BRSKI overview and issues

Slides:

Advertisements

Similar presentations

Network Security Essentials Chapter 11

Advertisements

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

Secure Network Bootstrapping Infrastructure May 15, 2014.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

A RELOAD Usage for Distributed Conference Control (DisCo) – update – draft-knauf-p2psip-disco-00 draft-knauf-p2psip-disco-00 Alexander Knauf, Gabriel Hege,

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.

draft-kwatsen-netconf-zerotouch-01

Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

Unit 1: Protection and Security for Grid Computing Part 2

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.

Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.

Bootstrapping Key Infrastructures

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources 1.

Smart Money Concept.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-07 NETCONF WG IETF 93 Prague.

Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.

6tisch security design team: progress since Toronto

Microsoft Windows NT 4.0 Authentication Protocols

Chapter 5 Network and Transport Layers

Trust Anchor Management Problem Statement

University of Stuttgart University of Murcia

Cryptography and Network Security

draft-lemonade-imap-submit-01.txt “Forward without Download”

A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.

Configuring and Troubleshooting Routing and Remote Access

Security and Encryption

Radius, LDAP, Radius used in Authenticating Users

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

* Essential Network Security Book Slides.

NAAS 2.0 Features and Enhancements

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Student: Ying Hong Course: Database Security Instructor: Dr. Yang

CS 465 Certificates Last Updated: Oct 14, 2017.

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

3GPP and SIP-AAA requirements

Kai Bu 05 Secure Connection The topic to be covered this week is secure connection. Apparently, the.

draft-eckert-anima-noc-autoconfig-00 draft-eckert-anima-grasp-dnssd-01

Advanced Computer Networks

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

Introduction to Let’s Encrypt

DTLS Key Establishment for IoT

Session 20 INST 346 Technologies, Infrastructure and Architecture

IoT Onboarding for Date: Authors: November 2018

draft-friel-acme-integrations

Remote ATtestation ProcedureS (RATS)

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

National Trust Platform

Update on BRSKI-AE – Support for asynchronous enrollment

Presentation transcript:

BRSKI overview and issues Very short BRSKI overview. recap of incoming/outgoing discussion audit token, nonce-full/nonce-less versions online view, offline view ownership voucher details: Kent

The cast Manufacturer Manufacturer Authorized Signing Authority (MASA) Registar Join Assistant/Proxy New Node (pledge) (ownership) voucher LL fe80::123->fe80::proxy ULA fd12:345::1-> registrar (circuit proxy, IPIP, NAT66)

Incoming (callhome) / Outgoing Debate I-D.ietf-netconf -call-home 6tisch Will use incoming, With COMI+ System-keystore proxy Call Home -outgoing TCP, followed by swap of client/server Incoming pledge registrar Syn coap Syn/ack pledge registrar Syn ClientHello syn Syn/ack Syn/ack Outgoing ack TLS ClientHello SSH open pledge registrar syn Syn/ack Tcp client TLS server ANIMA Decided to stick With outgoing via proxy Ack TLS ClientHello

Audit tokens and ownership Mix of contradictory requirements! Weak to no link to owner May be bearer token! Likely contains link to owner’s public key. May link to some DN/CN of owner Uses MASA to serve as registration, providing audit trail to subsequent “owners” Ownership Voucher Strong link to owner MASA either produces the voucher (possibly “online”), or provides access to already created voucher. MASA stores history of previous vouchers. (controversial), may include Voucher Revocation List!

Audit vs Ownership Voucher YANG description module: ietf-voucher +--rw voucher Audit Ownership +--rw assertion trust anchor for Registrar +--rw trusted-ca-certificate id of Registrar +--rw certificate-id | +--rw cn-id? string | +--rw dns-id? string +--rw unique-id* id of Pledge +--rw nonce Real Time Clock proofing +--rw created-on if RTC available on Pledge +--rw expires-on +--rw revocation-location under consideration +--rw additional-data future proofing

Token Requirements Online validation May include NEA-type assessment of current firmware of device (remote attestation) back to vendor. Strong connection to supply chain to provide proof of ownership. Offline validation Need to collect all Tokens/Vouchers onto stable storage for use offline. National security concerns, disaster recovery, protection against vendor going out of business Uncooperative/immature supply chain Need to include voucher in bearer token form inside packaging as QR code Supporting re-sale of devices, transitive trust of ownership vouchers