CMC and PKI4IPSEC Jim Schaad. Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure.


CMC and PKI4IPSEC Jim Schaad

Requirements Issues
What does MAY really mean
What does SHOULD really mean
Requirements on Admin Peer
Requirements on structure
Remove requirements in PROFILE doc

How CMC wants to do this
Use standard request/response messages
Use Transaction ID and nonces
Use Pending

Pretty Picture
REPOSITORY CA | | | RA --- Admin | | | Peer

Basic Enroll Process
Establish Authorization
Distribute Authorization
Generate Public Key
Request Cert
Get Cert
  –Get trust anchor(s)

Admin Authorization Process
Create Template
Request Authorizations
Get Authorizations Back
Distribute Authorizations

Template Creation
Out Of Band negotiation
Template
  –Fixed portion
  –Restrictions
  –Control Items
  –Variable Portions
Substitution if - then - else
types
  –General Name
  –UTF8 String
  –Time
  –Extension
  –Other?
Who can authorize

Request Authorizations
Use CMC Request Body with new control
For n items provide
  –template id
  –variable portion tokens
  –Timeout
must not match any current authorization
comparison rules
  –Binary or intelligent (ä has multiple encodings)
should collision in current message error for both?
should collision with existing item error for both?
Re-request authorization?
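
The collision question on this slide, worked through as an added example that is not from the slides. The function names, the use of NFC normalization as the "intelligent" rule and the sample names are assumptions made for illustration.

```python
import unicodedata

def comparison_key(template_id, tokens, rule):
    """Key used to decide whether two authorization requests 'match'."""
    if rule == "binary":
        parts = tuple(t.encode("utf-8") for t in tokens)
    elif rule == "normalized":
        # Assumption: NFC stands in for the slide's "intelligent" comparison.
        parts = tuple(unicodedata.normalize("NFC", t).encode("utf-8") for t in tokens)
    else:
        raise ValueError("unknown rule: " + rule)
    return (template_id, parts)

def find_collisions(existing, batch, rule):
    """Return (in_message, with_existing).

    in_message: pairs (i, j) of batch indexes that match each other.
    with_existing: batch indexes that match a current authorization.
    """
    current = {comparison_key(t, v, rule) for t, v in existing}
    first_seen = {}
    in_message, with_existing = [], []
    for i, (template_id, tokens) in enumerate(batch):
        key = comparison_key(template_id, tokens, rule)
        if key in current:
            with_existing.append(i)
        if key in first_seen:
            in_message.append((first_seen[key], i))  # both items are candidates for an error
        else:
            first_seen[key] = i
    return in_message, with_existing

# Constructed sample data: one current authorization and a three-item request.
EXISTING = [("tmpl-1", ["j\u00e4ger.example"])]   # precomposed ä (U+00E4)
BATCH = [
    ("tmpl-1", ["ja\u0308ger.example"]),          # a + combining diaeresis (U+0308)
    ("tmpl-1", ["peer1.example"]),
    ("tmpl-1", ["peer1.example"]),                # duplicate inside the same message
]
```

Under the binary rule the first batch item is accepted next to a current authorization that renders identically; under the normalized rule it is reported as a collision with the existing item.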

Get Authorizations Back
Use CMC Response Message
for n items return
  –Auth token – PrintableString (ASCII)
  –Auth Passphrase – PrintableString (ASCII)
  –success/failure – error codes
  –Optional - token strings & id ? requirement PKI may alter parameters and return to admin for check §3.2.5

Distribute Authorization
Data to be distributed
  –Authentication Token
  –Passphrase
  –Name of entity to talk to
Optional Items
  –Trust anchor information
  –Restrictions Key Type, Key Length,…

Authorization Cancel
CMC Request/Response Pair w/ new controls
Authorization is identified by token
allow for bulk revoke or just singles?
May be signed by admin (SignedData) or use MAC by passphrase possessor (AuthData)
Race conditions between issuing a cert and cancel
Cancel of an issued Certificate return either success or consumed (with cert identifier)
Query if authorization is still current?
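
One way an RA could close the issue/cancel race named on this slide, as an added example that is not from the slides. The class, state names and status strings are hypothetical; the point is that issuance and cancel are decided under one lock, so a cancel either wins ("success") or learns which certificate was issued ("consumed").

```python
import threading
import time

ACTIVE, CONSUMED, CANCELLED = "active", "consumed", "cancelled"

class AuthorizationStore:
    """Hypothetical RA-side table of authorizations, keyed by auth token."""

    def __init__(self):
        self._lock = threading.Lock()
        self._auths = {}  # token -> [state, expiry, cert_id]

    def add(self, token, timeout_s, now=None):
        now = time.time() if now is None else now
        with self._lock:
            if token in self._auths:
                raise ValueError("token already exists")
            self._auths[token] = [ACTIVE, now + timeout_s, None]

    def consume(self, token, cert_id, now=None):
        """Called at issuance time. Returns (status, cert_id)."""
        now = time.time() if now is None else now
        with self._lock:
            entry = self._auths.get(token)
            if entry is None:
                return ("unknown", None)
            if entry[0] != ACTIVE:
                return (entry[0], entry[2])   # already consumed or cancelled
            if now >= entry[1]:
                return ("expired", None)
            entry[0], entry[2] = CONSUMED, cert_id
            return ("issued", cert_id)

    def cancel(self, token):
        """Returns ("success", None) or ("consumed", cert_id)."""
        with self._lock:
            entry = self._auths.get(token)
            if entry is None:
                return ("unknown", None)
            if entry[0] == CONSUMED:
                return ("consumed", entry[2])
            entry[0] = CANCELLED
            return ("success", None)

def race(store, token, cert_id):
    """Run issuance and cancel concurrently and report both outcomes."""
    out = {}
    threads = [
        threading.Thread(target=lambda: out.update(issue=store.consume(token, cert_id))),
        threading.Thread(target=lambda: out.update(cancel=store.cancel(token))),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return out
```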

EE Request Structure
SignedData identify key by SKI
id-cct-PKIData encap content
Controls
  –id-cmc-identification - auth token
  –id-cmc-identityProof - derived from passphrase
  –id-cmc-transactionID - random number
  –id-cmc-senderNonce - random number
CRMF CertRequest
  –certReqID - fixed value ok
  –subject name cn=
  –Public Key
  –SKI Extension with possibly fixed value.
  –Other extensions as required
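
An added example (not from the slides) of the RA-side check on the four controls listed above. It assumes id-cmc-identityProof is computed as RFC 2797 defines it, HMAC-SHA1 over the DER-encoded reqSequence keyed with the SHA-1 hash of the shared secret; the dictionary layout, function names, status strings and sample bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed RA-side table: auth token -> passphrase (both ASCII, as on the slides).
AUTHORIZATIONS = {"TOKEN-0001": "correct horse battery"}
SEEN = set()  # (token, transactionID, senderNonce) tuples already processed

# Constructed placeholder standing in for the DER bytes of a real reqSequence.
SAMPLE_REQ_SEQUENCE = bytes.fromhex("3000")

def identity_proof(passphrase, req_sequence_der):
    """HMAC-SHA1 over reqSequence, keyed with SHA-1(passphrase)."""
    key = hashlib.sha1(passphrase.encode("ascii")).digest()
    return hmac.new(key, req_sequence_der, hashlib.sha1).digest()

def build_request(token, passphrase, req_sequence_der):
    """Peer side: the control values carried in the PKIData."""
    return {
        "identification": token,
        "identityProof": identity_proof(passphrase, req_sequence_der),
        "transactionID": secrets.randbits(64),
        "senderNonce": secrets.token_bytes(16),
        "reqSequence": req_sequence_der,
    }

def ra_check(req):
    """RA side: look up the token, verify the proof, reject replays."""
    passphrase = AUTHORIZATIONS.get(req["identification"])
    if passphrase is None:
        return "unknown-token"
    expected = identity_proof(passphrase, req["reqSequence"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, req["identityProof"]):
        return "bad-identity-proof"
    replay_key = (req["identification"], req["transactionID"], req["senderNonce"])
    if replay_key in SEEN:
        return "replay"
    SEEN.add(replay_key)
    return "ok"
```

Because the proof covers the encoded reqSequence, changing the public key or subject in the request after the proof was computed makes the check fail.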

EE Response Structure
SignedData by CA or RA
id-cct-PKIResponse encap content
Controls
  –id-cmc-statusInfoExt
  –id-cmc-authData
CMS objects
  –AuthData MAC by passphrase
  –id-cct-PKIResponse encap content
  –Controls id-cmc-trustRoots
Cert Bag - all certs including issued cert & root

Error Responses
Error responses are sent signed or unsigned? (depends on error value?)
Add new set of error codes specific to the new controls
  –Number of errors depends on granularity

Update, Renewal & Rekey
Update
  –New cert - different content - same/different key
Renewal
  –New cert - same content - same key
Rekey
  –New cert - same content - different key

Renewal & Rekey (EE generates new request w/ new key if needed)
Specify with original authorization or policy
Update later
  –keep state in RA database associated with Issuer/Serial#
  –renewal vs rekey vs dead
  –time to start renewal query admin

Update
In RA database w issuer/serial keep token strings for update cert
allow for update of token strings by admin from cert id
OR query admin
OR Requires re-auth from Admin
Requires new auth token & passphrase
Requires re-enrollment from EE

CMC Requirements
trans id
nonces
auth data from CMS for ee revoke signed data using sig key

Unmet Criteria
Must specify the “type” of enrollment
Update, Renewal, Rekey, Original

Open Issues
In-line Authorization
Should Peers be able to specify non Public Key information
PKI Generation of keys -- bad idea?
Queue and Manually Approve
Advice to admin on all events

Open Issues
Time out/race conditions
  –Use Pending from RA on an instant basis
  –Minimize network attack time
  –Requires some careful thought on error states and database information.
Admin Enrollment on behalf of a peer
  –Key generation on peer
  –Key generation on admin