Internet-Draft Nonce-based Freshness in CMP August 2023
Tschofenig & Brockhaus Expires 2 February 2024 [Page]
Workgroup:
LAMPS
Internet-Draft:
draft-tschofenig-lamps-nonce-for-cmp-01
Published:
Intended Status:
Standards Track
Expires:
Authors:
H. Tschofenig
Siemens
H. Brockhaus
Siemens

Nonce-based Freshness for Attestation in Certification Requests for use with the Certification Management Protocol

Abstract

Certificate Management Protocol (CMP) defines protocol messages for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components, such as a Registration Authority (RA) and a Certification Authority (CA).

CMP allows an RA/CA to inform an end entity about the information it has to provide in a certification request. When an end entity places attestation information in form of evidence in a certification signing request (CSR) it may need to demonstrate freshness of the provided evidence. Attestation technology today often accomplishes this task via the help of nonces. This document specifies how nonces are provided by an RA/CA to the end entity for inclusion in evidence.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 2 February 2024.

Table of Contents

1. Introduction

Certificate Management Protocol (CMP) [I-D.ietf-lamps-rfc4210bis] defines protocol messages for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components, such as a Registration Authority (RA) and a Certification Authority (CA).

CMP allows an RA/CA to inform an end entity about the information it has to provide in a certification request. When an end entity places attestation information in form of evidence in a certification signing request (CSR) it may need to demonstrate freshness of the provided evidence. Such an attestation extension to a CSR is described in [I-D.ounsworth-csr-attestation]. Attestation technology today, such as [TPM20] and [I-D.tschofenig-rats-psa-token], often accomplishes this task via the help of nonces. A discussion of freshness approaches for evidence is found in Section 10 of [RFC9334].

For an end entity to include a nonce in the evidence (by the attester) it is necessary to obtain this nonce from the relying party, i.e. RA/CA in our use case, first. Since the CSR itself is a 'one-shot' message the CMP protocol is used to obtain the nonce from the RA/CA. CMP already offers a mechanism to request information from the RA/CA prior to a certification request. This document uses the CertReqTemplate described in Section 5.3.19.16 of [I-D.ietf-lamps-rfc4210bis]. Once the nonce is obtained the end entity can issue an API call to the attester to request evidence and passes the nonce as an input parameter into the API call. The returned evidence is then embedded into a CSR and returned to the RA/CA in a certification request message.

This exchange is shown graphically below.

End entity                                          RA/CA
==========                                      =============

              -->>-- CertReqTemplate request -->>--
                                               Verify request
                                               Generate nonce*
                                               Create response
              --<<-- CertReqTemplate response --<<--
                     (nonce)
Generate key pair
Fetch Evidence (with nonce) from attester
Evidence Response from attestation
Creation of certification request
Protect request
              -->>-- certification request -->>--
                     (evidence including nonce)
                                               Verify request
                                               Verify evidence*
                                               Check replay*
                                               Issue certificate
                                               Create response
              --<<-- certification response --<<--
Handle response
Store certificate

*: These steps require interactions with a verifier.

2. Terminology and Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

The terms attester, relying party, verifier and evidence are defined in [RFC9334].

We use the terms certification signing request (CSR) and certification request interchangeably.

3. Certificate Request Template Extension

The following structure defines the attestation nonce provided by the CA/RA via a CertReqTemplate response message. This leads to an extra roundtrip to convey the nonce to the end entity (and ultimately to the attester functionality inside the device).

   id-pe-attestionNonce OBJECT IDENTIFIER ::=  { id-pe TBD1 }

   AttestationNonce ::= OCTET STRING

The end entity MUST construct a CertReqTemplate request message to trigger the RA/CA to transmit a nonce.

When the RA/CA receive the CertReqTemplate request message the profile information is used to determine that the end entity supports attestation functionality. If the end-entity supports attestation and the policy requires attestation information in a CSR to be provided, the RA/CA issues a CertReqTemplate response containing a nonce in in the template. The AttestationNonce MUST contain a random value that depends on the used attestation technology. For example, the PSA attestation token [I-D.tschofenig-rats-psa-token] supports nonces of length 32, 48 and 64 bytes. Other attestation technologies use nonces of similar length. The assumption in this specification is that the RA/CA have out-of-band knowledge about the required nonce length required for the technology used by the end entity.

