Internet-Draft | KAT | September 2024 |
Brossard, et al. | Expires 6 March 2025 | [Page] |
This document defines an evidence format for key attestation based on the Entity Attestation Token (EAT).¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (rats@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/rats/.¶
Source for this draft and an issue tracker can be found at https://github.com/thomas-fossati/draft-kat.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 March 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document defines an evidence format for key attestation based on EAT [I-D.ietf-rats-eat].¶
The following terms are used in this document:¶
A set of software and/or hardware components that need to be trusted to act as a security foundation required for accomplishing the security goals of a system. In our case, the RoT is expected to offer the functionality for attesting to the state of the platform, and indirectly also to attest the integrity of the IK (public as well as private key) and the confidentiality of the IK private key.¶
Cryptographic key belonging to the RoT that is only used to sign attestation tokens.¶
An AK used specifically for signing attestation tokens relating to the state of the platform.¶
Evidence containing properties of the environment(s) in which the private keys are stored. For example, a Relying Party may want to know whether a private key is stored in a hardware security module and cannot be exported in unencrypted fashion.¶
An AK used specifically for signing KATs. In some systems only a single AK is used. In that case the AK is used as a PAK and a KAK.¶
The IK consists of a private and a public key. The private key is used by the usage protocol. The public key is included in the Key Attestation Token. The IK is protected by the RoT.¶
A (security) protocol that requires demonstrating possession of the private IK.¶
A collection of claims that a RoT assembles (and signs) with the purpose of informing - in a verifiable way - relying parties about the identity and state of the platform. Essentially a type of Evidence as per the RATS architecture terminology [RFC9334].¶
An AT containing claims relating to the security state of the platform, including software constituting the platform trusted computing base (TCB). The process of generating a PAT typically involves gathering data during measured boot.¶
An AT containing a claim with a public key. The KAT may also contain other claims, such as those indicating its validity. The KAT is signed by the KAK. The key attestation service, which is part of the platform root of trust (RoT), conceptually acts as a local certification authority since the KAT behaves like a certificate.¶
A structure used to bundle a KAT and a PAT together for transport in the usage protocol. If the KAT already includes a PAT, in form of a nested token, then it already corresponds to a CAB. A CAB is equivalent to a certificate that binds the identity of the platform's TCB with the IK public key.¶
Party that proves possession of a private key to a recipient of a KAT.¶
Party that receives the KAT containing the proof-of-possession key information from the presenter.¶
The issuer that creates the KAT and bundles a KAT together with a PAT in a CAB.¶
The reader is assumed to be familiar with the vocabulary and concepts defined in [RFC9334].¶
CDDL [RFC8610] [RFC9165] is used to describe the data formats and the examples in Section 6 use CBOR diagnostic notation defined in Section 8 of [STD94] and Appendix G of [RFC8610].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Key attestation is an extension to the attestation functionality described in [RFC9334]. We describe this conceptually by splitting the internals of the attester into two parts, platform attestation and key attestation. This is shown in Figure 1. These are logical roles and implementations may combine them into a single physical entity.¶
Security-sensitive functionality, like attestation, has to be placed into the trusted computing base. Since the trusted computing base itself may support different isolation layers, the design allows platform attestation to be separated from key attestation whereby platform attestation requires more privilege than the key attestation code. Cryptographic services, used by key attestation and by platform attestation, are separated although not shown in the figure.¶
The protocol used for communication between the Presenter and the Recipient is referred as usage protocol. The usage protocol, which is outside the scope of this specification, needs to support proof-of-possession of the private key (explained further below). An example usage protocol is TLS with the extension defined in [I-D.fossati-tls-attestation].¶
The Presenter triggers the generation of the IK. The IK consists of a public key (pIK) and a private key (sIK). The Presenter may, for example, use the following API call to trigger the generation of the key pair for a given algorithm and to obtain a key handle (key_id).¶
key_id = GenerateKeyPair(alg_id)¶
The private key is created and stored such that it is only accessible to the KAS rather than to the Presenter.¶
Next, the KAS needs to trigger the creation of the Platform Attestation Token (PAT) by the Platform Attestation Service. The PAT needs to be linked to the Key Attestation Token (KAT) and this linkage can occur in a number of ways. One approach is described in this specification in Section 5.1. The Key Attestation Token (KAT) includes the public key of the IK (pIK) and is then signed with the Key Attestation Key (KAK).¶
To ensure freshness of the PAT and the KAT a nonce is used, as suggested by the RATS architecture [RFC9334]. Here is the symbolic API call to request a KAT and a PAT, which are concatenated together as the CAB.¶
cab = createCAB(key_id, nonce)¶
Once the CAB has been sent by the Presenter to the Recipient, the Presenter has to demonstrate possession of the private key. The signature operation uses the private key of the IK (sIK). How this proof-of-possession of the private key is accomplished depends on the details of the usage protocol and is outside the scope of this specification.¶
The Recipient of the CAB and the proof-of-possession data (such as a digital signature) first extracts the PAT and the KAT. The PAT and the KAT may need to be conveyed to a Verifier. If the PAT is in the form of attestation results the checks can be performed locally at the Recipient, whereby the following checks are made:¶
The signature protecting the PAT MUST pass verification when using available trust anchor(s).¶
The chaining of PAT and KAT MUST be verified. The detailed verification procedure depends on the chaining mechanism utilized.¶
The claims in the PAT MUST be matched against stored reference values.¶
The signature protecting the KAT MUST pass verification.¶
The KAT MUST be checked for replays using the nonce included in the KAT definition (see Figure 2).¶
Once all these steps are completed, the verifier produces the attestation result and includes (if needed) the IK public key (pIK).¶
The KAT utilizes the proof-of-possession functionality defined in [RFC8747] to encode the public key of the IK (pIK).¶
The claims in the KAT are as follows:¶
There are no strict requirements regarding the composition of the
platform attestation token's claims-set, except for the presence of the
eat_nonce
claim used for binding (Section 5.1.1).¶
An example of PAT could be the PSA Token [I-D.tschofenig-rats-psa-token].¶
The KAT and PAT tokens are combined in a CMW "collection" [I-D.ietf-rats-msg-wrap] as shown in Figure 3.¶
KAT and PAT are a form of layered attestation (Section 3.2 of [RFC9334]). For the scheme to be secure, it is crucial that their
linkage is captured in their combined wire image. The way this is
achieved is by hashing the CBOR-encoded COSE_Key corresponding to the
KAK (i.e., the kak-pub
claim in the KAT) and using it to populate the
eat_nonce
claim in the PAT. The signature on the PAT seals the image
of the used KAK and therefore the linkage between the two layers.¶
TODO Security¶
TODO IANA¶
cab = { "kat": [ "application/eat+cwt", bytes .cbor cose_sign1<kat> ] "pat": [ "application/eat+cwt", bytes .cbor cose_sign1<pat> ] "__cmwc_t": "tag:ietf.org,2024-02-29:rats/kat" } ;# import rfc9052 kat = { &(eat_nonce: 10) => bstr .size (8..64) &(cnf: 8) => ak-pub &(kak-pub: 2500) => COSE_Key } ak-pub = cnf-map cnf-map = { &(cose-key: 1) => COSE_Key } pat = { &(eat_nonce: 10) => bstr .size (8..64) * (int / text) => any } cose_sign1<C> = [ Headers payload: bytes .cbor C signature: bytes ]¶
TODO acknowledge.¶