Presentation is loading. Please wait.

Presentation is loading. Please wait.

Update on BRSKI-AE – Support for asynchronous enrollment

Published byPhyllis Nicholson Modified over 5 years ago

Similar presentations

Presentation on theme: "Update on BRSKI-AE – Support for asynchronous enrollment"— Presentation transcript:

1 Update on BRSKI-AE – Support for asynchronous enrollment
draft-fries-anima-brski-async-enroll-01 Steffen Fries, Hendrik Brockhaus, Eliot Lear IETF 105 – ANIMA Working Group

2 Problem statement There exists various industrial scenarios, which
have limited online connectivity to backend services either technically or by policy. This may limit the exchange of certification request/response messages with an offsite PKI for issuing an LDevID. assume only limited on-site PKI functionality support (Proxy) Rely on a backend or centralized PKI, to perform (final) authorization of certification requests for an operational certificate (LDevID). May not feature trusted domain component for store and forward require multiple hops to the issuing PKI due to network segmentation. required consistency for certificate management over device / system lifecycle (e.g. , existing industrial standards require support of multiple enrolment protocols on the central side, while letting the pledge pick) Asset Management would be used to gain information about devices to be enrolled

3 Changes from version 00  01 Update of examples, specifically for building automation as well as introduction of two new application use cases (Infrastructure isolation policy, Less operational security in the deployment domain) in section 4.2. Consideration of existing enrollment protocols in the context of mapping the requirements to existing solutions in Section 4.3. Enhancement of description of architecture elements and potential changes to influences on BRSKI in Section 5. Removal of combined asynchronous interaction with MASA to not complicate the use case in section 5. New section 7 starting with the mapping to existing enrollment protocols by collecting boundary conditions.

4 Asynchronous enrollment with self-contained objects
Asynchronous enrollment has to cope with at leas the following requirements: Proof of possession of the private key corresponding to the public key contained in the certification request Proof of identity of the requestor, bound to the certification request (and thus to the proof of possession) Certificate waiting indication if the contacted RA is not able to issue the requested certificate immediately or is not reachable

5 Recap: BRSKI supports synchronous enrollment
Use of self-contained voucher (RFC 8366) to transport domain certificate signed by MASA does not rely on transport security can be leveraged for asynchronous provisioning of the voucher Use of online enrollment protocol (EST, RFC 7030) Utilizes PKCS#10 for CSR and uses IDevID of pledge for authentication during TLS handshake. Assumes enrollment authorization based on IDevID at the on-site RA/CA with authorization database. Drop Ship >| Vendor Service | | | | M anufacturer| | | | A uthorized |Ownership| | | S igning |Tracker | | | A uthority | | | | ^ | | BRSKI- V | MASA |... | | | . | | | . | | | | | | | . |Pledge | | Join | | Domain < | | | Proxy | | Registrar | | < > < > (PKI RA) | | | | BRSKI-EST | | | | | | |IDevID | | | | | | | Key Infrastructure | . | | | (e.g., PKI Certificate | . | Authority) | . "Domain" components

6 BRSKI-AE provides enhancements for asynchronous enrollment
Drop Ship >| Vendor Service | | | | M anufacturer| | | | A uthorized |Ownership| | | S igning |Tracker | | | A uthority | | | | ^ | | V | | | | | | | | BRSKI- | | | | | | . | MASA | Pledge | | Join | | Domain <-----+ | | | Proxy | | Registrar/ | . | < > < > (L)RA | . | | | BRSKI | | . | IDevID | | | ^ | | | | | | "on-site domain" components . | . | v . | Public Key Infrastructure |<----+ PKI RA | . . | PKI CA |---->+ [(Domain) Registrar (opt)]| . ^ | | v | Inventory (Asset) | . | Management | . "off-site domain" components Utilizes self-contained-object for certification request/response (CSR wrapping using existing certificate (IDevID)).  combines proof of possession and proof of identity Allows interaction with an off-site PKI rely on on-site simple store-and-forward (optionally no Domain Registrar) CSR authorization in conjunction with off-site asset management system But requires certificate waiting indication Support of in-band and out-of-band certificate management throughout the device lifecycle Allows BRSKI application in domains that already selected (other) enrollment protocols.

7 Requirement coping of (selected) enrollment protocols with respect to the asynchronous enrollment
EST (RFC 7030) Proof of possession: using PKCS #10 structure in the request method. Proof of identity: only for /fullcmc request. EST references RFC 5272 for fullcmc request. Signature of the SignedData of Full PKI Request calculated using the IDevID credential. Cert waiting indication: a 202 return code should be returned by the Join Registrar. Note that depending on the TLS binding, PKCS #10 has to be re-generated if teared down. CMP (RFC 4210) Proof of possession: provided by using either CRMF or PKCS#10 for certification request. Proof of identity: can be provided by using the MSG_SIG_ALG to protect the certificate request message with signatures Cert waiting indication: returned in the PKIStatus by the Join Registrar. Pledge retries using PollReqContent with a request identifier certReqId provided in initial CertRequest

8 Next Steps Further refinement of the approach
Definition of an abstract self-contained approach  YANG model, protocol agnostic Should allow support of existing enrollment protocols Allow domain registrar to support different enrollment protocol options Is the WG interested in this work?

9 Backup

Download ppt "Update on BRSKI-AE – Support for asynchronous enrollment"

Similar presentations

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.
Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Similar presentations

Ads by Google