TIGRESS Threat Model

TIGRESS Threat Model Google

lassey@google.com

Apple

castiz@apple.com

Apple

dvinokurov@apple.com

Applications and Real-Time Transfer dIGital cREdentialS Securely tigress threat model This document describes a threat model by which the working group can evaluate potential solutions to the problems laid out in the TIGRESS charter. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transfer dIGital cREdentialS Securely Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The TIGRESS Working Group is chartered to deliver a protocol for transferring copies of digital credentials. The charter specifies certain goals:

Privacy goals:

The intermediate server should not see sensitive details of the Provisioning Information
The intermediate server should not be able to provision the credential itself, acting as an intermediary for the recipient (person-in-the-middle, impersonation attack)
Aside from network-level metadata, the intermediate server should not learn information about the sender or receiver

Security goals:

Allow for ensuring that only the intended recipient is able to provision the credential
Allow for ensuring that the credential can only be provisioned once (anti-replay)
Allow for ensuring that the sender has the intent to transfer (proof of the fact that the initiation of the credential transfer is attributed to a valid device and a user)

Functional goals:

Allow a sender to initiate a credential transfer and select an intermediary server
Allow a recipient to view the transfer request with Provisioning Information , and provision the credential information associated with it upon receipt
Allow a sender and a recipient to perform multiple round trip communications within a limited time frame
Not require that both the sender and recipient have connectivity to the intermediary server at the same time
Support opaque message content based on the credential type
Support a variety of types of credentials, to include those adhering to public standards (e.g., Car Connectivity Consortium) and proprietary (i.e., non-public or closed community) formats

From these goals we can derive a threat model for the general problem space.

Threat Model

Assets and Data

Credential The credential or key that is being transferred via this protocol.

Intermediary data Data that is transferred over the course of the transaction.

Credential transfer invitation The initial data containing Provisioning Information transmetted to the receiver which represents an invitation to accept the transferred credential.

Users

Sender The user who initiates the credential transfer.

Receiver The user who is the intended recipient and accepts the invitation with the transferred credential.

Credential Authority The Provisioning Entity that manages the lifecycle of a credential on a device.

Attackers and Motivations

Threats and mitigations

Threat Description	Likelihood	Impact	Mitigations
An Attacker with physical access to the victim's phone initiates the transfer of a Credential to the the Attacker's device	MED	HIGH
Attacker intercepts or eavesdrops on sharing message	HIGH	HIGH
Sender mistakenly sends to the wrong Receiver	HIGH	HIGH
Sender device compromised	MED	HIGH
Attacker compromises Credential Authority	LOW	HIGH	None
Credential Authority can recognize and track Sender across shares	HIGH	LOW	None
Credential Authority can recognize and track Receiver across shares	HIGH	LOW	None
Sender can recognize and track Receiver across shares	HIGH	LOW	None
Receiver can recognize and track Sender across shares	HIGH	LOW	None

If an intermediary server is used Some designs may rely on an intermediary server to facilitate the transfer of material. Below are threats and mitigations assuming that there is an intermediary server hosting encrypted content at an "unguessable" location.

Threat Description	Likelihood	Impact
Attacker brute forces "unguessable" location	LOW	LOW
Attacker intercepts encryption key	MED	MED
Attacker intercepts encryption key and unguessable location	MED	HIGH
Attacker compromises intermediary server	LOW	LOW
Attacker uses intermediary server to store unrelated items (i.e. cat pictures)	HIGH	LOW

Mitigations.

User authentication at the time of transfer initiation Implementers SHOULD take sufficient precautions to ensure that the device owner is in possession of the device when initiating a transfer such as requiring authentication at the time of initition.

Secret to be sent securily Solution should require an end-to-end encrypted messaging channel or otherwise specify a way to send a secret out of band.

Transfer control Implementers should ensure any initiated attempts of credential transfer can be withdrawn or revoked at any time.

Limited time-to-live for mailbox storage Limited TTL of storage, rate limiting of requests.

Separation of shareURL and secret Separate transmission of encryption key and unguessable location.

Group transfer warning Implementor should warn users about transferring credentials to groups.

Encrypted mailbox content Content on the server is encrypted.

Mailbox size limit and TTL Intermediary server should have tight size limits and TTLS to discourage misuse

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

IANA Considerations This document has no IANA actions.

References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Tigress requirements

Acknowledgments This document took as inspiration the threat model that was part of Dmitry Vinokurov's sample implementation document.