Presentation is loading. Please wait.

Presentation is loading. Please wait.

Initial Keying for KeySec John Viega, Russ Housley

Similar presentations


Presentation on theme: "Initial Keying for KeySec John Viega, Russ Housley"— Presentation transcript:

1 Initial Keying for KeySec John Viega, Russ Housley viega@securesoftware.com, housley@vigilsec.com

2 We know where we’re going on what to do once CAs have keys. Getting CA keys from pairwise keys is straightforward. Little work on initial keying for CA keys Channel for data –Meant for tunneling EAP, etc. Need simple, out of the box way to install keys Progress in AF

3 Use Case New device, need to set it up with pairwise key(s) Neighbors should be able to agree on pairwise keys with little manual intervention Would like a way to identify “my” devices and validate them.

4 Proposal (1) Assign devices unique 128-bit IDs –Loaded with MAC address –32 bits is a vendor identifier –96 bits is vendor dependent, but must be unique Random number is perfectly fine –The idea: give IDs to devices as a simple ACL

5 Proposal (2) Use RSA to validate device owns ID and exchange pairwise keys –Vendor generates and installs private key and certificate w/ public key –Certificate is signed by a vendor’s signing credentials –Vendor’s credentials are signed by a root certification authority (CA) –IETF likely willing be that CA –CA would endorse vendor’s right to first 32 bits. –Vendor would endorse the validity of the remaining bits. Net effect: unforgable credentials that facilitate enrollment

6 Simple Public Key Infrastructure

7 Analysis Why not use MAC address? –MAC address forging is important to layer 2. –Devices may have many MAC addresses. Auxiliary benefits –Solves the layer 2 part of the ARP problem –Prevents counterfeiting hardware –Provides a basis for establishing trust in firmware Drawbacks –Have to integrate with manufacturing process Not costly DOCSIS is doing something similar with cable modems –Requires hash function for signing Probably SHA1

8 Example establishment protocol SignCrypt encrypts arg1, auths both args Unique ID is encoded into certificate 1.A-> A_cert, SignCrypt(Ra, 0) -> B 2.A<- B_cert, SignCrypt(Rb,Ra) <- B 3.A-> AID, SignCrypt(0, Rb) -> B Shared secret is Ra XOR Rb All signatures and certs validated IDs checked to ACL On race, M1 from lower unique ID wins

9 Summary Unique IDs on each device Simple key management Does not eliminate other management methods –Credentials could be leveraged in centralized management Auxiliary benefits Vendor must install keypair


Download ppt "Initial Keying for KeySec John Viega, Russ Housley"

Similar presentations


Ads by Google