
487	       large.  Therefore, read-only cycle counter scalar objects in all
488	       TUDA MIB object groups facilitate more efficient access with SNMP
489	       GetNext requests.

491	   3.  Notifications are supported by an SNMP trap definition with all
492	       of the cycle counters as bindings, to alert a Verifier that a new
493	       attestation cycle has occurred (e.g., synchronization data,
494	       measurement log, etc. have been updated by adding new rows and
495	       possibly deleting old rows).

497	4.1.  Structure of TUDA MIB

499	   The following table summarizes the object groups, tables and their
500	   indexes, and conformance requirements for the TUDA MIB:

502	   |-------------|-------|----------|----------|----------|
503	   | Group/Table | Cycle | Instance | Fragment | Required |
504	   |-------------|-------|----------|----------|----------|
505	   | General     |       |          |          | x        |
506	   | AIKCert     | x     | x        | x        |          |
507	   | TSACert     | x     | x        | x        |          |
508	   | SyncToken   | x     |          | x        | x        |
509	   | Restrict    | x     |          |          | x        |
510	   | Measure     | x     | x        |          |          |
511	   | VerifyToken | x     |          |          | x        |
512	   | SWIDTag     | x     | x        | x        |          |
513	   |-------------|-------|----------|----------|----------|

515	4.1.1.  Cycle Index

517	   A tudaV1<Group>CycleIndex is the:

519	   1.  first index of a row (element instance or element fragment) in
520	       the tudaV1<Group>Table;

522	   2.  identifier of an update cycle on the table, when rows were added
523	       and/or deleted from the table (bounded by tudaV1<Group>Cycles);
524	       and

526	   3.  binding in the tudaV1TrapV2Cycles notification for directed
527	       polling.

529	4.1.2.  Instance Index

531	   A tudaV1<Group>InstanceIndex is the:

533	   1.  second index of a row (element instance or element fragment) in
534	       the tudaV1<Group>Table; except for

536	   2.  a row in the tudaV1SyncTokenTable (that has only one instance per
537	       cycle).

539	4.1.3.  Fragment Index

541	   A tudaV1<Group>FragmentIndex is the:

543	   1.  last index of a row (always an element fragment) in the
544	       tudaV1<Group>Table; and

546	   2.  accomodation for SNMP transport mapping restrictions for large
547	       string elements that require fragmentation.

549	4.2.  Relationship to Host Resources MIB

551	   The General group in the TUDA MIB is analogous to the System group in
552	   the Host Resources MIB [RFC2790] and provides context information for
553	   the TUDA attestation process.

555	   The Verify Token group in the TUDA MIB is analogous to the Device
556	   group in the Host MIB and represents the verifiable state of a TPM
557	   device and its associated system.

559	   The SWID Tag group (containing a Concise SWID reference hash profile
560	   [I-D-birkholz-sacm-coswid]) in the TUDA MIB is analogous to the
561	   Software Installed and Software Running groups in the Host Resources
562	   MIB [RFC2790].

564	4.3.  Relationship to Entity MIB

566	   The General group in the TUDA MIB is analogous to the Entity General
567	   group in the Entity MIB v4 [RFC6933] and provides context information
568	   for the TUDA attestation process.

570	   The SWID Tag group in the TUDA MIB is analogous to the Entity Logical
571	   group in the Entity MIB v4 [RFC6933].

573	4.4.  Relationship to Other MIBs

575	   The General group in the TUDA MIB is analogous to the System group in
576	   MIB-II [RFC1213] and the System group in the SNMPv2 MIB [RFC3418] and
577	   provides context information for the TUDA attestation process.

579	4.5.  Definition of TUDA MIB

581	   <CODE BEGINS>
582	   TUDA-V1-ATTESTATION-MIB DEFINITIONS ::= BEGIN

584	   IMPORTS
585	       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32,
586	       enterprises, NOTIFICATION-TYPE
587	           FROM SNMPv2-SMI                 -- RFC 2578
588	       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
589	           FROM SNMPv2-CONF                -- RFC 2580
590	       SnmpAdminString
591	           FROM SNMP-FRAMEWORK-MIB;        -- RFC 3411

593	   tudaV1MIB MODULE-IDENTITY
594	       LAST-UPDATED    "201607080000Z"  -- 08 July 2016
595	       ORGANIZATION
596	           "Fraunhofer SIT"
597	       CONTACT-INFO
598	           "Andreas Fuchs
599	           Fraunhofer Institute for Secure Information Technology
600	           Email: andreas.fuchs@sit.fraunhofer.de

602	           Henk Birkholz
603	           Fraunhofer Institute for Secure Information Technology
604	           Email: henk.birkholz@sit.fraunhofer.de

606	           Ira E McDonald
607	           High North Inc
608	           Email: blueroofmusic@gmail.com

610	           Carsten Bormann
611	           Universitaet Bremen TZI
612	           Email: cabo@tzi.org"

614	       DESCRIPTION
615	           "The MIB module for monitoring of time-based unidirectional
616	           attestation information from a network endpoint system,
617	           based on the Trusted Computing Group TPM 1.2 definition.

619	           Copyright (C) High North Inc (2016)."

621	       REVISION "201607080000Z" -- 08 July 2016
622	       DESCRIPTION
623	           "Third version, published as draft-birkholz-tuda-02."

625	       REVISION "201603210000Z" -- 21 March 2016
626	       DESCRIPTION
627	           "Second version, published as draft-birkholz-tuda-01."

629	       REVISION "201510180000Z" -- 18 October 2015
630	       DESCRIPTION
631	           "Initial version, published as draft-birkholz-tuda-00."

633	           ::= { enterprises fraunhofersit(21616) mibs(1) tudaV1MIB(1) }

635	   tudaV1MIBNotifications      OBJECT IDENTIFIER ::= { tudaV1MIB 0 }
636	   tudaV1MIBObjects            OBJECT IDENTIFIER ::= { tudaV1MIB 1 }
637	   tudaV1MIBConformance        OBJECT IDENTIFIER ::= { tudaV1MIB 2 }

639	   --
640	   --  General
641	   --
642	   tudaV1General           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 1 }

644	   tudaV1GeneralCycles OBJECT-TYPE
645	       SYNTAX      Counter32
646	       MAX-ACCESS  read-only
647	       STATUS      current
648	       DESCRIPTION
649	           "Count of TUDA update cycles that have occurred, i.e.,
650	           sum of all the individual group cycle counters.

652	           DEFVAL intentionally omitted - counter object."
653	       ::= { tudaV1General 1 }

655	   tudaV1GeneralVersionInfo OBJECT-TYPE
656	       SYNTAX      SnmpAdminString (SIZE(0..255))
657	       MAX-ACCESS  read-only
658	       STATUS      current
659	       DESCRIPTION
660	           "Version information for TUDA MIB, e.g., specific release
661	           version of TPM 1.2 base specification and release version
662	           of TPM 1.2 errata specification and manufacturer and model
663	           TPM module itself."
664	       DEFVAL      { "" }
665	       ::= { tudaV1General 2 }

667	   --
668	   --  AIK Cert
669	   --
670	   tudaV1AIKCert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 2 }

672	   tudaV1AIKCertCycles OBJECT-TYPE
673	       SYNTAX      Counter32
674	       MAX-ACCESS  read-only
675	       STATUS      current
676	       DESCRIPTION
677	           "Count of AIK Certificate chain update cycles that have
678	           occurred.

