Presentation is loading. Please wait.

Presentation is loading. Please wait.

Discussion of Outstanding TGai Security Topics

Published byArchibald Stafford Modified over 6 years ago

Similar presentations

Presentation on theme: "Discussion of Outstanding TGai Security Topics"— Presentation transcript:

1 Discussion of Outstanding TGai Security Topics
April 2009 doc.: IEEE /1243r0-draft October 30, 2012 Discussion of Outstanding TGai Security Topics Date: Authors: Name Company Address Phone René Struik Struik Security Consultancy Toronto ON, Canada USA: +1 (415) Toronto: +1 (647) Skype: rstruik René Struik (Struik Security Consultancy) Rich Kennedy, Research In Motion

2 October 30, 2012 Background The following contributions provide background: Presentations ai-authentication-with-local-authentication-and-optional-remote-authorization Specification text: ai-suggested-edits-to ai-tgai-spec-text-proposal-for-fils-authentication ai-suggested-edits-to ai-tgai-spec-text-proposal-for-fils-authentication- protocol-draft ai-tgai-spec-text-proposal-for-fils-authentication-protocol Updates provided now: Elaboration on questions resulting from Palm Springs meeting Details of cryptographic protocol ingredients (shown in context) – most already originally in 12/794r3 Main message: Opportunity for full conversion on protocol details, so as to arrive at solid, well-understood, yet nimble and flexible protocol and that is even already standardized elsewhere

3 Outline Protocol recap Computational cost public-key crypto
October 30, 2012 Outline Protocol recap Computational cost public-key crypto Certificate structure “piggy-backed data” along key confirmation flows Note: Our exposition is relative to certificate-based public-key protocol (i.e., without online third party), but does leave out details not necessary for current discussion

4 Protocol Recap October 30, 2012 Security properties:
Key establishment, mutual entity authentication, implicit key authentication, mutual key confirmation, etc. A Random X, CertCA(IdA,QA) MACk1(IdA || IdB || X || Y ) Key Establishment Key Confirmation B Random Y, CertCA(IdA, QB) STA AP René Struik (Struik Security Consultancy)

5 Computational Cost Public-Key Crypto
October 30, 2012 Computational Cost Public-Key Crypto Implementation cost ECC on constrained platforms: ATMega 128, MHz platform [1]: Koblitz curve K-163: 0.32s; K-233 curve: 0.73s (in assembly) Hardware-assisted implementation: much faster Anecdotal evidence: required with constrained smartgrid applications (e.g., US, Germany, France, etc.) Ref: [1] Diego F. Aranha, Julio López, Leonardo B. Oliveira and Ricardo Dahab. Efficient implementation of elliptic curves on sensor nodes. Conference on Hyperelliptic curves, discrete Logarithms, Encryption, etc., Frutillar, Chile, 2009 Options, as specified with 12/1172r0: Prime curve: P-256 FIPS Pub 186-3, NIST SP a, ANSI X Binary curve: K-283 FIPS Pub 18-3, NIST SP a, ANSI X Motivation: Prime curves: more vulnerable to crypto implementation attacks (side channel/fault attacks) and denial of service attack; most suitable when implemented on platform with efficient integer arithmetic; Binary curves: less vulnerable to crypto implementation attacks (side channel/fault attacks) and denial of service attacks; most suitable for resource-constrained, sensor-style platforms (e.g., af, low energy mode) Legacy constructs: RSA, ordinary DLP not specified, since not meeting FILS requirements René Struik (Struik Security Consultancy)

6 Key Info Field - Certificates (1)
October 30, 2012 Key Info Field - Certificates (1) Function of KeyInfo field Distribution of authentic long-term public keys QA and QB Options Device Certificates: KeyInfoA = “CertCA(IdA, QA)” Example: X509v3-style, etc. Logical separation of identifier space and public keys (same IdA can get new public key QA) Device configuration does not bind elements of identifier space and public keys Assignment of identifier could precede crypto operations (e.g., transceiver chip with Id, with higher-layer crypto and binding added later on when building system) Independent verification of authenticity binding possible, trivial key extraction Authorization based on management of device identities Requires CA who binds elements of identifier space and public keys Manual “Certificates”: KeyInfoA = “(IdA, QA)” Example: hashed public keys, etc. Logical binding of identifier space and public keys (new public key QA results in loss of IdA) Device configuration binds elements of identifier space and public keys Assignment of identifiers cannot precede crypto operations (e.g., transceiver chip can only obtain Id once higher-layer crypto added later on when building system) Independent verification of binding possible, trivial key extraction Authorization based on management of public-key related identities Does not require CA for authentic binding, but no evidence on “sanity checks” key generation Both require authentic authorization operations (device provisioning, personalization, etc.) René Struik (Struik Security Consultancy)

