attestation rats eat
play

Attestation (RATS/EAT) Overview Laurence Lundblade February 2020 - PowerPoint PPT Presentation

Jan 16, 2024 •609 likes •956 views

Attestation (RATS/EAT) Overview Laurence Lundblade February 2020 Entity Attestation Good Devices Token Chip & device manufacturer Banking risk engine IoT backend Device ID (e.g. serial number) Boot state, debug state

  1. Attestation (RATS/EAT) Overview Laurence Lundblade February 2020

  2. Entity Attestation Good Devices Token • Chip & device manufacturer Banking risk engine IoT backend • Device ID (e.g. serial number) • Boot state, debug state … • Firmware, OS & app names and versions Car components Network infrastructure • Geographic location Bad Devices • Measurement, rooting & malware detection… All Are Optional Cryptographically Enterprise auth risk engine Electric company secured by signing 2

  3. EAT Initial Set of Claims Claim Descrip riptio tion UEID Identify a particular individual device, similar to a serial number OEM ID Identify the manufacturer of the device Boot and debug state Is secure/trusted/authenticated boot turned on? Is debug disabled? Geographic location GPS coordinates, speed, altitude Security level Rich OS, TEE, secure element… Nonce Token freshness Origination Identifies authority that can verify the token Time stamp Time and / or age of the token Submodules How to deal with claims from different subcomponents of a module. For example, the TEE and Rich OS are separate submodules. Nested tokens Putting one EAT inside another as a way of handling subcomponents Intended only as initial set. Expansion should include SW components, measurement, public keys (similar to Android attestation) and other. 3

  4. EAT Overall System Entity Manufacturer (e.g. chip or device vendor) Manufacturing process to put seed, private and/or public key, cert or other on device (this is Interaction to obtain public intentionally open-ended) key and related data for token verification. Nonce Entity (e.g., Chip, Device…) Relying Party (e.g., Server / Service) EAT Token Immutable private key for signing. Stored Key ID or Cert securely on device Signature and • Nonce public key Device status & Claims Claims Token creation • verification Claim 1 characteristics process & signing determination • Claim 2 … • Signature EAT Target get for r standard dardiza izatio tion 4

  5. Attes At estatio tation Verification key Architec Ar itecture re verify fy key gen Endor dorsement ement check eck Policy, known good values… Signing key Verifi ifier er Endor dorsement ement claim: OK Manufactu facture rer claim: nonce Makes device, provisions keys, runs verification service claim: OEM ID claim: GPS … claim: nonce Signing key claim: OEM ID Atte test stati ation on Result lt claim: GPS claim sign … claim … colle lect signature Part of device Atte test ster Decides whether to that attestation Atte test stati ation on Eviden ence ce enroll, authenticate, claims are about transact, allow Targe get access… Relying ing Party ty nonce Device ce / Entity ity Relying ing Party ty wants to enroll, authenticate, transact, access… 5

  6. An Anothe her r Verification key verify fy At Attes estat tation ion key gen Endor dorsement ement chec eck Ar Architec itecture re Policy, known good values… Verifi ifier er Signing key (more re are possibl ble) Endor dorsement ement Manufactu facture rer Makes device, provisions keys, runs verification service claim: OK claim: nonce claim: OEM ID claim: nonce Signing key claim: GPS claim: OEM ID … claim: GPS claim sign … Atte test stati ation on Result lt claim … colle lect signature Part of device Atte test ster Decides whether to that attestation Atte test stati ation on Eviden ence ce enroll, authenticate, claims are about transact, allow Targe get access… Relying ing Party ty nonce Device ce / Entity ity Relying ing Party ty wants to enroll, authenticate, transact, access… 6

  7. Primary Standardization Goal is Semantic Interoperability of Claims • Main types of claims to standardize: ◦ Device Identity ◦ Measurement ◦ Device boot, debug and configuration state ◦ Measurement and run time integrity checks ◦ Geographic location ◦ Device SW and HW versions ◦ Public key created on the device – Keystore, IoT and FIDO use cases • Claims should be generally applicable: ◦ Not specific to TPM, TrustZone, SGX, Secure Element… ◦ Not require any particular level of device security • Works with high-security device like Secure Elements and TPMs and low-security devices with nothing special at all. 7

