Robert Moskowitz, Verizon September 2012 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Moving KMP Forward Date Submitted: September 19, 2012 Source: Robert Moskowitz, Verizon Address 1000 Bent Creek Blvd, MechanicsBurg, PA, USA Voice:+1 (248) 968-9809, e-mail: rgm@labs.htt-consult.com Re: Key Managementn over 4e Multipurpose Frames Abstract: Discussion of KMP transport Purpose: To refine our understanding of the transport mechism Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15. Robert Moskowitz, Verizon

Robert Moskowitz Palm Springs, CA Sept 19, 2012 September 2012 Moving KMP Forward Robert Moskowitz Palm Springs, CA Sept 19, 2012 Robert Moskowitz, Verizon

Abstract Agreements to date Open items Next steps September 2012 Robert Moskowitz, Verizon

Agreements to date KMP encapsulation data format September 2012 Agreements to date KMP encapsulation data format State Machines general content General statements on Security Associations KMP guidelines general format Robert Moskowitz, Verizon

KMP Transport Use a COMMAND Frame IE for KMP encapsulation September 2012 KMP Transport Use a COMMAND Frame IE for KMP encapsulation 802.15.4 IE with max size of 2047 802.15.7 IE max size of 255 Multiple IEs per frame an option Issue with COMMAND frame, need to file maintenance item Robert Moskowitz, Verizon

KMP Transport MAC details September 2012 KMP Transport MAC details Unauthenticated PDUs always use long addresses e.g. KMP rekeying within authenticated PDUs MAY use short addresses KMP payload MAY be fragmented over multiple IEs/frames Use Forced ACK for fragmentation chaining support Robert Moskowitz, Verizon

KMP Information Element September 2012 KMP Information Element Frame format MAC specific information ID/Length 802.15.4 = 0x0a/max2047 802.15.7 = 0x03/max255 Content Control Field – 1 byte KMP fragment Robert Moskowitz, Verizon

KMP IE Content September 2012 Robert Moskowitz, Verizon Octets: 1 Bits: 1 7 KMP Fragment Chaining flag 0 = last/only one 1 = yes, chaining First packet: Multipurpose ID Other packets: Chain count Multipurpose ID: 98-126 98 = KMP Chaining count: 2-96 2 = 2nd fragment 3 = 3rd fragment … 96 = 96th fragment (last possible) Robert Moskowitz, Verizon

KMP IE Content KMP fragment KMP ID – 1 byte 802.1X = 1 HIP = 2 September 2012 KMP IE Content KMP fragment KMP ID – 1 byte 802.1X = 1 HIP = 2 IKEv2 = 3 PANA = 4 SAE, etc. KMP payload Robert Moskowitz, Verizon

KMP Content Examples Examples go here! September 2012 Robert Moskowitz, Verizon

KMP State Machines Two State Machines KMP COMMAND Frame Processing September 2012 KMP State Machines Two State Machines KMP COMMAND Frame Processing Interface between COMMAND processing and KMP Transport Mechanism Basic function is IE processing and fragmentation support KMP Transport Mechanism Robert Moskowitz, Verizon

KMP COMMAND frame processing September 2012 KMP COMMAND frame processing Fragmentation support Outbound KMP payload divided to fit MPDU Fragment sent with Forced ACK Resend if no ACK returned ACK may have been lost MAX retries = ? Next fragment on ACK receipt Robert Moskowitz, Verizon

KMP COMMAND frame processing September 2012 KMP COMMAND frame processing Fragmentation support Inbound Assemble payload from frame received and send ACK Could be a duplicate fragment ACK lost Deliver payload to KMP on completion Robert Moskowitz, Verizon

KMP Transport Mechanism September 2012 KMP Transport Mechanism State machine to handle triggers to/from KMP higher layer Pass through for KMP payloads Triggers from MAC events to KMP Security Enabled to start KMP Frame Counter watch to trigger rekey Robert Moskowitz, Verizon

KMP Transport Mechanism September 2012 KMP Transport Mechanism Security enabled trigger macSecurityEnabled = True on device Start KMP as first transmission to Coordinator – Before Associate? macSecurityEnabled = True on coordinator Receipt of unsecured frame force start? Receipt of secure frame with unknown keys Coordinator lost keys (eg reboot) force start? Robert Moskowitz, Verizon