680	           DEFVAL intentionally omitted - counter object."
681	       ::= { tudaV1AIKCert 1 }

683	   tudaV1AIKCertTable OBJECT-TYPE
684	       SYNTAX      SEQUENCE OF TudaV1AIKCertEntry
685	       MAX-ACCESS  not-accessible
686	       STATUS      current
687	       DESCRIPTION
688	           "A table of fragments of AIK Certificate data."
689	       ::= { tudaV1AIKCert 2 }

691	   tudaV1AIKCertEntry OBJECT-TYPE
692	       SYNTAX      TudaV1AIKCertEntry
693	       MAX-ACCESS  not-accessible
694	       STATUS      current
695	       DESCRIPTION
696	           "An entry for one fragment of AIK Certificate data."
697	       INDEX       { tudaV1AIKCertCycleIndex,
698	                     tudaV1AIKCertInstanceIndex,
699	                     tudaV1AIKCertFragmentIndex }
700	       ::= { tudaV1AIKCertTable 1 }

702	   TudaV1AIKCertEntry ::=
703	       SEQUENCE {
704	           tudaV1AIKCertCycleIndex         Integer32,
705	           tudaV1AIKCertInstanceIndex      Integer32,
706	           tudaV1AIKCertFragmentIndex      Integer32,
707	           tudaV1AIKCertData               OCTET STRING
708	       }

710	   tudaV1AIKCertCycleIndex OBJECT-TYPE
711	       SYNTAX      Integer32 (1..2147483647)
712	       MAX-ACCESS  not-accessible
713	       STATUS      current
714	       DESCRIPTION
715	           "High-order index of this AIK Certificate fragment.
716	           Index of an AIK Certificate chain update cycle that has
717	           occurred (bounded by the value of tudaV1AIKCertCycles).

719	           DEFVAL intentionally omitted - index object."
720	       ::= { tudaV1AIKCertEntry 1 }

722	   tudaV1AIKCertInstanceIndex OBJECT-TYPE
723	       SYNTAX      Integer32 (1..2147483647)
724	       MAX-ACCESS  not-accessible
725	       STATUS      current
726	       DESCRIPTION
727	           "Middle index of this AIK Certificate fragment.
728	           Ordinal of this AIK Certificate in this chain, where the AIK
729	           Certificate itself has an ordinal of '1' and higher ordinals
730	           go *up* the certificate chain to the Root CA.

732	           DEFVAL intentionally omitted - index object."
733	       ::= { tudaV1AIKCertEntry 2 }

735	   tudaV1AIKCertFragmentIndex OBJECT-TYPE
736	       SYNTAX      Integer32 (1..2147483647)
737	       MAX-ACCESS  not-accessible
738	       STATUS      current
739	       DESCRIPTION
740	           "Low-order index of this AIK Certificate fragment.

742	           DEFVAL intentionally omitted - index object."
743	       ::= { tudaV1AIKCertEntry 3 }

745	   tudaV1AIKCertData OBJECT-TYPE
746	       SYNTAX      OCTET STRING (SIZE(0..1024))
747	       MAX-ACCESS  read-only
748	       STATUS      current
749	       DESCRIPTION
750	           "A fragment of CBOR encoded AIK Certificate data."
751	       DEFVAL      { "" }
752	       ::= { tudaV1AIKCertEntry 4 }

754	   --
755	   --  TSA Cert
756	   --
757	   tudaV1TSACert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 3 }

759	   tudaV1TSACertCycles OBJECT-TYPE
760	       SYNTAX      Counter32
761	       MAX-ACCESS  read-only
762	       STATUS      current
763	       DESCRIPTION
764	           "Count of TSA Certificate chain update cycles that have
765	           occurred.

767	           DEFVAL intentionally omitted - counter object."
768	       ::= { tudaV1TSACert 1 }

770	   tudaV1TSACertTable OBJECT-TYPE
771	       SYNTAX      SEQUENCE OF TudaV1TSACertEntry
772	       MAX-ACCESS  not-accessible
773	       STATUS      current
774	       DESCRIPTION
775	           "A table of fragments of TSA Certificate data."
776	       ::= { tudaV1TSACert 2 }

778	   tudaV1TSACertEntry OBJECT-TYPE
779	       SYNTAX      TudaV1TSACertEntry
780	       MAX-ACCESS  not-accessible
781	       STATUS      current
782	       DESCRIPTION
783	           "An entry for one fragment of TSA Certificate data."
784	       INDEX       { tudaV1TSACertCycleIndex,
785	                     tudaV1TSACertInstanceIndex,
786	                     tudaV1TSACertFragmentIndex }
787	       ::= { tudaV1TSACertTable 1 }

789	   TudaV1TSACertEntry ::=
790	       SEQUENCE {
791	           tudaV1TSACertCycleIndex         Integer32,
792	           tudaV1TSACertInstanceIndex      Integer32,
793	           tudaV1TSACertFragmentIndex      Integer32,
794	           tudaV1TSACertData               OCTET STRING
795	       }

797	   tudaV1TSACertCycleIndex OBJECT-TYPE
798	       SYNTAX      Integer32 (1..2147483647)
799	       MAX-ACCESS  not-accessible
800	       STATUS      current
801	       DESCRIPTION
802	           "High-order index of this TSA Certificate fragment.
803	           Index of a TSA Certificate chain update cycle that has
804	           occurred (bounded by the value of tudaV1TSACertCycles).

806	           DEFVAL intentionally omitted - index object."
807	       ::= { tudaV1TSACertEntry 1 }

809	   tudaV1TSACertInstanceIndex OBJECT-TYPE
810	       SYNTAX      Integer32 (1..2147483647)
811	       MAX-ACCESS  not-accessible
812	       STATUS      current
813	       DESCRIPTION
814	           "Middle index of this TSA Certificate fragment.
815	           Ordinal of this TSA Certificate in this chain, where the TSA
816	           Certificate itself has an ordinal of '1' and higher ordinals
817	           go *up* the certificate chain to the Root CA.

819	           DEFVAL intentionally omitted - index object."
820	       ::= { tudaV1TSACertEntry 2 }

822	   tudaV1TSACertFragmentIndex OBJECT-TYPE
823	       SYNTAX      Integer32 (1..2147483647)
824	       MAX-ACCESS  not-accessible
825	       STATUS      current
826	       DESCRIPTION
827	           "Low-order index of this TSA Certificate fragment.

829	           DEFVAL intentionally omitted - index object."
830	       ::= { tudaV1TSACertEntry 3 }

832	   tudaV1TSACertData OBJECT-TYPE
833	       SYNTAX      OCTET STRING (SIZE(0..1024))
834	       MAX-ACCESS  read-only
835	       STATUS      current
836	       DESCRIPTION
837	           "A fragment of CBOR encoded TSA Certificate data."
838	       DEFVAL      { "" }
839	       ::= { tudaV1TSACertEntry 4 }

841	   --
842	   --  Sync Token
843	   --
844	   tudaV1SyncToken         OBJECT IDENTIFIER ::= { tudaV1MIBObjects 4 }

846	   tudaV1SyncTokenCycles OBJECT-TYPE
847	       SYNTAX      Counter32
848	       MAX-ACCESS  read-only
849	       STATUS      current
850	       DESCRIPTION
851	           "Count of Sync Token update cycles that have
852	           occurred.