  8. EAT Format (basically CWT) • COSE format for signing draft-mandyam-eat-00 Small message size for IoT • • Allows for varying signing algorithms, Overall verall st structure: : COS COSE_S E_Sign ign1 carries headers, sets overall format protected Algorithm -- Examples: ECDSA 256, RSA 2048, ECDAA headers Signing Scheme -- Examples: IEEE IDevID, EPID, X.509 Hierarchy • CBOR format for claims Key ID -- identifies the key needed to verify signature unprotected • Small message size for IoT headers Certs (optional) -- to chain up to a root for some signing schemes • Labelling of claims • Very flexible data types for all kinds of different claims. • CBOR formatted map of claims that describe device and its disposition • Translates to JSON • Few and simple or many, complex, nested… yload • All claims are optional -- no minimal set Signed payl • The format and meaning of a basic set of claims should be standardized • Signature proves device and claims for interoperability (critical) • Should be adaptable to cover many different use cases from tiny IoT Accommodate different end-end signing • Si devices to complex mobile phones schemes because of device • Privacy issues must be taken into account manufacturing issues • Privacy requirements also drive variance signature -- Examples: 64-byte ECDSA signature, 256-byte RSA signature sig in signing schemes si 8

  9. Example Token COSE binary ~130 COSE ECDSA signing overhead is JSON text ~500 bytes including sig about 87 bytes: 23 for headers and bytes including a structure, 64 bytes for ECDSA sig JOSE sig CBOR diagnostic representation of binary data of full signed token [ Payload Translated to JSON / protected / << { - Integer labels mapped to strings / alg / 1: -7 / ECDSA 256 / - Binary data base 64 encoded } >>, - Floating point numbers turned into strings / unprotected / { / kid / 4: h'4173796d6d65747269634543445341323536’ { }, “ UEID ” : “k8if9d98Mk97 9077L 3 8Uw 34kKFRHJgd18f==”, / payload / << { “ secureBoot ” : true , / UEID / 8: h'5427c1ff28d23fbad1f29c4c7c6a55 ’, “ debugDisable ” : true , / secure boot enabled / 13: true / debug disabled / 15: true “ integrity ” : { / integrity / -81000: { “ status ” : true , / status / -81001: true “ timestamp ”: “2015 -10- 5T05:09:04Z”, / timestamp / 21: 1444064944, }, }, “ location ” : { / location / 18: { “ lat ” : “32.9024843386”, / lat / 19: 32.9024843386, “ long ” : “-117.192956976”, / long / 20: -117.192956976 }, }, } } >>, / signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f9179bc3d7438bacaca5acd08c8 d4d4f96131680c429a01f85951ecee743a52b9b63632c57209120e1c9e30' ] 9

  10. COSE Signing Scheme Flexibility • Many standard algorithms already supported ◦ RSA, ECDSA and Edwards-Curve Signing (public key) ◦ HMAC and AES-based MACs (symmetric key) • Extensible for future algorithms ◦ IANA registry for algorithms exists today • Extensible for special case schemes ◦ Proprietary simple HMACs schemes, perhaps HW based ◦ Possibly Intel EPID ◦ (non-standard algorithms will of course be less interoperable) 10

  11. Privacy • Entity Attestation Tokens are intended for many use cases with varying privacy requirements ◦ Some will be simple with only 2 or 3 claims, others may have 100 claims ◦ Simple, single-use IoT devices, have fewer privacy issues and may be able to include claims that complex devices like Android phones cannot • Options for handling privacy ◦ Omit privacy-violating claims ◦ Redesign claims especially to work with privacy regulation ◦ Obtain user permission to include claims that would otherwise be privacy-violating Some signing schemes will be privacy-preserving (e.g. group key, ECDAA) and some will • not 11

  12. Detailed Claims Description 12

  13. Nonce Basic Claim A unique string from the relying party Included in token to prevent replay attacks 13

  14. Universal Entity ID (UEID) Basic Claim defined in EAT draft Identify an individual manufactured entity, device, chip, box… • Like a serial number, but not necessarily sequential • NOT a model number, device type or class of device • Universally and globally unique across all devices from all manufacturers without any qualifier. • Permanent, not reprogrammable • Not intended for direct use by humans Several types of binary byte strings defined: • Type 1 – 128 to 256-bit random number (e.g., a GUID) • Type 2 – IEEE EUI (similar to or same as MAC addresses registered by company by IEEE) • Type 3 – IMEI (typical mobile phone serial number) • Types 4,5,6 – IEEE EUI-48, 60 and 64 The relying party, receiver or consumer, MUST treat this as a completely opaque identifier 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance

BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance

BEHAVIORAL HEALTH AGENCY (BHA)- LICENSING, ATTESTATION, AND DEEMING Attestation for Substance Use Disorder (SUD) Services DOH agrees that an attestation process for SUD services should be an option The attestation process for SUD

