-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provable boots #158
Comments
The attestation server could generate a challenge and publish EK + AK + quote + hash(challenge) to the log. After activate credential, the client could sign challenge with the AK and publish this result. An auditor could pair these two entries to verify that It's worse than that -- anyone can fake this on their own by creating a fake AK and publishing fake entries to the transparency log for any EK. |
Too bad there isn't a way to get the decrypted seed from |
Well, what you'd do is publish a signature of the "message" ( To make this more useful we need a timestamp as well. So I'd make it:
|
The threat model can't include all entities being compromised! :) |
This seems very much related to #141. In fact, I believe they are duplicates. |
Timestamps are useful, although there are always the questions of "how to set the time?" and "what is time?". The problem with the attestation server generated challenge is that it can then fake the data for the client log entry. The client does not need to be involved, so a single compromise is all that is required. |
Sure, but recall that the client can get credentials from the enrollment server, so the client can also sign its entry with a key that is not known to the attestation server. (Essentially we can have a long-term AK.) |
Regarding time... we need time mainly to make it easier to locate the entries, but for real security we need to make sure that TPM |
For some applications it would be useful to cryptographically prove that an attested server has booted in a trusted state. Ideally these results would be published into a transparency log, which would allow auditing of which machines booted when and in which state.
But wait, you say, isn't that what attestation does? Except that there is nothing in the protocol for an outside observer to tie the quote to the EK -- the ephemeral AK signs it, and there is no proof of possession after the attestation server delivers the
makecredential
blob to the client. The client doesn't reveal the result of the call toactivatecredential
, which is the only thing that ties the AK and quote to the EK.The encrypted assets delivered in the attestation could contain a host key and cert, which could be used as proof-of-posession after
activatecredential
delivers the session key. Although that doesn't tie this boot to the quote, only a boot. The attestation server could include an AK cert, which the client could then publish, but that shifts the trust to the attestation server.This would be easier if the EK could sign things...
The text was updated successfully, but these errors were encountered: