TNC Proposals for NEA Protocols. Presentation by Steve Hanna to the NEA WG meeting at IETF 71, March 11, 2008.


1 TNC Proposals for NEA Protocols

Presentation by Steve Hanna to the NEA WG meeting at IETF 71
March 11, 2008

2 PB-TNC

3 PB-TNC Purpose & Requirements

PB Purpose
–Carry PA messages between PBC & PBS
–Carry global assessment decision from PBS to PBC
–Carry other messages between PBC & PBS

PB Challenging Requirements
–MUST support half-duplex PT
–MUST support grouping attributes to minimize RTs
–MUST operate efficiently over low-bandwidth links
–MUST carry PA message routing identifiers
–SHOULD allow PBC or PBS to start assessment
–MUST support adapting to user language preference
–MAY include security measures or depend on PT security

4 PB-TNC Design Features

Simple round-robin state machine
–PBS or PBC can start by sending a batch
–PBS & PBC take turns sending batches
–End with PBS sending result or early close
Compact batch & message format (Binary TLV)
Designed for extensibility
–No short fields, several reserved fields, versioning support
–IANA process for standard extensions
–Vendor IDs for non-standard extensions (cannot be required)
PA message routing by PA message type
–Optional delivery by PC/PV ID
No PB-TNC security, depends on PT

5 PB-TNC State Machine

                     +---------+   CRETRY   +---------+
             CDATA   | Server  |<-----------| Decided |   CLOSE
      +------------->| Working |----------->|         |-----------+
      |              +---------+   RESULT   +---------+           |
      |                ^  |  |                                    v
      |    CDATA or    |  |  |  CLOSE                          =======
      |    CRETRY      |  |  +-------------------------------->" End "
      |                |  |                                    =======
      |                |  | SDATA or                              ^
      |                |  | SRETRY                                |
      |                |  v                                       |
      |              +---------+               CLOSE              |
      |              | Client  |----------------------------------+
      |              | Working |
      |              +---------+
      |                ^
      |                | SDATA
   ========            |
   " Init "------------+
   ========
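
The round-robin machine above, written out as an added example in Python (not code from the presentation or from any TNC implementation). It encodes the transitions in the diagram together with the turn-taking rule from the previous slide: C* batches come from the Posture Broker Client, S* and RESULT batches from the Posture Broker Server, and neither side may send while the other is working. The slide does not say which side may send CLOSE from Decided, so the example accepts it from either.

```python
"""PB-TNC round-robin state machine as drawn on the slide (added example).

Either side may send the first batch, the two sides then alternate, and the
exchange ends with the PBS sending RESULT (then CLOSE) or an early CLOSE.
"""

# (state, batch type) -> next state, following the slide's diagram.  The five
# batch type names are those listed on the "PB-TNC Batch Types" slide.
TRANSITIONS = {
    ("Init", "CDATA"): "ServerWorking",
    ("Init", "SDATA"): "ClientWorking",
    ("ServerWorking", "SDATA"): "ClientWorking",
    ("ServerWorking", "SRETRY"): "ClientWorking",
    ("ServerWorking", "RESULT"): "Decided",
    ("ServerWorking", "CLOSE"): "End",
    ("ClientWorking", "CDATA"): "ServerWorking",
    ("ClientWorking", "CRETRY"): "ServerWorking",
    ("ClientWorking", "CLOSE"): "End",
    ("Decided", "CRETRY"): "ServerWorking",
    ("Decided", "CLOSE"): "End",
}

# Which side may send each batch type: C* from the Posture Broker Client,
# S* and RESULT from the Posture Broker Server.  CLOSE is not listed because
# whichever side holds the turn may close.
SENDER = {"CDATA": "PBC", "CRETRY": "PBC", "SDATA": "PBS", "SRETRY": "PBS", "RESULT": "PBS"}


class ProtocolError(Exception):
    """Raised on the first batch that violates the state machine."""


def step(state, batch_type, sender):
    """Return the next state, or raise ProtocolError for an illegal batch."""
    expected = SENDER.get(batch_type)
    if expected is not None and expected != sender:
        raise ProtocolError(f"{batch_type} sent by {sender}; only {expected} may send it")
    # Half-duplex round robin: while the server is working only the PBS may
    # speak, while the client is working only the PBC.  Init takes either.
    if state == "ServerWorking" and sender != "PBS":
        raise ProtocolError("PBC sent a batch while the server was working")
    if state == "ClientWorking" and sender != "PBC":
        raise ProtocolError("PBS sent a batch while the client was working")
    try:
        return TRANSITIONS[(state, batch_type)]
    except KeyError:
        raise ProtocolError(f"{batch_type} is not valid in state {state}") from None


def run(batches):
    """Drive the machine over (sender, batch_type) pairs and return the final
    state.  Raises ProtocolError on the first violation, including any batch
    that arrives after CLOSE."""
    state = "Init"
    for sender, batch_type in batches:
        if state == "End":
            raise ProtocolError("batch received after CLOSE")
        state = step(state, batch_type, sender)
    return state


def is_legal(batches):
    """True only if the whole sequence is valid and finishes in End."""
    try:
        return run(batches) == "End"
    except ProtocolError:
        return False
```

A client-initiated assessment is `run([("PBC", "CDATA"), ("PBS", "SDATA"), ("PBC", "CDATA"), ("PBS", "RESULT"), ("PBS", "CLOSE")])`, which ends in `End`; two consecutive PBC batches, a RESULT from Init, or an SDATA claimed by the PBC all raise `ProtocolError`.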

6 PB-TNC Encapsulation

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA)
    PA Message
  PB-TNC Message (Type=PB-PA)
    PA Message

7 PB-TNC Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Batch Length                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

8 PB-TNC Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            PB-TNC Message Value (Variable Length)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

9 IETF Standard PB-TNC Message Types

Message Type  Definition
------------  ----------
0             PB-Experimental - reserved for experimental use
1             PB-Batch-Type - indicates the type of the PB-TNC batch that contains this message
2             PB-PA - contains a PA message
3             PB-Access-Recommendation - includes Posture Broker Server access recommendation (also known as global assessment decision)
4             PB-Remediation-Parameters - includes Posture Broker Server remediation parameters
5             PB-Error - error indicator
6             PB-Language-Preference - sender's preferred language(s) for human-readable strings
7             PB-Reason-String - string explaining reason for Posture Broker Server access recommendation

10 PB-TNC Batch-Type Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|D|                  Reserved                   |  Batch Type   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11 PB-TNC Batch Types

Number  Name
------  ----
1       CDATA
2       SDATA
3       RESULT
4       CRETRY
5       SRETRY

12 PB-PA Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |             PA Message Vendor ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          PA Subtype                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Posture Collector Identifier  | Posture Validator Identifier  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               PA Message Body (Variable Length)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
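
An encoder and validating parser for the batch layout on slides 7 to 12, as an added example in Python; it is not code from the presentation or from any TNC implementation. The PB-TNC version value, the convention that Batch Length and Message Length include their own headers, and the 32-bit layout of the PB-Batch-Type value are assumptions marked in the comments, and the PA message body is carried as opaque bytes. The parser's point is the check any TLV decoder needs: every length field is compared with the bytes actually present before it is trusted.

```python
"""Encoder and validating parser for the PB-TNC batch layout on slides 7-12.
Added example for this transcript, not code from the presentation or the TNC
specs.  Field widths the slides leave open are assumptions, marked below."""
import struct

PB_VERSION = 1                    # assumed: the slide shows the field, not its value
IETF_VENDOR_ID = 0                # Vendor ID 0 marks IETF standard types (slide 17)
PB_BATCH_TYPE, PB_PA = 1, 2       # from the standard PB-TNC message types table
BATCH_TYPES = {"CDATA": 1, "SDATA": 2, "RESULT": 3, "CRETRY": 4, "SRETRY": 5}
BATCH_NAMES = {num: name for name, num in BATCH_TYPES.items()}
HEADER_LEN, MSG_HDR_LEN = 8, 12   # PB-TNC Header and PB-TNC Message header sizes


def pb_message(flags, vendor_id, msg_type, value):
    """PB-TNC Message: Flags(8) | Vendor ID(24), Type(32), Length(32), Value.
    Assumption: Message Length counts the 12-byte message header as well."""
    if flags >> 8 or vendor_id >> 24:
        raise ValueError("Flags is 8 bits, Vendor ID is 24 bits")
    return struct.pack("!III", (flags << 24) | vendor_id, msg_type,
                       MSG_HDR_LEN + len(value)) + value


def batch_type_message(batch_type, d_flag=False):
    """PB-Batch-Type value: |D| Reserved | Batch Type |.  Assumption: one 32-bit
    word, D in the top bit, the batch type number in the low byte."""
    value = struct.pack("!I", (int(d_flag) << 31) | BATCH_TYPES[batch_type])
    return pb_message(0, IETF_VENDOR_ID, PB_BATCH_TYPE, value)


def pb_pa_message(pa_vendor_id, pa_subtype, pc_id, pv_id, pa_body, flags=0):
    """PB-PA value: Flags(8) | PA Vendor ID(24), PA Subtype(32),
    Posture Collector ID(16) | Posture Validator ID(16), PA Message Body."""
    value = struct.pack("!IIHH", (flags << 24) | pa_vendor_id, pa_subtype,
                        pc_id, pv_id) + pa_body
    return pb_message(0, IETF_VENDOR_ID, PB_PA, value)


def encode_batch(batch_type, pa_messages, extra_messages=()):
    """One batch as on slide 6: header, a PB-Batch-Type message, one PB-PA
    message per (pa_vendor_id, pa_subtype, pc_id, pv_id, body) tuple, then any
    pre-encoded extra messages (for instance vendor-specific ones)."""
    body = batch_type_message(batch_type)
    body += b"".join(pb_pa_message(*m) for m in pa_messages)
    body += b"".join(extra_messages)
    # Assumption: Batch Length covers the whole batch including this header.
    return struct.pack("!B3xI", PB_VERSION, HEADER_LEN + len(body)) + body


def parse_batch(data):
    """Parse a batch, refusing any length field that disagrees with the bytes
    actually present: over-long or short TLV lengths are the classic parser bug."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated PB-TNC header")
    version, batch_len = struct.unpack("!B3xI", data[:HEADER_LEN])
    if version != PB_VERSION:
        raise ValueError(f"unsupported PB-TNC version {version}")
    if batch_len != len(data):
        raise ValueError(f"Batch Length {batch_len} but {len(data)} bytes received")
    batch = {"batch_type": None, "d_flag": False, "pa": [], "other": []}
    off = HEADER_LEN
    while off < batch_len:
        if batch_len - off < MSG_HDR_LEN:
            raise ValueError(f"truncated message header at offset {off}")
        word, msg_type, msg_len = struct.unpack("!III", data[off:off + MSG_HDR_LEN])
        vendor_id = word & 0xFFFFFF
        if msg_len < MSG_HDR_LEN or off + msg_len > batch_len:
            raise ValueError(f"Message Length {msg_len} overruns batch at offset {off}")
        value = data[off + MSG_HDR_LEN:off + msg_len]
        if (vendor_id, msg_type) == (IETF_VENDOR_ID, PB_BATCH_TYPE):
            if len(value) != 4:
                raise ValueError("PB-Batch-Type value must be 4 bytes")
            (w,) = struct.unpack("!I", value)
            batch["batch_type"] = BATCH_NAMES.get(w & 0xFF, w & 0xFF)
            batch["d_flag"] = bool(w >> 31)
        elif (vendor_id, msg_type) == (IETF_VENDOR_ID, PB_PA):
            if len(value) < 12:
                raise ValueError("PB-PA value shorter than its fixed fields")
            w2, subtype, pc_id, pv_id = struct.unpack("!IIHH", value[:12])
            batch["pa"].append({"pa_vendor_id": w2 & 0xFFFFFF, "pa_subtype": subtype,
                                "pc_id": pc_id, "pv_id": pv_id, "body": value[12:]})
        else:
            # Other standard types, and vendor-specific ones (which the slides
            # say cannot be required), are handed to the caller, not rejected.
            batch["other"].append((vendor_id, msg_type, value))
        off += msg_len
    if batch["batch_type"] is None:
        raise ValueError("batch carries no PB-Batch-Type message")
    return batch


def pb_well_formed(data):
    """True if parse_batch accepts the bytes."""
    try:
        parse_batch(data)
        return True
    except ValueError:
        return False


# Constructed sample: a CDATA batch carrying one PA message for PA Subtype 1
# (Operating System) from collector 7 to validator 9; the body is opaque here.
SAMPLE_PA_BODY = b"\x01\x00\x00\x00\x00\x00\x00\x2a"
SAMPLE_BATCH = encode_batch("CDATA", [(IETF_VENDOR_ID, 1, 7, 9, SAMPLE_PA_BODY)])
```

`parse_batch(SAMPLE_BATCH)` yields the CDATA batch type and one PB-PA entry for subtype 1; dropping the last byte, or overwriting the PB-PA Message Length with 0x7fffffff, makes `pb_well_formed` return False instead of letting the parser read past the buffer.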

13 Questions about PB-TNC?

14 PA-TNC

15 PA-TNC Purpose & Requirements

PA Purpose
–Carry attributes between PCs & PVs

PA Challenging Requirements
–MUST support extensible set of standard attributes
–MUST support extensible set of vendor-specific attributes
–MUST support Posture Request attributes
–MUST support half-duplex PT
–MUST support grouping attributes to minimize RTs
–MUST operate efficiently over low-bandwidth links
–SHOULD provide security

16 PA-TNC Design Features

Use message routing (PA Subtype) to ID component
–Anti-Virus, Firewall, HIPS, OS, VPN, etc.
Realize that most attributes apply across all components
–Manufacturer, product ID, version, operational status, attribute request
–So provide a standard way to describe these attributes, but allow extensions
Use compact message format (Binary TLV)
Design for extensibility
–No short fields, several reserved fields
–IANA process for standard extensions
–Vendor IDs for non-standard extensions (cannot be required)
Separate PA-TNC security since WG was uncertain

17 PA-TNC Within PB-TNC

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
    PA-TNC Message
      PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
      PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

18 IETF Standard PA Subtypes

Number  Name
------  ----
0       Testing
1       Operating System
2       Anti-Virus
3       Anti-Spyware
4       Anti-Malware
5       Firewall
6       IDPS
7       VPN

19 PA-TNC Message Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Message Identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

20 PA-TNC Attribute

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |          PA-TNC Attribute Vendor ID           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PA-TNC Attribute Type                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    PA-TNC Attribute Length                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Correlation ID                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Attribute Value (Variable Length)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

21 IETF Standard PA-TNC Attribute Types

Number  Name
------  ----
0       Testing
1       Attribute Request
2       Product Information
3       Numeric Version
4       String Version
5       Operational Status
6       Port Filter
7       Installed Packages
8       PA-TNC Error
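
The PA-TNC layer from slides 17 to 21, as an added Python example (not code from the presentation or from any TNC implementation); its output is the kind of byte string a PB-PA message body would carry. Assumed, and marked as such in the code: the version value, that Attribute Length includes the 16-byte attribute header, and the stand-in value bytes for the Product Information and Numeric Version attributes, because the slides do not give those value layouts.

```python
"""Encoder and validating parser for the PA-TNC message and attribute layout
on slides 19-21.  Added example for this transcript, not code from the
presentation or the TNC specs; attribute values are carried as opaque bytes
because the slides do not give per-attribute value layouts."""
import struct

PA_VERSION = 1                     # assumed: the slide shows the field, not its value
IETF_VENDOR_ID = 0
ATTR_TYPES = {"Testing": 0, "Attribute Request": 1, "Product Information": 2,
              "Numeric Version": 3, "String Version": 4, "Operational Status": 5,
              "Port Filter": 6, "Installed Packages": 7, "PA-TNC Error": 8}
ATTR_NAMES = {num: name for name, num in ATTR_TYPES.items()}
HDR_LEN, ATTR_HDR_LEN = 8, 16      # PA-TNC Message Header and attribute header sizes


def pa_attribute(attr_type, value, correlation_id=0, vendor_id=IETF_VENDOR_ID, flags=0):
    """PA-TNC Attribute: Flags(8) | Vendor ID(24), Type(32), Length(32),
    Correlation ID(32), Attribute Value.  Assumption: Length includes the
    16-byte attribute header."""
    if flags >> 8 or vendor_id >> 24:
        raise ValueError("Flags is 8 bits, Vendor ID is 24 bits")
    return struct.pack("!IIII", (flags << 24) | vendor_id, attr_type,
                       ATTR_HDR_LEN + len(value), correlation_id) + value


def encode_pa_message(message_id, attributes):
    """PA-TNC Message Header (Version(8) | Reserved(24), Message Identifier(32))
    followed by the already encoded attributes."""
    return struct.pack("!B3xI", PA_VERSION, message_id) + b"".join(attributes)


def parse_pa_message(data):
    """Walk the attribute TLVs, checking every Length against the bytes present."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated PA-TNC message header")
    version, message_id = struct.unpack("!B3xI", data[:HDR_LEN])
    if version != PA_VERSION:
        raise ValueError(f"unsupported PA-TNC version {version}")
    attrs, off = [], HDR_LEN
    while off < len(data):
        if len(data) - off < ATTR_HDR_LEN:
            raise ValueError(f"truncated attribute header at offset {off}")
        word, attr_type, attr_len, corr = struct.unpack("!IIII", data[off:off + ATTR_HDR_LEN])
        if attr_len < ATTR_HDR_LEN or off + attr_len > len(data):
            raise ValueError(f"Attribute Length {attr_len} overruns message at offset {off}")
        vendor_id = word & 0xFFFFFF
        attrs.append({
            "vendor_id": vendor_id,
            "flags": word >> 24,
            # Type names only apply to IETF (Vendor ID 0) attribute types;
            # vendor-specific types are reported by number.
            "type": ATTR_NAMES.get(attr_type, attr_type) if vendor_id == IETF_VENDOR_ID else attr_type,
            "correlation_id": corr,
            "value": data[off + ATTR_HDR_LEN:off + attr_len],
        })
        off += attr_len
    return {"message_id": message_id, "attributes": attrs}


def pa_well_formed(data):
    """True if parse_pa_message accepts the bytes."""
    try:
        parse_pa_message(data)
        return True
    except ValueError:
        return False


def os_posture_message():
    """Constructed message in the shape of slide 17: Product Information and
    Numeric Version attributes for the Operating System component.  The value
    bytes are stand-ins, not the real attribute encodings."""
    product = pa_attribute(ATTR_TYPES["Product Information"], b"Windows XP", correlation_id=1)
    version = pa_attribute(ATTR_TYPES["Numeric Version"], struct.pack("!II", 5, 3), correlation_id=2)
    return encode_pa_message(0x1234, [product, version])
```

`parse_pa_message(os_posture_message())` returns message identifier 0x1234 with the two attributes in order; a message cut off inside an attribute header or inside an attribute value is rejected rather than partially decoded, and a vendor-specific attribute comes back with its numeric type and Vendor ID so the caller can decide whether it understands it.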

22 Main Types Defined in PB-TNC and PA-TNC

PB-TNC Message Type
–PB-Batch-Type, PB-PA, etc.
PB-TNC Batch Type
–CDATA, SDATA, etc.
PA Subtype
–Operating System, Anti-Virus, etc.
PA-TNC Attribute Type
–Product Information, Numeric Version, etc.
All easily extensible except PB-TNC Batch Type
–Via PEN (IANA Private Enterprise Number, used as the Vendor ID) for vendor-specific values
–Via IANA registry for standard values

23 Questions about PA-TNC?

24 PA-TNC Security

25 PA-TNC Security Purpose & Requirements

PA-TNC Security Purpose
–Secure attributes between PCs & PVs

PA-TNC Security Challenging Requirements
–SHOULD provide authentication, integrity, and confidentiality protection of PA attributes
–[If security protection is included,] MUST protect against active and passive attacks by intermediaries and endpoints including replay attacks
–MUST operate efficiently over low-bandwidth links

26 PA-TNC Security Design Features

Use Cryptographic Message Syntax (CMS) to secure PA-TNC messages
–Avoids need for roundtrips to establish session keys
–Allows for granular use of PA-TNC security only when desired
–Allows for authentication without confidentiality
–Extensible for nonce and capabilities exchange
Allow protection of multiple attributes at once
–Reduces bandwidth
Assume that PCs and PVs handle authorization

27 CMS Protected Content PA-TNC Attribute Type

New PA-TNC Attribute Type
May be contained in any PA Subtype
Contains CMS ContentInfo structure
–May have signed-data or enveloped-data

28 signed-data

Used when confidentiality protection is not needed
encapContentInfo MUST contain one or more PA-TNC attributes
certificates MUST include signer's certificate and SHOULD include certificate path to trust anchor
crls MAY include CRLs
Only one SignerInfo permitted
–MUST include signedAttrs with Nonce CMS attribute
MUST: RSA 2048 & SHA-256
MUST- (required now, expected to be downgraded later): SHA-1
SHOULD: ECDSA 256

29 Nonce CMS Attribute

Provides replay protection
MUST be included in all signedAttrs
Includes pcNonce and pvNonce fields
–PC & PV select unpredictable initial values
–Increment to 2^32-1, then reselect
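
A model of the Nonce attribute's replay protection as an added Python example, not code from the presentation or from any CMS implementation. It implements only the counter rules the slide gives (unpredictable initial value, increment to 2^32-1, then reselect) plus one assumed binding the slide does not spell out: each side puts its own fresh nonce in its field and the most recent nonce received from the peer in the other field, so a signed message that does not echo the verifier's latest nonce, or that reuses a peer nonce, is rejected. The first message of an exchange has nothing to echo and so is not bound; the CMS signature that would cover these values is out of scope here.

```python
"""pcNonce/pvNonce replay protection as described on the slide (added example).

Only the nonce bookkeeping is modelled.  In the real design the Nonce
attribute sits in signedAttrs, so the signature covers both values.
"""
import secrets

MAX_NONCE = 2**32 - 1


def sequence_rng(*values):
    """Deterministic stand-in for secrets.randbelow, for tests and demos."""
    it = iter(values)
    return lambda n: next(it)


class NonceEndpoint:
    """One side of the exchange: a Posture Collector ("pc") or Validator ("pv")."""

    def __init__(self, role, rng=secrets.randbelow):
        if role not in ("pc", "pv"):
            raise ValueError("role must be 'pc' or 'pv'")
        self.field = "pcNonce" if role == "pc" else "pvNonce"
        self.peer_field = "pvNonce" if role == "pc" else "pcNonce"
        self._rng = rng
        self.current = rng(MAX_NONCE + 1)   # unpredictable initial value
        self.last_sent = None                # our most recent own nonce
        self.peer_last = None                # most recent nonce accepted from peer

    def _advance(self):
        """Use the current value, then increment; at 2^32-1 reselect at random."""
        value = self.current
        self.current = self._rng(MAX_NONCE + 1) if value == MAX_NONCE else value + 1
        return value

    def outgoing(self):
        """Nonce attribute for our next signed message.  Assumption: the peer's
        field echoes the latest nonce received from it (0 before any)."""
        self.last_sent = self._advance()
        return {self.field: self.last_sent, self.peer_field: self.peer_last or 0}

    def verify(self, nonce_attr):
        """Accept a received Nonce attribute only if it echoes our latest nonce
        and carries a peer nonce that has moved forward (or the peer was at
        2^32-1 and had to reselect)."""
        echoed = nonce_attr[self.field]
        theirs = nonce_attr[self.peer_field]
        if not 0 <= theirs <= MAX_NONCE:
            return False
        if self.last_sent is not None and echoed != self.last_sent:
            return False   # does not reflect our latest message: stale or replayed
        if (self.peer_last is not None and theirs <= self.peer_last
                and self.peer_last != MAX_NONCE):
            return False   # peer nonce reused or went backwards: replay
        self.peer_last = theirs
        return True
```

With deterministic starting values (1000 for the PC, 5000 for the PV), the exchange PC → PV → PC verifies at each hop; replaying either of the PC's earlier messages to the PV fails, the first because its pvNonce no longer matches the PV's latest value, the second because pcNonce 1001 has already been accepted. A side whose counter has reached 2^32-1 reselects, and the peer tolerates exactly that one non-monotonic step.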

30 enveloped-data

Used when confidentiality protection is needed
encryptedContentInfo MUST contain encrypted version of signed-data
originatorInfo MUST include signer's certificate and SHOULD include certificate path to trust anchor, MAY include CRLs
recipientInfo contains encryption keys for recipients

31 enveloped-data Algorithms

Mechanism                             Requirement  Algorithm
------------------------------------  -----------  ---------
Content Encryption                    MUST         AES 128 & 256
Key Transport                         MUST         RSA 2048 wrapping the AES CEK
Key Agreement                         MUST         ESDH (Ephemeral-Static Diffie-Hellman) w/ AES KEK (128 & 256)
Previously Distributed Symmetric KEK  MUST         AES Key Wrap (128 & 256)
Password Based                        MUST         Password Derived AES (128 & 256) (if supported)

32 Security Capabilities PA-TNC Attribute Type

Used to indicate prioritized list of supported algorithms
May be contained in any PA Subtype
May be requested with Attribute Request
Contains signed-data with Nonce and paTncSecurityCapabilities in SignerInfo's signedAttrs and empty encapContent

33 Concerns with PA-TNC Security

Need review by CMS experts
Concern about data size
Concern about complexity for PC & PV
Concern about difficulty of configuring PC & PV authorization

34 Questions about PA-TNC Security?