854	           DEFVAL intentionally omitted - counter object."
855	       ::= { tudaV1SyncToken 1 }

857	   tudaV1SyncTokenTable OBJECT-TYPE
858	       SYNTAX      SEQUENCE OF TudaV1SyncTokenEntry
859	       MAX-ACCESS  not-accessible
860	       STATUS      current
861	       DESCRIPTION
862	           "A table of fragments of Sync Token data."
863	       ::= { tudaV1SyncToken 2 }

865	   tudaV1SyncTokenEntry OBJECT-TYPE
866	       SYNTAX      TudaV1SyncTokenEntry
867	       MAX-ACCESS  not-accessible
868	       STATUS      current
869	       DESCRIPTION
870	           "An entry for one fragment of Sync Token data."
871	       INDEX       { tudaV1SyncTokenCycleIndex,
872	                     tudaV1SyncTokenFragmentIndex }
873	       ::= { tudaV1SyncTokenTable 1 }

875	   TudaV1SyncTokenEntry ::=
876	       SEQUENCE {
877	           tudaV1SyncTokenCycleIndex       Integer32,
878	           tudaV1SyncTokenFragmentIndex    Integer32,
879	           tudaV1SyncTokenData             OCTET STRING
880	       }

882	   tudaV1SyncTokenCycleIndex OBJECT-TYPE
883	       SYNTAX      Integer32 (1..2147483647)
884	       MAX-ACCESS  not-accessible
885	       STATUS      current
886	       DESCRIPTION
887	           "High-order index of this Sync Token fragment.
888	           Index of a Sync Token update cycle that has
889	           occurred (bounded by the value of tudaV1SyncTokenCycles).

891	           DEFVAL intentionally omitted - index object."
892	       ::= { tudaV1SyncTokenEntry 1 }

894	   tudaV1SyncTokenFragmentIndex OBJECT-TYPE
895	       SYNTAX      Integer32 (1..2147483647)
896	       MAX-ACCESS  not-accessible
897	       STATUS      current
898	       DESCRIPTION
899	           "Low-order index of this Sync Token fragment.

901	           DEFVAL intentionally omitted - index object."
902	       ::= { tudaV1SyncTokenEntry 2 }

904	   tudaV1SyncTokenData OBJECT-TYPE
905	       SYNTAX      OCTET STRING (SIZE(0..1024))
906	       MAX-ACCESS  read-only
907	       STATUS      current
908	       DESCRIPTION
909	           "A fragment of CBOR encoded Sync Token data."
910	       DEFVAL      { "" }
911	       ::= { tudaV1SyncTokenEntry 3 }

913	   --
914	   --  Restriction Info
915	   --
916	   tudaV1Restrict          OBJECT IDENTIFIER ::= { tudaV1MIBObjects 5 }

918	   tudaV1RestrictCycles OBJECT-TYPE
919	       SYNTAX      Counter32
920	       MAX-ACCESS  read-only
921	       STATUS      current
922	       DESCRIPTION
923	           "Count of Restriction Info update cycles that have
924	           occurred.

926	           DEFVAL intentionally omitted - counter object."
927	       ::= { tudaV1Restrict 1 }

929	   tudaV1RestrictTable OBJECT-TYPE
930	       SYNTAX      SEQUENCE OF TudaV1RestrictEntry
931	       MAX-ACCESS  not-accessible
932	       STATUS      current
933	       DESCRIPTION
934	           "A table of instances of Restriction Info data."
935	       ::= { tudaV1Restrict 2 }

937	   tudaV1RestrictEntry OBJECT-TYPE
938	       SYNTAX      TudaV1RestrictEntry
939	       MAX-ACCESS  not-accessible
940	       STATUS      current
941	       DESCRIPTION
942	           "An entry for one instance of Restriction Info data."
943	       INDEX       { tudaV1RestrictCycleIndex }
944	       ::= { tudaV1RestrictTable 1 }

946	   TudaV1RestrictEntry ::=
947	       SEQUENCE {
948	           tudaV1RestrictCycleIndex        Integer32,
949	           tudaV1RestrictData              OCTET STRING
950	       }

952	   tudaV1RestrictCycleIndex OBJECT-TYPE
953	       SYNTAX      Integer32 (1..2147483647)
954	       MAX-ACCESS  not-accessible
955	       STATUS      current
956	       DESCRIPTION
957	           "Index of this Restriction Info entry.
958	           Index of a Restriction Info update cycle that has
959	           occurred (bounded by the value of tudaV1RestrictCycles).

961	           DEFVAL intentionally omitted - index object."
962	       ::= { tudaV1RestrictEntry 1 }

964	   tudaV1RestrictData OBJECT-TYPE
965	       SYNTAX      OCTET STRING (SIZE(0..1024))
966	       MAX-ACCESS  read-only
967	       STATUS      current
968	       DESCRIPTION
969	           "An instance of CBOR encoded Restriction Info data."
970	       DEFVAL      { "" }
971	       ::= { tudaV1RestrictEntry 2 }

973	   --
974	   --  Measurement Log
975	   --
976	   tudaV1Measure           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 6 }

978	   tudaV1MeasureCycles OBJECT-TYPE
979	       SYNTAX      Counter32
980	       MAX-ACCESS  read-only
981	       STATUS      current
982	       DESCRIPTION
983	           "Count of Measurement Log update cycles that have
984	           occurred.

986	           DEFVAL intentionally omitted - counter object."
987	       ::= { tudaV1Measure 1 }

989	   tudaV1MeasureInstances OBJECT-TYPE
990	       SYNTAX      Counter32
991	       MAX-ACCESS  read-only
992	       STATUS      current
993	       DESCRIPTION
994	           "Count of Measurement Log instance entries that have
995	           been recorded (some entries MAY have been pruned).

997	           DEFVAL intentionally omitted - counter object."
998	       ::= { tudaV1Measure 2 }

1000	   tudaV1MeasureTable OBJECT-TYPE
1001	       SYNTAX      SEQUENCE OF TudaV1MeasureEntry
1002	       MAX-ACCESS  not-accessible
1003	       STATUS      current
1004	       DESCRIPTION
1005	           "A table of instances of Measurement Log data."
1006	       ::= { tudaV1Measure 3 }

1008	   tudaV1MeasureEntry OBJECT-TYPE
1009	       SYNTAX      TudaV1MeasureEntry
1010	       MAX-ACCESS  not-accessible
1011	       STATUS      current
1012	       DESCRIPTION
1013	           "An entry for one instance of Measurement Log data."
1014	       INDEX       { tudaV1MeasureCycleIndex,
1015	                     tudaV1MeasureInstanceIndex }
1016	       ::= { tudaV1MeasureTable 1 }

1018	   TudaV1MeasureEntry ::=
1019	       SEQUENCE {
1020	           tudaV1MeasureCycleIndex         Integer32,
1021	           tudaV1MeasureInstanceIndex      Integer32,
1022	           tudaV1MeasureData               OCTET STRING
1023	       }

1025	   tudaV1MeasureCycleIndex OBJECT-TYPE
1026	       SYNTAX      Integer32 (1..2147483647)
1027	       MAX-ACCESS  not-accessible
1028	       STATUS      current
1029	       DESCRIPTION
1030	           "High-order index of this Measurement Log entry.
1031	           Index of a Measurement Log update cycle that has
1032	           occurred (bounded by the value of tudaV1MeasureCycles).

1034	           DEFVAL intentionally omitted - index object."
1035	       ::= { tudaV1MeasureEntry 1 }

1037	   tudaV1MeasureInstanceIndex OBJECT-TYPE
1038	       SYNTAX      Integer32 (1..2147483647)
1039	       MAX-ACCESS  not-accessible
1040	       STATUS      current
1041	       DESCRIPTION
1042	           "Low-order index of this Measurement Log entry.
1043	           Ordinal of this instance of Measurement Log data
1044	           (NOT bounded by the value of tudaV1MeasureInstances).

