Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMC and PKI4IPSEC Jim Schaad. Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure.

Published byTodd Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "CMC and PKI4IPSEC Jim Schaad. Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure."— Presentation transcript:

1 CMC and PKI4IPSEC Jim Schaad

2 Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure Remove requirements in PROFILE doc

3 How CMC wants to do this Use standard request/response messages Use Transaction ID and nonces Use Pending

4 Pretty Picture REPOSITORY ----- CA | | | ----------------- RA --- Admin | | | ----------------- Peer -----------

5 Basic Enroll Process Establish Authorization Distribute Authorization Generate Public Key Request Cert Get Cert –Get trust anchor(s)

6 Admin Authorization Process Create Template Request Authorizations Get Authorizations Back Distribute Authorizations

7 Template Creation Out Of Band negotiation Template –Fixed portion –Restrictions –Control Items –Variable Portions Substitution if - then - else types –General Name –UTF8 String –Time –Extension –Other? Who can authorize

8 Request Authorizations Use CMC Request Body with new control For n items provide –template id –variable portion tokens –Timeout must not match any current authorization comparison rules –Binary or intelligent (ä has multiple encodings) should collision in current message error for both? should collision with existing item error for both? Re-request authorization?

9 Get Authorizations Back Use CMC Response Message for n items return –Auth token – PrintableString (ASCII) –Auth Passphrase – PrintableString (ASCII) –success/failure – error codes –Optional - token strings & id ? requirement PKI may alter parameters and return to admin for check §3.2.5

10 Distribute Authorization Data to be distributed –Authentication Token –Passphrase –Name of entity to talk to Optional Items –Trust anchor information –Restrictions Key Type, Key Length,…

11 Authorization Cancel CMC Request/Response Pair w/ new controls Authorization is identify by token allow for bulk revoke or just singles? May be signed by admin (SignedData) or use MAC by passphrase possessor (AuthData) Race conditions between issuing a cert and cancel Cancel of an issued Certificate return either success or consumed (with cert identifier) Query if authorization is still current?

12 EE Request Structure SignedData identify key by SKI id-cct-PKIData encap content Controls –id-cmc-identification - auth token –id-cmc-identityProof - derived from passphrase –id-cmc-transactionID - random number –id-cmc-senderNonce - random number CRMF CertRequest –certReqID - fixed value ok –subject name cn= –Public Key –SKI Extension with possibly fixed value. –Other extensions as required

13 EE Response Structure SignedData by CA or RA id-cct-PKIResponse encap content Controls –id-cmc-statusInfoExt –id-cmc-authData CMS objects –AuthData MAC by passphrase –id-cct-PKIResopnse encap content –Controls id-cmc-trustRoots Cert Bag - all certs including issued cert & root

14 Error Responses Error responses are sent signed or unsigned? (depends on error value?) Add new set of error codes specific to the new controls –Number of errors depends on granularity

15 Update, Renewal & Rekey Update –New cert - different content - same/different key Renewal –New cert - same content - same key Rekey –New cert - same content - different key

16 Renewal & Rekey (EE generates new request w/ new key if needed) Specify with original authorization or policy Update later –keep state in RA database assoicated with Issuer/Serial# –renewal vs rekey vs dead –time to start renewal query admin

17 Update In RA database w issuer/serial keep token strings for update cert allow for update of token strings by admin from cert id OR query admin OR Requires re-auth from Admin Requires new auth token & passphrase Requires re-enrollment from EE

18 CMC Requirements trans id nonces auth data from CMS for ee revoke signed data using sig key

19 Unmet Criteria Must specify the “type” of enrollment Update, Renewal, Rekey, Original

20 Open Issues In-line Authorization Should Peers be able to specify non Public Key information PKI Generation of keys -- bad idea? Queue and Manually Approve Advice to admin on all events

21 Open Issues Time out/race conditions –Use Pending from RA on an instant basis –Minimize network attack time –Requires some careful thought on error states and database information. Admin Enrollment on behalf of a peer –Key generation on peer –Key geneneration on admin

Download ppt "CMC and PKI4IPSEC Jim Schaad. Requirements Issues What does MAY really mean What does SHOULD really mean Requirements on Admin Peer Requirements on structure."

Similar presentations

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Cryptography and Network Security

Cryptography and Network Security
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.

Draft-lemonade-imap-submit-01.txt “Forward without Download” Allow IMAP client to include previously- received message (or parts) in or as new message.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”

Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 8 Web Security.

Chapter 8 Web Security.
Security Management.

Security Management.
Trusted Archive Protocol (TAP) Carl Wallace

Trusted Archive Protocol (TAP) Carl Wallace
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.

11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google