Presentation is loading. Please wait.

Presentation is loading. Please wait.

Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney"— Presentation transcript:

1 Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney hh@sparta.com

2 Agenda Framework GSAKMP Policy GSAKMP Key Management GSAKMP Message Structures Summary

3 SMuG Framework

4 Policy Group policy vs. Peer Policies AndreaBob A and B have 1 st hand knowledge A and B are sharing their own data A and B participate in key creation Andrea Bob Sue ? A and B have 1 st hand knowledge A and S have 1 st hand knowledge B and S have never communicated Who owns the data? How can S trust B? B trust S? Was the A to B key exchange as strong As the A to S exchange? Will A and B protect the data equally? Is A authorized to distribute key? Is A controlling the group?

5 GSAKMP Features Layered approach Additional functionality vs. re-engineering Full policy specification and dissemination Authenticated policy token Distributed Key Management Security infrastructure discovery Push or Pull operation Optional fields for high grade security Ubiquitous policy enforcement Access control Authorizations Mechanism specifications Rekey Logical Key Hierarchy Proof of concept source code is available - FREE

6 GSAKMP Policy Token (Generic) Token IDAuthorizationAccess ControlMechanismsSignature Block VersionProtocolGroup IDTimestamp Group OwnerKey Server Compromise Recovery Agent PermissionsAccess Group Communications Security Association Unicast Security Association Signer ID Certificate Info Signature Data

7 GSAKMP Policy IPSEC example Token ID Field Token ID Authorizations Access Control Mechanisms Signature Block Group Name IPV4 Multicast Addr: 224.0.0.7 Group #: abcd Source Address: aaa.bbb.ccc.ddd Token version GSAKMP v1.0 ANTIGONE v1.0 Protocol ID IP Multicast Reliable IP Multi Life date 1 day

8 GSAKMP Policy IPSEC example: Authorizations Field Token ID Authorizations Access Control Mechanisms Signature Block Root Cert Type(s) X.509 v3-DSS-SHA1 Key length 1024 Root CA /C=US/ST=MD/L=Columbia/ O=SPARTA,Inc./CN =John Root Group Owner Subject Name /C=US/ST=MD/L=Columbia/ O=SPARTA,Inc./ CN=Jane Owner (Opt Serial #) 1234…. PKI Information GC/KS Subject Name (Opt) Serial # PKI Information Rekey Control Subject Name (Opt) Serial # PKI Information Root Cert Type(s) X.509 v3-DSS-SHA1 Key length 1024 Root CA /C=US/ST=MD/L=Columbia/ O=SPARTA,Inc./CN = Sally Member

9 GSAKMP Policy IPSEC example: Access Control Field Token ID Authorizations Access Control Mechanisms Signature Block permissions Security level 1 Security level 2 Security level 3 Etc. access Control List /C=US/ST=MD/L=Columbia/O=SPARTA,Inc./CN = Grumpy Member /C=US/ST=MD/L=Columbia/O=SPARTA,Inc./CN = Doc Member /C=US/ST=MD/L=Columbia/O=SPARTA,Inc./CN = Sneezy Member Etc. Access Control Rules Distinguished name must be in member Database AND Distinguished name must not be on bad guy list

10 GSAKMP Policy IPSEC example: Mechanisms Field Token ID Authorizations Access Control Mechanisms Signature Block Unicast Peer SA Security Protocol Key Length Key Creation Method Group Establishment Messages Key encryption algorithm Signature Key creation method Group Data Comms SPI: mandatory for group Security Protocol Key Length Key Creation Method Group Source Authentication Group Management Key encryption algorithm Rekey method Signature Data channel exceptions AH ESP IPSec (none) Direction in out ESP Algorithm 3 DES ( See DOI) ESP Authentication hmac-sha (See DOI) Encapsulation Mode tunnel transport SA Life time bytes Selectors source address: 111.222.333.444 (destination port): (group ID): 4 byte? (security label):

11 GSAKMP Policy IPSEC example: Signature Block Field Token ID Authorizations Access Control Mechanisms Signature Block Signature Information Algorithm: DSS Hash: SHA1 Signature Data

