Doc.: IEEE 802.15-02030r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks.

Slides:



Advertisements
Similar presentations
Doc.: IEEE xxx Submission January 2015 N. Sato and K. Fukui (OKI)Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Advertisements

Doc.: IEEE b Submission March 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE b Submission March 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE s Submission January 2015 Mineo Takai, Space-Time EngineeringSlide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE xxxxx Submission doc. : IEEE doc. : IEEE pac Nov 2012 Slide 1 Project: IEEE P Working.
Submission January, 2005 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE /114r1 Submission February, 2002 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE f Submission May 11, 2009 René Struik (Certicom Research)Slide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE xxxxx Submission doc. : IEEE Nov 2012 Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE /xxxr0 Submission Phil Jamieson November 2002 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission.
Doc.: IEEE sru Submission 17 Sept 2013 M Ariyoshi, S Kitazawa (ATR)Slide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE /123r0 Submission February, 2002 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE /368r0 Submission September 2003 Ranta et al., Discussion on UWB MAC for mobile devices Project: IEEE P Working Group for Wireless.
May 2001 William A. ArbaughSlide 1 doc.: IEEE /245r0 Submission Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)
10 March 2002 doc.: IEEE /126r0 Bob Huang, Sony ElectronicsSlide 1Submission Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE b Submission January 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Doc.: IEEE b Submission March 2005 Robert Cragie, Jennic Ltd.Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Submission January, 2005 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE /044r0 Submission March, 2000 Cypher/NISTSlide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission.
Doc.: IEEE /220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE Submission November 2012 Sunggeun Jin (ETRI)Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE Submission doc. : IEEE March 2009 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE /080r0 Submission February 2004 Welborn, MotorolaSlide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)
Doc.: IEEE Submission September 16, 2004 Poor & Struik / Ember & CerticomSlide 1 Project: IEEE P Working Group for Wireless Personal.
Doc: IEEE xxx Submission March 2015 Jeongseok Yu et al., Chung-Ang University Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE Submission March 17, 2005 Poor & Struik / Ember & CerticomSlide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE Submission July 2014 Li, Hernandez, Dotlic, Miura, NICT Slide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE /0310r0 Submission Sept 2007 Srinivas Sreemanthula Slide 1 IEEE MEDIA INDEPENDENT HANDOVER DCN: MIH-Security-Options.ppt.
Doc.: IEEE Submission November 2003, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission.
Doc.: IEEE Submission November 16, 2004 Poor & Struik / Ember & CerticomSlide 1 Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE /174r0 Submission March, 2003 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks.
Doc.: IEEE /054r0 Submission January 2003 Dr. John R. Barr, MotorolaSlide 1 Project: IEEE Working Group for Wireless Personal Area Networks.
Doc.: IEEE /0051r2 Submission January 2004 Dr. John R. Barr, MotorolaSlide 1 Project: IEEE Working Group for Wireless Personal Area Networks.
November 2011 Jin-Meng Ho and David Davenport. doc.: IEEE Slide 1Submission Project: IEEE P Working Group for Wireless Personal.
Doc.: IEEE /0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide Security Procedures Notice: This document has been.
Doc.: IEEE xxxxx Submission doc. : IEEE Slide 1 Junbeom Hur and Sungrae Cho, Chung-Ang University Project: IEEE P
Doc.: IEEE /0013r0 Submission January 2010 Mika Kasslin, NokiaSlide 1 Coexistence architecture of Notice: This document has been prepared.
Doc.: IEEE /440r2 Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: IEEE :
Submission doc.: IEEE /0339r0 Jul 2004 Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title:
Doc.: IEEE m SubmissionSlide 1 May 2012 Project: IEEE P Working Group for Wireless Personal Area Networks(WPANs) Submission.
14 March 2002 doc.: IEEE /152r2 Gregg Rasor, MotorolaSlide 1Submission Project: IEEE P Working Group for Wireless Personal Area Networks.
April 13, 2018 doc.: IEEE r0 March, 2003 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title:
June 16, 2018 doc.: IEEE r0 January, 2005
June 17, 2018 doc.: IEEE r0 January, 2005
doc.: IEEE <doc#>
doc.: IEEE <doc#>
June 2006 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Proposed Scenarios for Usage Model Document.
Project: IEEE P Coexistence TAG
January 15th Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Security protocol for Body area networks]
doc.: IEEE <doc#>
December 2, 2018 doc.: IEEE r0 May, 2004
March 2018 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [SG SECN Call for Proposals] Date Submitted:
Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Security Architecture Considerations Date.
<May,2009> doc.: IEEE <doc .....> <July 2009>
December 7, 2018 doc.: IEEE r0 July, 2003
Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Discovery Procedure] Date Submitted:
January 16, 2019 doc.: IEEE r0 September, 2004
Submission Title: [Resolutions for CID 85, 86, and 87]
Submission Title: [One-to-many and many-to-many peering procedures]
IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx
February 24, 2019 doc.: IEEE r0 July, 2003
Sept Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Add the Authentication to Enhance the Security.
May Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Add the Authentication to Enhance the Security.
Submission Title: [One-to-many and many-to-many peering procedures]
<month year> doc.: IEEE August 2014
27 Febraury 2002 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Security Sub-committee Status Report.
November 1999 doc.: IEEE /119r0 November 1999
May 26, 2019 doc.: IEEE r0 December, 2001
July 15, 2019 doc.: IEEE r0 May, 2002 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES.
Submission Title: [TG3a Compromise Direction]
Presentation transcript:

