| Internet-Draft | AISS Attestation Token | April 2022 |
| Tschofenig, et al. | Expires 24 October 2022 | [Page] |
This specification defines a profile of the Entity Attestation Token (EAT) for use in special System-on-Chip (SoC) designs that are generated automatically utilizing a methodology currently developed in a DARPA funded project.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 October 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The DARPA-funded project Automated Implementation of Secure Silicon (AISS) is aimed at making scalable on-chip security pervasive. The objective is to develop ways to automate the process of adding security into integrated circuits.¶
If successful, AISS will allow security to be inexpensively incorporated into chip designs with minimal effort and expertise, ultimately making scalable on-chip security ubiquitous. The project seeks to create a novel, automated chip design flow that will allow the security mechanisms to scale consistently with the goals of the design.¶
As a minimal component, the generated chip designs must offer attestation capabilities.¶
This specification describes the minimal claim set offered by an attestation token conforming to the Entity Attestation Token (EAT) specification. This attestation token is, on request, provided to a Verifier.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following term is used in this document:¶
This section describes the claims to be used in an AISS attestation token.¶
CDDL [RFC8610] along with text descriptions is used to define each claim independent of encoding. The following CDDL type(s) are reused by different claims:¶
aiss-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64¶
The Nonce claim is used to carry the challenge provided by the caller to demonstrate freshness of the generated token.¶
The EAT [I-D.ietf-rats-eat] nonce (claim key 10) is used. The following
constraints apply to the nonce-type:¶
This claim MUST be present in an AISS attestation token.¶
aiss-nonce = (
nonce-label => aiss-hash-type
)
¶
The Instance ID claim represents the unique identifier of the attestation key.¶
The EAT ueid (claim key 256) of type RAND is used. The following
constraints apply to the ueid-type:¶
This claim MUST be present in an AISS attestation token.¶
aiss-instance-id-type = bytes .size 33
aiss-instance-id = (
ueid-label => aiss-instance-id-type
)
¶
The Implementation ID claim uniquely identifies the implementation of the immutable RoT. A verification service uses this claim to locate the details of the RoT implementation from a manufacturer. Such details are used by a verification service to determine the security properties or certification status of the RoT implementation.¶
The value and format of the ID is decided by the manufacturer or a particular certification scheme. For example, the ID could take the form of a product serial number, database ID, or other appropriate identifier.¶
This claim MUST be present in an AISS attestation token.¶
Note that this identifies the RoT implementation, not a particular instance. The Instance ID claim, see Section 3.2, uniquely identifies an instance.¶
aiss-implementation-id-type = bytes .size 32
aiss-implementation-id = (
aiss-implementation-id-label => aiss-implementation-id-type
)
¶
The Security Lifecycle claim represents the current lifecycle state of the RoT. The state is represented by an unsigned integer.¶
The lifecycle states are illustrated in Figure 1. When the device is deployed, a Verifier can only trust reports when the lifecycle state is in "Secured" and "Non-RoT Debug" states. The states "Testing" and "Provisioning" are utilized during manufacturing. A device is in "Decommisioned" state when it is retired.¶
This claim MUST be present in an AISS attestation token.¶
.-------------. .-------------.
+ Testing |-------> Provisioning |
'-------------' '------+------'
| .------------------.
| | |
v v |
.---------. |
.---------+ Secured +-----------. |
| '-+-------' | |
| | ^ | |
| v | v |
| .------------+------. .----------+----.
| | Non-RoT Debug | | Recoverable |
v '---------+---------' | RoT Debug |
.----------------. | '------+--------'
| Decommissioned |<-----------+-------------------'
'----------------'
aiss-lifecycle-unknown-type = 0
aiss-lifecycle-testing-type = 1
aiss-lifecycle-provisioning-type = 2
aiss-lifecycle-secured-type = 3
aiss-lifecycle-non-rot-debug-type = 4
aiss-lifecycle-recoverable-rot-debug-type = 5
aiss-lifecycle-decommissioned-type = 6
aiss-lifecycle-type =
aiss-lifecycle-unknown-type /
aiss-lifecycle-testing-type /
aiss-lifecycle-provisioning-type /
aiss-lifecycle-secured-type /
aiss-lifecycle-non-rot-debug-type /
aiss-lifecycle-recoverable-rot-debug-type /
aiss-lifecycle-decommissioned-type
aiss-lifecycle = (
aiss-lifecycle-label => aiss-lifecycle-type
)
¶
The Boot Odometer claim contains a value that represents the number of times the entity or submod has been booted.¶
The EAT boot-seed-label (claim key TBD) of type unsigned integer is used.¶
This claim MUST be present in an AISS attestation token.¶
aiss-boot-odometer = (
aiss-boot-odometer-label => uint
)
¶
Watermarking, the process of marking an asset with a known structure, is used to detect intellectual property (IP) theft and overuse. Watermarking in hardware IPs is the mechanism of embedding a unique "code" into IP without altering the original functionality of the design. The ownership of the IP can be later verified when the watermark is extracted.¶
The Watermark claim contains a code extracted from the watermarking hardware identified by an identifier. This identifier is formated as a type 4 UUID [RFC4122].¶
