Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting https://tools.ietf.org/html/draft-viswanathan-dtn-pkdn-00.

Published byBathsheba McKenzie Modified over 8 years ago

Similar presentations

Presentation on theme: "Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting https://tools.ietf.org/html/draft-viswanathan-dtn-pkdn-00."— Presentation transcript:

1 Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting https://tools.ietf.org/html/draft-viswanathan-dtn-pkdn-00 April 4, 2016 Kapali Viswanathan (kapaleeswaran.viswanathan@boeing.com)kapaleeswaran.viswanathan@boeing.com Fred L. Templin (fred.l.templin@boeing.com)

2 Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

3 Delay Tolerant Networking PKDN Overview Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Session management Revocation event propagation Depends on reliable DTN Multicast -Certificate revocation manager certifies one or more validators. -Sender chooses a validator either by configuration or by discovery. Current PoC implements choice by configuration. Secure Communications Revocation status Validated public key certificate Public key certificate

4 PKDN Layering Delay Tolerant Network Cloud (Interconnected Bundle Protocol Routers) Receiver Bundle Protocol Certificate Revocation Manager Bundle Protocol Validator Bundle Protocol Validator Bundle Protocol Certificate Revocation Manager Bundle Protocol Sender Receiver Bundle Protocol Sender

5 PKDN Event Propagation Key Generation Key Associated with an addressable Identity Key Use Association (or Key) Expiry Association (or Key) Revocation Key Disuse Role of PKDN: Association performed by arbitrary external software (e.g. X.509 PKI software) PKDN references key uniquely as: (key-fingerprint, expiry- timestamp)n output Role of PKDN: Provides an in-band mechanism to exchange validated certificates Role of PKDN: Propagates public key revocation events to a network of validators using multicast communication Notifies public-key revocation events to interested endpoints

6 Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

7 Delay Tolerant Networking Revocation event subscription Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

8 Delay Tolerant Networking Revocation event & status propagation Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

9 Delay Tolerant Networking Session management and secure communication Certificate revocation Manager Validator Sender Receiver Subscribe Publish (Delta-CRL) Public key certificate Validated public key certificate Revocation status CRL = Certificate Revocation List Delta-CRL = Additions to CRL Revocation status Validated public key certificate Public key certificate

10 Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

11 PKDN & DTN Key Management Requirements REQ1: Must Provide Keys When Needed Receivers receive validated sender certificates encapsulated with initial message bundles REQ2: Must Be Trustworthy Certificates are signed by trusted authorities Certificate revocations are signed by trusted authorities REQ3: No Single Point of Failure Multiple CRMs are allowed Path redundancy from CRMs to Validators strengthen REQ3 REQ4: Multiple Points of Authority Multiple certificate and certificate revocation authorities can co-exist REQ5: No Veto Validators, Senders, and Receivers can be configured to validate certificates and certificate revocations issued by multiple authorities https://datatracker.ietf.org/doc/draft-templin-dtnskmreq

12 PKDN & DTN Key Management Requirements REQ6: Must Bind Public Key with DTN Node Identity Realized using standard public key certificate structures (certificates minimally include address, public key, and expiry date) REQ7: Must Support Secure Bootstrapping All PKDN entities must have root public key and root revocation public key manually installed REQ8: Must Support Revocation Validators and CRM achieve this property REQ9: Revocations Must Be Delay Tolerant Achieved by designing PKDN as a strict overlay on top of DTN and by using event-driven semantics

13 Overview PKDN Overview PKDN Entities and Functions PKDN & DTN Key Management Requirements Changes Since Last Version

14 Draft title changed from ‘draft-viswanathan-dtnwg-pkdn-00’ to align document to DTN Working Group Now using unicast Certificate Revocations for interested parties instead of DTN-wide CRL multicast PKDN Validators remember the certificates of interest to individual receivers for a limited time period Senders must send fresh certificates through a PKDN validator before validator interest memory expiration

15

Download ppt "Public Key Distribution Network (PKDN) for DTN Security Key Management IETF95 DTN Working Group Meeting https://tools.ietf.org/html/draft-viswanathan-dtn-pkdn-00."

Similar presentations

Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Validity Management in SPKI 24 April 2002 (author) (presentation)

Validity Management in SPKI 24 April 2002 (author) (presentation)
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.
Module 9: Fundamentals of Securing Network Communication.

Module 9: Fundamentals of Securing Network Communication.

Similar presentations

Ads by Google