474 views • 8 slides
PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new

PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new

PSA APIs An overview Attestation API 1.0.1 we are in the process of dropping a new release which allows signing using symmetric attestation keys (using COSE Mac0) Fully documented in ARM IHI 0085 TF-M master is slightly behind the

542 views • 17 slides
Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot

Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot

Solutions to exercise 3 Rasmus Waagepetersen October 16, 2019 Exercise 3 (rats) We plot response versus log-age (and age) rats$logage=log(rats$age) library(lattice) xyplot(response~logage,group=rat,type=&quot;l&quot;,data=rats) Vs log-age

112 views • 8 slides
(RATS) July 24, 2020 PERSS RATS MMHC + PORT CRAN BMHCA Point of Reentry and Transition

(RATS) July 24, 2020 PERSS RATS MMHC + PORT CRAN BMHCA Point of Reentry and Transition

Reentry and Transition Services (RATS) July 24, 2020 PERSS RATS MMHC + PORT CRAN BMHCA Point of Reentry and Transition (PORT) PORT Practices Bellevue Hospital Kings County Hospital PORTline Post-release outreach HCV

658 views • 13 slides
The RATS Collection: Supporting HLT Research with Degraded Audio Data David Graff, Kevin Walker,

The RATS Collection: Supporting HLT Research with Degraded Audio Data David Graff, Kevin Walker,

The RATS Collection: Supporting HLT Research with Degraded Audio Data David Graff, Kevin Walker, Stephanie Strassel, Xiaoyi Ma, Karen Jones, Ann Sawyer Linguistic Data Consortium University of Pennsylvania, USA RATS Overview Robust

496 views • 31 slides
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with

Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch Direct Anonymous Attestation What

655 views • 31 slides
A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B.

A Minimalist Approach to Remote Attestation Aurlien Francillon Eurecom Quan Nguyen, Kasper B. Rasmussen, Gene Tsudik UC Irvine Overview Motivation Definition of Remote Attestation From Definition to Properties From Properties

452 views • 17 slides
Fetal Cardiac Fin indings in in Rats Exposed to Tri richloroethylene (T (TCE) in in Dri

Fetal Cardiac Fin indings in in Rats Exposed to Tri richloroethylene (T (TCE) in in Dri

Fetal Cardiac Fin indings in in Rats Exposed to Tri richloroethylene (T (TCE) in in Dri rinking Water John M. DeSesso 1 , Christopher Bevan 2 , James S. Bus 1 1 Exponent, 2 Halogenated Solvents Industry Alliance Presented to: United States

848 views • 26 slides
-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION

-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION

-1- 1 CONTENTS 1. INTRODUCTION 2. HISTORY 3. PRODUCTS 4. ATTESTATION 5. CUSTOMERS 6. VISION 7. PICTURES -2- 2 1.INTRODUCE COMPANY NAME : HY ROBOTICS CO., LTD ( SOUTH KOREA ) HYROBOTICS CORP ( USA ) PRESIDENT : KANG, DAE

364 views • 10 slides
7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under

7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under

7.1 TEMPORARY INSCRIPTION ATTESTATION What is TIA? Controlling TIA: Every foreign vessel under contract to operate on BJW shall be subscribed on Inspection Management System SISGEVI. Expire Date of the TIA: The expiring date of the TIA

336 views • 17 slides
SC Self Audit Attestation &amp; SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead

SC Self Audit Attestation &amp; SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead

SC Self Audit Attestation &amp; SQMD Plan Affirmation Elaine Siegel Market Services Policy Lead Stakeholder Web Conference August 23, 2018 1:00 PM 2:00 PM (PDT) CAISO Public CAISO Public SC Self Audit Attestation &amp; SQMD Plan

564 views • 12 slides
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force Agenda Item 8-D IAASB Meeting, September 21-25, 2015 New York, USA Page 1 Increasing

444 views • 17 slides
MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History Manages signed images Handles updates, maintaining security Currently, custom manifest (SUIT maybe some day) What is TF-M Reference

91 views • 8 slides
Thermal emission The diode The triode How do triodes amplify? RATS

Thermal emission The diode The triode How do triodes amplify? RATS

Agenda A brief history Thermal emission The diode The triode How do triodes amplify? RATS presentation 2013 Mike Maxey 23/03/2013 G8CTJ 1 In 1802, Humphrey Davy invents the electric lamp - 1 In 1875,

660 views • 43 slides
cyanothioacetamide) on blood indicators of rats with acute tetrachloromethane hepatitis Bogdan

cyanothioacetamide) on blood indicators of rats with acute tetrachloromethane hepatitis Bogdan