1046	           DEFVAL intentionally omitted - index object."
1047	       ::= { tudaV1MeasureEntry 2 }

1049	   tudaV1MeasureData OBJECT-TYPE
1050	       SYNTAX      OCTET STRING (SIZE(0..1024))
1051	       MAX-ACCESS  read-only
1052	       STATUS      current
1053	       DESCRIPTION
1054	           "A instance of CBOR encoded Measurement Log data."
1055	       DEFVAL      { "" }
1056	       ::= { tudaV1MeasureEntry 3 }

1058	   --
1059	   --  Verify Token
1060	   --
1061	   tudaV1VerifyToken       OBJECT IDENTIFIER ::= { tudaV1MIBObjects 7 }

1063	   tudaV1VerifyTokenCycles OBJECT-TYPE
1064	       SYNTAX      Counter32
1065	       MAX-ACCESS  read-only
1066	       STATUS      current
1067	       DESCRIPTION
1068	           "Count of Verify Token update cycles that have
1069	           occurred.

1071	           DEFVAL intentionally omitted - counter object."
1072	       ::= { tudaV1VerifyToken 1 }

1074	   tudaV1VerifyTokenTable OBJECT-TYPE
1075	       SYNTAX      SEQUENCE OF TudaV1VerifyTokenEntry
1076	       MAX-ACCESS  not-accessible
1077	       STATUS      current
1078	       DESCRIPTION
1079	           "A table of instances of Verify Token data."
1080	       ::= { tudaV1VerifyToken 2 }

1082	   tudaV1VerifyTokenEntry OBJECT-TYPE
1083	       SYNTAX      TudaV1VerifyTokenEntry
1084	       MAX-ACCESS  not-accessible
1085	       STATUS      current
1086	       DESCRIPTION
1087	           "An entry for one instance of Verify Token data."
1088	       INDEX       { tudaV1VerifyTokenCycleIndex }
1089	       ::= { tudaV1VerifyTokenTable 1 }

1091	   TudaV1VerifyTokenEntry ::=
1092	       SEQUENCE {
1093	           tudaV1VerifyTokenCycleIndex     Integer32,
1094	           tudaV1VerifyTokenData           OCTET STRING
1095	       }

1097	   tudaV1VerifyTokenCycleIndex OBJECT-TYPE
1098	       SYNTAX      Integer32 (1..2147483647)
1099	       MAX-ACCESS  not-accessible
1100	       STATUS      current
1101	       DESCRIPTION
1102	           "Index of this instance of Verify Token data.
1103	           Index of a Verify Token update cycle that has
1104	           occurred (bounded by the value of tudaV1VerifyTokenCycles).

1106	           DEFVAL intentionally omitted - index object."
1107	       ::= { tudaV1VerifyTokenEntry 1 }

1109	   tudaV1VerifyTokenData OBJECT-TYPE
1110	       SYNTAX      OCTET STRING (SIZE(0..1024))
1111	       MAX-ACCESS  read-only
1112	       STATUS      current
1113	       DESCRIPTION
1114	           "A instance of CBOR encoded Verify Token data."
1115	       DEFVAL      { "" }
1116	       ::= { tudaV1VerifyTokenEntry 2 }

1118	   --
1119	   --  SWID Tag
1120	   --
1121	   tudaV1SWIDTag           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 8 }

1123	   tudaV1SWIDTagCycles OBJECT-TYPE
1124	       SYNTAX      Counter32
1125	       MAX-ACCESS  read-only
1126	       STATUS      current
1127	       DESCRIPTION
1128	           "Count of SWID Tag update cycles that have occurred.

1130	           DEFVAL intentionally omitted - counter object."
1131	       ::= { tudaV1SWIDTag 1 }

1133	   tudaV1SWIDTagTable OBJECT-TYPE
1134	       SYNTAX      SEQUENCE OF TudaV1SWIDTagEntry
1135	       MAX-ACCESS  not-accessible
1136	       STATUS      current
1137	       DESCRIPTION
1138	           "A table of fragments of SWID Tag data."
1139	       ::= { tudaV1SWIDTag 2 }

1141	   tudaV1SWIDTagEntry OBJECT-TYPE
1142	       SYNTAX      TudaV1SWIDTagEntry
1143	       MAX-ACCESS  not-accessible
1144	       STATUS      current
1145	       DESCRIPTION
1146	           "An entry for one fragment of SWID Tag data."
1147	       INDEX       { tudaV1SWIDTagCycleIndex,
1148	                     tudaV1SWIDTagInstanceIndex,
1149	                     tudaV1SWIDTagFragmentIndex }
1150	       ::= { tudaV1SWIDTagTable 1 }

1152	   TudaV1SWIDTagEntry ::=
1153	       SEQUENCE {
1154	           tudaV1SWIDTagCycleIndex         Integer32,
1155	           tudaV1SWIDTagInstanceIndex      Integer32,
1156	           tudaV1SWIDTagFragmentIndex      Integer32,
1157	           tudaV1SWIDTagData               OCTET STRING
1158	       }

1160	   tudaV1SWIDTagCycleIndex OBJECT-TYPE
1161	       SYNTAX      Integer32 (1..2147483647)
1162	       MAX-ACCESS  not-accessible
1163	       STATUS      current
1164	       DESCRIPTION
1165	           "High-order index of this SWID Tag fragment.
1166	           Index of an SWID Tag update cycle that has
1167	           occurred (bounded by the value of tudaV1SWIDTagCycles).

1169	           DEFVAL intentionally omitted - index object."
1170	       ::= { tudaV1SWIDTagEntry 1 }

1172	   tudaV1SWIDTagInstanceIndex OBJECT-TYPE
1173	       SYNTAX      Integer32 (1..2147483647)
1174	       MAX-ACCESS  not-accessible
1175	       STATUS      current
1176	       DESCRIPTION
1177	           "Middle index of this SWID Tag fragment.
1178	           Ordinal of this SWID Tag instance in this update cycle.

1180	           DEFVAL intentionally omitted - index object."
1181	       ::= { tudaV1SWIDTagEntry 2 }

1183	   tudaV1SWIDTagFragmentIndex OBJECT-TYPE
1184	       SYNTAX      Integer32 (1..2147483647)
1185	       MAX-ACCESS  not-accessible
1186	       STATUS      current
1187	       DESCRIPTION
1188	           "Low-order index of this SWID Tag fragment.

1190	           DEFVAL intentionally omitted - index object."
1191	       ::= { tudaV1SWIDTagEntry 3 }

1193	   tudaV1SWIDTagData OBJECT-TYPE
1194	       SYNTAX      OCTET STRING (SIZE(0..1024))
1195	       MAX-ACCESS  read-only
1196	       STATUS      current
1197	       DESCRIPTION
1198	           "A fragment of CBOR encoded SWID Tag data."
1199	       DEFVAL      { "" }
1200	       ::= { tudaV1SWIDTagEntry 4 }

1202	   --
1203	   --  Trap Cycles
1204	   --
1205	   tudaV1TrapV2Cycles NOTIFICATION-TYPE
1206	       OBJECTS {
1207	           tudaV1GeneralCycles,
1208	           tudaV1AIKCertCycles,
1209	           tudaV1TSACertCycles,
1210	           tudaV1SyncTokenCycles,
1211	           tudaV1RestrictCycles,
1212	           tudaV1MeasureCycles,
1213	           tudaV1MeasureInstances,
1214	           tudaV1VerifyTokenCycles,
1215	           tudaV1SWIDTagCycles
1216	       }
1217	       STATUS  current
1218	       DESCRIPTION
1219	           "This trap is sent when the value of any cycle or instance
1220	           counter changes (i.e., one or more tables are updated).

