Attested

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

A statement is Attested if some Trusted Third Party can create a Validated Claim about a User Device used during either Authentication or Authorization.

Context

  • The Context in which an Attestation of Security applies is typically during the Validation of the security protection provided to User secrets (such as Credentials) on a User Device.
  • NIST 800-63-3 defines an Attestation as information conveyed to the verifier regarding a directly-connected authenticator or the endpoint involved in an authentication operation. Information conveyed by attestation MAY include, but is not limited to:
  1. The provenance (e.g., manufacturer or supplier certification), health, and integrity of the authenticator and endpoint.
  2. Security features of the authenticator.
  3. Security and performance characteristics of biometric sensor(s).
  4. Sensor modality.

Problems

  • When a secure operation is performed at a user location, the packet returned from that User Device needs to be trusted by the Site that receives it.
  • The signing key for that packet from a User Device will have a certificate that binds that signing key to a particular device.
  • If the device reports a serial number, or (equivalently) a public key that is unique that that device, that can be used as a tracking number for the owner of the device.
  • In 1999 Intel started to ship Pentium Processors with a serial number that created huge public outcry about the privacy implications. They backtracked a lot from their original assertions about security an privacy with a Q&A for their OEMs to address the issues.[1] No company has tried putting a serial number in processors since then.

Solution

  • The certificate for the signing key from the User Device, and potentially the configuration information from the device, will need to be Attested by some Trusted Third Party.
  • It is recommended that a large number (ca 100,000) devices be equipped with the same public key to avoid privacy concerns.[2] Then the public key is basically the Identifier for the category of User Device.
  • Attestation can be complex for programmable computers with a TPM, or simple for one function User Devices like Security Tokens.
  • An example of a single attestation program with associated metadata is described in the FIDO web site[2].
  • When a simple certificate is used, it typically is accompanied by a metadata statement, an example is this one at Yubico.

References

  1. Andrew Thomas, Intel Processor Serial Number Q&A for OEMs. (2000-05-04) https://www.theregister.co.uk/2000/05/04/intel_processor_serial_number_q/
  2. 2.0 2.1 FIDO TechNotes, The Truth about Attestation. (2018-07-19) https://fidoalliance.org/fido-technotes-the-truth-about-attestation/

Other internal and external links

  1. Synonyms include: Assured Corroborated Validated.