March 2009
Richard Paine, Self
Slide 1
sg-whitespace-09-0061-00-0000-Secure-Datastore-Architecture-Concepts
Submission
Project: IEEE 802 Executive Committee Study Group on TV White Spaces – Secure Datastore/End-to-End Security Architecture Concepts
Title: ECSG WS Study Group
Date Submitted: 2009-03-09
Source(s): Contributor: Richard Paine; Affiliation: Self; Voice: 206-854-8199; e-mail: [email protected]
Abstract: IEEE 802 ECSG on White Space slide deck to capture 802 and TVWS use case security issues.
Purpose: To provide input to the ECSG and others on possible use cases that will help clarify how the TVWS spectrum might be secured and how these uses might possibly be addressed by IEEE 802 work.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.
Patent Policy and Procedures: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>. Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and <http://standards.ieee.org/board/pat>.
Slide 2
802 End-to-End Security
Slide 3
OSI-TCP/IP Stack Comparison
Slide 4
Platform and Security Layers
[Diagram: two platform stacks, each with Modem, OS-Internetworking, OS-Session and Application layers, connected through Media and a Physical Medium. Labels between the stacks: 802.1x, etc.; IPSec, HIP, etc.; SSL, TLS, etc.; Application-Secured Payload.]
• Each platform abstraction layer supports its own communications security
  – Note: Media security is generally platform-to-network, not platform-to-platform
• Implementation of each platform abstraction should be secured
  – Certification of regulatory/standards compliance
  – Real-time attestation of implementation (“tamper-proof”)
  – Ability to secure sensitive data
  – This is not shown, but implied
Slide 5
802 Interface to the “Outside World”
[Diagram: two platform stacks showing the Modem and OS-Internetworking layers, connected through Media and a Physical Medium. Labels: 802.1x, etc.; IPSec, HIP, etc. Annotation: Discontinuity between IEEE 802 and IETF.]
Slide 6
[Diagram labels: End Device Stack; 802 PHY; 802 MAC; Network Equipment; 802 IF To Upper Layers; 802 IF To Network Device Layers; Data Link; Physical Medium.]
Slide 7
Lightweight Host Identity Protocol Example
[Diagram: two peer stacks, each labelled TCP/UDP, HIP, IPSEC, IP and Authentication Layer. Labels between the stacks: ESP Payload: not encrypted, not authenticated; Authenticated Control Messages; Authentication Interaction; Unauthenticated Control Messages.]
Gurtov; Host Identity Protocol (HIP); Wiley, 2008; pg 131.
Slide 8
The End-to-End LHIP Security Stack
[Diagram labels: Secure Network Equipment (two instances); IF To Upper Layers (two instances); Physical Medium.]
Slide 9
The End-to-End HIP/SMA Security Stack
Adding HIP, TNC, and the FCC WS Work
[Diagram labels: 802 PHY; 802 MAC; Data Link; Secure Network Equipment; IF To Upper Layers; 802 IF To Upper Layers; 802 IF To Device Layers; FCC WSDB and Schema; SMA Secure DataStore and Schema; SMA PKI Datastore People/Machines; TNC Secure DataStore and Schema; IETF’s Secure DataStore and Schema (MAP); Physical Medium.]
Slide 10
802 Interface to the “Outside World”
[Diagram: two platform stacks, each with Modem, OS-Internetworking, OS-Session and Application layers, connected through Media and a Physical Medium. Labels between the stacks: 802.1x, etc.; IPSec, HIP, SMA, etc.; SSL, TLS, etc.; Application-Secured Payload. Datastore labels, shown on both sides: TCG’s TNC Secure DataStore and Schema (IF-MAP); IETF’s Secure DataStore and Schema (MAP); FCC Secure WS DataStore; TOG’s SMA Secure Datastore and Schema; SMA PKI Datastore People/Machines. Additional label: Summary Data.]
Slide 11
Ideal End-to-End Security
[Diagram: two platform stacks, each with Modem, OS-Internetworking, OS-Session and Application layers, connected through Media and an IP Infrastructure. Labels between the stacks: IPSec, HIP, SMA, etc.; SSL, TLS, etc.; App.-Secured Payload. Each side also shows a Trusted Policy Engine and an IETF/TCG/TOG/IEEE Secure DataStore and Schema (MAP). Annotation: Trusted component used to verify compliance and prevent policy violation.]
Slide 12
Secure Datastore Commonalities
• Datastores/Schema all have similarities (FCC, SMA, LHIP, & TNC)
  – Location information and measurement
    • Geolocation, sensor measurements
  – Host information:
    • Identity, name, address, etc.
  – Network IDs:
    • MAC, IP address, etc.
  – Local policy databases
    • Spectrum policy information
    • Security policies database
    • Co-existence policies
  – Remote database information
    • DNS, Spectrum Servers, Certificate Authorities, Sensitive SW Sources (e.g. McAfee), etc.
  – Trust certificates
  – Identities of trusted third party connections
• IF should/could be standardized
Slide 13
Interfaces Need to be Defined
• 802.11k SME MIB “Zero Config”-like Access
  – Object IDs for the MIB Entries
• 802.11 SME MIB Clients
• 802.16 MIB Clients
• 802.21 MIB Clients
• SMA Interface [SLDAP (Secure Lightweight Directory Access Protocol)]
• DNS
• TCG’s TNC [IF-MAP (InterFace-Metadata Access Point)]
• FCC WS – interface undefined, but required fields similar
Slide 14
End-to-End Projects Identified
• Joint IEEE-IETF Task Force on end-to-end security protocols and definitions
  – Passing of SMA/cryptographic identity/security information from PHY to upper layers (schema?)
• IEEE/802.21 project for security handoff between disparate systems (schema?)
• Joint IEEE-TCG Task Force on device security at lower layers
  – Attesting to lower layers
  – Compliance with regulatory/standards policies, e.g. FCC White Spaces regulations
• Interface definitions for all interfaces in 802