(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

Slides:

Advertisements

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.

Advertisements

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Internet Engineering Task Force Provisioning of Symmetric Keys Working Group Hannes Tschofenig.

Some Thoughts on Data Representation 47th IETF AAAarch Research Group David Spence Merit Network, Inc.

Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,

802.1x EAP Authentication Protocols

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,

Client-server interactions in Mobile Applications.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

An XMPP (Extensible Message and Presence Protocol) based implementation for NHIN Direct 1.

Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Module 9: Fundamentals of Securing Network Communication.

DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.

DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.

Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session.

November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Web Services Security Patterns Alex Mackman CM Group Ltd

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.

Diameter Overload DIME WG IETF 87 July, Starting Point DIAMETER_TOO_BUSY provides little guidance on what a Diameter client should do when it receives.

IETF 78 Maastricht 27 July 2010 Josh Howlett, JANET(UK)

Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.

August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.

MIP6 RADIUS IETF-72 Update draft-ietf-mip6-radius-05.txt A. LiorBridgewater Systems K. ChowdhuryStarent Networks H. Tschofenig Nokia Siemens Networks.

Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.

- Richard Bhuleskar “At the end of the day, the goals are simple: safety and security” – Jodi Rell.

Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.

CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López

Convergence of Network Management Protocols

Informing AAA about what lower layer protocol is carrying EAP

CSE Retargeting to AE, IPE, and NoDN Hosted Resources

Phil Hunt, Hannes Tschofenig

Bert Greevenbosch, ACE comparison Bert Greevenbosch, draft-greevenbosch-ace-comparison.

Securing the CASP Protocol

OAuth Design Team Call 11th February 2013.

Diameter ABFAB Application

Presentation transcript:

(Preliminary) Gap Analysis Hannes Tschofenig

Goal of this Presentation The IETF has developed a number of security technologies that are applicable to the presented use cases. Is there possibility for re-use? Go through a few selected technologies to identify gaps.

Non-Goals Design the solution in this room.  Don’t get hung up on the details.

Tutorials Kerberos – Slides Slides – Recording Recording OAuth – Slides Slides – Recording Recording “PKI/Certificate Model” – Slides Slides – Recording Recording AAA – Slides: Note:.arf files are Webex recordings. You might need to use a Webex player. See

ABFAB | Authorization | | Server | | | +-^ ^--+ * EAP o RADIUS * o v v--+ | | | | | Client | EAP/EAP Method | Resource | | | | Server | | | GSS-API | | | | | | | | Application | | | | Data | | | | | |

Gaps Real-time interaction between the AAA server and the resource server. ABFAB architecture uses layering of EAP within the GSS-API, which adds additional overhead. A binding for the transport of EAP payloads in CoAP, for example, does not exist. No unified authorization policy language has been defined for the AAA/EAP architecture. Instead, RADIUS attributes carry information about access control decisions.

Kerberos | Authorization | | Server | ^ / Request / / Ticket / / / /Ticket / /{SK}C-KDC / / / v | | Ticket + Authenticator | Resource | | Client | >| Server | | | | | Application Data

Gaps Each ticket is only usable for a single service (intentionally). Kerberos uses ASN.1 for encoding of the ticket and various messages. No access control policy language has been standardized. – Standardization in KITTEN in progress. – Proprietary policies are, however, used in real-world deployments. A CoAP binding for the KRB_PRIV and the KRB_SAFE message exchanges not been defined. Ticket and Authenticator rely on symmetric key only.

OAuth |Authorization| |Server | ^ / Request / / Access / / Token / /Access Token / / O / v /|\ | -----> | | Access Token | Resource | / \ | Server | Resource | | | | Owner Application Data

Gaps Support for cross-realm interaction has not been standardized. A binding for CoAP does not exist for the client to authorization server nor for the client to resource server. The OAuth architecture does not standardize the authentication procedure of the resource owner to the authorization server itself. Profile is needed to navigate through the options (since OAuth provides a lot of flexibility). CoAP/DTLS bindings currently not defined.

“PKI/Certificate Model” |Certification| | Authority | ^ / Request / / Short / / Lived / /Short Lived Cert / / Certificate / / / v | | DTLS with certificate | | | | or app layer msg w/cert |Resource | | Client | >|Server | | | | | Application Data

Gaps The certificate format and the PKI management protocols use ASN.1. No UDP or CoAP transport is defined for CMC/CMP/SCEP. For PKCS#10 no transport is defined at all. Asymmetric cryptography is computationally more expensive than symmetric cryptography but offers additional security benefits.

Conclusion … need to agree on the requirements first. – There may also be other relevant security technologies as well. Our preliminary analysis makes us believe that some work is needed to get these security protocols to work on constrained devices. Need a venue to have a dialog.