Enhancing Security with Hardware Attestation in TLS

Slide Note
Embed
Share

The hardware attestation in TLS presentation explores the theory and practice of remote attestation, emphasizing the need to improve workload authentication beyond software-bound trust. It delves into the use cases, remote attestation data flow, and the significance of Transport Layer Security (TLS) in establishing secure communication channels.

alissa
alissa Follow

Uploaded on Aug 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Hardware attestation in TLS

  2. Who am I? Ionu Mihalcea Senior Software Engineer at Arm ionut.mihalcea@arm.com https://www.linkedin.com/in/ionut-mihalcea-985314a5/ @ionut-arm

  3. Overview The theory Remote attestation TLS The practice MbedTLS Parsec Veraison

  4. The theory Remote attestation, TLS, and standards

  5. What are we trying to improve? Current status quo: Attacker assumed on communication path Workload authentication is rooted primarily in software Trust is necessarily bound to the entity provisioning the workload Hardware backing is usually reserved for protecting an identity key (e.g., HSMs) Can we use remotely-verifiable information about the security state of the workload, beyond key state/backing?

  6. Use cases PRIVATE IDENTITY KEY SERVICE CLOUD WORKLOAD ATTESTATION CERTIFICATE CREDENTIAL ATTESTATION CERTIFICATE CREDENTIAL EDGE DEVICE LOCAL DEVICE PRIVATE IDENTITY KEY IoT/Edge Device Onboarding Confidential Computing

  7. Remote attestation A class of hardware-backed mechanisms which enables a relying party1 to cryptographically verify the state of a previously-untrusted workload The attester device can issue its own credentials backed by a certificate provided by the manufacturer 1 Using RATS terminology in this presentation 7

  8. Remote attestation data flow Provision device and its identity Authentication

  9. Transport Layer Security (TLS) TLS is a ubiquitous component of network security, offering confidentiality and integrity to communication via a secure channel The secure channel is established following a handshake protocol The handshake protocol enables authentication between the two peers

  10. TLS v1.3 Handshake Client Server Client Hello (supported cipher suites, any extensions ), Key Share Server Hello (chosen cipher suite, any extensions ), Key share, Certificate, Certificate Verify, Finished (Mostly) Encrypted Certificate (Optional), Certificate Verify (Optional), Finished Secure data channel

  11. Goals To enhance authentication via remote attestation in TLS To support a wide range of platforms To support most common deployment patterns

  12. Security and privacy Planning to formally verify the extensions Meticulously working to prevent attacks (e.g., relay/splicing) Attestation credentials can reveal a lot of private and security- relevant metadata but this could be (partially) mitigated by use of specially-crafted attestation results

  13. The practice Prototype and ecosystem

  14. Big picture Producing an end-to-end proof of concept From attester through a TLS implementation, to a verifier Uses background-check model, TPM2.0 as a RoT Open-sourcing the entire stack The components themselves are open-source software Our work is harbored under the CCC Attestation SIG

  15. Prototype Architecture Verification Verifier Relying Party Authentication Attester Platform State Attester Private + Attestation Key(s) Attester RoT

  16. Prototype Architecture Verification Verifier Server TLS Stack (MbedTLS) Server Certificate Handshake (Augmented) Secure Channel Attestation Evidence TLS Stack (MbedTLS) Client Platform State Client Private + Attestation Key(s) Client RoT

  17. Parsec: A Platform Abstraction For Security Cloud-Native Applications, Any Programming Language, Any Runtime, Any Orchestration Any Platform, Any Architecture, Any Hardware Trusted Services Discrete TPM Firmware TPM Local HSM Remote HSM Custom

  18. What is Veraison? An Open-Source Library of Components to Build Attestation Verifier Services Verifier Service Standard Provisioning Data Model Verification API verify endorse Any Architecture, Any Deployment, Any Policy Application/Service (Relying Party) deploy attest Device Manufacturing

  19. Enhancements to Parsec A (generic) key attestation API Specific service configuration options (attesting key, TPM PCRs ) An API to enable generation of endorsements

  20. Extensions to Veraison Support for the attestation scheme required for the prototype: New plugin for evidence New plugin for endorsements

  21. MbedTLS Implementation of TLS and DTLS protocols Provides a reference implementation of the PSA Cryptography API Small code footprint, more suitable for IoT and Edge devices

  22. Open source ecosystem Pooling expertise and work across the industry Open sourcing should be more than an item on a checklist It should bring a continuous involvement in the ecosystem We ve been seeding and expanding projects in CNCF and CCC to build communities

  23. Rust ecosystem Released a number of crates relevant to RoTs: tss-esapi cryptoki psa-crypto The more important goal is to make these hardware features easier to consume via the Parsec Rust client

  24. Go ecosystem Released the veraison/go-cose package, used quite broadly Notary Sigstore Also other packages relevant to remote attestation and verification: Veraison/swid Veraison/corim

