Initial Keying for KeySec
John Viega, Russ Housley
viega@securesoftware.com, housley@vigilsec.com

Progress in AF
• We know where we’re going on what to do once CAs have keys.
• Getting CA keys from pairwise keys is straightforward.
• Little work on initial keying for CA keys
• Channel for data
  – Meant for tunneling EAP, etc.
• Need simple, out of the box way to install keys

Use Case
• New device, need to set it up with pairwise key(s)
• Neighbors should be able to agree on pairwise keys with little manual intervention
• Would like a way to identify “my” devices and validate them.

Proposal (1)
• Assign devices unique 128-bit IDs
  – Loaded with MAC address
  – 32 bits is a vendor identifier
  – 96 bits is vendor dependent, but must be unique
    • Random number is perfectly fine
  – The idea: give IDs to devices as a simple ACL

Proposal (2)
• Use RSA to validate device owns ID and exchange pairwise keys
  – Vendor generates and installs private key and certificate w/ public key
  – Certificate is signed by a vendor’s signing credentials
  – Vendor’s credentials are signed by a root certification authority (CA)
  – IETF likely willing to be that CA
  – CA would endorse vendor’s right to first 32 bits.
  – Vendor would endorse the validity of the remaining bits.
• Net effect: unforgeable credentials that facilitate enrollment

Simple Public Key Infrastructure

Analysis
• Why not use MAC address?
  – MAC address forging is important to layer 2.
  – Devices may have many MAC addresses.
• Auxiliary benefits
  – Solves the layer 2 part of the ARP problem
  – Prevents counterfeiting hardware
  – Provides a basis for establishing trust in firmware
• Drawbacks
  – Have to integrate with manufacturing process
    • Not costly
    • DOCSIS is doing something similar with cable modems
  – Requires hash function for signing
    • Probably SHA1

Example establishment protocol
• SignCrypt encrypts arg1, auths both args
• Unique ID is encoded into certificate
  1. A -> A_cert, SignCrypt(Ra, 0) -> B
  2. A <- B_cert, SignCrypt(Rb, Ra) <- B
  3. A -> AID, SignCrypt(0, Rb) -> B
• Shared secret is Ra XOR Rb
• All signatures and certs validated
• IDs checked to ACL
• On race, M1 from lower unique ID wins
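
The checks each endpoint performs around the three messages above, as an added Python example that is not from the original slides. It assumes the certificates and SignCrypt signatures have already been validated and arg1 decrypted, that nonces are 16 bytes, and that IDs compare as big-endian integers; the `Endpoint` class and the function names are hypothetical.

```python
import hmac
import secrets

NONCE_LEN = 16  # assumed nonce size; the slides do not give one

class Rejected(Exception):
    """Peer failed the ACL check or echoed the wrong nonce."""

def vendor_prefix(device_id: bytes) -> bytes:
    """First 32 bits of the 128-bit unique ID identify the vendor."""
    if len(device_id) != 16:
        raise ValueError("unique ID must be 128 bits")
    return device_id[:4]

def m1_winner(id_a: bytes, id_b: bytes) -> bytes:
    """On a race (both sides sent message 1), the lower unique ID's M1 wins."""
    return min(id_a, id_b)  # equal-length bytes compare as big-endian integers

class Endpoint:
    def __init__(self, device_id: bytes, acl: set):
        vendor_prefix(device_id)  # validates the ID length
        self.device_id, self.acl = device_id, acl
        self.nonce = secrets.token_bytes(NONCE_LEN)  # our Ra or Rb

    def check_acl(self, peer_id: bytes) -> None:
        if peer_id not in self.acl:
            raise Rejected("peer ID not in ACL")

    def on_m1(self, peer_id: bytes, ra: bytes):
        """Responder: message 1 carried (A's ID, Ra); reply with (Rb, Ra)."""
        self.check_acl(peer_id)
        self.peer_nonce = ra
        return self.nonce, ra

    def on_m2(self, peer_id: bytes, rb: bytes, echoed_ra: bytes) -> bytes:
        """Initiator: check ACL and the echoed Ra, then echo Rb in message 3."""
        self.check_acl(peer_id)
        if not hmac.compare_digest(echoed_ra, self.nonce):
            raise Rejected("message 2 does not echo our Ra")
        self.peer_nonce = rb
        return rb

    def on_m3(self, echoed_rb: bytes) -> None:
        """Responder: message 3 must echo the Rb we sent in message 2."""
        if not hmac.compare_digest(echoed_rb, self.nonce):
            raise Rejected("message 3 does not echo our Rb")

    def shared_secret(self) -> bytes:
        """Shared secret is Ra XOR Rb, as on the slide."""
        return bytes(x ^ y for x, y in zip(self.nonce, self.peer_nonce))
```
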

Summary
• Unique IDs on each device
• Simple key management
• Does not eliminate other management methods
  – Credentials could be leveraged in centralized management
• Auxiliary benefits
• Vendor must install keypair