When the end entity receives the CertReqTemplate response it SHOULD use this nonce as input to an attestation API call made to the attester functionality on the device. The rational behind this design is that the client may support an attestation technology but configuration or policies make it unavailable. Hence, it is better for an RA/CA to be aggressive in sending a nonce, at least where there is a reasonable chance the client supports attestation functionality and the client should be allowed to ignore the nonce if it either does not support it or cannot use it for policy reasons.

While the semantic of the attestation API and the software/hardware architecture is out-of-scope of this specification, the API will return evidence from the attester in a format specific to the attestation technology utilized. The encoding of the returned evidence varies but will be placed inside the CSR, as specified in [I-D.ounsworth-csr-attestation]. The software creating the CSR will not have to interpret the evidence format - it is treated as an opaque blob. It is important to note that the nonce is carried either implictily or explicitly in the evidence and it MUST NOT be conveyed in elements of the CSR.

The processing of the CSR containing attestation information is described in [I-D.ounsworth-csr-attestation]. Note that the CA MUST NOT issue a certificate that contains the extension provided in the CertReqTemplate containing the nonce. Instead the nonce is typically embedded in the evidence and used as a way to provide freshness of the evidence signed by the attester.

[Editor's Note: It may be useful to augment the CertReqTemplate request with information about the type of attestation technology/technologies available on the end entity. This is a topic for further discussion.]

4. IANA Considerations

[Editor's Note: The ASN.1 module OID (TBD2) and the new private extension (TBD1) must be registered.]

5. Security Considerations

This specification adds a nonce to the Certificate Request Template for use with attestation information in a CSR. This specification assumes that the nonce does not require confidentiality protection without impacting the security property of the attestation protocol. [RFC9334] defining the IETF remote attestation architecture discusses this and other aspects in more detail.

For the use of attestation in the CSR the security considerations of [I-D.ounsworth-csr-attestation] are relevant to this document.

6. Acknowledgments

We would like to thank Russ Housley and Carl Wallace for their review comments.

7. Compilable ASN.1 Definitions

PKIX-CMP-KeyAttestationNonceExtn-2023 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmpKeyAttestationNonce(TBD2) }

DEFINITIONS IMPLICIT TAGS ::= BEGIN

IMPORTS

id-pe FROM PKIX1Explicit-2009 -- from [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ;

id-pe-attestionNonce OBJECT IDENTIFIER ::= { id-pe TBD1 }

AttestationNonce ::= OCTET STRING

END

8. References

8.1. Normative References

[I-D.ietf-lamps-rfc4210bis]
Brockhaus, H., von Oheimb, D., Ounsworth, M., and J. Gray, "Internet X.509 Public Key Infrastructure -- Certificate Management Protocol (CMP)", Work in Progress, Internet-Draft, draft-ietf-lamps-rfc4210bis-07, , <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-rfc4210bis-07>.
[I-D.ounsworth-csr-attestation]
Ounsworth, M. and H. Tschofenig, "Use of Attestation with Certification Signing Requests", Work in Progress, Internet-Draft, draft-ounsworth-csr-attestation-00, , <https://datatracker.ietf.org/doc/html/draft-ounsworth-csr-attestation-00>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.

8.2. Informative References

[I-D.tschofenig-rats-psa-token]
Tschofenig, H., Frost, S., Brossard, M., Shaw, A. L., and T. Fossati, "Arm's Platform Security Architecture (PSA) Attestation Token", Work in Progress, Internet-Draft, draft-tschofenig-rats-psa-token-12, , <https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-12>.
[RFC9334]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", RFC 9334, DOI 10.17487/RFC9334, , <https://www.rfc-editor.org/rfc/rfc9334>.
[TPM20]
Trusted Computing Group, "Trusted Platform Module Library Specification, Family 2.0, Level 00, Revision 01.59", , <https://trustedcomputinggroup.org/resource/tpm-library-specification/>.

Authors' Addresses

Hannes Tschofenig
Siemens
Hendrik Brockhaus
Siemens