Overview of E2E Security CRs


1 Overview of E2E Security CRs
Group Name: SEC WG
Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow
Meeting Date: SEC#22.4,
Agenda Item: End-to-End Security and Group Authentication

2 Background
- Qualcomm has four open CRs related to End-to-End Security
  - SEC R04-CR_TS-0003_R2_Updates_to_MAF_Text
  - SEC R02-CR_TS-0003_Certificate_Enrolment
  - SEC CR_TS-0003_R2_Certificate_Enrolment_procedure_call_flow
  - SEC CR_TS-0003_Usage-constrained_key_derivation_from_Ke
- These changes solve a large set of problems
  - Difficult to provide separate CRs for each problem, since there are interdependencies
  - 91 and 92 are text separated from 71R01.
  - For other solutions that could not be presented in separate CRs, the text is highlighted to simplify discussion on whether to include the text or not.
  - All related to credential provisioning/distribution,
    - mostly E2E Security related, and
    - Better support for certificates (cert enrolment, cert authn w/ MAF)
- This presentation gives an overview of those changes
  - Summary Slide followed by deeper dive into the individual problems and solutions.
  - Presentation does not fully describe solutions – see CRs to understand solutions

3 Summary Table

Problem | Solution Summary | Contribution (SEC-2016-00…)
Certificate Enrolment [SEC R02] | Integration into RSPFs | 71R02
 | Certificate enrolment-specific steps | 91
SAEF, ESPrim and ESData should use same technologies with MEF | SAEF, ESPrim or ESData use single extended versions of MEF procedures |
Limiting scope of usage of symmetric keys established using MEF | Security Usage Identifiers (SUIDs) defined for security features – used to limit scope |
 | Key derivation algorithm (stage 3 detail) | 92
SAEF, ESPrim and ESData should use same technologies with MAF | SAEF, ESPrim or ESData use single extended versions of MAF procedures | 65R04
Limiting scope of usage of symmetric keys established using MAF | |
No way for MAF to select KmId for remotely provisioning symmetric key | Added MAF KmId Retrieval procedure |
MAF auth’n could use client + server certs | Extend MAF handshake (DTLS/TLS) to allow | 65R04, 71R02 light blue highlighting
If Enrolee B is enrolled with MEF, fast re-authenticate to retrieve symmetric key | Allow use of a symmetric Enrolment Re-Authentication Key (Ker) generated during RSPF or provisioned certificate. | 71R02 dark blue highlighting
Triggering remote mgmt in remote provisioning | RSPF can configure URI for remote mgmt | 71R02 grey highlighting

4 Key distribution/provisioning for E2E (1)
- MAF, MAF-SAEF, MEF & RSPFs were specified for key distribution/provisioning when we only had SAEFs for securing communication
- Now we also have ESPrim and ESData
- IDCC added clause 8.6 “Remote Security Frameworks for End-to-End Security” defining TEF providing key distribution/provisioning for ESPrim & ESData
  - As mentioned earlier, more like MAF & operational-phase key distribution
- There would be advantages to having same key distribution/provisioning technologies for all of SAEF, ESPrim, ESData
  - In particular, the overall system becomes less complex

5 Key distribution/provisioning for E2E (2)
- [0071] MEF/RSPF Impact:
  - Add text saying provisioned credentials may be also used for ESPrim and ESData
  - Added support for Usage-Constrained Symmetric Keys, where usage may be MAF, SAEF, ESPrim, ESData …
- [0065] MAF Impact:
  - Extracted MAF-specific details from clause on MAF-Based SAEF and put them in new clause 8.x not specific to SAEFs
  - Added exchanges (within DTLS/TLS)
    - Between Source End-Point and MAF (MAF Key Registration)
    - Between Target End-Point and MAF (MAF Key Retrieval)
  - Added support for source-generated keys (as in clause 8.6.3)
    - Addition to existing support for “Bootstrapped” keys exported from TLS
  - Added support for limiting scope of keys to SAEF, ESPrim, ESData,…

6 Limiting Scope of Symmetric Keys
- Best practice: limit scope within which symmetric key is used
  - The safest mechanism is incorporating, into the key derivation, some identifier or label defining the scope
- Impact
  - Security Usage Identifiers (SUIDs) limit scope to
    - A specific security feature (SAEF, ESPrim, ESData, others?)
    - Specific option of security feature, where applicable, e.g. ESData can use a symmetric key for Encryption Only or Signature Only
  - [0071] RSPF Impact
    - Symmetric Keys derivation incorporates SUID
  - [0092] Stage 3 details of key derivation for RSPFs
  - [0065] MAF Impact
    - Source End-Point provides MAF with SUID limiting scope of distributed credential
    - Target End-Point provides SUID to MAF when requesting credential
    - Currently, derivation of Bootstrapped Kc does not include SUID, but it could easily be changed to include SUID
    - Generation of source-generated Kc is out of scope.
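
The label-in-the-derivation idea from this slide, as an added example that is not taken from the presentation or the CRs: HKDF-SHA-256 (RFC 5869) stands in for the stage 3 algorithm of CR 92, which this page does not give. The SUID code points, end-point identifiers, master key and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step with HMAC-SHA-256."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step; 'info' carries the scope label."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA-256")
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

# Hypothetical SUID code points, constructed for this example (not from the spec).
SUID_ENC_ONLY = 0x0201  # stands for "ESData, Encryption Only"
SUID_SIG_ONLY = 0x0202  # stands for "ESData, Signature Only"

def encode_scope(suid: int, *party_ids: bytes) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") encode differently."""
    out = struct.pack(">H", suid)
    for pid in party_ids:
        out += struct.pack(">H", len(pid)) + pid
    return out

def derive_scoped_key(master: bytes, suid: int, src: bytes, dst: bytes) -> bytes:
    """Derive a 32-byte key bound to one usage (SUID) and one pair of end-points."""
    prk = hkdf_extract(b"scoped-kdf-example", master)
    return hkdf_expand(prk, encode_scope(suid, src, dst), 32)

def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts(master: bytes, suid: int, src: bytes, dst: bytes,
            message: bytes, received_tag: bytes) -> bool:
    """Receiver re-derives the key for the SUID it expects and checks the tag."""
    key = derive_scoped_key(master, suid, src, dst)
    return hmac.compare_digest(tag(key, message), received_tag)

if __name__ == "__main__":
    ke = bytes(range(32))  # constructed master key, not a real credential
    src, dst, msg = b"ae-source", b"cse-target", b"reading=21.5"  # constructed
    t = tag(derive_scoped_key(ke, SUID_SIG_ONLY, src, dst), msg)
    print(accepts(ke, SUID_SIG_ONLY, src, dst, msg, t),
          accepts(ke, SUID_ENC_ONLY, src, dst, msg, t))
```

A tag made under the Signature Only key is rejected by a receiver deriving for Encryption Only, even though both keys come from the same master key.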

7 Certificate Enrolment
- Purpose
  - Provisioning Enrolee certificate on behalf of M2M SP or M2M Trust Enabler
  - MEF would be appropriate function to facilitate this. Could be part of RSPF
  - Suggested SEC R02. Change implemented [0071] and [0091]
- RSPF Impact [0071]
  - Previously, RSPF consisted of a TLS handshake providing mutual authentication of Enrolee and MEF
  - Added “Enrolment exchange” between Enrolee and MEF
    - Includes instruction from MEF to Enrolee triggering Certificate Enrolment via an identified URI
  - Updates Overview ( ), details in clause (referenced in )
- Certificate Enrolment procedure call flow (Stage 2 only) [0091]
  - Stage 3: Propose using Enrolment over Secure Transport (EST) [RFC7030], relying on mutual authentication in RSPF’s existing TLS handshake
  - Issue: EST is currently defined only for HTTP/TLS. Release 2 will only support certificate enrolment over HTTP/TLS. This will be addressed in stage 3 details

8 MAF KmId Retrieval procedure
- Purpose
  - Used when remotely provisioning a symmetric key for MAF.
  - Triggers the MAF to retrieve Km from MAF, assign KmId, provide KmId to Enrolee
- Impact
  - MAF Changes [0065]
    - Referenced in SAEF text (8.2.1 overview, MAF SAEF)
    - Description in MAF Security Framework details (clause 8.x)
  - RSPF Changes [0071]
    - Referenced in RSPF text ( , )

9 Enrolment Re-authentication
- Purpose
  - Enrolee B may need to retrieve, from MEF, a usage-limited symmetric key provisioned to Enrolee.
  - Makes sense to allow Enrolee B to use a credential established with MEF when Enrolee B enrolled
    - Enrolled Certificate or Symmetric Enrolment Re-Authentication Key (Ker)
- RSPF Impact [0071] and
  - Generation of symmetric Enrolment Re-Authentication Key (Ker) and Enrolment Re-Authentication Key Identifier (KerId)
  - Allowing Enrolee B to use enrolled certificate or Ker+KerId for mutual authentication with MAF
  - Relevant Highlighted using dark blue background

10 Cert Authentication w/ MAF
- Purpose
  - MAF Handshake (TLS/DTLS) currently only supports symmetric keys
  - Certificate-based TLS might be preferable in some deployments
    - Advantage: no need for MAF to store secrets for every end-point
- Impact
  - MAF Changes [0065]
    - Details specific to using certificates
      - 8.x.2 MAF Credential Configuration
      - 8.x.4 MAF Handshake.
  - RSPF Changes [0071]
    - (Intro) Mentions that certs can be used for auth’n w/ MAF
    - (Overview flow), (Details in PPSK RSPF) If MEF instructs Enrolee to use a MAF, then MEF indicates to Enrolee whether to use symmetric key or certificate for authentication with MAF
    - Relevant Highlighted using light blue background

11 Triggering Remote Management
- Purpose
  - Enables the MEF to instruct/configure the Enrolee to perform remote management after the remote security provisioning is completed
- RSPF Impact [0071]
  - As part of Enrolment Exchange, MEF may provide the base URI of a remote management server with which the Enrolee shall initiate contact for remote management
  - Relevant Highlighted using grey background