1222	           Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
1223	           always included in SNMPv2 traps, per RFC 3416."
1224	       ::= { tudaV1MIBNotifications 1 }

1226	   --
1227	   --  Conformance Information
1228	   --
1229	   tudaV1Compliances           OBJECT IDENTIFIER
1230	       ::= { tudaV1MIBConformance 1 }

1232	   tudaV1ObjectGroups          OBJECT IDENTIFIER
1233	       ::= { tudaV1MIBConformance 2 }

1235	   tudaV1NotificationGroups    OBJECT IDENTIFIER
1236	       ::= { tudaV1MIBConformance 3 }

1238	   --
1239	   --  Compliance Statements
1240	   --
1241	   tudaV1BasicCompliance MODULE-COMPLIANCE
1242	       STATUS  current
1243	       DESCRIPTION
1244	           "An implementation that complies with this module MUST
1245	           implement all of the objects defined in the mandatory
1246	           group tudaV1BasicGroup."
1247	       MODULE  -- this module
1248	       MANDATORY-GROUPS { tudaV1BasicGroup }

1250	       GROUP   tudaV1OptionalGroup
1251	       DESCRIPTION
1252	           "The optional TUDA MIB objects.
1253	           An implementation MAY implement this group."

1255	       GROUP   tudaV1TrapGroup
1256	       DESCRIPTION
1257	           "The TUDA MIB traps.
1258	           An implementation SHOULD implement this group."
1259	       ::= { tudaV1Compliances 1 }

1261	   --
1262	   --  Compliance Groups
1263	   --
1264	   tudaV1BasicGroup OBJECT-GROUP
1265	       OBJECTS {
1266	           tudaV1GeneralCycles,
1267	           tudaV1GeneralVersionInfo,
1268	           tudaV1SyncTokenCycles,
1269	           tudaV1SyncTokenData,
1270	           tudaV1RestrictCycles,
1271	           tudaV1RestrictData,
1272	           tudaV1VerifyTokenCycles,
1273	           tudaV1VerifyTokenData
1274	       }
1275	       STATUS  current
1276	       DESCRIPTION
1277	           "The basic mandatory TUDA MIB objects."
1278	       ::= { tudaV1ObjectGroups 1 }

1280	   tudaV1OptionalGroup OBJECT-GROUP
1281	       OBJECTS {
1282	           tudaV1AIKCertCycles,
1283	           tudaV1AIKCertData,
1284	           tudaV1TSACertCycles,
1285	           tudaV1TSACertData,
1286	           tudaV1MeasureCycles,
1287	           tudaV1MeasureInstances,
1288	           tudaV1MeasureData,
1289	           tudaV1SWIDTagCycles,
1290	           tudaV1SWIDTagData
1291	       }
1292	       STATUS  current
1293	       DESCRIPTION
1294	           "The optional TUDA MIB objects."
1295	       ::= { tudaV1ObjectGroups 2 }

1297	   tudaV1TrapGroup NOTIFICATION-GROUP
1298	       NOTIFICATIONS { tudaV1TrapV2Cycles }
1299	       STATUS      current
1300	       DESCRIPTION
1301	           "The recommended TUDA MIB traps - notifications."
1302	       ::= { tudaV1NotificationGroups 1 }

1304	   END
1305	   <CODE ENDS>

1307	5.  IANA Considerations

1309	   This memo includes requests to IANA, including registrations for
1310	   media type definitions.

1312	   TBD

1314	6.  Security Considerations

1316	   There are Security Considerations.  TBD

1318	7.  Change Log

1320	   Changes from version 01 to version 02:

1322	   o  Restructuring of Introduction, highlighting conceptual
1323	      prerequisites

1325	   o  Restructuring of Concept to better illustrate differences to hand-
1326	      shake based attestation and deciding factors regarding freshness
1327	      properties

1329	   o  Subsection structure added to Terminology

1331	   o  Clarification of descriptions of approach (these were the FIXMEs)

1333	   o  Correction of RestrictionInfo structure: Added missing signature
1334	      member

1336	   Changes from version 00 to version 01:

1338	   Major update to the SNMP MIB and added a table for the Concise SWID
1339	   profile Reference Hashes that provides additional information to be
1340	   compared with the measurement logs.

1342	8.  Contributors

1344	   TBD

1346	9.  References

1348	9.1.  Normative References

1350	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1351	              Requirement Levels", BCP 14, RFC 2119,
1352	              DOI 10.17487/RFC2119, March 1997,
1353	              <http://www.rfc-editor.org/info/rfc2119>.

1355	9.2.  Informative References

1357	   [AIK-Credential]
1358	              "TCG Credential Profile", 2007,
1359	              <http://www.trustedcomputinggroup.org/files/
1360	              temp/642686EC-1D09-3519-AD58BB4C50BD5028/
1361	              IWG%20Credential_Profiles_V1_R1_14.pdf>.

1363	   [AIK-Enrollment]
1364	              TCG Infrastructure Working Group, "A CMC Profile for AIK
1365	              Certificate Enrollment", 2011,
1366	              <https://www.trustedcomputinggroup.org/files/
1367	              resource_files/738DF0BB-1A4B-B294-D0AF6AF9CC023163/
1368	              IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf>.

1370	   [I-D-birkholz-sacm-coswid]
1371	              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
1372	              Waltermire, "Concise Software Identifiers", draft-
1373	              birkholz-sacm-coswid-00 (work in progress), March 2016.

1375	   [I-D.greevenbosch-appsawg-cbor-cddl]
1376	              Vigano, C. and H. Birkholz, "CBOR data definition language
1377	              (CDDL): a notational convention to express CBOR data
1378	              structures", draft-greevenbosch-appsawg-cbor-cddl-08 (work
1379	              in progress), March 2016.

1381	   [I-D.ietf-netconf-restconf]
1382	              Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1383	              Protocol", draft-ietf-netconf-restconf-15 (work in
1384	              progress), July 2016.

1386	   [IEEE802.1AR]
1387	              IEEE Computer Society, "IEEE Standard for Local and
1388	              metropolitan area networks -- Secure Device Identity",
1389	              IEEE Std 802.1AR, 2009.

1391	   [PTS]      "TCG Attestation PTS Protocol Binding to TNC IF-M", 2011,
1392	              <http://www.trustedcomputinggroup.org/files/
1393	              resource_files/508E7E89-1A4B-B294-D06395D5FD7EC4E7/
1394	              IFM_PTS_v1_0_r28.pdf>.

1396	   [REST]     Fielding, R., "Architectural Styles and the Design of
1397	              Network-based Software Architectures", Ph.D. Dissertation,
1398	              University of California, Irvine, 2000,
1399	              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
1400	              fielding_dissertation.pdf>.

1402	   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
1403	              for Network Management of TCP/IP-based internets: MIB-II",
1404	              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
1405	              <http://www.rfc-editor.org/info/rfc1213>.

1407	   [RFC2790]  Waldbusser, S. and P. Grillo, "Host Resources MIB",
1408	              RFC 2790, DOI 10.17487/RFC2790, March 2000,
1409	              <http://www.rfc-editor.org/info/rfc2790>.

1411	   [RFC3161]  Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
1412	              "Internet X.509 Public Key Infrastructure Time-Stamp
1413	              Protocol (TSP)", RFC 3161, DOI 10.17487/RFC3161, August
1414	              2001, <http://www.rfc-editor.org/info/rfc3161>.

1416	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
1417	              Architecture for Describing Simple Network Management
1418	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
1419	              DOI 10.17487/RFC3411, December 2002,
1420	              <http://www.rfc-editor.org/info/rfc3411>.

1422	   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
1423	              the Simple Network Management Protocol (SNMP)", STD 62,
1424	              RFC 3418, DOI 10.17487/RFC3418, December 2002,
1425	              <http://www.rfc-editor.org/info/rfc3418>.

1427	   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
1428	              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
1429	              <http://www.rfc-editor.org/info/rfc6690>.

