
Attested TLS Core concepts

Yogesh Deshpande edited this page Jun 25, 2024 · 7 revisions

What is Transport Layer Security (TLS)

Need for Transport Layer Security (TLS)

What is Attestation?

An entity (be it a device or a compute environment) sometimes needs to make verifiable claims about its security characteristics. This can be a prerequisite before any secure interaction with the entity is undertaken. For example, a Relying Party needs to assess the trustworthiness of the entity before admitting the device to a network or releasing sensitive resources (data and code) into its compute environment. The means by which an entity can be evaluated for trustworthiness is known as attestation. Stated alternatively, attestation is the system by which an entity produces evidence about itself that another party can use to evaluate the trustworthiness of that entity.

Process of Attestation

Broadly speaking, attestation is a matched pair of the following operations:

  • Endorsements – this is the process by which supply chain actors (including hardware providers, firmware providers and software providers) define and publish the authoritative properties of a valid system. These properties can take various forms. The unique identity of a manufactured device might be an example of an endorsement. Such an identity might take the form of a certified public key. Another example of an endorsement might be the measurement (hash or checksum) of a firmware binary within the platform. The firmware provider would be able to publish the expected measurements of known-good firmware binaries.

  • Verification – this is the process by which an actual target compute system is checked and evaluated against the known endorsements. Bundles of evidence from the entity are obtained at runtime.

Although endorsement and verification are a matched pair, they are usually performed by different entities/actors, and at different points in time.

Need for an Attestation Verifier

Evaluation or appraisal of evidence for trustworthiness can be rather complex, because it requires a priori knowledge of the correct Endorsements for the entity. It is therefore deemed unrealistic for every Relying Party to be capable of appraising Evidence, and that burden is typically offloaded to an Attestation Verifier.

Endorsement and verification are a matched pair, entwined in a producer-consumer relationship. There can be no verification without endorsement because endorsement provides the reference and the source of truth against which a running system can be compared. Verification is fundamentally a process of comparison. Verification cannot happen in a vacuum, because then there would be no point of reference, and hence nothing to compare against.

An attestation verifier’s role is to determine whether this evidence indicates a trustworthy system. When verification passes, the entity is deemed suitable for use, at which point a secure interaction with the entity can be undertaken.
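The comparison a Verifier performs, sketched as an added example (not code from this wiki or the project it documents). The device identifier, keys and firmware strings are constructed, HMAC-SHA256 from the standard library stands in for the device's certified signing key, and the nonce used for freshness is an assumption that this page does not discuss.

```python
import hashlib
import hmac
import json

# Endorsements published ahead of time by supply-chain actors (constructed values).
# An HMAC key stands in for a certified device public key (assumption, stdlib only).
DEVICE_KEYS = {"dev-001": b"constructed-device-secret"}
GOOD_FIRMWARE = {hashlib.sha256(b"firmware v1.2 (constructed)").hexdigest()}


def make_evidence(device_id, key, firmware_image, nonce):
    """Attester side: measure the firmware and authenticate the claims."""
    claims = {"device": device_id, "nonce": nonce,
              "fw_measurement": hashlib.sha256(firmware_image).hexdigest()}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def appraise(evidence, expected_nonce):
    """Verifier side: compare runtime Evidence against the endorsements."""
    claims = evidence["claims"]
    key = DEVICE_KEYS.get(claims.get("device"))
    if key is None:
        return "reject: no endorsement for device identity"
    body = json.dumps(claims, sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, evidence.get("tag", "")):
        return "reject: evidence not authenticated by endorsed key"
    if claims.get("nonce") != expected_nonce:
        return "reject: stale or replayed evidence"
    if claims.get("fw_measurement") not in GOOD_FIRMWARE:
        return "reject: firmware measurement not endorsed"
    return "affirm"
```

Every rejection path is a failed comparison against an endorsement, which is why a Relying Party without that reference data cannot perform the appraisal itself.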

Attestation Interactions

For the sake of completeness, two interactions of the Entity (shown here as the Attester, as per the RATS Architecture document) with the Relying Party and the Verifier are shown below.

  • Passport Model

In this model, an Attester conveys Evidence to a Verifier, which compares the Evidence against its appraisal policy. The Verifier then gives back an Attestation Result which the Attester treats as opaque data.

The Attester does not consume the Attestation Result, but might cache it. The Attester can then present the Attestation Result to a Relying Party, which makes trust decisions about the Attester based on the contents of Attestation Results and its own appraisal policy. The Attester may also present the same Attestation Result to other Relying Parties.

       .------------.
       |            | Compare Evidence
       |  Verifier  | against appraisal policy
       |            |
       '--------+---'
           ^    |
  Evidence |    | Attestation
           |    | Result
           |    v
       .---+--------.              .-------------.
       |            +------------->|             | Compare Attestation
       |  Attester  | Attestation  |   Relying   | Result against
       |            | Result       |    Party    | appraisal policy
       '------------'              '-------------'

  • Background Check Model

In this model, an Attester conveys Evidence to a Relying Party, which treats it as opaque and simply forwards it on to a Verifier. The Verifier compares the Evidence against its appraisal policy, and returns an Attestation Result to the Relying Party. The Relying Party then makes trust decisions about the Attester based on the contents of Attestation Results and its own appraisal policy.

                                .-------------.
                                |             | Compare Evidence
                                |   Verifier  | against appraisal
                                |             | policy
                                '--------+----'
                                     ^   |
                            Evidence |   | Attestation
                                     |   | Result
                                     |   v
   .------------.               .----|--------.
   |            +-------------->|---'         | Compare Attestation
   |  Attester  |   Evidence    |     Relying | Result against
   |            |               |      Party  | appraisal policy
   '------------'               '-------------'
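Both models in one runnable sketch, as an added example (not code from this wiki or the project it documents). The firmware labels, status strings and key are constructed, and HMAC-SHA256 stands in for the Verifier's signature over the Attestation Result; a real Relying Party would hold only the Verifier's public key.

```python
import hashlib
import hmac
import json

VERIFIER_KEY = b"constructed-verifier-key"  # HMAC stand-in for the Verifier's signing key
KNOWN_GOOD = {"fw-1.2": "affirming", "fw-1.0": "warning"}  # Verifier appraisal policy


def _tag(result):
    body = json.dumps(result, sort_keys=True).encode()
    return hmac.new(VERIFIER_KEY, body, hashlib.sha256).hexdigest()


def verifier_appraise(evidence_bytes):
    """Verifier: compare Evidence against its appraisal policy, sign the result."""
    evidence = json.loads(evidence_bytes)
    result = {"attester": evidence["attester"],
              "status": KNOWN_GOOD.get(evidence["fw"], "contraindicated")}
    return {"result": result, "tag": _tag(result)}


class RelyingParty:
    def __init__(self, accepted_statuses):
        self.accepted = set(accepted_statuses)  # this party's own appraisal policy

    def decide(self, signed):
        """Authenticate the Attestation Result, then apply the local policy."""
        if not hmac.compare_digest(_tag(signed["result"]), signed.get("tag", "")):
            return False  # not issued by the trusted Verifier, or altered in transit
        return signed["result"]["status"] in self.accepted

    def background_check(self, evidence_bytes):
        """Background Check Model: forward opaque Evidence, then decide."""
        return self.decide(verifier_appraise(evidence_bytes))


def passport(evidence_bytes, relying_parties):
    """Passport Model: the Attester obtains one result and presents it to each party."""
    cached = verifier_appraise(evidence_bytes)  # opaque to the Attester
    return [rp.decide(cached) for rp in relying_parties]
```

The same cached result can yield different decisions at different Relying Parties, because each applies its own appraisal policy to the Verifier's output.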