NthPermutation Security LLC

Germantown MD 20874 US msj@nthpermutation.com

Security LAMPS This document describes two ASN.1 Attribute definitions, and an ASN.1 CLASS definition for an attestation statement structure that may be used to encode key attestation data for inclusion in PKCS10 certificate requests and in other circumstances.

Introduction This document creates two ATTRIBUTE/Attribute definitions. The first Attribute may be used to carry a set of certificates or public keys that may be necessary to validate an attestation. The second Attribute carries a structure that may be used to carry key attestation statements, signatures and related data. Both of these Attribute definitions are intended to be used to carry the attestation data a Certification Authority (CA) may need to decide to issue a certificate containg the attested key. The AttestStatement structure provides an encoding that may be used regardless of the actual format and mechanisms used by an given type of attestation. In its simplest expansion it encodes a SEQUENCE of an OBJECT IDENTIFIER and a related ASN.1 type. For the purposes of this document, a "certificate" is a signed binding of a public key and some identifying or use information. An X.509 Certificate is one example, but the structures described below allow for the carriage of any identifiable type of certificate. Examples include Card Verifiable Certificates and implicit certificates.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Definitions The following definitions should be used in the context of this document primarily to understand the relationship of an attestation to the ASN.1 structures used to carry an attestation in PKIX structures. As of the date of this document, the IETF lacked a common nomenclature for attestation-related terms.

Attestation Engine

The secure hardware and firmware used to compose and sign an attestation.

Attestation Key

Either the private key used to sign an attestation statement, or the related public key used to verify the attestation statement, depending on context.

Attester

The entity that directs the creation of an attestation statement and who owns, controls, or is permitted to use the private attestation key.

Ancillary Attestation Data

Any data provided from a source external to the attestation engine as part of the creation of an attestation statement and/or any additional data needed for the verification of an attestation statement. The externally provided data could be a relying party originated nonce, a time stamp, session information or other data meant to be bound in time to the attestation statement. Other additional data may be an internally formatted key, or other data needed to bridge between the attestation statement and PKIX or other relying or interpretating regimes. The format of externally provided data is not under the control of the attestation engine, but may need to be transformed, such as by hashing, before it may be incorporated within the attestation statement processing. For example, a relying party may need both the "externalData" argument for the TPM 2.0 TPM2_Certify command, and the TPMT_PUBLIC structure containing the key being certified to verify an attestation.

Attestation Statement

The object, any optional ancillary data incorporated during the creation of that object, and the signature over that object, created by an attestation engine at the request of an Attester to provide evidence of a fact or set of facts within the cognizance of the attestation engine at a particular point in time." Sometimes referred to simply as an "attestation".

Attestation

The implicit or explicit collection of an attestation statement, any ancillary data, an attestation key, and a chain of trust for that key. By convention, this contains at least the minimum data needed to cryptographically validate an attestation statement and extract any policy meaning.

Key Attestation

An attestation created with respect to a particular key or key pair.

ASN.1 Elements

Object Identifiers Placeholder for now, waiting on guidance. id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) } -- Branch for CSR and related attributes - IETF version of id-at id-cra OBJECT IDENTIFIER ::= { id-pkix (TBD1) } -- Branch for attestation statement types id-ata OBJECT IDENTIFIER ::= { id-pkix (TBD2) }

CertificateChoice This is an ASN.1 CHOICE construct used to represent an encoding of a broad variety of certificate types. CertificateChoice ::= CHOICE { cert Certificate, -- typical X.509 cert opaqueCert [0] IMPLICIT OCTET STRING, -- Format implicitly agreed upon -- by sender and receiver typedCert [1] IMPLICIT TypedCert, typedFlatCert [2] IMPLICIT TypedFlatCert } "Certificate" is a standard X.509 certificate that MUST be compliant with RFC5280. Enforcement of this constraint is left to the relying parties. "opaqueCert" should be used sparingly as it requires the receiving party to implictly know its format. It is encoded as an OCTET STRING. "TypedCert" is an ASN.1 construct that has the charateristics of a certificate, but is not encoded as an X.509 certificate. The certTypeField indicates how to interpret the certBody field. While it is possible to carry any type of data in this structure, it's intended the content field include data for at least one public key formatted as a SubjectPublicKeyInfo (see ). "TypedFlatCert" is a certificate that does not have a valid ASN.1 encoding. Think compact or implicit certificates as might be used with smart cards. certType indicates the format of the data in the certBody field, and ideally refers to a published specification. TypedFlatCert ::= SEQUENCE { certType OBJECT IDENTIFIER, certBody OCTET STRING }

AttestAttribute By definition, Attributes within a Certification Signing Request are typed as ATTRIBUTE. This attribute definition contains one or more attestation statements of a type "AttestStatement". id-cra-attestStatement OBJECT IDENTIFIER ::= { id-cra 2 } AttestAttribute ATTRIBUTE ::= { TYPE AttestStatement IDENTIFIED BY id-cra-attestStatement }

AttestCertsAttribute The "AttestCertsAttribute" contains a sequence of certificates that may be needed to validate the contents of an attestation statement contained in an attestAttribute. By convention, the first element of the SEQUENCE SHOULD contain the object that contains the public key needed to directly validate the attestAttribute. The remaining elements should chain that data back to an agreed upon root of trust for the attestation. id-cra-attestChainCerts OBJECT IDENTIFIER ::= { id-cra 1 } attestCertsAttribute ATTRIBUTE ::= { TYPE SEQUENCE OF CertificateChoice COUNTS MAX 1 IDENTIFIED BY id-cra-attestChainCerts }