1431	   [RFC6933]  Bierman, A., Romascanu, D., Quittek, J., and M.
1432	              Chandramouli, "Entity MIB (Version 4)", RFC 6933,
1433	              DOI 10.17487/RFC6933, May 2013,
1434	              <http://www.rfc-editor.org/info/rfc6933>.

1436	   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
1437	              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
1438	              October 2013, <http://www.rfc-editor.org/info/rfc7049>.

1440	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
1441	              Protocol (HTTP/1.1): Message Syntax and Routing",
1442	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
1443	              <http://www.rfc-editor.org/info/rfc7230>.

1445	   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
1446	              Application Protocol (CoAP)", RFC 7252,
1447	              DOI 10.17487/RFC7252, June 2014,
1448	              <http://www.rfc-editor.org/info/rfc7252>.

1450	   [RFC7320]  Nottingham, M., "URI Design and Ownership", BCP 190,
1451	              RFC 7320, DOI 10.17487/RFC7320, July 2014,
1452	              <http://www.rfc-editor.org/info/rfc7320>.

1454	   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
1455	              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
1456	              DOI 10.17487/RFC7540, May 2015,
1457	              <http://www.rfc-editor.org/info/rfc7540>.

1459	   [SCALE]    Fuchs, A., "Improving Scalability for Remote Attestation",
1460	              Master Thesis (Diplomarbeit), Technische Universitaet
1461	              Darmstadt, Germany, 2008.

1463	   [SFKE2008]
1464	              Stumpf, F., Fuchs, A., Katzenbeisser, S., and C. Eckert,
1465	              "Improving the scalability of platform attestation",
1466	              ACM Proceedings of the 3rd ACM workshop on Scalable
1467	              trusted computing, page 1-10, 2008.

1469	   [STD62]    "Internet Standard 62", STD 62, RFCs 3411 to 3418,
1470	              December 2002.

1472	   [TPM12]    "Information technology -- Trusted Platform Module -- Part
1473	              1: Overview", ISO/IEC 11889-1, 2009.

1475	Appendix A.  Realization with TPM 1.2 functions

1477	A.1.  TPM Functions

1479	   The following TPM structures, resources and functions are used within
1480	   this approach.  They are based upon the TPM 1.2 specification
1481	   [TPM12].

1483	A.1.1.  Tick-Session and Tick-Stamp

1485	   On every boot, the TPM initializes a new Tick-Session.  Such a tick-
1486	   session consists of a nonce that is randomly created upon each boot
1487	   to identify the current boot-cycle - the phase between boot-time of
1488	   the device and shutdown or power-off - and prevent replaying of old
1489	   tick-session values.  The TPM uses its internal entropy source that
1490	   guarantees virtually no collisions of the nonce values between two of
1491	   such boot cycles.

1493	   It further includes an internal timer that is being initialize to
1494	   Zero on each reboot.  From this point on, the TPM increments this
1495	   timer continuously based upon its internal secure clocking
1496	   information until the device is powered down or set to sleep.  By its
1497	   hardware design, the TPM will detect attacks on any of those
1498	   properties.

1500	   The TPM offers the function TPM_TickStampBlob, which allows the TPM
1501	   to create a signature over the current tick-session and two
1502	   externally provided input values.  These input values are designed to
1503	   serve as a nonce and as payload data to be included in a
1504	   TickStampBlob: TickstampBlob := sig(TPM-key, currentTicks || nonce ||
1505	   externalData).

1507	   As a result, one is able to proof that at a certain point in time
1508	   (relative to the tick-session) after the provisioning of a certain
1509	   nonce, some certain externalData was known and provided to the TPM.
1510	   If an approach however requires no input values or only one input
1511	   value (such as the use in this document) the input values can be set
1512	   to well-known value.  The convention used within TCG specifications
1513	   and within this document is to use twenty bytes of zero
1514	   h'0000000000000000000000000000000000000000' as well-known value.

1516	A.1.2.  Platform Configuration Registers (PCRs)

1518	   The TPM is a secure cryptoprocessor that provides the ability to
1519	   store measurements and metrics about an endpoint's configuration and
1520	   state in a secure, tamper-proof environment.  Each of these security
1521	   relevant metrics can be stored in a volatile Platform Configuration
1522	   Register (PCR) inside the TPM.  These measurements can be conducted
1523	   at any point in time, ranging from an initial BIOS boot-up sequence
1524	   to measurements taken after hundreds of hours of uptime.

1526	   The initial measurement is triggered by the Platforms so-called pre-
1527	   BIOS or ROM-code.  It will conduct a measurement of the first
1528	   loadable pieces of code; i.e.\ the BIOS.  The BIOS will in turn
1529	   measure its Option ROMs and the BootLoader, which measures the OS-
1530	   Kernel, which in turn measures its applications.  This describes a
1531	   so-called measurement chain.  This typically gets recorded in a so-
1532	   called measurement log, such that the values of the PCRs can be
1533	   reconstructed from the individual measurements for validation.

1535	   Via its PCRs, a TPM provides a Root of Trust that can, for example,
1536	   support secure boot or remote attestation.  The attestation of an
1537	   endpoint's identity or security posture is based on the content of an
1538	   TPM's PCRs (platform integrity measurements).

1540	A.1.3.  PCR restricted Keys

1542	   Every key inside the TPM can be restricted in such a way that it can
1543	   only be used if a certain set of PCRs are in a predetermined state.
1544	   For key creation the desired state for PCRs are defined via the
1545	   PCRInfo field inside the keyInfo parameter.  Whenever an operation
1546	   using this key is performed, the TPM first checks whether the PCRs
1547	   are in the correct state.  Otherwise the operation is denied by the
1548	   TPM.

1550	A.1.4.  CertifyInfo

1552	   The TPM offers a command to certify the properties of a key by means
1553	   of a signature using another key.  This includes especially the
1554	   keyInfo which in turn includes the PCRInfo information used during
1555	   key creation.  This way, a third party can be assured about the fact
1556	   that a key is only usable if the PCRs are in a certain state.

1558	A.2.  Protocol and Procedure

1560	A.2.1.  AIK and AIK Certificate

1562	   Attestations are based upon a cryptographic signature performed by
1563	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
1564	   the properties that it cannot be exported from a TPM and is used for
1565	   attestations.  Trust in the AIK is established by an X.509
1566	   Certificate emitted by a Certificate Authority.  The AIK certificate
1567	   is either provided directly or via a so-called PrivacyCA
1568	   [AIK-Enrollment].

1570	   This element consists of the AIK certificate that includes the AIK's
1571	   public key used during verification as well as the certificate chain
1572	   up to the Root CA for validation of the AIK certificate itself.

1574	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
1575	   AIK-Cert = Cert
1576	   TSA-Cert = Cert

1578	                    Figure 2: TUDA-Cert element in CDDL

1580	   The TSA-Cert is a standard certificate of the TSA.

1582	   The AIK-Cert may be provisioned in a secure environment using
1583	   standard means or it may follow the PrivacyCA protocols.  Figure 3
1584	   gives a rough sketch of this protocol.  See [AIK-Enrollment] for more
1585	   information.

1587	   The X.509 Certificate is built from the AIK public key and the
1588	   corresponding PKCS #7 certificate chain, as shown in Figure 3.

