doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)‏ Submission Title: Key Negotiation for IEEE devices using the Host Identity Protocol (HIP)‏ Date Submitted: 18 November, 2009 Source: Robert Moskowitz (ICSAlabs, an Independent Division of Verizon Business Systems)‏ Address: Detroit, MI USA Voice:[…], FAX: […], robert dot moskowitz at icsalabs dot com Re: Unifying keying across protocol layers Abstract:The document proposes unifying the expensive keying mechanism across the protocol layers using the Host Identity Protocol, RFC Purpose:Review layered security model, why both Layer 2 & 3 security needed and how HIP can key Layer 2 security and provide Layer 3 security. Notice:This document has been prepared to assist the IEEE P It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 2 Key Negotiation for IEEE devices using the Host Identity Protocol (HIP)‏ Robert Moskowitz (ICSAlabs, an Independent Division of Verizon Business Systems)‏

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 3 What to Secure? As stated by Norm Finn at the start of the LinkSec effort: –Layer 2 security addresses the Risks and Liabilities of the Network Owner –Layer 3 security addresses the Risks and Liabilities of the System Owner –Layer 4 security addresses the Risks and Liabilities of the Application Owner –Layer 7 security addresses the Risks and Liabilities of the Data Owner –There is some natural overlap Note that each layer tends to have its own datagram framing requirements, but keying issues MAY be commonized.

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 4 A Security Curmudgeon Speaks out MAC security is at best half the problem It boarders on impossible to design a secure system that does not implement system security protocols –Even the smallest sensors are faced with this problem and thus a cost-vs-secure trade off. It is HARD to design a Key Management System –And, in part, why we have so few KMSs.

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 5 Key Management Requirements Really Secure –E.G. SigMa compliant webee.technion.ac.il/~hugo/sigma.html Minimal cost –Short exchange, e.g. 4 datagrams –Use ECC –Long-lived state, e.g. survive power cycles Challenge of maintaining CCM counter as well

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 6 Key Management Requirements Avoid 3 rd parties –E.G. PKI and AAA (used in 802.1X)‏ Support Access Control Lists (ACLs)‏ –With simple registration, e.g. password based Support Emergency Access –E.G. One time Password based –Restricted data flow E.G. “We detect a heartbeat in the rubble”

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 7 A Short Introduction to HIP And what it offers mBAN The Host Identity Protocol (HIP)‏ –Started January 1998 –RFCs: 4423, Leverages a Public Key “Host Identity” to –Set up a secure communication between 2 hosts True Peer-to-peer model –Decouple the Transport layer from the Internetworking layer –Currently RSA & DSA, ECC being added

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 8 A Short Introduction to HIP And what it offers mBAN Introduces the “Host Identity Tag” (HIT)‏ –A hash of the HI into the IPv6 address space Currently in ORCHID (RFC 4843) format Currently uses SHA-1 –Plans to add other hashes, e.g. GMAC –Applications bind to the HIT and never see routable IPv6 addresses HIP middle layer does the mappings –Redirects ARE a problem Supports true multihoming Supports true mobility Local Scope Identities (LSI) for IPv4 support

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 9 A Short Introduction to HIP And what it offers mBAN Uses The Encapsulating Security Payload (ESP) in Transport mode for datagram protection –Any ESP ciphersuite can be used ESP + CCM costs ~26 bytes –The SPI (Security Parameter Index) is the per-packet index to the HIT and IP addresses –All host-paired applications use the same Security Association

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 10 A Short Introduction to HIP And what it offers mBAN HIP is **NOT** a replacement for IKE in IPsec –It is similar, but solves different problems –IKEv2 came after HIP and has 'lessons learned' in its design. –Currently only supports ESP in Transport mode Discussions to add AH support for IPv6 If you want a tunnel, run a tunnel within Transport (IPnIP)‏

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 11 A Short Introduction to HIP And what it offers mBAN The HIP Base Exchange is 4 packets

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 12 A Short Introduction to HIP And what it offers mBAN

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 13 A Short Introduction to HIP And what it offers mBAN Limited policy negotiation –e.g. Key lifetime is a local host issue HIP mobility via Rendezvous Server –NOT a HOME agent –Systems register to an RVS –RVS only 'slingshots' I1 HIP API –Applications can query their security posture –Alternative to Layer 4 security

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 14 HIP brings to mBAN Key MAC security as well as Internetworking security –Implement a single KMS Applications are IP address ignorant –Mobility –IPv6 datagram compression Local loop does may not need SRC and DST addresses This will take work to work right

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 15 HIP work HIP code  Boeing has SCADA experience with their implementation Ported to ARM, but patches not yet public  Ericsson's NomadicLabs has BSD licensed code hip4inter.net

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 16 HIP work HIP code  Helsinki Institute of Information Technologies hipl.infrahip.net Available on N810 –RSA based HIP est. cost of 360mA, no data yet on ECC Ported to Imote2 –

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 17 HIP work “Internet of Things”  perso.telecom- paristech.fr/~urien/hiptag/index.html HIP EAP  Password challenge/response within HIP  draft-varjonen-hip-eap-00.txt

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 18 HIP References HIP book by Andrei Gurtov – HIP-Communications/dp/ Writings – Host Identity Protocol (HIP): Connectivity, Mobility, Multi-homing, Security, and Privacy over IPv4 and IPv6 networks – Performance of Host Identity Protocol on Lightweight Hardware –

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 19 HIP References More Writings – Analysis of the HIP Base Exchange Protocol – Note many of these recommendations were implemented Usable Security Management with Host Identity Protocol – Performance of Host Identity Protocol on Symbian OS –

doc.: IEEE Submission November 2009 Robert Moskowitz (ICSAlabs/VzB)Slide 20 Questions?