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Security Architectural Issues for the Wireless Personal Area Network] Date Submitted: [22 January, 2002] Source: [Rene Struik] Company [Certicom Corp.] Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1] Voice:[+1 (905) ], FAX: [+1 (905) ], Re: [] Abstract:[This document describes elements of the security architectural framework for the Wireless Personal Area Network, based on the characteristics of this network and its intended operational usage.] Purpose:[Highlight issues that need to be solved to ensure the success of the WPAN security.] Notice:This document has been prepared to assist the IEEE P It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 2 Security Architectural Issues for the WPAN René Struik Certicom Research

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 3 Outline System overview - Refined access control mechanisms Devices and their roles - Review (also for further discussion during the day) Trust in the piconet - Relaxation of trust requirements - Multi-casting [enough for ½ day presentation…]

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 4 System overview – device level Binding information (device level) Device & device Id: physical tying of device to its identity (to prevent identity theft) Established at manufacturing stage Device Id & public key: cryptographic binding between the public key and the device’s identity (e.g., via a public key or implicit certificate) Established at manufacturing stage or generated internally and registered with trusted third party User & device: binding between device and its user, via authentication techniques (e.g., password, PIN code, biometrics) Established at personalization of the device or prior to operational use (e.g., PIN initialization) Device Id & device attributes: binding between the device Id and personalization attributes (e.g., via attribute certificate) Established at personalization of the device User & user attributes: binding between a user and personalization attributes hereof (e.g., via attribute certificate) Established at personalization of the device or at registration of the user with trusted third party Attribute certificate Public key certificate user A A Id A PAPA attr A password Physical embedding Not in draft D09

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 5 System overview – piconet level Binding information (piconet level) Basic binding information Device association: via non-cryptographic means Device authentication: evidence as of true device identities via -non-cryptographic techniques (if piconet in ‘no security’ mode) -mutual entity authentication (if piconet in ‘authentication only’ mode) -authenticated key establishment (if piconet in ‘authentication and encryption’ mode) Optionally authenticated key establishment or authenticated key transfer as well Realized via use of, e.g., a public key or implicit certificate Device authorization: additional access control based upon true user/usage of devices via, e.g., attribute certificate and access control lists maintained by each device Realized at personalization of the device or prior to operational use, with dynamic updates AB Entity authentication (optionally key establishment) Public Key directory Access control list A Access control list B Attribute certificates Not in draft D09

