Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Slides:



Advertisements
Similar presentations
Bridging Technical Possibilities With Policy Technicalities Montreal, QC June 24, 2003.
Advertisements

Secure Network Bootstrapping Infrastructure May 15, 2014.
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
1 Miami-Dade County Public Schools. 2 From the Data Center to the Cloud: Manny Castañeda Miami-Dade County Public Schools.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Presentation_ID © 1999, Cisco Systems, Inc. Programmable Networks OPENSIG-99 Industry Panel John Hopprich.
Cloud Usability Framework
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
New Challenges in Cloud Datacenter Monitoring and Management
Windows 2003 and 802.1x Secure Wireless Deployments.
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
Report from the “Smart Object Security Workshop 23 rd March 2012, Paris” Presenter: Hannes Tschofenig.
An Answer to the EC Expert Group on CLOUD Computing Keith G Jeffery Scientific Coordinator.
1 Low-cost Manufacturing, Usability, and Security: An Analysis of Bluetooth Simple Pairing and Wi-Fi Protected Setup Cynthia KuoCarnegie Mellon University.
Eugene Chang EMU WG, IETF 70
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Tiziano Ciceri Product Manager
Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.
© Synergetics Portfolio Security Aspecten.
Secure Credential Manager Claes Nilsson - Sony Ericsson
Application Policy on Network Functions (APONF) G. Karagiannis and T.Tsou 1.
Dnssd requirements draft-ietf-dnssd-requirements-01 Kerry Lynn Stuart Cheshire Marc Blanchet Daniel Migault IETF 89, London, 3 March 2014.
draft-ietf-netconf-zerotouch
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
Stroeder.COM TF-LSD Meeting S/MIME Certificate Collector  Motivation  Proposed Solution  Discussion.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
- NCSU project goals and requirements - Adoption Drivers - Current challenges and pain points - Identacor at NCSU - Identacor Features - NCSU Key Benefits.
IETF-91 (Hawaii) ANIMA WG Meeting Session Session Room Coral 5 November10 th, 2014 ANIMA WG Last update: November.
Page 1 IETF Speermint Working Group Speermint Requirements/Guidelines for SIP session peering draft-ietf-speermint-requirements-02 IETF 69 - Monday July.
Analysis and recommendation for the ULA usage draft-liu-v6ops-ula-usage-analysis-00 draft-liu-v6ops-ula-usage-analysis-00 Bing Liu(speaker), Sheng Jiang.
1 Trusted Transitive Introduction Max Pritikin (Presentation by Cullen Jennings) Revision A.
Introducing… Conferencing Manager. Agenda Citrix MetaFrame Conferencing Manager Solving business challenges Value to our channel Citrix MetaFrame Conferencing.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Slide 1 RFID Network Infrastructure Overview P. Krishna Reva Systems.
Introducing Novell ® Identity Manager 4 Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)
Paris, August 2005 IETF 63 rd – mip6 WG Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-00) mip6-boot-sol DT Gerardo Giaretta,
1 IETF 91, 10 Nov 2014draft-behringer-anima-reference-model-00.txt A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-00.txt.
SRA Key Topics Reference Architectures for Cyber-Physical Systems Dr. Christian El Salloum AVL List GmbH.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,
Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.
Bootstrapping Key Infrastructures
Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.
ONAP SD-WAN Use Case Proposal.
91th IETF, 10 Nov 2014  Michael Behringer Steinthor Bjarnason Balaji BL
A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.
Federated IdM Across Heterogeneous Clouding Environment
draft-ietf-netconf-reverse-ssh
Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)
Windows 10 & Intune: A Modern Desktop Management Story Joe Crandall.
BRSKI overview and issues
PLUG-N-HARVEST ID: H2020-EU
Factory default Setting draft-wu-netmod-factory-default-01
Public Key Infrastructure from the Most Trusted Name in e-Security
YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99
Policy-Based IPSec Management (Role combination)
Examples of deployment scenarios
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski
IoT Onboarding for Date: Authors: November 2018
draft-friel-acme-integrations
Update on BRSKI-AE – Support for asynchronous enrollment
Presentation transcript:

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Security or Usability? Both!

