TNC Proposals for NEA Protocols Presentation by Steve Hanna to NEA WG meeting at IETF 71 March 11, 2008.

Slide 2: PB-TNC

Slide 3: PB-TNC Purpose & Requirements

PB Purpose
– Carry PA messages between PBC & PBS
– Carry global assessment decision from PBS to PBC
– Carry other messages between PBC & PBS

PB Challenging Requirements
– MUST support half-duplex PT
– MUST support grouping attributes to minimize RTs
– MUST operate efficiently over low-bandwidth links
– MUST carry PA message routing identifiers
– SHOULD allow PBC or PBS to start assessment
– MUST support adapting to user language preference
– MAY include security measures or depend on PT security

Slide 4: PB-TNC Design Features

Simple round-robin state machine
– PBS or PBC can start by sending a batch
– PBS & PBC take turns sending batches
– End with PBS sending result or early close
Compact batch & message format (binary TLV)
Designed for extensibility
– No short fields, several reserved fields, versioning support
– IANA process for standard extensions
– Vendor IDs for non-standard extensions (cannot be required)
PA message routing by PA message type
– Optional delivery by PC/PV ID
No PB-TNC security; depends on PT

Slide 5: PB-TNC State Machine

[State diagram; the ASCII art did not survive extraction. States: Init, Server Working, Client Working, Decided, End. Transitions are labelled with the batch types CDATA, SDATA, RESULT, CRETRY, SRETRY and CLOSE; the legible edges include RESULT from Server Working to Decided, CRETRY from Decided back to Server Working, and CLOSE from a working state or Decided to End.]

Slide 6: PB-TNC Encapsulation (layering diagram)

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA)
    PA Message
  PB-TNC Message (Type=PB-PA)
    PA Message

Slide 7: PB-TNC Header (field diagram)

Fields, in order: Version | Reserved | Batch Length

Slide 8: PB-TNC Message (field diagram)

Fields, in order: Flags | PB-TNC Vendor ID | PB-TNC Message Type | PB-TNC Message Length | PB-TNC Message Value (variable length)

Slide 9: IETF Standard PB-TNC Message Types

Type  Name and definition
0     PB-Experimental: reserved for experimental use
1     PB-Batch-Type: indicates the type of the PB-TNC batch that contains this message
2     PB-PA: contains a PA message
3     PB-Access-Recommendation: includes Posture Broker Server access recommendation (also known as global assessment decision)
4     PB-Remediation-Parameters: includes Posture Broker Server remediation parameters
5     PB-Error: error indicator
6     PB-Language-Preference: sender's preferred language(s) for human-readable strings
7     PB-Reason-String: string explaining reason for Posture Broker Server access recommendation

Slide 10: PB-TNC Batch-Type Message (field diagram)

Common PB-TNC message header: Flags | PB-TNC Vendor ID | PB-TNC Message Type | PB-TNC Message Length
Message value: D | Reserved | Batch Type

Slide 11: PB-TNC Batch Types

Number  Name
1       CDATA
2       SDATA
3       RESULT
4       CRETRY
5       SRETRY

Slide 12: PB-PA Message (field diagram)

Common PB-TNC message header: Flags | PB-TNC Vendor ID | PB-TNC Message Type | PB-TNC Message Length
Message value: Flags | PA Message Vendor ID | PA Subtype | Posture Collector Identifier | Posture Validator Identifier | PA Message Body (variable length)
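As an added example (not part of the slides or of the TNC specifications), the batch and message layout of slides 6 through 12 as an encoder and a defensive parser in Python. The field widths and the value layout of the PB-Batch-Type message are assumptions taken from the later RFC 5793 rather than from the slides, which give only field names.

```python
# Added example (not from the slides): encoder and defensive parser for the
# PB-TNC batch layout of slides 6-12. Field widths are ASSUMED from the later
# RFC 5793: version 8 bits, reserved 24, batch length 32; per message flags 8,
# vendor ID 24, type 32, length 32 (length covers the 12-byte header + value).
import struct

PB_BATCH_TYPE, PB_PA = 1, 2                       # IETF message types, slide 9
BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY"}
BATCH_HDR, MSG_HDR, PA_HDR = 8, 12, 12

def encode_message(flags, vendor_id, msg_type, value):
    return struct.pack("!III", (flags << 24) | vendor_id, msg_type, MSG_HDR + len(value)) + value

def encode_pb_pa(flags, pa_vendor_id, pa_subtype, pc_id, pv_id, body):
    # Slide 12 value: Flags | PA Vendor ID, PA Subtype, PC ID | PV ID (16 bits each, assumed), body
    return struct.pack("!IIHH", (flags << 24) | pa_vendor_id, pa_subtype, pc_id, pv_id) + body

def parse_pb_pa(value):
    if len(value) < PA_HDR:
        raise ValueError("PB-PA value shorter than its header")
    w0, subtype, pc_id, pv_id = struct.unpack_from("!IIHH", value, 0)
    return w0 >> 24, w0 & 0xFFFFFF, subtype, pc_id, pv_id, value[PA_HDR:]

def encode_batch(batch_type, messages, version=1):
    # Slide 10: leading PB-Batch-Type message, value assumed D(1) | reserved(27) | batch type(4)
    body = encode_message(0, 0, PB_BATCH_TYPE, struct.pack("!I", batch_type & 0xF))
    body += b"".join(encode_message(*m) for m in messages)
    return struct.pack("!II", version << 24, BATCH_HDR + len(body)) + body

def parse_batch(data, version=1):
    """Return (batch type name, [(flags, vendor_id, type, value), ...])."""
    if len(data) < BATCH_HDR:
        raise ValueError("batch shorter than its header")
    w0, batch_len = struct.unpack_from("!II", data, 0)
    if w0 >> 24 != version or batch_len != len(data):
        raise ValueError("version %d / batch length %d mismatch for %d bytes" % (w0 >> 24, batch_len, len(data)))
    msgs, off = [], BATCH_HDR
    while off < batch_len:
        if batch_len - off < MSG_HDR:
            raise ValueError("truncated message header at offset %d" % off)
        w0, msg_type, msg_len = struct.unpack_from("!III", data, off)
        if msg_len < MSG_HDR or off + msg_len > batch_len:   # never trust a length field
            raise ValueError("bad message length %d at offset %d" % (msg_len, off))
        msgs.append((w0 >> 24, w0 & 0xFFFFFF, msg_type, data[off + MSG_HDR:off + msg_len]))
        off += msg_len
    # Slide 6: a batch opens with the IETF (vendor ID 0) PB-Batch-Type message.
    if not msgs or msgs[0][1:3] != (0, PB_BATCH_TYPE) or len(msgs[0][3]) != 4:
        raise ValueError("batch does not start with a PB-Batch-Type message")
    btype = struct.unpack("!I", msgs[0][3])[0] & 0xF
    if btype not in BATCH_TYPES:
        raise ValueError("unknown batch type %d" % btype)
    return BATCH_TYPES[btype], msgs[1:]
```

Every length field is checked against the bytes actually received before it drives a slice, so a truncated batch or an over-long message length is rejected rather than read past the buffer.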

Slide 13: Questions about PB-TNC?

Slide 14: PA-TNC

Slide 15: PA-TNC Purpose & Requirements

PA Purpose
– Carry attributes between PCs & PVs

PA Challenging Requirements
– MUST support extensible set of standard attributes
– MUST support extensible set of vendor-specific attributes
– MUST support Posture Request attributes
– MUST support half-duplex PT
– MUST support grouping attributes to minimize RTs
– MUST operate efficiently over low-bandwidth links
– SHOULD provide security

Slide 16: PA-TNC Design Features

Use message routing (PA Subtype) to identify the component
– Anti-Virus, Firewall, HIPS, OS, VPN, etc.
Realize that most attributes apply across all components
– Manufacturer, product ID, version, operational status, attribute request
– So provide a standard way to describe these attributes, but allow extensions
Use compact message format (binary TLV)
Design for extensibility
– No short fields, several reserved fields
– IANA process for standard extensions
– Vendor IDs for non-standard extensions (cannot be required)
Separate PA-TNC security, since the WG was uncertain

Slide 17: PA-TNC Within PB-TNC (layering diagram)

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
    PA-TNC Message
      PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
      PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 18: IETF Standard PA Subtypes

Number  Name
0       Testing
1       Operating System
2       Anti-Virus
3       Anti-Spyware
4       Anti-Malware
5       Firewall
6       IDPS
7       VPN

Slide 19: PA-TNC Message Header (field diagram)

Fields, in order: Version | Reserved | Message Identifier

Slide 20: PA-TNC Attribute (field diagram)

Fields, in order: Flags | PA-TNC Attribute Vendor ID | PA-TNC Attribute Type | PA-TNC Attribute Length | Correlation ID | Attribute Value (variable length)

Slide 21: IETF Standard PA-TNC Attribute Types

Number  Name
0       Testing
1       Attribute Request
2       Product Information
3       Numeric Version
4       String Version
5       Operational Status
6       Port Filter
7       Installed Packages
8       PA-TNC Error

Slide 22: Main Types Defined in PB-TNC and PA-TNC

PB-TNC Message Type
– PB-Batch-Type, PB-PA, etc.
PB-TNC Batch Type
– CDATA, SDATA, etc.
PA Subtype
– Operating System, Anti-Virus, etc.
PA-TNC Attribute Type
– Product Information, Numeric Version, etc.
All easily extensible except PB-TNC Batch Type
– Via PEN for vendor-specific values
– Via IANA registry for standard values

Slide 23: Questions about PA-TNC?

Slide 24: PA-TNC Security

Slide 25: PA-TNC Security Purpose & Requirements

PA-TNC Security Purpose
– Secure attributes between PCs & PVs

PA-TNC Security Challenging Requirements
– SHOULD provide authentication, integrity, and confidentiality protection of PA attributes
– [If security protection is included,] MUST protect against active and passive attacks by intermediaries and endpoints, including replay attacks
– MUST operate efficiently over low-bandwidth links

Slide 26: PA-TNC Security Design Features

Use Cryptographic Message Syntax (CMS) to secure PA-TNC messages
– Avoids need for round trips to establish session keys
– Allows for granular use of PA-TNC security only when desired
– Allows for authentication without confidentiality
– Extensible for nonce and capabilities exchange
Allow protection of multiple attributes at once
– Reduces bandwidth
Assume that PCs and PVs handle authorization

Slide 27: CMS Protected Content PA-TNC Attribute Type

New PA-TNC Attribute Type
May be contained in any PA Subtype
Contains CMS ContentInfo structure
– May have signed-data or enveloped-data

Slide 28: signed-data

Used when confidentiality protection is not needed
encapContentInfo MUST contain one or more PA-TNC attributes
certificates MUST include signer's certificate and SHOULD include certificate path to trust anchor
crls MAY include CRLs
Only one SignerInfo permitted
– MUST include signedAttrs with Nonce CMS attribute
Algorithms: MUST: RSA 2048 & SHA-256; MUST-: SHA-1; SHOULD: ECDSA 256

Slide 29: Nonce CMS Attribute

Provides replay protection
MUST be included in all signedAttrs
Includes pcNonce and pvNonce fields
– PC & PV select unpredictable initial values
– Increment to 2^32-1, then reselect

Slide 30: enveloped-data

Used when confidentiality protection is needed
encryptedContentInfo MUST contain encrypted version of signed-data
originatorInfo MUST include signer's certificate and SHOULD include certificate path to trust anchor; MAY include CRLs
recipientInfo contains encryption keys for recipients

Slide 31: enveloped-data Algorithms

Mechanism                             Requirement          Algorithm
Content Encryption                    MUST                 AES 128 & 256
Key Transport                         MUST                 RSA 2048 wrap of AES CEK
Key Agreement                         MUST                 ESDH w/ AES KEK (128 & 256)
Previously Distributed Symmetric KEK  MUST                 AES Key Wrap (128 & 256)
Password Based                        MUST (if supported)  Password Derived AES (128 & 256)

Slide 32: Security Capabilities PA-TNC Attribute Type

Used to indicate prioritized list of supported algorithms
May be contained in any PA Subtype
May be requested with Attribute Request
Contains signed-data with Nonce and paTncSecurityCapabilities in SignerInfo's signedAttrs and empty encapContent

Slide 33: Concerns with PA-TNC Security

Need review by CMS experts
Concern about data size
Concern about complexity for PC & PV
Concern about difficulty of configuring PC & PV authorization

Slide 34: Questions about PA-TNC Security?