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 6 System overview – piconet level (cont’d) Binding information (piconet level) Derived binding information Key transport: transfer of authentic symmetric keying material (encryption key, integrity key) via key transport using public key or symmetric key techniques in each of the following ways: -broadcast mode -peer-to-peer mode † ( † : Not in draft D09) -multicast mode † Realized via use of, e.g., authentic public keys or via authentic key encryption key Message communication: secure transfer of messages via -no cryptographic techniques (unsecured transport); -confidentiality only (secure transport) -both confidentiality and integrity (secure and authentic transport) Realized via use of data encryption, data integrity, or combined cryptographic primitive Remark (maintenance of access control lists) With user interface: similar to, e.g., an ‘address book’ on a PDA or via a confirm/reject button Without user interface: e.g., at initialization or prior to operational use (the ‘resurrecting Duckling’ (Ross Anderson)).

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 7 System overview – inter-piconet level Binding information (inter-piconet level) Basic binding information Association: via non-cryptographic means (between piconet, child piconet, neighbor piconet) A B

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 8 Devices and their roles Role model Security Manager. Sole source of local trust management. -Facilitates establishment of keying material between ordinary devices -Facilitates maintenance of keying relationships -Enforces security policy Ordinary device. Part of piconet or could become part hereof. - Responsible for secure processing and storage of keying material Piconet controller (PNC). Sole source of local message control. -Facilitates admission of ordinary devices to the piconet. -Allocates time slots for message exchanges between devices -No security responsibilities Portal. Sole source that ensures integration with external networks. -No security responsibilities External trusted party. Sole source of global trust management -Facilitates establishment of public keying material between ordinary devices -Facilitates maintenance of public keying relationships -Enforces security policy Role of portal considered out of scope, since it deals with communications with outside world

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 9 Devices and their roles (cont’d) Motivation role model Distributed implementation possible, since roles only conceptually centralized. - Allowance for more than 1 PNC (since not fixed in time and place). - Allowance for more than 1 Security Manager, more than External Trusted Party. Roles independent of actual implementation. - Different roles may be implemented on a single device (e.g, PNC and Security Manager). Separation of roles and devices that assume these roles - Allowance for dynamic mappings of roles to devices possible (e.g., changes to PNC and Security Mgr). - Different devices may associate different roles with the same device, depending on their view on the role(s) this device should play (e.g., device is Security Mgr for one device, ordinary device for another). PNC need not be fixed in time and place. Hence, not prudent to assign a priori security functionality to it (for otherwise, trust might need to be established over and over again, at each change of PNC). External Trusted Party is sole source of global trust, since it is external to the network and might have the resources deemed necessary for proper key management, e.g., secure key generation facilities, proper authentic storage of keying material, availability. Remark (dynamic vs. static mappings) Devices need way to recognize which role(s) other devices play or should play. Static mapping. Mapping may be defined at initialization. Dynamic mapping. Mapping must be realized by securely associating roles to devices, allowing dynamic verification (e.g., via attribute certificates).

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 10 Devices and their roles (cont’d) Mapping of roles to devices Static mapping of roles to devices Draft D09 document uses static mapping (since local address of PNC is fixed as 0x00): PNC assumes the role of Security Manager (for all devices) Each device assumes the role of ordinary device (for all devices) Each device may assume the role of (alternate) PNC There are no other mappings of roles to devices in effect. Remarks (static mapping) The Security Manager is identified with the current PNC for all devices, hence one has Concentration of all trust in one device: - each device must trust the same Security Manager (PNC) - each device must trust each subsequent Security Manager (PNC). Change of PNC invokes by definition change of Security Manager: - potentially expensive re-establishment of keying relationship between devices and the Security Manager.