7 Key Info Field – Certificates (2)
October 30, 2012 Key Info Field – Certificates (2) Function in context of key authentication Verification that only party that may be capable of computing the key is indeed its perceived communicating party Options, as specified with 12/1172r0: KeyInfo verification Device Certificates: KeyInfoA = “CertCA(IdA, QA)” X509v3-style ECDSA certificate, with SHA-256 hash function Cryptographic scheme standardized with FIPS Pub 180-2, FIPS Pub 186-3, ANSI X Certificate scheme standardized with RFC 3280, RFC 5480 Manual “Certificates”: KeyInfoA = “(IdA, QA)” Same as device certificate, but now without signature field Scheme standardized with IETF: approved draft farrell-decade-ni-10 (“Naming things with hashes”) Note: KeyInfoA can be locally stored as hashed version (e.g., using SHA-256 hash function) Question: Does specifying ordinary certificates and manual certs (“hashed keys”) suffice? (I did not hear any further feedback from Palm Springs participants after September 2012 meeting) René Struik (Struik Security Consultancy)

8 “Piggy-Backed Info” (1)
October 30, 2012 “Piggy-Backed Info” (1) Basic Protocol: Security properties: Key establishment, mutual entity authentication, implicit key authentication, mutual key confirmation, etc. A Random X, CertCA(IdA,QA) MACk1(IdA || IdB || X || Y ) Key Establishment Key Confirmation B Random Y, CertCA(IdA, QB) STA AP René Struik (Struik Security Consultancy)

9 “Piggy-Backed Info” (2)
October 30, 2012 “Piggy-Backed Info” (2) Extended Protocol #1: (with “piggy-backing”) Security properties: Key establishment, mutual entity authentication, implicit key authentication, mutual key confirmation, etc. Additional functionality: Authentication of exchanged “piggy-backed info” TextA and TextB (if any), via authentication tags key confirmation messages A Random X, CertCA(IdA,QA) MACk1(IdA || IdB || X || Y || [TextA]), TextA Key Establishment Key Confirmation B Random Y, CertCA(IdA, QB) MACk1(IdA || IdB || X || Y || [TextB]), TextB STA AP Piggy-backed info may originate remotely René Struik (Struik Security Consultancy)

10 “Piggy-Backed Info” (3)
October 30, 2012 “Piggy-Backed Info” (3) Extended Protocol #2: (with “piggy-backing”) Security properties: Key establishment, mutual entity authentication, implicit key authentication, mutual key confirmation, etc. Additional functionality: Authentication of exchanged “piggy-backed info” TextA and TextB (if any), via authentication tags already in key confirmation messages (if field present) Confidentiality and authenticity of exchanged “piggy-backed info” TextA and TextB (if any), via special enciphering function not present on basic protocol A Random X, CertCA(IdA,QA) MACk1(IdA || IdB || X || Y || [TextA]), [TextA]k2 Key Establishment Key Confirmation B Random Y, CertCA(IdA, QB) MACk1(IdA || IdB || X || Y || [TextB]), [TextB]k2 STA AP Piggy-backed info may originate remotely René Struik (Struik Security Consultancy)

11 “Piggy-Backed Info” (4)
October 30, 2012 “Piggy-Backed Info” (4) Options for securing “piggy-backed data”: Data authenticity only: Simply use authentication tag key confirmation Data authenticity via key confirmation tag, confidentiality separately: use, e.g., CTR mode construct1 Both authenticity and confidentiality separately: use any combined authentication and encryption mode (AEAD mode), e.g., CCM, GCM, OCB Notes: With options #2, #3, so-called “nonce misuse resistance” is a non-issue, since Enciphering function uses “fresh” key across different invocations along key confirmation message flows Nonce space of both protocol parties easy to separate Easy to use two “fresh” keys if really desired (use one key in each direction) Simplest option is to reuse (elements of) existing constructs, so as to save implementation cost (Option #2: CTR mode; option #3: CCM mode) Alignment of nonce structure with reused construct beneficial (depending on prevalent hardware [RS: please drop me a note!]) Fully compliant with standards (NIST, ANSI, etc.) 1See, e.g., 12/1151r3, §11.9a.2.4b, 11.9a.2.5b René Struik (Struik Security Consultancy)

