Update on BRSKI-AE – Support for asynchronous enrollment

Slides:

Advertisements

Similar presentations

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Advertisements

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Secure Network Bootstrapping Infrastructure May 15, 2014.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Configuring Active Directory Certificate Services Lesson 13.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Configuring Directory Certificate Services Lesson 13.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.

Michael Myers VeriSign, Inc.

Cullen Jennings Certificate Directory for SIP.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Microsoft Virtual Academy Preparing for the Windows 8.1 MCSA Module 5: Managing Devices & Resource Access.

GEONET Brainstorming Document. Content Purpose of the document Brainstorming process / plan Proposed charter Assumptions Use cases Problem description.

IETF #65 Network Discovery and Selection Problem draft-ietf-eap-netsel-problem-04 Farooq Bari Jouni Korhonen.

Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

Doc.: IEEE /2179r0 Submission July 2007 Steve Emeott, MotorolaSlide 1 Summary of Updates to MSA Overview and MKD Functionality Text Date:

Bootstrapping Key Infrastructures

Access Policy - Federation March 23, 2016

Trust Profiling for Adaptive Trust Negotiation

Public Key Infrastructure (PKI)

Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00

Trust Anchor Management Problem Statement

Cryptography and Network Security

Katrin Hoeper Channel Bindings Katrin Hoeper

A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

OmniRAN Introduction and Way Forward

Integrating the Healthcare Enterprise

THE STEPS TO MANAGE THE GRID

Public Key Infrastructure (PKI)

Session Initiation Protocol (SIP)

BRSKI overview and issues

CS691 M2009 Semester Project PHILIP HUYNH

APNIC Trial of Certification of IP Addresses and ASes

CompTIA Security+ Study Guide (SY0-401)

CS691 M2009 Semester Project PHILIP HUYNH

Charles Clancy Katrin Hoeper IETF 73 Minneapolis, USA 17 November 2008

NAAS 2.0 Features and Enhancements

Goals Introduce the Windows Server 2003 family of operating systems

LXI Security Overview October 2018 Rev 1.8.

Public Key Infrastructure from the Most Trusted Name in e-Security

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Pre-Authentication Authentication of Management Frames

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

draft-eckert-anima-noc-autoconfig-00 draft-eckert-anima-grasp-dnssd-01

Advanced Computer Networks

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski

OpenID Enhanced Authentication Profile (EAP) Working Group

Cryptography Lecture 27.

IoT Onboarding for Date: Authors: November 2018

draft-friel-acme-integrations

OpenID Enhanced Authentication Profile (EAP) Working Group

Presentation transcript:

Update on BRSKI-AE – Support for asynchronous enrollment draft-fries-anima-brski-async-enroll-01 Steffen Fries, Hendrik Brockhaus, Eliot Lear IETF 105 – ANIMA Working Group

Problem statement There exists various industrial scenarios, which have limited online connectivity to backend services either technically or by policy. This may limit the exchange of certification request/response messages with an offsite PKI for issuing an LDevID. assume only limited on-site PKI functionality support (Proxy) Rely on a backend or centralized PKI, to perform (final) authorization of certification requests for an operational certificate (LDevID). May not feature trusted domain component for store and forward require multiple hops to the issuing PKI due to network segmentation. required consistency for certificate management over device / system lifecycle (e.g. , existing industrial standards require support of multiple enrolment protocols on the central side, while letting the pledge pick) Asset Management would be used to gain information about devices to be enrolled

Changes from version 00  01 Update of examples, specifically for building automation as well as introduction of two new application use cases (Infrastructure isolation policy, Less operational security in the deployment domain) in section 4.2. Consideration of existing enrollment protocols in the context of mapping the requirements to existing solutions in Section 4.3. Enhancement of description of architecture elements and potential changes to influences on BRSKI in Section 5. Removal of combined asynchronous interaction with MASA to not complicate the use case in section 5. New section 7 starting with the mapping to existing enrollment protocols by collecting boundary conditions.