This claim MUST be present in an AISS attestation token when the attestation token request asked for a watermark to be present.¶
watermark-type = [
id: bstr .size 16,
watermark: bytes
]
aiss-watermark = ( watermark-label => watermark-type )
¶
The Profile Definition claim encodes the unique identifier that corresponds to the EAT profile described by this document. This allows a receiver to assign the intended semantics to the rest of the claims found in the token.¶
The EAT profile (claim key 265) is used. The following constraints
apply to its type:¶
This claim MUST be present in an AISS attestation token.¶
aiss-profile-type = "http://aiss/1.0.0"
aiss-profile = (
profile-label => aiss-profile-type
)
¶
The AISS attestation token is encoded in CBOR [RFC8949] format. Only definite-length string, arrays, and maps are allowed.¶
Cryptographic protection is accomplished by COSE. The signature structure MUST be COSE_Sign1. Only the use of asymmetric key algorithms is envisioned.¶
The CWT CBOR tag (61) is not used. An application that needs to exchange PSA attestation tokens can wrap the serialised COSE_Sign1 in a dedicated media type, as for example defined in defined in Section 8.2 or the CoAP Content-Format defined in Section 8.3.¶
The AISS attestation token supports the freshness models for attestation Evidence
based on nonces (Section 10.2 and 10.3 of [I-D.ietf-rats-architecture]) using
the nonce claim to convey the nonce supplied by the Verifier. No further
assumption on the specific remote attestation protocol is made.¶
aiss-token = {
aiss-nonce,
aiss-instance-id,
aiss-profile,
aiss-implementation-id,
aiss-lifecycle,
aiss-boot-odometer,
aiss-watermark,
}
aiss-lifecycle-label = 2500
aiss-implementation-id-label = 2501
aiss-watermark-label = 2502
aiss-boot-odometer-label = 2503
; from EAT
nonce-label = 10
ueid-label = 256
profile-label = 265
aiss-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64
aiss-nonce = (
nonce-label => aiss-hash-type
)
aiss-instance-id-type = bytes .size 33
aiss-instance-id = (
ueid-label => aiss-instance-id-type
)
aiss-implementation-id-type = bytes .size 32
aiss-implementation-id = (
aiss-implementation-id-label => aiss-implementation-id-type
)
aiss-lifecycle-unknown-type = 0
aiss-lifecycle-testing-type = 1
aiss-lifecycle-provisioning-type = 2
aiss-lifecycle-secured-type = 3
aiss-lifecycle-non-rot-debug-type = 4
aiss-lifecycle-recoverable-rot-debug-type = 5
aiss-lifecycle-decommissioned-type = 6
aiss-lifecycle-type =
aiss-lifecycle-unknown-type /
aiss-lifecycle-testing-type /
aiss-lifecycle-provisioning-type /
aiss-lifecycle-secured-type /
aiss-lifecycle-non-rot-debug-type /
aiss-lifecycle-recoverable-rot-debug-type /
aiss-lifecycle-decommissioned-type
aiss-lifecycle = (
aiss-lifecycle-label => aiss-lifecycle-type
)
aiss-boot-odometer = (
aiss-boot-odometer-label => uint
)
watermark-type = [
id: bstr .size 16,
watermark: bytes
]
aiss-watermark = ( watermark-label => watermark-type )
aiss-profile-type = "http://aiss/1.0.0"
aiss-profile = (
profile-label => aiss-profile-type
)
¶
To verify the token, the primary need is to check correct encoding and signing as detailed in Section 4. In particular, the Instance ID claim is used (together with the kid in the COSE header, if present) to assist in locating the public key used to verify the signature covering the token. The key used for verification is supplied to the Verifier by an authorized Endorser along with the corresponding Attester's Instance ID.¶
In addition, the Verifier will typically operate a policy where values of some of the claims in this profile can be compared to reference values, registered with the Verifier for a given deployment, in order to confirm that the device is endorsed by the manufacturer supply chain. The policy may require that the relevant claims must have a match to a registered reference value.¶
The protocol used to convey Endorsements and Reference Values to the Verifier is not in scope for this document.¶
This specification requests IANA to register the following claims in the "CBOR Web Token (CWT) Claims" registry [IANA-CWT].¶
IANA is requested to register the "application/aiss-attestation-token" media type [RFC2046] in the "Media Types" registry [IANA-MediaTypes] in the manner described in RFC 6838 [RFC6838], which can be used to indicate that the content is an AISS Attestation Token.¶
Additional information:¶
IANA is requested to register the CoAP Content-Format ID for the "application/aiss-attestation-token" media type in the "CoAP Content-Formats" registry [IANA-CoAP-Content-Formats].¶
The following example shows an AISS attestation token for an hypothetical system. The attesting device is in a lifecycle state Section 3.4 of SECURED.¶
The claims in this example are:¶
{
/ instance-id / 255: h'FF0039A1',
/ nonce / 10: h'AABBCCDD',
/ lifecycle / 2500: 2,
/ implementation-id / 2501: h'CCDDEE',
/ watermark / 2502: h'010203',
/ boot-odometer / 2503: 5,
/ profile-id / 256: "aiss/1.0.0",
}
¶
The resulting COSE object is:¶
18(
[
/ protected / h'A10126',
/ unprotected / {},
/ payload / h'A718FF44FF0039A10A44AABBCCDD1909C4021901006
A616973732F312E302E301909C543CCDDEE1909C643
0102031909C705',
/ signature / h'9744085E05D875E5EAAEC1598D1DD9E14097CCE4E9A
484344D08C9D41244713C700CD4F1CD7E86C0C6397A
ABECE40E166EBA5AA92DB11170F69B2DD8E681708E'
]
)
¶
We would like to thank Rob Aitken, Mike Borza, Liam Dillon, Dale Donchin, John Goodenough, and Oleg Raikhman for their feedback.¶
Work on this document has in part been supported by the DARPA AISS project (grant agreement HR0011-20-9-0043).¶