  25. Attestation as a plug-in Verification Verifier Server Authentication Server QUIC Stack TLS Stack Server Certificate Authentication Attestation Evidence Workload QUIC Stack TLS Stack Client Platform State Client Private + Attestation Key(s) Client RoT

  26. Wrap up

  27. Remote attestation is a viable authentication mechanism for TLS Our design aims to be as flexible and secure as possible We want to reify the theory into an end-to-end prototype We re hoping that the prototype will serve as a model for integrating remote attestation in other protocols

  28. Questions?

  29. Bibliography TLS extension draft: https://datatracker.ietf.org/doc/draft-fossati-tls- attestation/ CCC project repo: https://github.com/CCC-Attestation/attested-tls- poc Parsec: https://parsec.community/ Veraison: https://github.com/veraison MbedTLS: https://www.trustedfirmware.org/projects/mbed-tls/ Draft repo: https://github.com/yaronf/draft-tls-attestation RATS architecture: https://datatracker.ietf.org/doc/rfc9334/

Related


A New Approach to TLS Inspection

A New Approach to TLS Inspection

aviend
Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

mohammed
Integrity in Attestation and Isolation by Luca Wilke

Integrity in Attestation and Isolation by Luca Wilke

alianna
Exploring DANE, DNSSEC, and TLS in Go6Lab

Exploring DANE, DNSSEC, and TLS in Go6Lab

kasz640
Understanding Transport Layer Security (TLS)

Understanding Transport Layer Security (TLS)

amabel
Enhancing Eduroam Security with New Standards and Practices

Enhancing Eduroam Security with New Standards and Practices

pippa
Diploma in Hardware & Networking: Upgrade Your IT Skills

Diploma in Hardware & Networking: Upgrade Your IT Skills

melia
Modernizing Network Security with nQUIC Noise-Based Packet Protection

Modernizing Network Security with nQUIC Noise-Based Packet Protection

katarina
Understanding Computer Organization and Architecture

Understanding Computer Organization and Architecture

alexei
Hold Down and Release Mechanism Hardware Simulator for Ground Deployment Testing

Hold Down and Release Mechanism Hardware Simulator for Ground Deployment Testing

aurelia
Overview of Computer Hardware Components and Software Functions

Overview of Computer Hardware Components and Software Functions

ainhoa
Anatomy of a Computer System: Hardware Components and Functions

Anatomy of a Computer System: Hardware Components and Functions

alaiya
Understanding Computer Hardware Components

Understanding Computer Hardware Components

kasper
Optimizing DNN Pruning for Hardware Efficiency

Optimizing DNN Pruning for Hardware Efficiency

vinicius
Overview of Fly and Trajectory Scans in Data Acquisition

Overview of Fly and Trajectory Scans in Data Acquisition

ciha
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
HIGHWIND Hardware: Team and Responsibilities Overview

HIGHWIND Hardware: Team and Responsibilities Overview

ameerah
Information Security – Theory vs. Reality

Information Security – Theory vs. Reality

shoto
Understanding Security Management in an ICT Environment

Understanding Security Management in an ICT Environment

truett
Roughtime: Securing time for IoT devices

Roughtime: Securing time for IoT devices

jayda
Addressing Monitoring Challenges in Hardware Offloading

Addressing Monitoring Challenges in Hardware Offloading

florin
Understanding Computer Systems: Components and Organization

Understanding Computer Systems: Components and Organization

mungo
Understanding Operating Systems: Introduction and Functions

Understanding Operating Systems: Introduction and Functions

cleopatra

More Related Content

Understanding Computer Systems and Components
Understanding Computer Systems and Components
Efficient Data Race Detection Using Transactional Memory
Efficient Data Race Detection Using Transactional Memory
Understanding the Basics of BIOS in Computers
Understanding the Basics of BIOS in Computers
Overview of Electronics Maintenance and Pre-Processing Hardware at Agata Project - October 2016
Overview of Electronics Maintenance and Pre-Processing Hardware at Agata Project - October 2016
Hardware Monitoring Evolution at CERN: Lemon vs. Collectd
Hardware Monitoring Evolution at CERN: Lemon vs. Collectd
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
Comprehensive IT & Security Solutions for Home and Business Needs
Comprehensive IT & Security Solutions for Home and Business Needs
Challenges in Standard QUIC Protocol Implementation
Challenges in Standard QUIC Protocol Implementation
5G Use Case Proposal for Dublin Ericsson
5G Use Case Proposal for Dublin Ericsson
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Evolving Security Practices in DevOps: A Holistic Approach
Evolving Security Practices in DevOps: A Holistic Approach
Certification and Training in Information Security
Certification and Training in Information Security
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Enhancing Rail Security in the European Union
Enhancing Rail Security in the European Union
Software Security Principles and Practices: Enhancing Program Code Security
Software Security Principles and Practices: Enhancing Program Code Security
Towards Single-Event Upset Detection in Hardware Secure RISC-V Processors
Towards Single-Event Upset Detection in Hardware Secure RISC-V Processors