Authentication among distributed workloads is a critical yet complex task. PKI-based authentication relies heavily on software to anchor the trustworthiness of workloads, and therefore fails to reliably convey the security state of the workload in the face of impersonation and persistent attackers. This is most apparent in cases where the underlying platform is particularly exposed and outside the owner's control, such as in cloud computing and IoT. Hardware features have thus been introduced to enable remotely verifiable “trust metrics” using attestation. Such hardware-backed features provide a cryptographic proof of the software stack, and strong guarantees that the cryptographic keys used by the workload are properly protected from exfiltration. However, remote attestation comes with its own need to share and verify metadata, which must be engineered into existing software. While the protocol used to exchange this metadata is largely irrelevant to the actual attestation procedure, its positioning in the networking stack can enable specific use cases and enhance the performance of the entire system. An appealing approach is to allow the creation of secure channels (such as TLS connections) using attestation metadata as the authentication mechanism. Current designs either rely on running an attestation protocol on top of an existing secure channel, or modify the semantics of certificates to convey attestation information when establishing the secure channel.
Our work focuses on standardising attestation metadata as first-class credentials in TLS. This new approach allows native, opaque metadata to be conveyed for authentication during the TLS handshake instead of (or together with) X.509 certificates. Supporting flexibility in deployments without compromising on security has been a prime goal. Thus, we aim to cater to interaction models in which either the client, the server, or both can attest themselves, leveraging any hardware backend, and using different verification topologies. To showcase the standardisation effort, we are also developing an open-source, end-to-end proof-of-concept implementation of one of the supported interaction models. The PoC builds on two Linux Foundation projects – Parsec to abstract the root-of-trust attestation primitives, and Veraison to consume and verify the new evidence formats – and modifies mbedTLS to support a subset of the newly defined TLS extensions. As its hardware root of trust, the proof of concept currently uses a TPM 2.0, with support for others being considered.