Enhancing Security with Hardware Attestation in TLS

Slide Note
Embed
Share

The hardware attestation in TLS presentation explores the theory and practice of remote attestation, emphasizing the need to improve workload authentication beyond software-bound trust. It delves into the use cases, remote attestation data flow, and the significance of Transport Layer Security (TLS) in establishing secure communication channels.

alissa
alissa Follow

Uploaded on Aug 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Hardware attestation in TLS

  2. Who am I? Ionu Mihalcea Senior Software Engineer at Arm ionut.mihalcea@arm.com https://www.linkedin.com/in/ionut-mihalcea-985314a5/ @ionut-arm

  3. Overview The theory Remote attestation TLS The practice MbedTLS Parsec Veraison

  4. The theory Remote attestation, TLS, and standards

  5. What are we trying to improve? Current status quo: Attacker assumed on communication path Workload authentication is rooted primarily in software Trust is necessarily bound to the entity provisioning the workload Hardware backing is usually reserved for protecting an identity key (e.g., HSMs) Can we use remotely-verifiable information about the security state of the workload, beyond key state/backing?

  6. Use cases PRIVATE IDENTITY KEY SERVICE CLOUD WORKLOAD ATTESTATION CERTIFICATE CREDENTIAL ATTESTATION CERTIFICATE CREDENTIAL EDGE DEVICE LOCAL DEVICE PRIVATE IDENTITY KEY IoT/Edge Device Onboarding Confidential Computing

  7. Remote attestation A class of hardware-backed mechanisms which enables a relying party1 to cryptographically verify the state of a previously-untrusted workload The attester device can issue its own credentials backed by a certificate provided by the manufacturer 1 Using RATS terminology in this presentation 7

  8. Remote attestation data flow Provision device and its identity Authentication

  9. Transport Layer Security (TLS) TLS is a ubiquitous component of network security, offering confidentiality and integrity to communication via a secure channel The secure channel is established following a handshake protocol The handshake protocol enables authentication between the two peers

  10. TLS v1.3 Handshake Client Server Client Hello (supported cipher suites, any extensions ), Key Share Server Hello (chosen cipher suite, any extensions ), Key share, Certificate, Certificate Verify, Finished (Mostly) Encrypted Certificate (Optional), Certificate Verify (Optional), Finished Secure data channel

  11. Goals To enhance authentication via remote attestation in TLS To support a wide range of platforms To support most common deployment patterns

  12. Security and privacy Planning to formally verify the extensions Meticulously working to prevent attacks (e.g., relay/splicing) Attestation credentials can reveal a lot of private and security- relevant metadata but this could be (partially) mitigated by use of specially-crafted attestation results

  13. The practice Prototype and ecosystem

  14. Big picture Producing an end-to-end proof of concept From attester through a TLS implementation, to a verifier Uses background-check model, TPM2.0 as a RoT Open-sourcing the entire stack The components themselves are open-source software Our work is harbored under the CCC Attestation SIG

  15. Prototype Architecture Verification Verifier Relying Party Authentication Attester Platform State Attester Private + Attestation Key(s) Attester RoT

  16. Prototype Architecture Verification Verifier Server TLS Stack (MbedTLS) Server Certificate Handshake (Augmented) Secure Channel Attestation Evidence TLS Stack (MbedTLS) Client Platform State Client Private + Attestation Key(s) Client RoT

  17. Parsec: A Platform Abstraction For Security Cloud-Native Applications, Any Programming Language, Any Runtime, Any Orchestration Any Platform, Any Architecture, Any Hardware Trusted Services Discrete TPM Firmware TPM Local HSM Remote HSM Custom

  18. What is Veraison? An Open-Source Library of Components to Build Attestation Verifier Services Verifier Service Standard Provisioning Data Model Verification API verify endorse Any Architecture, Any Deployment, Any Policy Application/Service (Relying Party) deploy attest Device Manufacturing

  19. Enhancements to Parsec A (generic) key attestation API Specific service configuration options (attesting key, TPM PCRs ) An API to enable generation of endorsements

  20. Extensions to Veraison Support for the attestation scheme required for the prototype: New plugin for evidence New plugin for endorsements

  21. MbedTLS Implementation of TLS and DTLS protocols Provides a reference implementation of the PSA Cryptography API Small code footprint, more suitable for IoT and Edge devices

  22. Open source ecosystem Pooling expertise and work across the industry Open sourcing should be more than an item on a checklist It should bring a continuous involvement in the ecosystem We ve been seeding and expanding projects in CNCF and CCC to build communities

  23. Rust ecosystem Released a number of crates relevant to RoTs: tss-esapi cryptoki psa-crypto The more important goal is to make these hardware features easier to consume via the Parsec Rust client

  24. Go ecosystem Released the veraison/go-cose package, used quite broadly Notary Sigstore Also other packages relevant to remote attestation and verification: Veraison/swid Veraison/corim

  25. Attestation as a plug-in Verification Verifier Server Authentication Server QUIC Stack TLS Stack Server Certificate Authentication Attestation Evidence Workload QUIC Stack TLS Stack Client Platform State Client Private + Attestation Key(s) Client RoT

  26. Wrap up

  27. Remote attestation is a viable authentication mechanism for TLS Our design aims to be as flexible and secure as possible We want to reify the theory into an end-to-end prototype We re hoping that the prototype will serve as a model for integrating remote attestation in other protocols

  28. Questions?

  29. Bibliography TLS extension draft: https://datatracker.ietf.org/doc/draft-fossati-tls- attestation/ CCC project repo: https://github.com/CCC-Attestation/attested-tls- poc Parsec: https://parsec.community/ Veraison: https://github.com/veraison MbedTLS: https://www.trustedfirmware.org/projects/mbed-tls/ Draft repo: https://github.com/yaronf/draft-tls-attestation RATS architecture: https://datatracker.ietf.org/doc/rfc9334/

Related


Understanding TLS/SSL: Security, Attacks, and TLS 1.3

Understanding TLS/SSL: Security, Attacks, and TLS 1.3

otts_oel
A New Approach to TLS Inspection

A New Approach to TLS Inspection

aviend
Evolution of TLS Security Profiles and Best Practices

Evolution of TLS Security Profiles and Best Practices

antwine_m
Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

mohammed
Understanding Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

Understanding Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

ambell
Integrity in Attestation and Isolation by Luca Wilke

Integrity in Attestation and Isolation by Luca Wilke

alianna
Exploring DANE, DNSSEC, and TLS in Go6Lab

Exploring DANE, DNSSEC, and TLS in Go6Lab

kasz640
Understanding Transport Layer Security (TLS)

Understanding Transport Layer Security (TLS)

amabel
TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

rayl_9
Enhancing Eduroam Security with New Standards and Practices

Enhancing Eduroam Security with New Standards and Practices

pippa
Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

albritton_a
Architectural Hardware Support for Operating Systems in ECE344 Lecture

Architectural Hardware Support for Operating Systems in ECE344 Lecture

lashawnd
Modernizing Network Security with nQUIC Noise-Based Packet Protection

Modernizing Network Security with nQUIC Noise-Based Packet Protection

katarina
Diploma in Hardware & Networking: Upgrade Your IT Skills

Diploma in Hardware & Networking: Upgrade Your IT Skills

melia
Hardware Security and Trusted Platform Module Overview

Hardware Security and Trusted Platform Module Overview

till_ace
Hardware-Assisted Page Walks for Virtualized Systems

Hardware-Assisted Page Walks for Virtualized Systems

mzia
Enhancing Hardware and Software Security in Public Communications Networks

Enhancing Hardware and Software Security in Public Communications Networks

lena_rie
Comprehensive DevOps Security Training Overview

Comprehensive DevOps Security Training Overview

jahv_808
Managing Device Proliferation and BYOD Policies in SMB Non-Profits

Managing Device Proliferation and BYOD Policies in SMB Non-Profits

sre_r
Understanding Computer Organization and Architecture

Understanding Computer Organization and Architecture

alexei
Hold Down and Release Mechanism Hardware Simulator for Ground Deployment Testing

Hold Down and Release Mechanism Hardware Simulator for Ground Deployment Testing

aurelia
Overview of Computer Hardware Components and Software Functions

Overview of Computer Hardware Components and Software Functions

ainhoa
Anatomy of a Computer System: Hardware Components and Functions

Anatomy of a Computer System: Hardware Components and Functions

alaiya
Understanding Computer Hardware Components

Understanding Computer Hardware Components

kasper

More Related Content