Asynchronous enrollment with self-contained objects Asynchronous enrollment has to cope with at leas the following requirements: Proof of possession of the private key corresponding to the public key contained in the certification request Proof of identity of the requestor, bound to the certification request (and thus to the proof of possession) Certificate waiting indication if the contacted RA is not able to issue the requested certificate immediately or is not reachable

Recap: BRSKI supports synchronous enrollment Use of self-contained voucher (RFC 8366) to transport domain certificate signed by MASA does not rely on transport security can be leveraged for asynchronous provisioning of the voucher Use of online enrollment protocol (EST, RFC 7030) Utilizes PKCS#10 for CSR and uses IDevID of pledge for authentication during TLS handshake. Assumes enrollment authorization based on IDevID at the on-site RA/CA with authorization database. +------------------------+ +--------------Drop Ship--------------->| Vendor Service | | +------------------------+ | | M anufacturer| | | | A uthorized |Ownership| | | S igning |Tracker | | | A uthority | | | +--------------+---------+ | ^ | | BRSKI- V | MASA +-------+ ............................................|... | | . | . | | . +------------+ +-----------+ | . | | . | | | | | . |Pledge | . | Join | | Domain <-------+ . | | . | Proxy | | Registrar | . | <-------->............<-------> (PKI RA) | . | | | BRSKI-EST | | . | | . | | +-----+-----+ . |IDevID | . +------------+ | . | | . +-----------------+----------+ . | | . | Key Infrastructure | . | | . | (e.g., PKI Certificate | . +-------+ . | Authority) | . . +----------------------------+ . . . ................................................ "Domain" components

BRSKI-AE provides enhancements for asynchronous enrollment +------------------------+ +--------------Drop Ship--------------->| Vendor Service | | +------------------------+ | | M anufacturer| | | | A uthorized |Ownership| | | S igning |Tracker | | | A uthority | | | +--------------+---------+ | ^ | | V | +--------+ ......................................... | | | . . | | | . +------------+ +------------+ . | BRSKI- | | . | | | | . | MASA | Pledge | . | Join | | Domain <-----+ | | . | Proxy | | Registrar/ | . | <-------->............<-------> (L)RA | . | | . | BRSKI | | . | IDevID | . | | +------^-----+ . | | . +------------+ | . | | . . . +--------+ ...............................|......... "on-site domain" components . | . .............................................|..................... . +---------------------------+ +--------v------------------+ . . | Public Key Infrastructure |<----+ PKI RA | . . | PKI CA |---->+ [(Domain) Registrar (opt)]| . . +---------------------------+ +--------+--^---------------+ . . | | . . +--------v--+---------------+ . . | Inventory (Asset) | . . | Management | . . +---------------------------+ . ................................................................... "off-site domain" components Utilizes self-contained-object for certification request/response (CSR wrapping using existing certificate (IDevID)).  combines proof of possession and proof of identity Allows interaction with an off-site PKI rely on on-site simple store-and-forward (optionally no Domain Registrar) CSR authorization in conjunction with off-site asset management system But requires certificate waiting indication Support of in-band and out-of-band certificate management throughout the device lifecycle Allows BRSKI application in domains that already selected (other) enrollment protocols.

Requirement coping of (selected) enrollment protocols with respect to the asynchronous enrollment EST (RFC 7030) Proof of possession: using PKCS #10 structure in the request method. Proof of identity: only for /fullcmc request. EST references RFC 5272 for fullcmc request. Signature of the SignedData of Full PKI Request calculated using the IDevID credential. Cert waiting indication: a 202 return code should be returned by the Join Registrar. Note that depending on the TLS binding, PKCS #10 has to be re-generated if teared down. CMP (RFC 4210) Proof of possession: provided by using either CRMF or PKCS#10 for certification request. Proof of identity: can be provided by using the MSG_SIG_ALG to protect the certificate request message with signatures Cert waiting indication: returned in the PKIStatus by the Join Registrar. Pledge retries using PollReqContent with a request identifier certReqId provided in initial CertRequest

Next Steps Further refinement of the approach Definition of an abstract self-contained approach  YANG model, protocol agnostic Should allow support of existing enrollment protocols Allow domain registrar to support different enrollment protocol options Is the WG interested in this work?

Backup