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 11 Trust in the piconet Mapping of roles to devices (implied trust) Static mapping of roles to devices (as in draft D09) PNC Ordinary device A trusts B AB (1)(2) (3) (1)Situation before PNC handover (2)Disappearance of the directed trust graph pointing to the PNC, at handover of tasks (3)Re-establishment of the directed trust graph pointing to the new PNC, after PNC has assumed its tasks Notes Expensive re-keying requirement for the new PNC (once a key change is needed). Unclear whether all devices should trust the new PNC. (NB: Trust from A to B does not imply trust from B to A (trust relationship is non-symmetric!!!))

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 12 Trust in the piconet (cont’d) Mapping of roles to devices (implied trust) Static mapping of roles to devices (as in draft D09) A1A1 PNC A2A2 A3A3 A4A4 k k k k All devices A 1, …, A 4 trust the PNC in the following sense: The devices trust that the key k distributed by the PNC was generated securely (by PNC or another device); (2)The devices trust that the PNC does not expose key k to any entity outside the group {A 1,…,A 4 }. Hence, the PNC is both a trusted key source and a trusted key distributor. The implied trust is that none of the other devices leaks any information on the key k. AB kGeneralization (1) If B sends A the key k intended for group G, this indicates that B trusts A not to expose the key k to entities outside the group G. (2) B only sends A the key k if A is a member of the group G. (3) If A trusts B, then A accepts the key k communicated by B both as encryption key and as decryption key for group G. (4) If A does not trust B, then A accept the key k communicated by B only for decryption purposes (and does not care about the group G). Note. This generalization is consistent with the hierarchical trust model in draft D09. (here, G is a group of recipients)

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 13 Trust in the piconet (cont’d) Mapping of roles to devices (implied trust) Dynamic mapping of roles to devices (generalization of draft D09 to the case where there is no common Security Manager) Trust relationships Each device maintains a list of all the devices that it trusts. This list always includes the device itself. Rules 1.Each device trusts the secure storage and processing of all devices. 2.Each device trusts the external third party. 3.Only devices that are instructed to forward a key, shall do so. Whenever a device A wants to send a key to subgroup G of the piconet and does not have such a key yet, it proceeds as follows (we assume A to be contained in group G): 1.A requests a key from one of the devices it trusts, and provides this device, B say, with an authentic indication of the group G the key is intended for. (B must be contained in group G.) 2.B securely generates a key and forwards this, in some secure fashion, to each of the devices in group G individually (with the instruction not to forward this further). 3. Alternatively, B may adopt the procedure in (2), but send the key, in some secure fashion, to a subgroup S of devices in G only and instruct the (nonempty subset of) devices among these in S that he trusts to forward the key to the (remainder of the) group G.

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 14 Trust in the piconet (cont’d) The presented algorithm describes a way to securely multicast a key k to an arbitrary nonempty group G of devices, provided that each device involved in forwarding the key can unambiguously reconstruct from the group G the true identities of the devices in question. Note. This unambiguous correspondence between the set G and the true identities of these devices is trivial in the broadcast scenario and the peer-to-peer scenario. For the general multicast scenario, it requires each device to maintain an authentic list of local device address/IEEE MAC correspondences. Step (3) of the algorithm allows the key distribution to take place concurrently. Obviously, devices that already obtained the key, can be excluded from the set G. The advantage of distributing the workload of processing keys over more than one processor is that ‘expensive’ public key operations, potentially involved in the algorithm are then also executed in parallel. The expected ‘depth’ of the key distribution algorithm is a few iterations (roughly O(log2(#N)) if each device has a few devices it trusts). The advantage of this approach is that in the event of a PNC hand over, this workload compares very favorable with the expensive re-keying step that would be required in the more rigid scenario described in draft D09. Thus, the piconet security framework becomes more robust. A third advantage of the algorithm presented here is that it does not require devices to compulsory trust a device that somehow becomes PNC.

doc.: IEEE r0 Submission December, 2001 Rene Struik, Certicom Corp.Slide 15