It is a shared problem Netconf “Develop a zero touch configuration document (a technique to establish a secure…” Homenet “consider security aspects and the impact on manageability” 6tisch “zero-touch join: new nodes must recognize the network without explicit provisioning” Anima “Security has many aspects that need configuration and are therefore candidates to become autonomic.” And more!

Key exchange requires Integrity This is well understood “The problem of key exchange has not yet been solved” A solution has not being proposed

Build on the methods we have Physically secured links Previously deployed keys/Trust-Anchors Out-of-band channels (discounted due to usability implications) These are usability challenges Not everybody can balance rocks Vendors will do the hard balancing IETF will make the hard decisions

draft-pritikin-anima-bootstrapping-keyinfra What are the entities? What do they do? Domain Registrar Domain Registrar No user interface “Zero Touch” Flexible but fixed behavior All decisions No crypto by user Minimal Decisions Minimal required behavior Flexible features No lock-in (?) New Entity e.g. Device Cloud e.g. Manufacturer This is a simplified discussion Do: MASA

draft-pritikin-anima-bootstrapping-keyinfra What do they know? Domain Registrar Domain Registrar New Entity e.g. Device Cloud e.g. Manufacturer This is a simplified discussion Manufacturer TA 802.1AR Certificate Nonce Goal: add Domain TA Manufacturer TA(s) Domain TA Access Control List Manufacturer TA(s) Log Know:

draft-ietf-netconf-zerotouch-01 Domain Registrar Domain Registrar No user interface “Zero Touch” Flexible but fixed behavior No crypto by user Build config s6.2 Ownership validation New Entity e.g. Device Cloud e.g. Manufacturer Any errors are attributable to me Manufacturer TA 802.1AR Certificate Goal: add config Manufacturer TA(s) Domain TA Who owns which device Do: Know: For Comparison

draft-richardson-6tisch-security-architecture-02 Domain Registrar Domain Registrar s1.4.2 Ownership validation New Entity e.g. Device Cloud e.g. Manufacturer Any errors are attributable to me Who owns which device Do: Know: For Comparison No crypto by user Requests cert chain specific to device Manufacturer TA(s) Domain TA No user interface “Zero Touch” Flexible but fixed behavior Manufacturer TA 802.1AR Certificate Goal: establish TLS

draft-pritikin-anima-bootstrapping-keyinfra Domain Registrar Domain Registrar No user interface “Zero Touch” Flexible but fixed behavior All decisions No crypto by user Minimal Decisions Minimal required behavior Flexible features No lock-in (?) New Entity e.g. Device Cloud e.g. Manufacturer This is a simplified discussion Do: MASA Manufacturer TA 802.1AR Certificate Nonce Goal: add Domain TA Manufacturer TA(s) Domain TA Access Control List Manufacturer TA(s) Log Know: Recap slide

draft-pritikin-anima-bootstrapping-keyinfra How? Domain Registrar Domain Registrar New Entity e.g. Device Cloud e.g. Manufacturer (discovery ignored here) 802.1AR, nonce Domain TA, Identity, [nonce] Proof of log, privacy protected logs Proof of logging, Domain TA “enroll” e.g. RFC7030 EST Decisions made by policy using logs

Benefits Flexible Device behavior Decisions at Domain Registrar Privacy protected logs The requirement is that Domain Registrar can recognize unexpected and nonceless log entries Flexible Cloud behavior Nonceless entries support time shifting Greater sales integration allows policy enforcement at the cloud Flexible use cases Solves bootstrap of key infrastructure Anima, NETCONF, Homenet, 6tisch etc can build on this Minimum viable feature set is easy to achieve

Thank you