DICE

From MgmtWiki

Full Title

Device Identifier Composition Engine (DICE) for low-cost device's identity and attestation.

Context

DICE is designed to be the absolute minimum root of trust for programmable devices. Although it can do some TPM-like operations, it is mostly the root of trust on which to build things like TPMs (which are themselves pretty complicated).

Problems

There are two problems that are addressed by the TPM:

  1. Integrity of the code that is currently running on the device,
  2. Access to the data that is on the device or in the cloud.

Solutions

The primary objective of DICE is limited to the identity of the device and the integrity of the code running on the device. The basic DICE design does not cover access control issues.

  • The Symmetric Identity Based Device Attestation paper describes a method that uses only symmetric-key cryptography, together with an attestation service that retains a copy of the symmetric key, to perform [[Remote Attestation Service]] for the remote computer.
  • Many/most CPUs now have DICE support, although on more powerful CPUs it tends to be hidden away.
  • DICE | Trusted Computing Group - Modern cyber-attacks are often sophisticated and relentless in their continual efforts to seek out vulnerabilities in modern technology-based solutions. At the same time, new market segments like the Internet of Things (IoT), are driving innovative architectures and creating solutions with challenging power, security, resource, and other constraints.
  • DICE: Device Identifier Composition Engine - Microsoft Research aka RIoT (Robust | Resilient | Recoverable – IoT)
  • There is a new variant of DICE, called a DICE Protection Environment, that is being driven by Google and is closer to a mini-TPM. It is also to become a TCG standard in early March 2023.
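The following is an added illustration of the two ideas in the list above (the DICE identity that is bound to the code the device runs, and the symmetric-key attestation scheme in which the service keeps a copy of the device secret). It is not code from MgmtWiki, the TCG DICE specification, or the paper cited above; the derivation (CDI = HMAC over the measurement of the first mutable code, keyed by a per-device secret), the firmware images, and the service's bookkeeping are simplified assumptions made for the example. It shows why a device whose first-stage code has been modified cannot answer a challenge as the approved image would, and why a stale or replayed challenge is rejected.

```python
"""Simplified model of DICE layered identity plus symmetric-key remote
attestation. Added illustration only, not the TCG DICE spec; the UDS, the
firmware images and the service bookkeeping are constructed for this example.
"""
import hashlib
import hmac
import os


def measure(firmware: bytes) -> bytes:
    """Measurement of the first mutable code: a plain SHA-256 digest."""
    return hashlib.sha256(firmware).digest()


def derive_cdi(uds: bytes, firmware: bytes) -> bytes:
    """Compound Device Identifier (assumed construction): bind the per-device
    secret (UDS) to the measured firmware. Different code gives a different
    CDI, so modified firmware cannot reproduce the identity of the good image."""
    return hmac.new(uds, measure(firmware), hashlib.sha256).digest()


def device_attest(uds: bytes, firmware: bytes, nonce: bytes) -> bytes:
    """Device side: the DICE engine derives the CDI from the UDS and the code
    it hands control to; that code then proves possession of the CDI by MACing
    the verifier's nonce. The UDS itself is never exported from the device."""
    cdi = derive_cdi(uds, firmware)
    return hmac.new(cdi, nonce, hashlib.sha256).digest()


class AttestationService:
    """Verifier that retains a copy of each device's UDS and a list of approved
    firmware images, so it can recompute the expected CDI on its own."""

    def __init__(self) -> None:
        self._uds_by_device: dict[str, bytes] = {}
        self._approved: dict[str, list[bytes]] = {}
        self._outstanding: dict[str, bytes] = {}

    def enroll(self, device_id: str, uds: bytes, approved_firmware: list[bytes]) -> None:
        """Provision the shared secret and approved images (e.g. at manufacture)."""
        self._uds_by_device[device_id] = uds
        self._approved[device_id] = list(approved_firmware)

    def challenge(self, device_id: str) -> bytes:
        """Issue a fresh nonce; only one outstanding challenge per device."""
        nonce = os.urandom(16)
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, proof: bytes) -> bool:
        """Accept iff the proof matches the CDI of some approved image for the
        nonce that is currently outstanding for this device."""
        expected_nonce = self._outstanding.pop(device_id, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False  # unknown device, or stale/replayed challenge
        uds = self._uds_by_device[device_id]
        for firmware in self._approved[device_id]:
            expected = hmac.new(derive_cdi(uds, firmware), nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, proof):
                return True
        return False


def run_demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: returns (approved image accepted,
    modified image rejected, replayed proof rejected)."""
    uds = os.urandom(32)                      # per-device secret burned in at manufacture
    good_fw = b"constructed first-stage firmware v1"
    altered_fw = b"constructed first-stage firmware v1 (modified)"

    service = AttestationService()
    service.enroll("sensor-0001", uds, [good_fw])

    # 1. Device running the approved image answers a fresh challenge.
    nonce = service.challenge("sensor-0001")
    proof = device_attest(uds, good_fw, nonce)
    good_ok = service.verify("sensor-0001", nonce, proof)

    # 2. Same device, same UDS, but the first-stage code has changed:
    #    the derived CDI differs, so the proof no longer matches.
    nonce2 = service.challenge("sensor-0001")
    altered_ok = service.verify("sensor-0001", nonce2, device_attest(uds, altered_fw, nonce2))

    # 3. Replaying the earlier valid proof: its nonce is no longer outstanding.
    service.challenge("sensor-0001")
    replay_ok = service.verify("sensor-0001", nonce, proof)

    return good_ok, altered_ok, replay_ok


if __name__ == "__main__":
    print(run_demo())  # expected: (True, False, False)
```

The service never needs the device to reveal the UDS; it only needs to know it, which is the trade-off the symmetric approach makes: simpler devices, but the verifier becomes a custodian of every device secret.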

References