12 GSAKMP Key Management - Group Establishment Architecture Group Owner Group Controller (GC/KS) Group Member Group Member Group Member Group Member Subordinate Group Controller (GC/KS) Group Member Group Member

13 GSAKMP Key Management Establishment messages Request to Join SA Establishment Invitation Invitation Response Key Download Acknowledgment Shared Key Group Session ControllerMessage Member

14 GSAKMP Key Management Rekey Rekey ControllerMessage Member Rekey

15 Request to join Message Name : Request to Join Dissection : {HDR, GrpID, Nonce_I, GSA RQ} SigM, [CertM] Payload Types : GSAKMP Header, Nonce, Notification, Signature, [Certificate], [Certificate Request], [Vendor ID], [Identification], [Authorization] SigM : Signature of Group Member CertM : Certificate of Group Member {}SigX :Indicates minimum fields used in Signature [ ] : Indicate an optional data item

16 Invitation Message Name : Invitation to Join Dissection : {HDR, GrpID, Policy Token, (Nonce_R, Nonce_C) OR Nonce_I, [Key Creation], GSA RQ}SigC, [CertC], [SigSC], [CertSC] Payload Types : GSAKMP Header, Policy Token, Nonce, Notification, Signature, [Certificate], [Signature], [Certificate], [Key Creation], [Certificate Request], [Vendor ID], [Identification], [Authorization] SigC : Signature of Group Controller SigSC : Signature of Subordinate Group Controller CertC : Certificate of Group Controller CertSC : Certificate of Subordinate Group Controller {} SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item

17 Invitation Response Message Name : Invitation Response Dissection : {HDR, GrpID, (Nonce_R, Nonce_C) OR Nonce_C, [ID_R], [Key Creation], GSA RS}SigM, [CertM] Payload Types : GSAKMP Header, Nonce, [Identification], Notification, Signature, [Key Creation], [Certificate], [Vendor ID], [Authorization] SigM : Signature of Group Member CertM : Certificate of Group Member {}SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item

18 Key download over SA Message Name : Key Download Dissection : {HDR, GrpID, Nonce_C, ID_R, [(]Key Data[)*]}SigC, [SigSC], [CertSC] Payload Types : GSAKMP Header, Nonce, Identification, Key Download, Signature, [Authorization], [Vendor ID] SigC : Signature of Group Controller SigSC : Signature of Subordinate Group Controller CertC : Certificate of Group Controller CertSC : Certificate of Subordinate Group Controller {}SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item (data)* : Indicates encrypted information

19 Key download insufficient SA Definition Message Name : Key Download Dissection : {HDR, GrpID, Nonce_C, ID_R, (Key Data)*}SigC, [SigSC], [CertSC] Payload Types : GSAKMP Header, Nonce, Identification, Key Download, Signature, [Authorization], [Vendor ID] SigC : Signature of Group Controller SigSC : Signature of Subordinate Group Controller CertC : Certificate of Group Controller CertSC : Certificate of Subordinate Group Controller {}SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item (data)* : Indicates encrypted information

20 Acknowledgement Message Name : Acknowledgment Dissection : {HDR, GrpID, Nonce_C, [ID_R], ACK}SigM, [CertM] Payload Types : GSAKMP Header, Nonce, [Identification], Notification, Signature, [Certificate], [Vendor ID], [Identification], [Authorization] SigM : Signature of Group Member CertM : Certificate of Group Member {}SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item

21 Rekey Message Name : Rekey Event Dissection : {HDR, GrpID, [Policy Token], Rekey Array}SigC, [CertC] Payload Types : GSAKMP Header, [Policy Token], Rekey Event, Signature, [Certificate], [Vendor ID] SigC : Signature of Group Controller CertC : Certificate of Group Controller {}SigX :Indicates minimum fields used in Signature [] : Indicate an optional data item

22 Closing Remarks GSAKMP has a free release ftp://ftp.sparta.com/pub/columbia/gsak mp hh@sparta.com

Download ppt "Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.

ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA

Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA

Similar presentations

Ads by Google