Network Working Group | H. Birkholz |
Internet-Draft | Fraunhofer SIT |
Intended status: Informational | M. Wiseman |
Expires: January 3, 2019 | GE Global Research |
H. Tschofenig | |
ARM Ltd. | |
July 02, 2018 |
Reference Terminology for Remote Attestation Procedures
draft-birkholz-attestation-terminology-02
This document is intended to illustrate and remediate the impedance mismatch of terms related to remote attestation procedures used in different domains today. New terms defined by this document provide a consolidated basis to support future work on attestation procedures in the IETF and beyond.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
During its evolution, the term Remote Attestation has been used in multiple contexts and multiple scopes and in consequence accumulated various connotations with slightly different semantic meaning. Correspondingly, Remote Attestation Procedures (RATS) are employed in various usage scenarios and different environments.
In order to better understand and grasp the intend and meaning of specific RATS in the scope of the security area - including the requirements that are addressed by them - this document provides an overview of existing work, its background, and common terminology. As the contribution, from that state-of-the-art a set of terms that provides a stable basis for future work on RATS in the IETF is derived.
The primary application of RATS is to increase the trust and confidence in the integrity of the object characteristics and properties of a system entity that is intended to interact and exchange data with other system entities remotely. How an objects’s characteristics are attested remotely and which characteristics are actually chosen to be attested varies with the requirements of the use cases, or -– in essence –- depends on the risk that is intended to be mitigated via RATS. Effectively, RATS are a vital tool to be used to increase the confidence in the level of trust of a system that is supposed to be a trusted system.
In the remainder of this document a system that is capable to provide an appropriate amount of information about its integrity is considered to be a trustworthy system - or simply trustworthy.
The primary characteristics of a trustworthy system are commonly based on information about the integrity of its intended composition, its enrolled and subsequently installed software components, and the scope of known valid states that a trustworthy system is supposed to operate in.
It is important to note that the activity of attestation itself in principle only provides the evidence that proves the integrity of a (subset) of a system’s object characteristics. The provided evidence is used as a basis for further activities. Specific RATS define the higher semantic context about how the evidence is utilized and what RATS actually can accomplish; and what they cannot accomplish, correspondingly. Hence, this document is also intended to provide a map of terms, concepts and applications that illustrate the ecosystem of current applications of RATS.
In essence, a prerequisite for providing an adequate set of terms and definitions in the domain of RATS is a general understanding and a common definitions of “what” RATS can accomplish “how” RATS can to be used.
Please note that this document is still missing multiple reference and is considered “under construction”. The majority of definitions is still only originating from IETF work. Future iterations will pull in more complementary definitions from other SDO (e.g. Global Platform, TCG, etc.) and a general structure template to highlight semantic relationships and capable of resolving potential discrepancies will be introduced. A section of context awareness will provide further insight on how attestation procedures are vital to ongoing work in the IETF (e.g. I2NSF & tokbind). The definitions in the section about RATS are still self-describing in this version. Additional explanatory text will be added to provide more context and coherence.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119, BCP 14 [RFC2119].
The use of the term Remote Attestation Procedures always implies the involvement of at least two parties that each take on a specific role in corresponding RATS – the Attestor role and the Verifier role. Depending on the object characteristics attested and the nature of the parties, information is exchanged via specific types of Interconnects between them. The type of interconnect ranges from GIO pins, to a bus component, to the Internet, or from a direct physical connection, to a wireless association, to a world wide mesh of peers. In other words, virtually every kind communication path (Interconnect) can be used by system entities that take on the role of Attestor and Verifier (in fact, a single party can take on both roles at the same time, but there is only a limited use to this architecture).
This section introduces the term Computing Context in order to simplify the definition of RATS terminology.
The number of approaches and solutions to create things that provide the same capabilities as a “simple physical device” continuously increases. Examples include but are not limited to: the compartmentalization of physical resources, the separation of software instances with different dependencies in dedicated containers, and the nesting of virtual components via hardware-based and software-based solutions.
