FDO Security Requirements

1. Introduction

2. FIDO Onboard Device:

2.1. Introduction

This document assesses the FIDO Device Onboard (FDO) protocol and specifies the security requirements that must be fulfilled in order to attain the stated security goals of this protocol.

2.1.1. Definition

2.2. Device (The device being manufactured; later, the device being provisioned)

2.3. Attack Classification

1. Automated attacks focused on stealing FDO credentials during the manufacturing process.

2. Automated attacks focused on impersonating the Rendezvous Server.

3. Automated attacks focused on impersonating new device owner during ownership transfer.

4. Automated attacks to authenticated device sessions.

5. Non-automated attacks to steal device credentials for cloning

3. Security Goals

3.1. Security Goals for Device

3.2. Security Goals for FDO Application

4. Security Assumptions

5. Asset to be Protected

For each primary asset to be protected, the threat(s) it faces in process, in motion, and in storage will be considered.

5.1. Primary Assets:

5.1.1. Device Attestation Key:

FDO uses cryptographic device attestation based on a signed Entity Attestation Token ([EAT]). The protocol can support many cryptographic mechanisms for device attestation, but this spec supports two basic capabilities: Intel® EPID and ECDSA. For each of the methods, there is a private key that is provisioned into the device, such as when the CPU or board is manufactured, for establishing the trust for a Restricted Operating Environment (ROE) that runs on the device. When signed by the device attestation key, this provides evidence of the code being executed in the ROE.

5.1.2. Ownership Credential:

This is a key pair that serves temporarily to identify the current owner of the device. When the device is manufactured, the manufacturer uses a key pair to put in an initial ownership credential. Later, the protocols conspire specifically to replace this credential with a new ownership credential, effecting ownership transfer.

5.1.3. Device Credential:

The Device credential does not identify the owner in general; it identifies the owner for the purposes of ownership transfer. The device credential from the manufacturer, stored in the device, must match the credential at one side of the Ownership Voucher. That is all. It is not intended that this key pair permanently identify the manufacturer or any of the parties in the Ownership Voucher. On the contrary, it is expected that the manufacturer may use different keys over time, and the owners will also use different keys over time, specifically to obscure their identity in the FDO protocols and increase of the robustness of FDO.

5.2. Secondary Assets:

5.2.1. IoT Platform:

5.2.1.1. FDO Applications:

5.2.1.2. Device Initialize Protocol (DI):

5.2.1.3. Transfer Ownership Protocol 0 (TO0):

5.2.1.4. Transfer Ownership Protocol 1 (TO1):

5.2.1.5. Transfer Ownership Protocol 2 (TO2):

5.2.1.6. Image Showing the Interaction Between the Protocols

6. Threat Analysis

6.1. General Threat List

6.2. Attack Scenarios

6.2.1. At Manufacturing

6.2.2. Device Platform

6.2.3. Communication

6.2.4. FDO Application

7. Impact and Likelihood for Consumer Environment

7.1. Define

• Defining Risk Impact:

• `Low Risk` : _Means that a threat event could be expected to have a limited adverse effect._

• `Medium Risk` : _Means that a threat event could be expected to have a serious adverse effect._

• `High Risk` : _Means that a threat event could be expected to have a severe or catastrophic adverse effect._

• Defining Likelihood:

• `Unlikely` : _Could occur at some time_

• `Likely` : _Will probably occur in most circumstances_

• `Almost certain` : _Can be expected to occur in most circumstances_

Impact is determined by variables that are context dependent, meaning the context of where the device is installed.

7.2. Impact

7.3. Likelihood

7.4. Manufacturing

7.5. Device Platforms

7.6. Communications

7.7. FDO Applications

8. Risk Mitigation and Security Requirements

8.1. Manufacturing Mitigations

8.2. Device Platform Mitigations

8.3. Communication Mitigations

8.4. FDO Application Mitigations

8.5. Security Profiles

9. Security and Privacy Requirements Catalog

10. Security Parameters Stored on FDO Device

The following is a classification of security parameters that are stored in the FDO Device.