KMP Transport Mechanism September 2012 KMP Transport Mechanism Frame counter trigger macFrameCounter = 0xffffffff – n Where n allows rekeying before key exhaustion Start KMP rekeying With unicast keying either device MAY trigger rekeying? ASSUMPTION: Only coordinators send with group keys and rekey as needed Robert Moskowitz, Verizon

Security and PAN architecture September 2012 Security and PAN architecture Pairwise keying is used for unicast traffic 2 sets of Security Associations (SAs) Peer-to-Peer communications will only be unicast traffic due to the hidden node challenge Robert Moskowitz, Verizon

Security and PAN architecture September 2012 Security and PAN architecture Two basic SA tables Key Table Device Table Robert Moskowitz, Verizon

KMP Security Associations September 2012 KMP Security Associations Security Association content What keys? PTK, GTK, etc. Counters, lifetimes, etc. Robert Moskowitz, Verizon

KMP Security Associations September 2012 KMP Security Associations Group SAs ASSUMPTIONS There is no MAC Multicast, only Broadcast Question: Did 6lowpan allocate a Multicast MAC address for ND? Non-coordinator nodes ignore broadcasts Robert Moskowitz, Verizon

15.4 Specifics Pre 15.4e device support For 6lowpan PANs September 2012 15.4 Specifics Pre 15.4e device support For 6lowpan PANs Develop a submission to the IETF using the Dispatch Type in RFC 4944 PDUs with the KMP Dispatch Type a length field will be equivalent to the 15.4e KMP IE A 6lowpan device that supports 15.4e SHOULD also support this pre-15.4e mode of operation Who wants to author this? Robert Moskowitz, Verizon

KMP Guidelines KMP Sections General KMP description Use case(s) September 2012 KMP Guidelines KMP Sections General KMP description Sub sections as needed, e.g. backend authentication mechanism Use case(s) 802.15 Profile References to defining documents Parameter specifics, e.g. in HIP, K=0 SA definition E.G. Tie into security PID Robert Moskowitz, Verizon

KMP Guidelines Initial list of KMPs 802.1X September 2012 KMP Guidelines Initial list of KMPs 802.1X Needs to include an actual key exchange like the 802.11i 4-way handshake HIP – R. Moskowitz/J. Haapola IKEv2 – T. Kivinen PANA – Yoshihiro Ohba SAE Robert Moskowitz, Verizon

KMP Guidelines KMP Profiling for 15.9 usage Change in encapsulation September 2012 KMP Guidelines KMP Profiling for 15.9 usage Change in encapsulation e.g. IKEv2 specified to run over UDP Additions for SA management e.g. 802.1X does not supply link keys. In 802.11 usage, this is done via the 4- Way Handshake Special attention to broadcast keying management Others? Robert Moskowitz, Verizon

KMP Guidelines KMP use cases Why this KMP? Practical examples September 2012 KMP Guidelines KMP use cases Why this KMP? Code size, CPU/battery demand Multi-layer code reuse Practical examples Deployment advice Identity installation and registration When performed Life-cycle management Rekeying Robert Moskowitz, Verizon

September 2012 Open Items Robert Moskowitz, Verizon

15.4 Security Options Unclear what are the valid constructs September 2012 15.4 Security Options Unclear what are the valid constructs Encrypt controlled by macSecurityEnabled OR SecurityLevel Thus application can force security when it is not generally selected Likewise an application can set SecurityLevel to Zero to disable protection for a datagram Robert Moskowitz, Verizon

15.4 Security Options Unclear what are the valid constructs September 2012 15.4 Security Options Unclear what are the valid constructs Key Identifier Mode sets the security process but what sets it? The app? Robert Moskowitz, Verizon

15.4 Security Options Unclear what are the valid constructs September 2012 15.4 Security Options Unclear what are the valid constructs Limit to Key Identifier Mode explicit? KeyIdMode = 0x00 Per device pair keying (unicast) PAN broadcast Coordinator broadcast (for beacons) Device broadcast to coordinator Robert Moskowitz, Verizon

September 2012 Next Steps Robert Moskowitz, Verizon