Influence of partially hydrogenated pyridines (derivatives of cyanothioacetamide) on blood indicators of rats with acute tetrachloromethane hepatitis Bogdan Krivokolysko 1, *, Elena Bibik 2 , Anna Burdeynaya 3 , Konstantin Frolov 4 , Victor

131 views • 12 slides
Distributed Attestation for Device Swarms in IoTs Under the Guidance of Prof. Vinay Ribeiro and

Distributed Attestation for Device Swarms in IoTs Under the Guidance of Prof. Vinay Ribeiro and

Distributed Attestation for Device Swarms in IoTs Under the Guidance of Prof. Vinay Ribeiro and Prof. Kolin Paul Samuel Wedaj(2014CSZ8390) Background: 2 The term Internet of things was first coined in 1999 A hybrid network of

601 views • 25 slides
Learning to Extract Entities from Labeled and Unlabeled Text Rosie Jones Language Technologies

Learning to Extract Entities from Labeled and Unlabeled Text Rosie Jones Language Technologies

Learning to Extract Entities from Labeled and Unlabeled Text Rosie Jones Language Technologies Institute School of Computer Science Carnegie Mellon University May 5th, 2005 Extracting Information from Text Yesterday Rio de Janeiro was

1.05k views • 80 slides
Crafting Your Census Campaign Plan 1 Hi, Im Christina! Senior Project Manager 270

Crafting Your Census Campaign Plan 1 Hi, Im Christina! Senior Project Manager 270

Crafting Your Census Campaign Plan 1 Hi, Im Christina! Senior Project Manager 270 Strategies 2 270 Strategies and Do Big Things Who We We are community organizers, digital strategists, Are communications professionals, and data

955 views • 47 slides
RCB: A Simple and Practical Framework for Real-time Collaborative Browsing Chuan Yue, Zi Chu, and

RCB: A Simple and Practical Framework for Real-time Collaborative Browsing Chuan Yue, Zi Chu, and

RCB: A Simple and Practical Framework for Real-time Collaborative Browsing Chuan Yue, Zi Chu, and Haining Wang The College of William and Mary End-user Real-time Communication 2 Document Sharing and Collaboration Adobe Buzzword 3 Web

636 views • 28 slides
DISPLACED PHYSICS AT THE LHC Eric Kuflik Cornell University with Csaba Csaki (Cornell) Salvator

DISPLACED PHYSICS AT THE LHC Eric Kuflik Cornell University with Csaba Csaki (Cornell) Salvator

DISPLACED PHYSICS AT THE LHC Eric Kuflik Cornell University with Csaba Csaki (Cornell) Salvator Lombardo (Cornell) Oren Slone (Tel Aviv) Tomer Volansky (Tel Aviv) OUTLINE Motivation Dynamical R-Parity Violation displaced LSP

1.01k views • 55 slides
PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers consumers to participate in the token economy. SECURITY MOBILE AS A COLD WALLET Wallets are stored on your phone, Wallets are safe if we get hacked

552 views • 17 slides
Lets Make an Impact Investing Deal Monday, October 16, 2017 Monday, October 16, 2017 9:30

Lets Make an Impact Investing Deal Monday, October 16, 2017 Monday, October 16, 2017 9:30

Lets Make an Impact Investing Deal Monday, October 16, 2017 Monday, October 16, 2017 9:30 a.m. 9:30 a.m. 11:45 a.m. 11:45 a.m. exp exponentphilanthrop ntphilanthropy.org y.org 1 #exponent17 #exponent17 Overview exp

1.07k views • 59 slides
Images and Filters CSE 576 Ali Farhadi Many slides from Steve Seitz and Larry Zitnick

Images and Filters CSE 576 Ali Farhadi Many slides from Steve Seitz and Larry Zitnick

Images and Filters CSE 576 Ali Farhadi Many slides from Steve Seitz and Larry Zitnick Administrative Stuff See the setup instructions on the course web page Setup your environment Project Topic Team up (discussion board)

1.02k views • 57 slides
Image Processing I Computer Vision Fall 2018 Columbia University Homework 1 Posted online

Image Processing I Computer Vision Fall 2018 Columbia University Homework 1 Posted online

Image Processing I Computer Vision Fall 2018 Columbia University Homework 1 Posted online today Due September 24 before class starts Turn in PDF and your code online Office Hours Carl: Monday 4:30pm to 5:30pm, CSB 502 Oscar:

1.27k views • 99 slides

More recommend