• Externally provisioned credentials

• FDO Protocol parameters

• TLS parameters and TLS connection parameters, if TLS is in use

The following table describes parameters in each category:

10.1. The following sources were consulted in the course of this work:

• FIDO Device Onboard Specification: https://fidoalliance.org/specs/FDO/fido-device-onboard-v1.0-ps-20210323/fido-device-onboard-v1.0-ps-20210323.html#OV

• FIDO Security Reference: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html#dfn-sa-1

• ARM PSA Platform Security Architecture Model: https://armkeil.blob.core.windows.net/developer/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0079_PSA_SM_ALPHA-03_RC01.pdf

• ETSI EN 303 645: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

• EUROSMART IoT SCS: https://www.eurosmart.com/eurosmart-iot-certification-scheme/

• OWASP IoT Vulnerabilities: https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

• GlobalPlatform Security Evaluation Standard for IoT Platforms (SESIP): https://globalplatform.org/specs-library/security-evaluation-standard-for-iot-platforms-sesip-v1-0-gp_fst_070/

11. FDO Allowed Cryptography List {#FDO_Allowed_Cryptography_List}

11.1. Requirements for Additional Candidates

If a vendor wants to add a cryptographic security function to the Allowed Cryptography list, then the vendor / lab shall provide a written argument that:

• Additional candidates for algorithms shall at least support a security strength of 112 bits,

• It iIs not a proprietary solution,

• It fulfills the required security attributes (e.g., if the use requires confidentiality and data authentication, the primitive provides this),

• It as a security strength that can be readily characterized,

• It is accepted or recommended by at least one major international standardization group (e.g., ISO, IETF), or one national or European organizations (e.g., NIST [SP800-131Ar2], ANSI, SOGIS [SOGISCrypto]) and

• It has undergone extensive public review.

NOTE: The vendor is responsible for any extension of the COSE and EAT protocols to support a new cryptographic security function.

11.2. Allowed Cryptographic Functions

The stated security level identifies the expected number of computations that a storage-constrained attacker (who has access to more than 2^80 bytes of storage) shall expend in order to compromise the security of the cryptographic security function, under the currently best-known attack that can be conducted under this storage constraint. This has been extracted from the currently best-known relevant attacks against each cryptographic primitive, and is expected to shift over time as attacks improve.

At the time of this document’s is publication, there are not yet any standardized ( NIST Project or ISO/IEC JTC 1/SC 27/WG 2 SD8 on Post-Quantum Cryptography) quantum-safe cryptographic algorithms for asymmetric algorithms (e.g., signature, key protection based on RSA, and anonymous attestation). It is also not yet clear if the key size SHOULD (or SHOULD NOT) be increased for symmetric algorithms.

If the security level stated is n (where the security level is here defined with a classical computing power, and does not take into account quantum cryptanalysis), then the `expected number of computations` is less than the expected number of computations required to guess an `(n+1)-bit random binary string`, and `not less than the number of computations required` to guess an `n` bit random binary string (i.e., on average, the number of computations required is less than `2^n` computations and greater than or equal to `2^(n-1)` computations.)

11.2.1. Post-Quantum Cryptography

Quantum computers are expected to solve problems faster than conventional computing can do. To what extent quantum computers will shorten the time needed to solve some difficult mathematical problems is a matter of controversy. In theory, a large scale, stable, and fault-tolerant quantum computer leveraging Shor’s algorithm could break asymmetric cryptography based on either RSA or Elliptic Curve technology. This means that the factorization of large composite numbers (on which RSA security is based) or the computation of discrete logarithms (on which DSA and ECDSA are based) would become feasible with the use of a quantum computer regardless of the sizes of the keys.

