PreShared Key TLS with GBA support Thesis presentation

Pre-Shared Key TLS with GBA support
Thesis presentation, 22.4.2008, Espoo, Finland
Guoqing Zhang
Company Confidential 1 © 2005 Nokia V 1 -Filename. ppt / yyyy-mm-dd / Initials

Outline
Theory:
• Pre-Shared Key TLS protocol
• Key selection in PSK-TLS
• Generic Bootstrapping Architecture
• Combination of PSK-TLS with GBA
Own work:
• Implementation of PSK-TLS on Symbian OS
• Design problem in key agreement of PSK-TLS
• Improvement proposal on key agreement of PSK-TLS
• Conclusions

Pre-Shared Key TLS protocol
• What is PSK-TLS
  • PSK-TLS is a new transport layer protocol for establishing a secure connection between client and server via a pre-shared symmetric key
  • PSK-TLS is otherwise the same as TLS but introduces its own way of generating the pre-master secret.
• Why
  PSK-TLS avoids public key operations, which are heavy for power-limited devices like mobile phones
• How the pre-shared key is used
  The pre-shared key is used to generate the pre-master secret in the TLS protocol as below:
• Key Selection
  It is very likely in practice that there are different PSKs available for different usages. When multiple PSKs coexist in the device, PSK-TLS provides a mechanism to help client and server agree on which PSK should be used.

Key Selection in PSK-TLS
• The client indicates its willingness to use PSK-TLS by including PSK cipher suites in ClientHello
• The server provides PSK-Identity-Hint in ServerKeyExchange to help the client agree on the PSK
• The client sends PSK-Identity back to the server to inform it about the key it chooses
Unsolved problem: PSK-TLS only specifies how to use the PSK but doesn't give a solution for how to get the PSK in place.
How to get a symmetric key installed among the communicating entities?
The security of PSK-TLS rests on the pre-shared key. For two entities which have never communicated before, how can they be made to share the same symmetric key, which will be used to establish a secure connection later?

Generic Bootstrapping Architecture - Background
• GBA is a generic architecture which reuses the existing infrastructure in the mobile network to install a symmetric key into client (UE) and server (NAF)
• It is specified by 3GPP and promoted to be widely used for service protection in mobile networks.
• GBA is a service which should be provided by operators.
• The operator acts as a trust authority for both mobile phone users and service providers
• GBA brings more business opportunities to operators.

Generic Bootstrapping Architecture – How GBA works
• Model for bootstrapping
• GBA is run on the Ub interface. The BSF is located in the operator domain. The aim of GBA is to install a shared key in both UE and NAF. The NAF can be a web server, for instance
• HTTP Digest AKA is the protocol over the Ub interface

Generic Bootstrapping Architecture – How GBA works, continued
• When a user subscribes to an operator, a SIM card with a secret key is issued to the subscriber. The key is shared between the operator's HLR database and the SIM. This secret key is the basis of GBA
• The NAF key is generated from Ks
• The NAF requests the key from the BSF after bootstrapping
• NAF_ID is composed of the FQDN of the NAF plus the ID of the algorithm on the Ua interface

Combination of PSK-TLS with GBA
• GBA installs Ks_NAF in both UE and NAF, and the key can be used as the PSK in PSK-TLS to generate the pre-master secret
• Since Ks_NAF is calculated from the NAF FQDN, PSK-TLS needs to support the TLS extension specified in RFC 3546 for the case where one physical server has multiple virtual hostnames.
• The ServerKeyExchange contains “3GPP-bootstrapping” as PSK-Identity-Hint
• The ClientKeyExchange contains the B-TID as PSK-Identity
• The server provides the B-TID and hostname to the BSF for Ks_NAF derivation
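The key chain on this slide, as an added example (not code from the thesis or its Symbian implementation): Ks_NAF is derived from Ks and the NAF hostname, then wrapped into the PSK-TLS pre-master secret, which shows why both sides must agree on the virtual hostname. The KDF input layout is taken from 3GPP TS 33.220 Annex B and the pre-master secret layout from RFC 4279, not from the slides; the key, RAND, IMPI, hostnames and 5-octet Ua identifier are constructed sample values.

```python
import hashlib
import hmac
import struct

def lv(p: bytes) -> bytes:
    # KDF input encoding: parameter Pi followed by its 2-octet length Li
    return p + struct.pack(">H", len(p))

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, fqdn: str, ua_id: bytes) -> bytes:
    if len(ua_id) != 5:
        raise ValueError("Ua identifier must be 5 octets")
    naf_id = fqdn.encode("utf-8") + ua_id  # NAF_ID = NAF FQDN || Ua identifier
    # S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3, with FC = 0x01
    s = b"\x01" + lv(b"gba-me") + lv(rand) + lv(impi.encode("utf-8")) + lv(naf_id)
    return hmac.new(ks, s, hashlib.sha256).digest()  # 32-octet Ks_NAF

def psk_premaster_secret(psk: bytes) -> bytes:
    # RFC 4279 (plain PSK): uint16 N, N zero octets, uint16 N, the N-octet PSK
    n = struct.pack(">H", len(psk))
    return n + bytes(len(psk)) + n + psk

# Constructed sample values, not taken from the slides
KS = bytes(range(32))                # Ks agreed between UE and BSF
RAND = bytes(range(16, 32))          # AKA challenge used during bootstrapping
IMPI = "user@operator.example"
UA_ID = bytes.fromhex("0100010000")  # placeholder Ua identifier

def premaster_for(hostname: str) -> bytes:
    ks_naf = derive_ks_naf(KS, RAND, IMPI, hostname, UA_ID)
    return psk_premaster_secret(ks_naf)

def handshake_agrees(client_host: str, server_host: str) -> bool:
    # The UE derives Ks_NAF for the name it connected to; the BSF derives it
    # for the hostname the NAF reports. A mismatch yields different secrets.
    return hmac.compare_digest(premaster_for(client_host), premaster_for(server_host))

if __name__ == "__main__":
    print(handshake_agrees("shop.naf.example", "shop.naf.example"))  # True
    print(handshake_agrees("shop.naf.example", "mail.naf.example"))  # False
```

Without the RFC 3546 hostname extension, a server hosting both names cannot tell which FQDN the client used, so the second case is what a shared physical host would run into.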

Implementation of PSK-TLS with GBA support on Symbian OS
• The aim of the implementation is to make PSK-TLS available automatically to applications using the TLS stack, without extra changes on their side.
• The TLS stack chooses the key sharing plug-in for the key agreement based on the PSK-Identity-Hint from the server

Design problem in key agreement of PSK-TLS
When multiple key sharing methods are available:
• The current design of key agreement in PSK-TLS relies on the PSK-Identity-Hint in ServerKeyExchange to indicate the key sharing method to use for PSK agreement. This causes handshake failure if the requested key sharing method is not supported by the client
• To decrease the possibility of handshake failure, the client could indicate the supported key sharing methods already at the beginning of the handshake, namely when ClientHello is sent
When client and server are from different Operation Domains:
• When GBA is used as the key agreement method, the roaming situation should be taken into account; otherwise a PSK cannot be agreed even though both client and server support GBA.
• PSK-TLS needs improvements to the key agreement methods!
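The hint-driven plug-in selection from this slide and the implementation slide before it, including its failure case, as an added example rather than the thesis's Symbian code: the client parses the PSK-Identity-Hint from ServerKeyExchange, picks a key sharing plug-in and answers with the B-TID. The plug-in registry, function names and B-TID value are hypothetical; the 2-octet length prefix is the RFC 4279 encoding of hint and identity.

```python
import struct

class HandshakeFailure(Exception):
    """Raised where a real TLS stack would abort the handshake."""

def read_opaque16(buf: bytes) -> bytes:
    # TLS opaque<0..2^16-1>: 2-octet big-endian length, then the value
    if len(buf) < 2:
        raise HandshakeFailure("truncated ServerKeyExchange")
    (n,) = struct.unpack(">H", buf[:2])
    if len(buf) != 2 + n:
        raise HandshakeFailure("bad psk_identity_hint length")
    return buf[2:]

def gba_plugin() -> bytes:
    # Hypothetical plug-in: returns the B-TID obtained during bootstrapping.
    return b"Y29uc3RydWN0ZWQ=@bsf.operator.example"  # constructed B-TID

# Hypothetical registry: PSK-Identity-Hint -> key sharing plug-in
PLUGINS = {b"3GPP-bootstrapping": gba_plugin}

def server_key_exchange(hint: bytes) -> bytes:
    # Server side: ServerKeyExchange body carrying only the identity hint
    return struct.pack(">H", len(hint)) + hint

def client_key_exchange(ske: bytes, plugins=PLUGINS) -> bytes:
    # Client side: the hint alone decides which key sharing method is used.
    hint = read_opaque16(ske)
    plugin = plugins.get(hint)
    if plugin is None:
        # The design problem: the client learns the method only now, so an
        # unsupported method cannot be negotiated away and the handshake fails.
        raise HandshakeFailure(f"no key sharing plug-in for hint {hint!r}")
    identity = plugin()  # B-TID sent as PSK-Identity
    return struct.pack(">H", len(identity)) + identity

if __name__ == "__main__":
    print(client_key_exchange(server_key_exchange(b"3GPP-bootstrapping")))
    try:
        client_key_exchange(server_key_exchange(b"other-method"))
    except HandshakeFailure as err:
        print("handshake failure:", err)
```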

Improvement Proposal on Key agreement of PSK-TLS
• New format of PSK related cipher suites in PSK-TLS
  Old format: TLS_PSK_WITH_RC4_128_SHA
  New format: TLS_PSKGBA_WITH_RC4_128_SHA
• Using a TLS extension to deliver the operation identity for key agreement in PSK-TLS with GBA in the roaming situation
  enum ExtensionType {
      host_name(0),
      max_fragment_length(1),
      client_certificate_url(2),
      trusted_ca_keys(3),
      truncated_hmac(4),
      status_request(5),
      gba(6)
  }
• This requires changes to RFC 4279 and to TS 33.220 in 3GPP. It is not accepted yet, so we didn't take it into account when implementing PSK-TLS.

Conclusions
• PSK-TLS with GBA support provides a good solution to mobile network security. It is promoted to be widely used. Symbian OS, as the world-leading mobile OS, must support it for business reasons
• It is possible to make PSK-TLS transparent to applications using the TLS stack. Making the mechanism easy to use would encourage application designers to select it as their security solution.
• The improvements to PSK-TLS will decrease the possibility of handshake failure dramatically.
• In future, we should also provide an API that allows applications to set the PSK. Applications that know the PSK can use the API to put the wanted PSK into use. Applications that do not have this information can rely on the TLS stack to handle it.

Questions?

Thank you!