Slide 1: Credential Identifiers
Group Name: SEC#14.2
Source: Phil Hawkes, Qualcomm Inc, phawkes@qti.qualcomm.com
Meeting Date: 2014-12-18
Agenda Item: TS-0003
Slide 2: Presentation has four parts
Background Information from TS-0001
Aim of this Presentation
Proposal
Conclusion
Slide 3: Background Information from TS-0001
S-Type and C-Type AE-ID Stems
Authentication and Registration Validation
AE-ID Stem & Registration
Support for multi-AE TLS Clients
Slide 4: AE-IDs in TS-0001
AE-ID has two main uses
– Addressing
– accessControlPolicies
ARC & SEC identified the need for two types of AE-ID
– Some AEs need an AE-ID assigned by the M2M SP, independent of who the Registrar CSE is. The AE may re-register to another CSE and continue to use the same S-Type AE-ID Stem.
– Some AEs only need an AE-ID assigned by the Registrar. It is only valid while the AE is registered to that CSE; another Registrar CSE would (most likely) assign a different C-Type AE-ID Stem.
Slide 5: S-Type and C-Type AE-ID Stems
C-Type AE-ID Stem: Cxx..x
– Assigned by the Registrar CSE
– C-Type identifiers for various scopes:
  CSE-Relative: C-Type AE-ID Stem
  SP-Relative: Registrar CSE-ID + C-Type AE-ID Stem
  Absolute: M2M-SP FQDN + Registrar CSE-ID + C-Type AE-ID Stem
S-Type AE-ID Stem: Sxx…x
– Assigned by the M2M SP
– S-Type identifiers for various scopes:
  CSE-Relative: S-Type AE-ID Stem
  SP-Relative: S-Type AE-ID Stem
  Absolute: M2M SP FQDN + S-Type AE-ID Stem
Slide 6: Authentication and Registration Validation
AE may authenticate using PSK, Certificate or MAF
– If authenticated, then the Registrar CSE notes the Credential-ID (more details in later slides)
– Else Credential-ID = “None”. It is up to Registrar policy whether an unauthenticated AE is allowed.
If authentication was via certificate, then the Registrar matches the App-ID value and/or AE-ID-Stem value, if present in the certificate, to those in the registration
Registrar CSE obtains linked from Registrar’s which matches Credential-ID
– can be stored on the IN-CSE
– Matched dictates allowed combinations of App-ID value and AE-ID-Stem value
Slide 7
comprises
– applicableCredID: list of Credential Identifiers applicable for that rule
– allowedAppIDs: list of App-IDs allowed by the rule
– allowedAE: list of AE-IDs allowed by the rule for the identified App-IDs. Wildcards are allowed, so that a single rule can cover multiple devices.
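As an added example (not from the presentation or TS-0001), the rule check described on the two slides above in Python: each rule carries the three lists listed, and the Registrar accepts a registration only if some rule whose applicableCredID matches the noted Credential-ID allows the requested App-ID and AE-ID-Stem. Shell-style wildcards via fnmatch, the sample rules and identifier values, and the handling of registrations that do not yet carry a stem are assumptions of this example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class AppRule:
    """One registration rule with the three lists from the slide."""
    applicable_cred_ids: list   # Credential-ID patterns; "None" covers unauthenticated AEs
    allowed_app_ids: list       # App-ID patterns allowed by the rule
    allowed_aes: list           # AE-ID-Stem patterns allowed for those App-IDs


def _matches(value, patterns):
    # Wildcards as shell-style globs (fnmatch); the slide only says wildcards are allowed.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def registration_allowed(rules, credential_id, app_id, ae_id_stem=None):
    """True if some rule applicable to credential_id permits (app_id, ae_id_stem).

    ae_id_stem is None when the AE asks for a stem to be assigned (registration
    cases a and c on the next slide); then only the App-ID is checked. That
    treatment is an assumption of this example, not something the slides state.
    """
    for rule in rules:
        if not _matches(credential_id, rule.applicable_cred_ids):
            continue
        if not _matches(app_id, rule.allowed_app_ids):
            continue
        if ae_id_stem is None or _matches(ae_id_stem, rule.allowed_aes):
            return True
    return False


# Constructed sample policy (identifier values are illustrative, not from the slides).
SAMPLE_RULES = [
    # Factory-provisioned PSKs (type 1, scenario 1) for a sensor fleet: only the
    # sensor apps, only S-Type stems starting with "Ssensor".
    AppRule(["1-1-sensor*"], ["Nsensor.app.*"], ["Ssensor*"]),
    # Certificates under one CA subtree of the oneM2M-Certificate-ID: any app,
    # but only Registrar-assigned C-Type stems.
    AppRule(["3-1.2.3.*"], ["*"], ["C*"]),
    # Unauthenticated AEs (Credential-ID "None") may only register the demo app.
    AppRule(["None"], ["Ndemo.app"], ["C*"]),
]

if __name__ == "__main__":
    print(registration_allowed(SAMPLE_RULES, "1-1-sensor7", "Nsensor.app.temp", "Ssensor7"))  # True
    print(registration_allowed(SAMPLE_RULES, "1-1-sensor7", "Nsensor.app.temp", "Cabc123"))   # False
```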
Slide 8: AE-ID-Stem & Registration
AE registration request options (TS-0001 Clause 10.1.1.2.2):
a) AE wants the Registrar to ask the M2M SP to assign an S-Type AE-ID-Stem to the AE
b) AE provides an S-Type AE-ID-Stem value previously assigned by the M2M SP
c) AE wants the Registrar CSE to assign a C-Type AE-ID-Stem
d) AE provides a C-Type AE-ID-Stem value previously assigned by the Registrar CSE
Registrar CSE response for each case:
a) Registrar CSE forwards the credential identifier to the M2M SP for S-Type AE-ID-Stem assignment
b) Registrar CSE forwards the S-Type AE-ID-Stem value and credential identifier to the M2M SP for verification
c) Registrar CSE assigns a C-Type AE-ID-Stem value
d) Registrar CSE uses the C-Type AE-ID-Stem value provided by the AE
Slide 9: Support for multi-AE TLS Clients
A TLS client can provide security for
– A single AE (executed by a single App SW package on a single Node)
– Multiple AEs executed by a single App SW package on a single Node
– Multiple AEs executed by multiple App SW packages on a single Node
Slide 10: Goal of this presentation
This presentation aims to describe the structure of the Credential-ID.
Slide 11: Proposal
SEC needs to define the structure of the Credential-ID
Proposal: Credential-ID has the format
– CredentialID Type, indicating one of PSK, RawPublicKey certificate, certificate chain, or MAF
– CredentialID Value, identifying a specific credential of the identified type. The format of the value depends on the type of the credential.
Slide 12: PSK
Kpsa, KpsaId: KpsaId = credential identifier
We envisage three scenarios where the M2M SP would trust the (Kpsa, KpsaId) pair
1. Factory default: the (Kpsa, KpsaId) pair was provisioned at the factory (e.g. if an ADN and MN were sold as a single product, with the ADN and MN configured to work out of the box)
2. Admin provisioned: the (Kpsa, KpsaId) pair was provisioned by an administrator with special privileges not afforded to users. We assume that the M2M SP trusts the administrators that could obtain this access.
3. MEF provisioned
The PSK Credential Identifier should be a combination of
– Identifier (1, 2, 3) for the applicable provisioning scenario
– KpsaId
Slide 13: Raw Public Key Certificate
Credential Identifier Value corresponds to the publicKeyIdentifier (hash of the public key) as defined in TS-0003
Slide 14: Certificate Chain
Trust anchor information is configured to the Registrar CSE
– E.g. using remote entity management
A certificate can include a variety of identifiers in subjectAltName
– List of applicable AE-IDs (assigned by M2M SP)
– List of applicable App-IDs (globally assigned)
– Node-ID (assigned by M2M SP)
– Device identifiers defined elsewhere (e.g. IMEI)
Policy OIDs indicate which of the above identifiers are permitted in end-entity certificates
– Also present in Trust anchor information & Intermediate CA certificates
Slide 15: Trust Anchor Considerations
The M2M SP must take care to configure the correct policy OIDs for trust anchors on the Registrar CSE
End-entity certificates containing an S-Type AE-ID need to be issued by (or on behalf of) the M2M SP
– Typically, a Registrar CSE would be configured with only the M2M SP trust anchor (or one other third-party trust anchor) for such certificates
End-entity certificates containing other identifiers do not need to be issued by (or on behalf of) the M2M SP
– A Registrar CSE could be configured with many trust anchors for such certificates
Slide 16: Challenges
Very complex to support all these types of identifiers
– E.g. it is difficult to define rules constraining identifiers in end-entity certificates for such a variety of identifiers
Propose using a common OID-based oneM2M-Certificate-ID, mandatory in certificates used to authenticate AEs
Slide 17: oneM2M-Certificate-ID
oneM2M-Certificate-ID is Object Identifier (OID) based, comprising
– oneM2M-Certificate-ID-Indicator arc (to be assigned!!!)
– One or more arcs assigned to CAs
– End-Entity-ID arc
Use the “otherName” field in the subjectAltName extension
– otherName “type-ID” set to oneM2M-Certificate-ID-Indicator
– otherName “value” set to the remainder of the oneM2M-Certificate-ID
CA certificates use the name constraints extension (see clause 4.2.1.10 “Name Constraints” of RFC 5280 [34]) to constrain the oneM2M-Certificate-ID to specific subtrees in subsequent end-entity certificates in a certification path. Subtrees are represented by an otherName field with
– otherName “type-ID” set to oneM2M-Certificate-ID-Indicator
– otherName “value” set to the remainder of the object identifier identifying the subtree
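Added example (not part of the presentation): how a Registrar CSE could check that the oneM2M-Certificate-ID carried in an end-entity certificate's otherName lies inside the subtrees permitted by the name constraints of every CA certificate on the path, comparing OIDs arc by arc rather than as strings. The indicator arc value, the sample OIDs and the tuple representation of otherName and constraints are assumptions; real certificates would first be decoded with an X.509 library.

```python
# Placeholder for the oneM2M-Certificate-ID-Indicator arc, which the slide says is
# still to be assigned; this constructed value stands in for it.
INDICATOR_ARC = "1.3.6.1.4.1.99999.1"


def arcs(oid):
    """'1.2.3' -> (1, 2, 3); raises ValueError on anything that is not a dotted OID."""
    parts = oid.split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted OID: {oid!r}")
    return tuple(int(p) for p in parts)


def in_subtree(value_oid, subtree_oid):
    """True if subtree_oid is an arc-wise prefix of value_oid ('10.20.5' vs '10.20.50' differ)."""
    v, s = arcs(value_oid), arcs(subtree_oid)
    return len(v) >= len(s) and v[: len(s)] == s


def ee_other_name_ok(ee_other_name, path_constraints):
    """Validate the end-entity otherName against each CA's name constraints.

    ee_other_name: (type_id, value) as carried in subjectAltName.
    path_constraints: one (permitted, excluded) pair of subtree lists per CA
      certificate on the path, trust anchor first; each subtree is the remainder
      OID from that CA's otherName constraint (RFC 5280 clause 4.2.1.10).
    Excluded subtrees win over permitted ones; an empty permitted list means
    that CA imposes no permitted-subtree restriction for this name type.
    """
    type_id, value = ee_other_name
    if type_id != INDICATOR_ARC:
        return False  # not a oneM2M-Certificate-ID at all
    for permitted, excluded in path_constraints:
        if any(in_subtree(value, s) for s in excluded):
            return False
        if permitted and not any(in_subtree(value, s) for s in permitted):
            return False
    return True


# Constructed path: the trust anchor owns arc 10.20, the intermediate CA owns
# 10.20.5 and excludes 10.20.5.13; end-entity IDs append their End-Entity-ID arc.
SAMPLE_PATH = [
    (["10.20"], []),                # trust anchor
    (["10.20.5"], ["10.20.5.13"]),  # intermediate CA
]
```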
Slide 18: MAF-Based Credential Identifiers
The MAF may be used to authenticate a TLS client behind which is
– A single AE executed by a single App SW Package on a single Node/Device
– One or more AEs executed by a single App SW Package on a single Node/Device
– One or more AEs executed by one or more App SW Packages on a single Node/Device
During Security Association Establishment, the MAF provides the Registrar CSE with
– Kmc
– MAF-relative identifier for the TLS client, previously provisioned to the MAF
Credential Identifier is a combination of
– MAF FQDN
– MAF-relative identifier
Slide 19: Conclusion: Summary of Proposal

Credential Type          | Type | Value Format                                       | Example
PSK                      | 1    | KpsaIssuerTypeID ‘-’ KpsaId                        | 1-1-sensor1, 1-2-adminIssuedPSK, 1-3-567@mef.com
RawPublicKey Certificate | 2    | publicKeyIdentifier (hash of subjectPublicKeyInfo) | 2-aH6jK…
Certificate Chain        | 3    | OID-based oneM2M-Certificate-ID                    | 3-123.456.789
MAF                      | 4    | KmId = MAF_ISSUED_ID ‘@’ MAF_FQDN                  | 4-123@maf.com
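Added example (not from the presentation): a parser and formatter for the Credential-ID syntax in the summary table above, round-tripping all four types and rejecting values that do not fit their type. The character set accepted for publicKeyIdentifier and the treatment of ‘@’ in MAF identifiers are assumptions, since the table does not pin down an encoding.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CredentialId:
    cred_type: int   # 1..4 per the summary table
    fields: dict     # type-specific parts of the value


def parse_credential_id(text):
    """Parse 'Type-Value'; raise ValueError if the value does not fit the type."""
    m = re.fullmatch(r"([1-4])-(.+)", text)
    if not m:
        raise ValueError(f"bad Credential-ID: {text!r}")
    t, value = int(m.group(1)), m.group(2)
    if t == 1:  # KpsaIssuerTypeID '-' KpsaId; issuer type is the provisioning scenario 1..3
        m = re.fullmatch(r"([123])-(.+)", value)
        if not m:
            raise ValueError(f"bad PSK value: {value!r}")
        return CredentialId(1, {"scenario": int(m.group(1)), "KpsaId": m.group(2)})
    if t == 2:  # publicKeyIdentifier: hash of subjectPublicKeyInfo, assumed base64/base64url text
        if not re.fullmatch(r"[A-Za-z0-9+/_=-]+", value):
            raise ValueError(f"bad publicKeyIdentifier: {value!r}")
        return CredentialId(2, {"publicKeyIdentifier": value})
    if t == 3:  # OID-based oneM2M-Certificate-ID in dotted form (at least two arcs)
        if not re.fullmatch(r"\d+(\.\d+)+", value):
            raise ValueError(f"bad oneM2M-Certificate-ID: {value!r}")
        return CredentialId(3, {"oneM2M-Certificate-ID": value})
    m = re.fullmatch(r"([^@]+)@([A-Za-z0-9.-]+)", value)  # MAF_ISSUED_ID '@' MAF_FQDN
    if not m:
        raise ValueError(f"bad MAF value: {value!r}")
    return CredentialId(4, {"MAF_ISSUED_ID": m.group(1), "MAF_FQDN": m.group(2)})


def format_credential_id(cid):
    """Inverse of parse_credential_id."""
    f = cid.fields
    if cid.cred_type == 1:
        return f"1-{f['scenario']}-{f['KpsaId']}"
    if cid.cred_type == 2:
        return f"2-{f['publicKeyIdentifier']}"
    if cid.cred_type == 3:
        return f"3-{f['oneM2M-Certificate-ID']}"
    return f"4-{f['MAF_ISSUED_ID']}@{f['MAF_FQDN']}"
```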