When such mature quantum computers will be available for cryptanalysis purposes is another unknown. Yet because of the serious consequences of this threat becoming a reality, the NIST has decided to start developing standards for asymmetric quantum safe cryptography (https://csrc.nist.gov/projects/post-quantum-cryptography). A call for contributions has started the process for the selection of quantum safe algorithms eligible for standardization back in 2016. Discussions on standardization of quantum safe cryptographic primitives are also ongoing at ETSI CYBER and ISO/IEC JTC 1/SC 27. Stateful hash-based signatures are the first family of quantum safe cryptographic mechanisms standardized (NIST SP 800-208 and ISO 14888-4).

NIST has recently published the list of selected post-quantum algorithms for asymmetric cryptography after the conclusion of the Round 3 of the screening process (https://csrc.nist.gov/projects/post-quantumcryptography/round-3-submissions). This list includes 3 finalist (Crystals-Dilithium, Falcon, Rainbow) and 3 alternate (GeMSS, Picnic, Sphincs+) candidates for a signature algorithm, and 4 finalist (Kyber, NTRU, SABER, Classic McEliece) and 5 alternate (Bike, FrodoKEM, HQC, NTRUprime, SIKE) candidates for a Key Encryption Mechanism/Encryption algorithm. NIST expects to select at most one candidate between Kyber, NTRU and Saber for KEM, and one between Dilithium and Falcon (all based on structured lattices). The final standard will be released as draft for public comment in 2022-2023, and finalized by 2024.

NIST has not planned to standardize key agreement mechanisms to replace DH/ECDH. NIST explained the rationale in its FAQ: “NIST believes that in its most widely used applications, such as those requiring forward secrecy, Diffie-Hellman can be replaced by any secure KEM with an efficient key generation algorithm.” Another solution is to use a hybrid approach, mixing a “classical” algorithm with a quantum-safe one. In this case, keys derived by a hybrid key establishment scheme remain secure if at least one of the underlying schemes is secure. NIST plans to incorporate a hybrid key establishment construction in a future revision of NIST SP 800- 56C.

Dealing with symmetric cryptography, a conservative approach regarding post-quantum symmetric cryptography is to double the key size (i.e., migrating from AES-128 to AES-256) and increase the digest size (i.e., migrating from SHA-256 to SHA-384). But Grover’s algorithm (which could theoretically be used to weaken the security of block ciphers and hash functions) will provide little or no advantage for attacking symmetric cryptography or hash functions. Consequently, AES-128, AES-192 and SHA-256 are still recommended in this version of the document.

11.2.2. Confidentiality Algorithms

Note: Provide confidentiality, up to the stated security level.

11.2.3. Hashing Algorithms

Note: Provide pre-image resistance, second pre-image resistance, and collision resistance.

11.2.4. Data Authentication Algorithms

Note: Provide data authentication. It is not uncommon to truncate the result of a MAC, but to be resistant, the final length should be at least 96 bits (see SOGIS Note 14-MACTruncation96 in SOGISCrypto). The security level cannot exceed the final length.

Note: [1]Both due to the obvious guessing attack, and covers the case where the supplied key is hashed for the HMAC. [2]Based on a birthday attack; a collision of the final state can lead to an existential forgery of longer messages with the same prefix.

11.2.5. Key Protection Algorithms

Note: Provide confidentiality and data authentication.

11.2.6. Agreement Algorithms

Allowing two or more parties to generate a shared secret. It is generally followed by a key derivation function (KDF), as described in the next section, to generate one or several keys from the shared secret.

11.2.7. Key Derivation Functions (KDFs)

11.2.8. Signature Algorithms

Note: Provide integrity, authentication, and non-repudiation.

11.2.9. AEAD Algorithms

Note: Provide confidentiality and data authentication.

Note: ChaCha20-Poly1305 is specified in the given IETF RFC, but it is on the informational track. It is recommended by French ANSSI.

Appendix A: Cryptography Table List

For an overview of Cryptography used in FDO, see [FDO-Specification] Appendix C (https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-RD-v1.1-20211214/FIDO-device-onboard-spec-v1.1-rd-20211214.html)

Note: FIDO Alliance is aware of a later use of Future Crypto (Enhanced Strength for Quantum Safe Cryptography) and will update the tables once standardized (NIST, ISO/IEC).