Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting https://tools.ietf.org/html/draft-viswanathan-dtn-pkdn-00.

Slides:

Advertisements

Similar presentations

Router Identification Problem Statement J.W. Atwood 2008/03/11

Advertisements

Chapter 14 – Authentication Applications

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Validity Management in SPKI 24 April 2002 (author) (presentation)

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Computer Science Public Key Management Lecture 5.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Module 9: Fundamentals of Securing Network Communication.

Module 9: Designing Public Key Infrastructure in Windows Server 2008.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Efficient Fault-Tolerant Certificate Revocation Rebecca Wright Patrick Lincoln Jonathan Millen AT&T Labs SRI International.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz

Security fundamentals Topic 5 Using a Public Key Infrastructure.

AMQP, Message Broker Babu Ram Dawadi. overview Why MOM architecture? Messaging broker like RabbitMQ in brief RabbitMQ AMQP – What is it ?

Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Delay Tolerant Network (DTN) Security Key Management Design Alternatives IETF94 DTN Working Group November 3, 2015 Fred L. Templin

Bootstrapping Key Infrastructures

Public Key Infrastructure. A PKI: 1. binds public keys to entities 2. enables other entities to verify public key bindings 3. provides services for management.

Key management issues in PGP

Alternative Governance Models for PKI

Chapter 5 Network Security Protocols in Practice Part I

Resource subscription using DDS in oneM2M

Multicast Listener Discovery

Zueyong Zhu† and J. William Atwood‡

Cryptography and Network Security

Information Security message M one-way hash fingerprint f = H(M)

Distributed Keyservers

CS480 Cryptography and Information Security

Goals of soBGP Verify the origin of advertisements

Peer-to-peer networking

Delay-Tolerant Security Key Administration (DTKA)

IS3230 Access Security Unit 9 PKI and Encryption

Information Security message M one-way hash fingerprint f = H(M)

Information Security message M one-way hash fingerprint f = H(M)

Using SSL – Secure Socket Layer

کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)

APNIC Trial of Certification of IP Addresses and ASes

Choosing the Discovery Model Martin Forsberg

CompTIA Security+ Study Guide (SY0-501)

Message Security, User Authentication, and Key Management

Security in ebXML Messaging

Created by : Ashish Shah, J.M. PATEL COLLEGE OF COMMERCE

جايگاه گواهی ديجيتالی در ايران

Information Security message M one-way hash fingerprint f = H(M)

Digital Certificates and X.509

刘振上海交通大学计算机科学与工程系电信群楼3-509

Created by : Ashish Shah, J.M. PATEL COLLEGE OF COMMERCE

Data-Centric Networking

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

刘振上海交通大学计算机科学与工程系电信群楼3-509

Proposed DTN WG Charter Items

Presentation transcript:

Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting April 4, 2016 Kapali Viswanathan Fred L. Templin

Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

Delay Tolerant Networking PKDN Overview Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Session management Revocation event propagation Depends on reliable DTN Multicast -Certificate revocation manager certifies one or more validators. -Sender chooses a validator either by configuration or by discovery. Current PoC implements choice by configuration. Secure Communications Revocation status Validated public key certificate Public key certificate

PKDN Layering Delay Tolerant Network Cloud (Interconnected Bundle Protocol Routers) Receiver Bundle Protocol Certificate Revocation Manager Bundle Protocol Validator Bundle Protocol Validator Bundle Protocol Certificate Revocation Manager Bundle Protocol Sender Receiver Bundle Protocol Sender

PKDN Event Propagation Key Generation Key Associated with an addressable Identity Key Use Association (or Key) Expiry Association (or Key) Revocation Key Disuse Role of PKDN: Association performed by arbitrary external software (e.g. X.509 PKI software) PKDN references key uniquely as: (key-fingerprint, expiry- timestamp)n output Role of PKDN: Provides an in-band mechanism to exchange validated certificates Role of PKDN: Propagates public key revocation events to a network of validators using multicast communication Notifies public-key revocation events to interested endpoints

Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

Delay Tolerant Networking Revocation event subscription Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

Delay Tolerant Networking Revocation event & status propagation Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

Delay Tolerant Networking Session management and secure communication Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

PKDN & DTN Key Management Requirements REQ1: Must Provide Keys When Needed Receivers receive validated sender certificates encapsulated with initial message bundles REQ2: Must Be Trustworthy Certificates are signed by trusted authorities Certificate revocations are signed by trusted authorities REQ3: No Single Point of Failure Multiple CRMs are allowed Path redundancy from CRMs to Validators strengthen REQ3 REQ4: Multiple Points of Authority Multiple certificate and certificate revocation authorities can co-exist REQ5: No Veto Validators, Senders, and Receivers can be configured to validate certificates and certificate revocations issued by multiple authorities

PKDN & DTN Key Management Requirements REQ6: Must Bind Public Key with DTN Node Identity Realized using standard public key certificate structures (certificates minimally include address, public key, and expiry date) REQ7: Must Support Secure Bootstrapping All PKDN entities must have root public key and root revocation public key manually installed REQ8: Must Support Revocation Validators and CRM achieve this property REQ9: Revocations Must Be Delay Tolerant Achieved by designing PKDN as a strict overlay on top of DTN and by using event-driven semantics

Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

Draft title changed from ‘draft-viswanathan-dtnwg-pkdn-00’ to align document to DTN Working Group Now using unicast Certificate Revocations for interested parties instead of DTN-wide CRL multicast PKDN Validators remember the certificates of interest to individual receivers for a limited time period Senders must send fresh certificates through a PKDN validator before validator interest memory expiration