System entities are composed of system entities. In essence, every physical or logical device is a composite of system entities. In consequence, a composite device also constitutes a system entity. Every component in that composite is a potential Computing Context capable of taking on the roles of Attestor or Verifier. The scope and application of these roles can range from:
Analogously, the increasing number of features and functions that constitute components of a device start to blur the lines that are required to categorize each solution and approach precisely. To address this increasingly challenging categorization, the term Computing Context defines the characteristics of the system entities that can take on the role of an Attestor and/or the role of a Verifier. This approach is intended to provide a stable basis of definitions for future solutions that continuous to remain viable long-term.
The formal semantic relationship of a Computing Context and the definitions provided by RFC 4949 is a as follows.
The scope of the term computing context encompasses
Analogously, a sub-context is a subsystem and as with system components, computing contexts can be nested and therefore be physical system components or logical (“virtual”) system (sub-)components.
The formal semantic relationship is based on the following definitions from RFC 4949.
While the semantic relationships highlighted above constitute the fundamental basis to provide a define Computing Context, the following list of object characteristics is intended to improve the application of the term and provide a better understanding of its meaning:
A computing context:
In contrast, a docker [ref docker, find a more general term here] context is not a distinguishable isolated slice of an information system and therefore is not an independent Computing Context. [more feedback on this statement is required as the capabilities of docker-like functions evolve continuously]
Examples include: a smart phone, a nested virtual machine, a virtualized firewall function running distributed on a cluster of physical and virtual nodes, or a trust-zone.
The identity of a Computing Context provides the basis for creating evidence about data origin authenticity. Confidence in the identity assurance level [NIST SP-800-63-3] or the assurance levels for identity authentication [RFC4949] impacts the confidence in the evidence an Attestor provides.
This section introduces terms and definitions that are required to illustrate the scope and the granularity of RATS workflows in the domain of security automation. Terms defined in the following sections will be based on this workflow-related definitions.
In general, RATS are composed of iterative activities that can be conducted in intervals. It is neither a generic set of actions nor simply a task, because the actual actions to be conducted by RATS can vary significantly depending on the protocols employed and types of Computing Contexts involved.
This document provides NNN prominent examples of use cases attestation procedures are intended to address:
These use case summary highlighted above is based in the following terms defined in RFC4949 and complementary sources of terminology:
A very prominent goal of attestation procedures – and therefore a suitable example used as reference in this document - is to address the “lying endpoint problem”.
Information created, relayed, or, in essence, emitted by a computing context does not have to be correct. There can be multiple reasons why that is the case and the “lying endpoint problem” represents a scenario, in which the reason is the compromization of computing contexts with malicious intend. A compromised computing context could try to “pretend” to be integer, while actually feeding manipulated information into a security domain, therefore compromising the effectiveness of automated security functions. Attestation – and remote attestation procedures specifically – is an approach intended to identify compromised software instances in computing contexts.
Per definition, a “lying endpoint” cannot be “trusted system”.
Remote attestation procedures are intended to enable the consumer of information emitted by an computing context to assess the validity and integrity of the information transferred. The approach is based on the assumption that if evidence can be provided in order to prove the integrity of every software instance installed involved in the activity of creating the emitted information in question, the emitted information can be considered valid and integer.
In contrast, such evidence has to be impossible to create if the software instances used in a computing context are compromised. Attestation activities that are intended to create this evidence therefore also to also provide guarantees about the validity of the evidence they can create.
[working title, write up use case here, ref teep requirements]
A “lying endpoint” is not trustworthy.
[working title, pulled from various sources, vital]
This document will include requests to IANA:
There are always some.
Maybe.
No changes yet.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007. |
[I-D.ietf-sacm-terminology] | Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N. and A. Montville, "Security Automation and Continuous Monitoring (SACM) Terminology", Internet-Draft draft-ietf-sacm-terminology-14, December 2017. |
[RFC7519] | Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015. |