12 Other Considerations Use standards whenever possible:
October 30, 2012 Other Considerations Use standards whenever possible: Reuses existing implementations and makes compliance process easier Fosters interoperability, confidence in sufficient scrutiny E.g., use standard representations ECC point, reference NIST SP a schemes Keep protocol engine separate from usual frame processing state machine Allows reuse of existing crypto state machines, without specific “tweaks” of general components Allows reuse of key agreement engine for other applications besides ai (e.g., NFC protocol on WiFi-enabled device) Avoids convoluted security arguments (easier to study properties of protocol) E.g., no enciphering of entire Association Request/Response frame, but only payload fields (where key agreement flows reside) René Struik (Struik Security Consultancy)

13 List of Questions after Palm Springs meeting
October 30, 2012 List of Questions after Palm Springs meeting (no doubt, partial – additions welcome) René Struik (Struik Security Consultancy)

14 Questions Resulting from Palm Springs Meeting (1)
October 30, 2012 Questions Resulting from Palm Springs Meeting (1) TGai mailing list: (David Goodall, as of September 21, 2012, 7.35pm EDT) 1. What functionality or advantages do we lose when we lose the EAPOL key frames? A specific example is that the multi-band operations introduced in 11ad require use of fields which were added to EAPOL key frames 1-4. If we don’t have the EAPOL key frames in the 11ai mechanism, and we want the multi-band operation, then we need to do some extra specification work. This should be do-able but there may be an ongoing requirement to maintain this part of the multi-band functionality in more than one place in the specification. I need to review further to see if there any other similar issues.    2. Will 11ai fast initial link setup be fast for low power, CPU-challenged devices? An example is a mobile battery powered RFID sensor tag with perhaps a 50 MHz 32 bit CPU. I gather that the current non-TTP proposal will take perhaps 10 ms on a smart phone with a 1 GHz processor so it does not appear suitable for low power devices. Rene Struik has indicated that this issue can be addressed with a different selection of elliptic curve and various processing techniques.

15 Questions Resulting from Palm Springs Meeting (2)
October 30, 2012 Questions Resulting from Palm Springs Meeting (2) Main outstanding topics resulting from Palm Springs sessions on TGai security: Certificate structure Mechanism for authentication and (possibly) encryption of “piggy-backed data” along key confirmation Other topics: Reuse of existing crypto and security functionality Compliance to external specifications (e.g., key wrap?)

Download ppt "Discussion of Outstanding TGai Security Topics"

Similar presentations

Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester 2008-2009 ITGD 2202 University of Palestine.

Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
Doc.: 11-12-0794r3 Submission August 31, 2012 René Struik (Struik Security Consultancy)Slide 1 Authentication with Local Authentication and Optional Remote.

Doc.: r3 Submission August 31, 2012 René Struik (Struik Security Consultancy)Slide 1 Authentication with Local Authentication and Optional Remote.
Doc.: IEEE 802.11-12/1054r0 Submission Sep. 2012 Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: 2012-09-07 Authors:

Doc.: IEEE /1054r0 Submission Sep Santosh Pandey (Cisco)Slide 1 FILS Reduced Neighbor Report Date: Authors:
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security (CS435) Part Eight (Key Management)
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.

23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
Doc.: IEEE 802.11-01/495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Doc.: 11-12-1243r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date: 2012-10-30.

Doc.: r1 Submission October 30, 2012 René Struik (Struik Security Consultancy)Slide 1 Discussion of Outstanding TGai Security Topics Date:
Doc.: 11-13-0201-07 Submission May 13, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date: 2013-05-13.

Doc.: Submission May 13, 2013 Rene Struik (Struik Security Consultancy)Slide 1 FILS Handling of Large Objects, FILS Piggy-Backing Date:

Similar presentations

Ads by Google