AttestStatement An AttestStatement is an object of class ATTEST-STATEMENT encoded as a sequence fields, of which the type of the "value" field is controlled by the value of the "type" field, similar to an Attribute definition. Depending on whether the "value" field contains an entire signed attestation, or only the toBeSigned portion, the algId field may or may not be present. If present it contains the AlgorithmIdentifier of the signature algorithm used to sign the attestation statement. If absent, either the value field contains an indication of the signature algorithm, or the signature algorithm is fixed for that specific type of AttestStatement. Similarly for the "signature" field, if the "value" field contains only the toBeSigned portion of the attestation statement, this field SHOULD be present. The "signature" field may by typed as any valid ASN.1 type. Opaque signature types SHOULD specify the use of sub-typed OCTET STRING. For example: MyOpaqueSignature ::= OCTET STRING If possible, the ATTEST-STATEMENT SHOULD specify an un-wrapped representation of a signature, rather than an OCTET STRING or BIT STRING wrapped ASN.1 structure. I.e., by specifying ECDSA-Sig-Value from PKIXAlgs-2009 to encode an ECDSA signature. ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } The ancillaryData field contains data provided externally to the attestation engine,and/or data that may be needed to relate the attestation to other PKIX elements. The format or content of the externally provided data is not under the control of the attestation engine. For example, this field might contain a freshness nonce generated by the relying party, a signed time stamp, or even a hash of protocol data or nonce data. See below for a few different examples.

IANA Considerations The IANA is requested to open two new registries and allocate a value from the "SMI Security for PKIX Module Identifier" registry for the included ASN.1 module.

"SMI Security for PKIX Certificate Signing Request Attributes" Registry Please open up a registry for CSR Attributes within the SMI-numbers registry, allocating an assignment from id-pkix ("SMI Security for PKIX" Registry) for the purpose. Proposed Name: id-cra (id-cra OBJECT IDENTIFIER ::= {id-pkix (TBD) } ) Initial Contents Initial entries for CSR Attributes registry

Decimal	Description	References
1	Attestation Certificate Chain	This Doc
2	Attestation Statement	This Doc

"SMI Security for PKIX Certificate Signing Request Attributes" Registry Please open up a registry for CSR Attributes within the SMI-numbers registry, allocating an assignment from id-pkix ("SMI Security for PKIX" Registry) for the purpose. Proposed Name: id-ata (id-ata OBJECT IDENTIFIER ::= {id-pkix (TBD) } Initial Contents - None.

Security Considerations The attributes and structures defined in this document are primarily meant to be used as additional Attributes for a PKCS10 Certification Signing Request (CSR). As such, it's up to the receiving/relying party to place as much or as little trust in the contents of these attributes as necessary to satisfy its own policies. A relying party will need either a specification defining how an attestation type was formed and how to validate that type, or a trusted method of verifying the attestation. In the former case, a relying party should consider the information available from any certificate chain covering the attesting key when deciding to accept the attestation. Most attestations will need to provide a method to convert the attested key representation into the equivalent SubjectPublicKey info structure and the attested key MUST be compared for equivalence to the public key provided in the CSR before accepting the attestation. The relying party, as always, is responsible for setting the rules for what it will accept. The presence of an AttestAttribute is not required by any current standard, but such attribute may provide the relying party with additional assurance as a prerequisite to issuing certificates or other credentials. That acceptance criteria is out of scope for this document. Whether to require an AttestAttribute or its contents in any specific use case is out-of-scope for this document.

References Normative References Informative References Federal Office for Information Security Federal Republic of Germany Certicom Research Trusted Computing Group Trusted Computing Group Trusted Computing Group

Examples

Simple Attestation Example This is a fragment of ASN.1 meant to demonstrate an absolute minimal definition of an ATTEST-STATEMENT. A similar fragment could be used to define an ATTEST-STATEMENT for an opaque HSM vendor specific atterstation model.

Example TPM V2.0 Attestation Attribute - Non Normative What follows is a fragment of an ASN.1 module that might be used to define an attestation statment attribute to carry a TPM V2.0 key attestation - i.e., the output of the TPM2_Certify command. This is an example and NOT a registered definition. It's provided simply to give an example of how to write an ATTEST-STATEMENT definition and module. This attestation is the result of executing a TPM2_Certify command over a TPM key. See for more details. The data portion of the value field encoded as OCTET STRING is the attestationData from the TPM2B_ATTEST produced by the TPM. In other words, strip off the TPM2B_ATTEST "size" field and place the TPMS_ATTEST encoded structure in the OCTET STRING data field. The algId is derived from the "sigAlg" field of the TPMT_SIGNATURE structure. The signature field is a TpmSignature, created by transforming the TPMU_SIGNATURE field to the appropriate structure given the signature type. The ancillary field contains a structure with the TPMT_PUBLIC structure that contains the TPM's format of the key to be attested. The attestation statement data contains a hash of this structure, and not the key itself, so the hash of this structure needs to be compared to the value in the attestation attestation statement. If that passes, the key needs to be transformed into a PKIX style key and compared to the key in the certificate signing request to complete the attestation verification. The ancillary field also contains an optional OCTET STRING which is used if the TPM2_Certify command is called with a non-zero length "qualifyingData" argument to contain that data. An AttestCertChain attribute MUST be present if this attribute is used as part of a certificate signing request.

ASN.1 Module for Attestation The following module imports definitions from the modules defined in . IANA Note: Please replace TBDMOD, TBD1 and TBD2 with assigned values.

Acknowledgements Thanks to Russ Housley for a first and useful pass over the original ASN.1. Thanks to Mike Ounsworth for not complaining too much when I wrote this. Placeholder here for people who spend time reviewing the draft!