1590	   Required TPM functions:

1592	   | create_AIK_Cert(...) = {
1593	   |   AIK = TPM_MakeIdentity()
1594	   |   IdReq = CollateIdentityRequest(AIK,EK)
1595	   |   IdRes = Call(AIK-CA, IdReq)
1596	   |   AIK-Cert = TPM_ActivateIdentity(AIK, IdRes)
1597	   | }
1598	   |
1599	   | /* Alternative */
1600	   |
1601	   | create_AIK_Cert(...) = {
1602	   |   AIK = TPM_CreateWrapKey(Identity)
1603	   |   AIK-Cert = Call(AIK-CA, AIK.pubkey)
1604	   | }

1606	                 Figure 3: Creating the TUDA-Cert element

1608	A.2.2.  Synchronization Token

1610	   The reference for Attestations are the Tick-Sessions of the TPM.  In
1611	   order to put Attestations into relation with a Real Time Clock (RTC),
1612	   it is necessary to provide a cryptographic synchronization between
1613	   the tick session and the RTC.  To do so, a synchronization protocol
1614	   is run with a Time Stamp Authority (TSA) that consists of three
1615	   steps:

1617	   o  The TPM creates a TickStampBlob using the AIK
1618	   o  This TickstampBlob is used as nonce to the Timestamp of the TSA

1620	   o  Another TickStampBlob with the AIK is created using the TSA's
1621	      Timestamp a nonce

1623	   The first TickStampBlob is called "left" and the second "right" in a
1624	   reference to their position on a time-axis.

1626	   These three elements, with the TSA's certificate factored out, form
1627	   the synchronization token

1629	   TUDA-Synctoken = [
1630	     left: TickStampBlob-Output,
1631	     timestamp: TimeStampToken,
1632	     right: TickStampBlob-Output,
1633	   ]

1635	   TimeStampToken = bytes ; RFC 3161

1637	   TickStampBlob-Output = [
1638	     currentTicks: TPM-CURRENT-TICKS,
1639	     sig: bytes,
1640	   ]

1642	   TPM-CURRENT-TICKS = [
1643	     currentTicks: uint
1644	     ? (
1645	       tickRate: uint
1646	       tickNonce: TPM-NONCE
1647	     )
1648	   ]
1649	   ; Note that TickStampBlob-Output "right" can omit the values for
1650	   ;   tickRate and tickNonce since they are the same as in "left"

1652	   TPM-NONCE = bytes .size 20

1654	                    Figure 4: TUDA-Sync element in CDDL

1656	   Required TPM functions:

1658	   | dummyDigest = h'0000000000000000000000000000000000000000'
1659	   | dummyNonce = dummyDigest
1660	   |
1661	   | create_sync_token(AIKHandle, TSA) = {
1662	   |   ts_left = TPM_TickStampBlob(
1663	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
1664	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
1665	   |       digestToStamp = dummyDigest  /*TPM_DIGEST*/)
1666	   |
1667	   |   ts = TSA_Timestamp(TSA, nonce = hash(ts_left))
1668	   |
1669	   |   ts_right = TPM_TickStampBlob(
1670	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
1671	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
1672	   |       digestToStamp = hash(ts))    /*TPM_DIGEST*/
1673	   |
1674	   |   TUDA-SyncToken = [[ts_left.ticks, ts_left.sig], ts,
1675	   |                     [ts_right.ticks.currentTicks, ts_right.sig]]
1676	   |   /* Note: skip the nonce and tickRate field for ts_right.ticks */
1677	   | }

1679	                 Figure 5: Creating the Sync-Token element

1681	A.2.3.  RestrictionInfo

1683	   The attestation relies on the capability of the TPM to operate on
1684	   restricted keys.  Whenever the PCR values for the machine to be
1685	   attested change, a new restricted key is created that can only be
1686	   operated as long as the PCRs remain in their current state.

1688	   In order to prove to the Verifier that this restricted temporary key
1689	   actually has these properties and also to provide the PCR value that
1690	   it is restricted, the TPM command TPM_CertifyInfo is used.  It
1691	   creates a signed certificate using the AIK about the newly created
1692	   restricted key.

1694	   This token is formed from the list of:

1696	   o  PCR list,

1698	   o  the newly created restricted public key, and

1700	   o  the certificate.

1702	 TUDA-RestrictionInfo = [Composite,
1703	                         restrictedKey_Pub: Pubkey,
1704	                         CertifyInfo]

1706	 PCRSelection = bytes .size (2..4) ; used as bit string

1708	 Composite = [
1709	   bitmask: PCRSelection,
1710	   values: [*PCR-Hash],
1711	 ]

1713	 Pubkey = bytes ; may be extended to COSE pubkeys

1715	 CertifyInfo = [
1716	   TPM-CERTIFY-INFO,
1717	   sig: bytes,
1718	 ]

1720	 TPM-CERTIFY-INFO = [
1721	   ; we don't encode TPM-STRUCT-VER:
1722	   ; these are 4 bytes always equal to h'01010000'
1723	   keyUsage: uint, ; 4byte? 2byte?
1724	   keyFlags: bytes .size 4, ; 4byte
1725	   authDataUsage: uint, ; 1byte (enum)
1726	   algorithmParms: TPM-KEY-PARMS,
1727	   pubkeyDigest: Hash,
1728	   ; we don't encode TPM-NONCE data, which is 20 bytes, all zero
1729	   parentPCRStatus: bool,
1730	   ; no need to encode pcrinfosize
1731	   pcrinfo: TPM-PCR-INFO,        ; we have exactly one
1732	 ]

1734	 TPM-PCR-INFO = [
1735	     pcrSelection: PCRSelection; /* TPM_PCR_SELECTION */
1736	     digestAtRelease: PCR-Hash;  /* TPM_COMPOSITE_HASH */
1737	     digestAtCreation: PCR-Hash; /* TPM_COMPOSITE_HASH */
1738	 ]

1740	 TPM-KEY-PARMS = [
1741	   ; algorithmID: uint, ; <= 4 bytes -- not encoded, constant for TPM1.2
1742	   encScheme: uint, ; <= 2 bytes
1743	   sigScheme: uint, ; <= 2 bytes
1744	   parms: TPM-RSA-KEY-PARMS,
1745	 ]

1747	 TPM-RSA-KEY-PARMS = [
1748	   ; "size of the RSA key in bits":
1749	   keyLength: uint
1750	   ; "number of prime factors used by this RSA key":
1751	   numPrimes: uint
1752	   ; "This SHALL be the size of the exponent":
1753	   exponentSize: null / uint / biguint
1754	   ; "If the key is using the default exponent then the exponentSize
1755	   ; MUST be 0" -> we represent this case as null
1756	 ]

1758	                    Figure 6: TUDA-Key element in CDDL

1760	   Required TPM functions:

1762	   | dummyDigest = h'0000000000000000000000000000000000000000'
1763	   | dummyNonce = dummyDigest
1764	   |
1765	   | create_Composite
1766	   |
1767	   | create_restrictedKey_Pub(pcrsel) = {
1768	   |   PCRInfo = {pcrSelection = pcrsel,
1769	   |              digestAtRelease = hash(currentValues(pcrSelection))
1770	   |              digestAtCreation = dummyDigest}
1771	   |   / * PCRInfo is a TPM_PCR_INFO and thus also a TPM_KEY */
1772	   |
1773	   |   wk = TPM_CreateWrapKey(keyInfo = PCRInfo)
1774	   |   wk.keyInfo.pubKey
1775	   | }
1776	   |
1777	   | create_TPM-Certify-Info = {
1778	   |   CertifyInfo = TPM_CertifyKey(
1779	   |       certHandle = AIK,          /* TPM_KEY_HANDLE */
1780	   |       keyHandle = wk,            /* TPM_KEY_HANDLE */
1781	   |       antiReply = dummyNonce)    /* TPM_NONCE */
1782	   |
1783	   |   CertifyInfo.strip()
1784	   |   /* Remove those values that are not needed */
1785	   | }

1787	                       Figure 7: Creating the pubkey

1789	A.2.4.  Measurement Log

1791	   Similarly to regular attestations, the Verifier needs a way to
1792	   reconstruct the PCRs' values in order to estimate the trustworthiness
1793	   of the device.  As such, a list of those elements that were extended
1794	   into the PCRs is reported.  Note though that for certain
1795	   environments, this step may be optional if a list of valid PCR
1796	   configurations exists and no measurement log is required.

