Secure Mobile Architecture

IEEE 802.11 submission, doc.: IEEE 802.11-05/0373r0, May 2005. Date: 2005-03-13. Author: Richard Paine, Boeing, 206-854-8199, [email protected]

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.

Upload: esmond-shepherd

Post on 30-Dec-2015



Slide 2: SMA Demonstration, Dec. 2004

SMA Demo Team, Math & Computing Technologies

NGI_SMA_Demoslides-rev7.ppt | 12/6/2004. BOEING is a trademark of Boeing Management Company. Copyright © 2004 Boeing. All rights reserved.

NGI_SMA_DemoSlides Apr 19, 2023 | 3

Boeing Technology | Phantom Works

E&IT | Mathematics and Computing Technology

Slide 3: Agenda

• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Components
  – PKI, HIP, NDS, LENS
• Demonstration
  – Component overview
  – Provisioning
  – Mobility (IP Address change)
  – Location-based Policy enforcement
  – Rule-based policy enforcement
• Application to Boeing Enterprise
• CY’05 plans
• Q & A

Slide 4: Agenda (repeat of slide 3)

Slide 5: What is “SMA”?

Secure: Cryptographic identities are associated with each and every packet.

Mobile: Mobility-driven address changes transparent to applications & connections.

Architecture: Significantly improves our Enterprise network architecture by providing:
• Improved flexibility and agility
• Network-enforced, end-to-end security
• Centralized access control with delegated authority
• Reduced operational cost and complexity
• Uniform internal/external access method

Slide 6: So what is the problem?

• Cost and complexity of managing current network infrastructure is quickly becoming unmanageable

• We have a growing need for flexibility, mobility and user diversity

• We are quickly becoming an ISP for our suppliers, vendors and customers

– How do we affordably enforce AAA requirements for this diverse population?

• Wireless networking is revolutionizing our factory and office environments

– How do we support the needs of emerging e-enabled factories, products, and mobile workers?

• We need a secure, agile network infrastructure that can quickly adapt to new requirements and emerging network technologies.

Slide 7: Agenda (repeat of slide 3; next item: Overview of SMA Elements – PKI, HIP, NDS, LENS)

Slide 8: SMA Elements

PKI: Public Key Infrastructure
HIP: Host Identity Protocol
NDS: Network Directory Services
LENS: Location-Enabled Network Services
SMA: Secure Mobile Architecture (PKI + HIP + NDS + LENS)

Slide 9: SMA Elements: PKI (section divider repeating the element list of slide 8)

Slide 10: SMA Elements: PKI

• Boeing has begun deployment of a PKI using
  – A hierarchical trust chain of x.509 certificates
  – “Server”, “Personal” and “SecureBadge” certificates
• Certificates contain:
  – Identity (user, machine, etc.)
  – Public Key
  – Cryptographic signature by trusted authority
• Private Key:
  – Holder is “owner” of certificate identity
  – Usually protected by a password or PIN
• Soft Certificates (“SoftCerts”):
  – File-based private key
• Hard Certificates (“HardCerts”):
  – Private key on hardware token (Smartcard, SIM, etc.)
  – Signing/decrypting done with on-board computing resources

Slide 11: SMA Elements: PKI

• HardCert advantages
  – Difficult to subvert or duplicate
  – Portable — user can carry token between computers
• HardCert disadvantages
  – Limited on-board computing speed and communications
• Use “TempCerts” to bridge this gap:
  – A SoftCert with delegated, short time-validity
  – Issued to a user/machine after HardCert authentication
• Advantages
  – Reduced exposure to SoftCert subversion/duplication
  – SoftCert performance (needed for HIP security associations)
  – Quickly installable/removable on “shared devices”
  – Useful in “factory tool room” type shared device domain

Slide 12: SMA Elements: PKI

TempCert Provisioning Process

[Figure: the Client, holding a Badgecert, opens an SSL/TLS tunnel to the RA; the RA, backed by the Boeing PKI and SLDAP, returns a Tempcert. Arrows 1 and 2 correspond to the first two steps below.]

1) Badge used for Client Auth; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for up to 8 hours
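The provisioning steps above (badge authentication to the RA, delegated issue, 8-hour validity), as an added Python example that is not part of the original slides or Boeing's RA/PKI code: a toy RA that issues a TempCert only to a badge-authenticated client, clamps its lifetime to the cap whatever was requested, and the checks a peer would apply before trusting it. The certificate format, the HMAC stand-in for the RA's signature (so the RA doubles as verifier here), host names and times are assumptions.

```python
"""Toy model of the TempCert provisioning on slides 11 and 12: a badge
(HardCert) authentication to the RA yields a delegated, short-lived SoftCert
valid for at most 8 hours. Constructed example, not Boeing's RA or PKI code;
the certificate is a dict and the RA 'signature' is an HMAC stand-in for an
X.509 signature, so the verifier here is the RA itself (assumption)."""
import hashlib
import hmac
import json
import secrets

MAX_TEMPCERT_SECONDS = 8 * 3600   # slide 12: TempCert available for up to 8 hours


class RegistrationAuthority:
    def __init__(self, trusted_badge_issuer="Boeing PKI"):
        self.key = secrets.token_bytes(32)    # stands in for the RA signing key
        self.trusted_badge_issuer = trusted_badge_issuer
        self.issued = {}                      # serial -> TempCert still in service

    def _sign(self, body):
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def issue(self, badge_cert, badge_auth_ok, hours, now, host):
        """Slide 12 steps 1-2: the badge must have authenticated the TLS client,
        and the lifetime is clamped to policy regardless of what was requested."""
        if (not badge_auth_ok or badge_cert.get("issuer") != self.trusted_badge_issuer
                or badge_cert.get("kind") != "SecureBadge"):
            raise PermissionError("TempCert requires a badge-authenticated client")
        lifetime = min(max(int(hours * 3600), 1), MAX_TEMPCERT_SECONDS)
        body = {"kind": "TempCert", "serial": secrets.token_hex(8),
                "subject": badge_cert["subject"], "host": host,
                "delegated_from": badge_cert["serial"],
                "not_before": now, "not_after": now + lifetime}
        cert = dict(body, sig=self._sign(body))
        self.issued[cert["serial"]] = cert
        return cert

    def revoke(self, serial):
        """Shared-device logout (slide 11): the SoftCert is removed from service."""
        return self.issued.pop(serial, None) is not None

    def verify(self, cert, now, host):
        """What a HIP peer checks before trusting the SoftCert for an SA."""
        body = {k: v for k, v in cert.items() if k != "sig"}
        if not hmac.compare_digest(cert.get("sig", ""), self._sign(body)):
            return "bad signature"
        if body["kind"] != "TempCert" or body["serial"] not in self.issued:
            return "revoked or unknown"
        if body["not_after"] - body["not_before"] > MAX_TEMPCERT_SECONDS:
            return "lifetime exceeds policy"
        if not body["not_before"] <= now < body["not_after"]:
            return "expired"
        if body["host"] != host:
            return "wrong host"
        return "ok"


def demo():
    """Issue for a tool-room PC, check at 1 h and at 9 h, then check the PC out."""
    ra = RegistrationAuthority()
    badge = {"kind": "SecureBadge", "issuer": "Boeing PKI", "serial": "BADGE-0001",
             "subject": "jdoe"}                      # constructed sample badge cert
    t0 = 1_100_000_000                                # constructed epoch time
    cert = ra.issue(badge, True, hours=24, now=t0, host="toolroom-pc-7")  # asks for 24 h
    results = {"lifetime_h": (cert["not_after"] - cert["not_before"]) / 3600,
               "at_1h": ra.verify(cert, t0 + 3600, "toolroom-pc-7"),
               "at_9h": ra.verify(cert, t0 + 9 * 3600, "toolroom-pc-7"),
               "other_host": ra.verify(cert, t0 + 3600, "toolroom-pc-8")}
    tampered = dict(cert, not_after=cert["not_after"] + 86400)
    results["tampered"] = ra.verify(tampered, t0 + 3600, "toolroom-pc-7")
    ra.revoke(cert["serial"])
    results["after_checkout"] = ra.verify(cert, t0 + 3600, "toolroom-pc-7")
    try:
        ra.issue(badge, False, 1, t0, "toolroom-pc-7")   # no badge authentication
        results["unauthenticated"] = "issued"
    except PermissionError:
        results["unauthenticated"] = "refused"
    return results
```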

Slide 13: SMA Elements: HIP (section divider repeating the element list of slide 8)

Slide 14: SMA Elements: HIP

HIP Overview

• Background
  – Original concept developed by Bob Moskowitz
  – Currently exists as IETF “Experimental RFC”
  – Boeing heavily involved in RFC development
    – Linux implementation released as Open Source
    – Windows implementation soon to be released
  – Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SA’s
  – Somewhat like IPSec
  – Client Cert retrieved from DNS or LDAP directory
  – SA based on identity, not IP address
  – SA established/managed by an IP control channel
  – SA data flows through ESP-IP packets
  – Mobility events handled in IP stack via HIP READDR packets

Slide 15: SMA Elements: HIP

HIP-Enabled Secure Communications

[Figure: Initiator and Responder hosts, each with an Application in User Space above an IP Stack with IPSec in Kernel Space; on each host a user-space HIP Daemon with a Key Engine talks to the kernel over PF_INET, PF_KEY and PF_RAW sockets. The HIP Handshake runs between the two HIP Daemons; the IPSec ESP data between the stacks is identified by SPI, not IP address.]

Slide 16: SMA Elements: HIP

HIP Handshake, step 1: I1 packet (Initiator → Responder). A simple packet that contains compressed (hashed) versions of the Host Identities. This first packet is where a DoS attack (e.g., in the style of a TCP SYN flood) could be attempted.

Slide 17: SMA Elements: HIP

HIP Handshake, step 2: R1 packet (Responder → Initiator). The Responder replies with a stock packet and a cookie challenge, keeping no state. Contains:
1. Diffie-Hellman public value
2. Cookie puzzle
3. Encryption negotiation
4. Responder’s Host Identity
Signed by the Responder’s Host Identity.

Slide 18: SMA Elements: HIP

HIP Handshake, step 3: I2 packet (Initiator → Responder). The Initiator first (1) solves the cookie puzzle and (2) generates key material. The packet contains:
1. Diffie-Hellman public value
2. Cookie solution
3. Encryption negotiation
4. IPsec SPI
5. (Encrypted) Host Identity
6. (optional) piggybacked data
Signed by the Initiator’s Host Identity.

Slide 19: SMA Elements: HIP

HIP Handshake, step 4: R2 packet (Responder → Initiator). The Responder (1) validates the cookie puzzle, (2) generates key material and (3) installs the IPsec SA. The packet contains:
1. IPsec SPI
2. (optional) piggybacked data
Signed by the Responder’s Host Identity.

Slide 20: SMA Elements: HIP

HIP Handshake complete: after I1, R1, I2 and R2 the Initiator installs its IPsec SA, and all further packets travel in an IPsec ESP envelope (the Host Identity is implied by the SPI).

Slide 21: SMA Elements: HIP

[Figure: packet layout IP header | IPSec (ESP) | Encrypted Header and Transport Payload.]

Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages
• SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
  – used where 128 bit fields are needed
  – self-referential (i.e., HIT can be securely used instead of HI)
• HIT is implied by the SPI value in the IPsec header
• HIP incurs no per-packet overhead

Slide 22: SMA Elements: NDS (section divider repeating the element list of slide 8)

Slide 23: SMA Elements: NDS

• Support for real-time endpoint mobility & location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure

[Figure: Directory Information Flow. Components shown inside the Enterprise Security Perimeter: Client (SLDAP), Directory, DNS/DDNS, DNS Proxy, Location Server, Policy Decision Daemon, Middleboxes.]

Slide 24: SMA Elements: NDS

Directory Schema: three separate LDAP root directories
• People
  – Similar to CED/BLUES
• Hosts
  – Similar to DNS host data
  – Includes Certificate and HIT and current Location
• Policy
  – Currently Allowed/Not-Allowed location regions in building

Slide 25: SMA Elements: NDS

Two-Stage Client Provisioning

[Figure: Generic ISP Provisioning Process: Client, 802.11 Access Point, AAA Server, DHCP Server. Enterprise Provisioning Process: Client → (TLS) → RA (step 1); Client → (SLDAP) → Directory and DNS (step 2).]

1) HardCert authentication for TempCert
2) Identity IP Update in Directory

Slide 26: SMA Elements: LENS (section divider repeating the element list of slide 8)

Slide 27: SMA Elements: LENS

• Location Tracking
  – Identity associated with connections, so we already know the “who”, just need the “where”
  – Several competing wireless location technologies: Airespace, Pango, AeroScout, Wherenet
  – Confusion between 802.11 tracking and RFID tag tracking; we are focusing on 802.11 tracking including 802.11 active tags
• Location Services
  – Required E911 services
  – Smart services: Printing, paging, workflow tracking
  – Location policy enforcement (e.g., No wireless access outside of Boeing property line)

Slide 28: SMA Elements: LENS

Location Architecture

[Figure: components shown: Location Computation Server, Directory, Location Distribution Server & Policy, Location Requesting Client, Passive Tag Gate, Boeing Intranet.]

Slide 29: SMA Elements (section divider repeating the element list of slide 8)

Slide 30: Agenda (repeat of slide 3; next item: Demonstration)

Slide 31: Demonstration Infrastructure

[Figure: the Boeing Intranet connects through a Router to the 130.42.32.0/24 subnet (DNS namespace: mobile.tl.boeing.com). On the subnet: an AAA Server, three APs, the wireless client smamobile1 and the host sma4, plus the Test RADIUS Server (33-12), DHCP, Directory, DNS, Airespace, TempCert RA, Location Server and LPDD.]

Slide 32: Demonstration

Two-Stage Provisioning Process

[Figure: ISP Provisioning Process: smamobile1, AP with WPA (EAP/TLS), RADIUS, DHCP Server. Enterprise Provisioning Process, inside the Security Perimeter: smamobile1 → (TLS) → RA, with Airespace (step 1); smamobile1 → (SLDAP) → Directory and DNS (step 2).]

1) HardCert authentication for delegated TempCert
2) Identity IP Update

Page 33: Secure Mobile Architecture Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on

NGI_SMA_DemoSlides Apr 19, 2023 | 33

Boeing Technology | Phantom Works

Copyright © 2004 Boeing. All rights reserved.

E&IT | Mathematics and Computing Technology

NGI_SMA_Demoslides-rev7.ppt | 12/6/2004BOEING is a trademark of Boeing Management Company.Copyright © 2004 Boeing. All rights reserved.

Richard Paine, BoeingSlide 33Submission

Demonstration: Mobility Event

• Wireless client experiences address change
• Address change forced by DHCP server for demo
• Client auto-updates Directory/DNS with new IP
• Client notifies existing SA peers using HIP READDR packets
• Ssh from Windows to wireless client dies after address change (the Windows end has no HIP client, so that session is bound to the old IP address)
• TELNET session data continues after address change (the session is carried over the HIP SA, which READDR moves to the new address)
• Future:
  • Faster address change
  • Multi-homed clients
  • Anticipatory readdressing (802.11k)
  • Legacy client shim to support UDP “connections”
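The mobility event above, as an added toy model (this is illustration code written for this page, not Boeing's SMA or any HIP implementation): an application session bound to a HIP Host Identity Tag survives a DHCP-forced address change because the SA is keyed by identity and READDR rebinds it to the new locator, while a session bound to the peer's IP address does not. It also shows the check a peer must make on READDR: accept it only from a known SA peer with a valid authenticator, otherwise anyone who learns a HIT could redirect the SA. The HIT derivation, the READDR layout and the SA-keyed HMAC are simplifications; the host `winbox` and all addresses are constructed (only smamobile1, sma4 and the 130.42.32.0/24 subnet come from the slides).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hit_of(host_identity_pubkey: bytes) -> str:
    # HIP names a host by a hash of its public key, not by its address.
    # Real HITs are 128-bit ORCHID-formatted; a truncated digest is enough here (assumption).
    return hashlib.sha256(host_identity_pubkey).hexdigest()[:32]


@dataclass
class Host:
    name: str
    pubkey: bytes
    addr: str
    sas: dict = field(default_factory=dict)    # peer HIT -> [peer_addr, sa_key]
    legacy: set = field(default_factory=set)   # non-HIP sessions remembered by peer IP

    @property
    def hit(self) -> str:
        return hit_of(self.pubkey)

    def readdr(self, peer_hit: str, new_addr: str) -> dict:
        """READDR notification to one SA peer, authenticated with that SA's key (simplified)."""
        key = self.sas[peer_hit][1]
        mac = hmac.new(key, f"{self.hit}|{new_addr}".encode(), "sha256").hexdigest()
        return {"src_hit": self.hit, "new_addr": new_addr, "mac": mac}

    def handle_readdr(self, msg: dict) -> bool:
        """Rebind the SA only for a known peer with a valid MAC; anything else is a redirect attempt."""
        sa = self.sas.get(msg["src_hit"])
        if sa is None:
            return False
        expected = hmac.new(sa[1], f"{msg['src_hit']}|{msg['new_addr']}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        sa[0] = msg["new_addr"]
        return True


class Network:
    def __init__(self):
        self.by_hit = {}   # HIT -> Host (stands in for the Directory/DNS lookup)
        self.dns = {}      # name -> current address (Directory/DNS record)

    def add(self, h: Host):
        self.by_hit[h.hit] = h
        self.dns[h.name] = h.addr

    def establish_sa(self, a: Host, b: Host):
        key = os.urandom(32)   # stands in for the keys from the HIP base exchange
        a.sas[b.hit] = [b.addr, key]
        b.sas[a.hit] = [a.addr, key]

    def legacy_connect(self, a: Host, b: Host):
        a.legacy.add(b.addr)
        b.legacy.add(a.addr)

    def readdress(self, h: Host, new_addr: str) -> list:
        """DHCP forces a new address: update Directory/DNS, then READDR every SA peer."""
        h.addr = new_addr
        self.dns[h.name] = new_addr
        return [(p, self.by_hit[p].handle_readdr(h.readdr(p, new_addr))) for p in h.sas]

    def hip_alive(self, a: Host, b: Host) -> bool:
        return a.sas.get(b.hit, [None])[0] == b.addr and b.sas.get(a.hit, [None])[0] == a.addr

    def legacy_alive(self, a: Host, b: Host) -> bool:
        return b.addr in a.legacy and a.addr in b.legacy


def run_demo() -> dict:
    net = Network()
    mobile = Host("smamobile1", b"hi-smamobile1", "130.42.32.10")   # constructed addresses
    peer = Host("sma4", b"hi-sma4", "130.42.32.20")
    winbox = Host("winbox", b"hi-winbox", "130.42.33.5")            # constructed host, no HIP client
    for h in (mobile, peer, winbox):
        net.add(h)
    net.establish_sa(mobile, peer)        # HIP-protected TELNET session
    net.legacy_connect(winbox, mobile)    # plain ssh from the Windows host
    before = {"telnet": net.hip_alive(mobile, peer), "ssh": net.legacy_alive(winbox, mobile)}
    results = net.readdress(mobile, "130.42.32.77")
    after = {"telnet": net.hip_alive(mobile, peer), "ssh": net.legacy_alive(winbox, mobile)}
    # Attacker knows smamobile1's HIT but not the SA key: the redirect is refused.
    forged = {"src_hit": mobile.hit, "new_addr": "10.9.9.9", "mac": "00" * 32}
    return {"before": before, "after": after, "dns": net.dns["smamobile1"],
            "readdr_accepted": all(ok for _, ok in results),
            "spoof_accepted": peer.handle_readdr(forged),
            "peer_locator": peer.sas[mobile.hit][0]}


if __name__ == "__main__":
    print(run_demo())
```

Real HIP protects its readdressing UPDATE with the host's identity signature and an HMAC and verifies the new address before trusting it; the SA-keyed MAC here stands in for that so the model stays short.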


Demonstration: Location Policy Enforcement

• Wireless client “moves” into disallowed location zone
  • Airespace location server not working
  • We simulate location changes today using prototype GUI
• Peer’s location policy enforcement
  • Peer’s PED sees new location in disallowed region
  • Peer deletes existing SA
  • Peer refuses new client SA requests from disallowed regions
  • Peer moves back into allowed region
    – SA automatically re-established
• Future
  • Improved location server capabilities
  • Middlebox policy enforcement (don’t depend on peers)


Demonstration: Rule-Based Policy Enforcement

• Simple case:
  • All connections associated with particular employee are invalidated
  • Manual “GUI” interface used for now
• Future:
  • Particular identities limited to particular connections
    – Factory Autonomous Wireless Devices (AWD’s)
    – Suppliers, vendors, guests/visitors
    – Machines not up-to-date with AV s/w only allowed to reach AV update server
• Limitations:
  – This only limits pair-wise peer connections
  – Does not address file-content limitations (e.g., ITAR documents)
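The location policy and the rule-based policy of the two preceding slides share one decision: given two host identities and their current attributes, is a pairwise SA permitted? The added example below (illustration code written for this page, not Boeing's PED or middlebox) implements that decision point keyed on identity rather than IP or MAC, and shows the three behaviours the slides describe: an existing SA is deleted and new requests refused while a client is in a disallowed zone, the SA can be re-established once it is back in an allowed zone, and invalidating an employee tears down every SA that identity holds. It also covers the future rules listed (AV-stale machines reach only the AV update server; vendors reach only their portal). The same logic can run in a peer's PED or in a middlebox. Identity names other than smamobile1 and sma4, the zone name, and the rule set are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    hit: str                 # host identity (HIT / certificate subject), not an IP or MAC
    kind: str                # "employee", "awd", "vendor", "server", ...
    zone: str = "allowed"    # current location zone reported by the location server
    av_current: bool = True
    valid: bool = True       # False once the identity's connections are invalidated


@dataclass
class PolicyPoint:
    ids: dict = field(default_factory=dict)            # hit -> Identity
    disallowed_zones: set = field(default_factory=set)
    peer_limits: dict = field(default_factory=dict)    # kind -> set of permitted peer HITs
    av_server: str = "av-update"                       # constructed identity of the AV update server
    sas: set = field(default_factory=set)              # frozenset({hit_a, hit_b}) per live SA
    log: list = field(default_factory=list)

    def register(self, ident: Identity):
        self.ids[ident.hit] = ident

    def decide(self, a: Identity, b: Identity):
        """Return (allowed, reason) for a pairwise SA between a and b."""
        for x in (a, b):
            if not x.valid:
                return False, f"{x.hit}: identity invalidated"
            if x.zone in self.disallowed_zones:
                return False, f"{x.hit}: in disallowed zone {x.zone}"
        for x, y in ((a, b), (b, a)):
            if not x.av_current and y.hit != self.av_server:
                return False, f"{x.hit}: AV out of date, only {self.av_server} reachable"
            limit = self.peer_limits.get(x.kind)
            if limit is not None and y.hit not in limit:
                return False, f"{x.hit}: {x.kind} may not connect to {y.hit}"
        return True, "allowed"

    def request_sa(self, a_hit: str, b_hit: str):
        ok, why = self.decide(self.ids[a_hit], self.ids[b_hit])
        if ok:
            self.sas.add(frozenset((a_hit, b_hit)))
        self.log.append(("request", a_hit, b_hit, ok, why))
        return ok, why

    def reevaluate(self) -> list:
        """After any attribute change, tear down the SAs the policy no longer permits."""
        dropped = []
        for sa in sorted(self.sas, key=sorted):
            a_hit, b_hit = sorted(sa)
            ok, why = self.decide(self.ids[a_hit], self.ids[b_hit])
            if not ok:
                self.sas.discard(sa)
                dropped.append(((a_hit, b_hit), why))
                self.log.append(("delete", a_hit, b_hit, False, why))
        return dropped

    def location_update(self, hit: str, zone: str) -> list:
        self.ids[hit].zone = zone
        return self.reevaluate()

    def invalidate(self, hit: str) -> list:
        self.ids[hit].valid = False
        return self.reevaluate()


def run_demo() -> dict:
    pp = PolicyPoint(disallowed_zones={"restricted-bay"}, peer_limits={"vendor": {"vendor-portal"}})
    for ident in (Identity("smamobile1", "employee"), Identity("sma4", "employee"),
                  Identity("awd-mill-07", "awd", av_current=False),   # constructed machine tool
                  Identity("av-update", "server"), Identity("vendor-01", "vendor"),
                  Identity("vendor-portal", "server")):
        pp.register(ident)
    out = {"sa_ok": pp.request_sa("smamobile1", "sma4")[0]}
    # Location policy: move into a disallowed zone, then back.
    out["dropped_on_move"] = pp.location_update("smamobile1", "restricted-bay")
    out["refused_in_zone"] = pp.request_sa("smamobile1", "sma4")[0]
    pp.location_update("smamobile1", "allowed")
    out["reestablished"] = pp.request_sa("smamobile1", "sma4")[0]
    # Rule-based policy: AV-stale AWD, vendor limits, employee invalidation.
    out["awd_to_employee"] = pp.request_sa("awd-mill-07", "sma4")[0]
    out["awd_to_av"] = pp.request_sa("awd-mill-07", "av-update")[0]
    out["vendor_to_employee"] = pp.request_sa("vendor-01", "sma4")[0]
    out["vendor_to_portal"] = pp.request_sa("vendor-01", "vendor-portal")[0]
    out["dropped_on_invalidate"] = pp.invalidate("sma4")
    out["remaining"] = sorted(tuple(sorted(sa)) for sa in pp.sas)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

As the slide's limitation notes, this is pairwise only: it says nothing about what content flows inside a permitted SA, so an ITAR-document rule still needs a control at the file or application layer.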


Agenda

• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Components
  • PKI, HIP, NDS, LENS
• Demonstration
  • Component overview
  • Provisioning
  • Mobility (IP Address change)
  • Location-based Policy enforcement
  • Rule-based policy enforcement
• Application to Boeing Enterprise
• CY’05 plans
• Q & A


Application to Boeing Enterprise: Advantages

• Secure, identity-based client-to-client communications
  • Allows moving most hosts outside of security perimeter
  • Office/home/Starbucks connections essentially identical
• Backwards compatible
  • Works within existing IP network and routing architecture
  • Non HIP-aware hosts could still be allowed, depending on network policy
• Mobile
  • HIP’s multi-homing capability allows hosts to seamlessly cross subnet boundaries or even wireless domains (802.11, cellular, etc.)
  • Key enabler for VoIP over WLAN (“VoWLAN”)
    – High-speed roaming across subnets and network domains
    – Inexpensive IP telephony for the factory


Application to Boeing Enterprise: Advantages (Cont.)

• Network-based policy enforcement using middleboxes
  • Allows connectivity limits using identity, not IP or MAC
    – Smarter, easier to manage than ACLs
  • Allows special policies/limitations for classes of hosts/users
    – AWDs like printers, machine tools, etc.
    – Users like vendors, suppliers, guests
• Delegable authorization through PKI
  • Supervisor can set up new AWD machine tool on network with predefined limited access
    – No NCC interaction required
  • Cross-trust relationships with vendors, suppliers, DoD, etc. automatically reflected in network policy
• Works seamlessly across IPv4/IPv6 connections
  • Applications use DNS namespace for connections, not IP addresses


Application to Boeing Enterprise: Challenges

• Bringing HIP into IETF Standards track
  • Much depends on success of early adopters
• Integrating SMA architecture into Boeing Enterprise
  • Affects Directory Services, Perimeter Security, Wireless Services, NAMS[ng], etc.
  • Windows modules would have to be included in standard computing images
  • Backwards compatibility hardware needed for legacy equipment
• Scalability
  • DNS/Directory query traffic
    – Publish/Subscribe architecture for location & PDP/PEP?
    – Reverse lookups
  • Rendezvous Server implementation
  • NAT support



CY’05 Plans

• Development Activities
  • Integration of Windows HIP client
  • Preliminary implementation of new HIP API
  • Legacy API shim for Windows and Linux platforms
  • Publish/subscribe architecture for directory changes
  • SIM-chip-based wireless bridge device prototype for AWD’s
  • Prototype middlebox for network policy enforcement
• Pilot SMA evaluations in Bellevue and Everett
• Move to production DNS namespace (mobile.boeing.com)
• 802.11 Location services interoperating with Cisco infrastructure (probably Aeroscout)
• Security review and buy-off for external access
• Detailed business case development and analysis

Page 42: Secure Mobile Architecture Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on

NGI_SMA_DemoSlides Apr 19, 2023 | 42

Boeing Technology | Phantom Works

Copyright © 2004 Boeing. All rights reserved.

E&IT | Mathematics and Computing Technology

NGI_SMA_Demoslides-rev7.ppt | 12/6/2004BOEING is a trademark of Boeing Management Company.Copyright © 2004 Boeing. All rights reserved.

Richard Paine, BoeingSlide 42Submission


Q & A