1798	   TUDA-Measurement-Log = [*PCR-Event]
1799	   PCR-Event = [
1800	     type: PCR-Event-Type,
1801	     pcr: uint,
1802	     template-hash: PCR-Hash,
1803	     filedata-hash: tagged-hash,
1804	     pathname: text; called filename-hint in ima (non-ng)
1805	   ]

1807	   PCR-Event-Type = &(
1808	     bios: 0
1809	     ima: 1
1810	     ima-ng: 2
1811	   )

1813	   ; might want to make use of COSE registry here
1814	   ; however, that might never define a value for sha1
1815	   tagged-hash /= [sha1: 0, bytes .size 20]
1816	   tagged-hash /= [sha256: 1, bytes .size 32]

1818	A.2.5.  Implicit Attestation

1820	   The actual attestation is then based upon a TickStampBlob using the
1821	   restricted temporary key that was certified in the steps above.  The
1822	   TPM-Tickstamp is executed and thereby provides evidence that at this
1823	   point in time (with respect to the TPM internal tick-session) a
1824	   certain configuration existed (namely the PCR values associated with
1825	   the restricted key).  Together with the synchronization token this
1826	   tick-related timing can then be related to the real-time clock.

1828	   This element consists only of the TPM_TickStampBlock with no nonce.

1830	   TUDA-Verifytoken = TickStampBlob-Output

1832	                   Figure 8: TUDA-Verify element in CDDL

1834	   Required TPM functions:

1836	   | imp_att = TPM_TickStampBlob(
1837	   |     keyHandle = restrictedKey_Handle,     /*TPM_KEY_HANDLE*/
1838	   |     antiReplay = dummyNonce,              /*TPM_NONCE*/
1839	   |     digestToStamp = dummyDigest)          /*TPM_DIGEST*/
1840	   |
1841	   | VerifyToken = imp_att

1843	                    Figure 9: Creating the Verify Token

1845	A.2.6.  Attestation Verification Approach

1847	   The seven TUDA information elements transport the essential content
1848	   that is required to enable verification of the attestation statement
1849	   at the Verifier.  The following listings illustrate the verification
1850	   algorithm to be used at the Verifier in pseudocode.  The pseudocode
1851	   provided covers the entire verification task.  If only a subset of
1852	   TUDA elements changed (see Section 2.1), only the corresponding code
1853	   listings need to be re-executed.

1855	   | TSA_pub = verifyCert(TSA-CA, Cert.TSA-Cert)
1856	   | AIK_pub = verifyCert(AIK-CA, Cert.AIK-Cert)

1858	                  Figure 10: Verification of Certificates

1860	  | ts_left = Synctoken.left
1861	  | ts_right = Synctoken.right
1862	  |
1863	  | /* Reconstruct ts_right's omitted values; Alternatively assert == */
1864	  | ts_right.currentTicks.tickRate = ts_left.currentTicks.tickRate
1865	  | ts_right.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
1866	  |
1867	  | ticks_left = ts_left.currentTicks
1868	  | ticks_right = ts_right.currentTicks
1869	  |
1870	  | /* Verify Signatures */
1871	  | verifySig(AIK_pub, dummyNonce || dummyDigest || ticks_left)
1872	  | verifySig(TSA_pub, hash(ts_left) || timestamp.time)
1873	  | verifySig(AIK_pub, dummyNonce || hash(timestamp) || ticks_right)
1874	  |
1875	  | delta_left = timestamp.time -
1876	  |     ticks_left.currentTicks * ticks_left.tickRate / 1000
1877	  |
1878	  | delta_right = timestamp.time -
1879	  |     ticks_right.currentTicks * ticks_right.tickRate / 1000

1881	             Figure 11: Verification of Synchronization Token

1883	   | compositeHash = hash_init()
1884	   | for value in Composite.values:
1885	   |     hash_update(compositeHash, value)
1886	   | compositeHash = hash_finish(compositeHash)
1887	   |
1888	   | certInfo = reconstruct_static(TPM-CERTIFY-INFO)
1889	   |
1890	   | assert(Composite.bitmask == ExpectedPCRBitmask)
1891	   | assert(certInfo.pcrinfo.PCRSelection == Composite.bitmask)
1892	   | assert(certInfo.pcrinfo.digestAtRelease == compositeHash)
1893	   | assert(certInfo.pubkeyDigest == hash(restrictedKey_Pub))
1894	   |
1895	   | verifySig(AIK_pub, dummyNonce || certInfo)

1897	                Figure 12: Verification of Restriction Info

1899	   | for event in Measurement-Log:
1900	   |     if event.pcr not in ExpectedPCRBitmask:
1901	   |         continue
1902	   |     if event.type == BIOS:
1903	   |         assert_whitelist-bios(event.pcr, event.template-hash)
1904	   |     if event.type == ima:
1905	   |         assert(event.pcr == 10)
1906	   |         assert_whitelist(event.pathname, event.filedata-hash)
1907	   |         assert(event.template-hash ==
1908	   |                hash(event.pathname || event.filedata-hash))
1909	   |     if event.type == ima-ng:
1910	   |         assert(event.pcr == 10)
1911	   |         assert_whitelist-ng(event.pathname, event.filedata-hash)
1912	   |         assert(event.template-hash ==
1913	   |                hash(event.pathname || event.filedata-hash))
1914	   |
1915	   |     virtPCR[event.pcr] = hash_extend(virtPCR[event.pcr],
1916	   |                                      event.template-hash)
1917	   |
1918	   | for pcr in ExpectedPCRBitmask:
1919	   |     assert(virtPCR[pcr] == Composite.values[i++]

1921	                Figure 13: Verification of Measurement Log

1923	  | ts = Verifytoken
1924	  |
1925	  | /* Reconstruct ts's omitted values; Alternatively assert == */
1926	  | ts.currentTicks.tickRate = ts_left.currentTicks.tickRate
1927	  | ts.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
1928	  |
1929	  | verifySig(restrictedKey_pub, dummyNonce || dummyDigest || ts)
1930	  |
1931	  | ticks = ts.currentTicks
1932	  |
1933	  | time_left = delta_right + ticks.currentTicks * ticks.tickRate / 1000
1934	  | time_right = delta_left + ticks.currentTicks * ticks.tickRate / 1000
1935	  |
1936	  | [time_left, time_right]

1938	               Figure 14: Verification of Attestation Token

1940	Acknowledgements

1942	Authors' Addresses

1944	   Andreas Fuchs
1945	   Fraunhofer Institute for Secure Information Technology
1946	   Rheinstrasse 75
1947	   Darmstadt  64295
1948	   Germany

1950	   Email: andreas.fuchs@sit.fraunhofer.de

1952	   Henk Birkholz
1953	   Fraunhofer Institute for Secure Information Technology
1954	   Rheinstrasse 75
1955	   Darmstadt  64295
1956	   Germany

1958	   Email: henk.birkholz@sit.fraunhofer.de

1960	   Ira E McDonald
1961	   High North Inc
1962	   PO Box 221
1963	   Grand Marais  49839
1964	   US

1966	   Email: blueroofmusic@gmail.com
1967	   Carsten Bormann
1968	   Universitaet Bremen TZI
1969	   Bibliothekstr. 1
1970	   Bremen  D-28359
1971	   Germany

1973	   Phone: +49-421-218-63921
1974	   Email: cabo@tzi.org