Key Material and Random Numbers


Information Security 2 (InfSi2)
3 Data Link Layer Security
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
A. Steffen, 30.09.2013, 03-DataLinkLayer.pptx 1
Security Protocols for the OSI Stack
Communication layers | Security protocols
Application layer | Platform Security, Web Application Security, VoIP Security, SW Security
Transport layer | TLS
Network layer | IPsec
Data Link layer | [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer | Quantum Cryptography
3.1 Port-Based Network Access Control - IEEE 802.1X
IEEE 802.1X Access Control using EAP Methods
[Figure: 802.1X Supplicant (User Credentials), EAPOL* at L2, 802.1X Authenticator (WLAN AP, LAN Switch), EAP / RADIUS, 802.1X Authentication Server (User Credentials)]
802.1X Supplicants and Authenticators are both Port Access Entities (PAEs)
* EAP over LAN (Ethertype 0x888E)
3.2 Secure Device Identity
IEEE 802.1AR - DevID
IEEE 802.1AR Secure Device Identifier
• DevID Secure Device Identifier
• IDevID Initial Device Identifier
  • Created during manufacturing and cannot be modified
  • Either reaches end of lifetime (certificate) or can be disabled
• LDevID Locally Significant Device Identifier
  • One or several may be created by network administrator
• DevID Module
  • Hardware module which stores the DevID secrets, credentials and the entire credential chain up to the root certificate
  • Contains a strong Random Number Generator (RNG)
  • Implements Asymmetric Algorithms (2048 bit RSA and/or 256 bit ECDSA)
  • Implements SHA-256 Hash Function
IEEE 802.1AR DevID Module
[Figure: DevID Module block diagram. Labels: Applications & Operating System, Management Interface, Service Interface, Storage, Asymmetric Cryptography, DevID Secret[s], Random Number Generator, DevID Credential[s], Hash Algorithms, Credential Chain]
Use of DevIDs
• DevID use in EAP-TLS Authentication
  • Device authentication can be based on its DevID certificate.
• DevID use in Consumer Devices
  • Similar to, but more secure than, access control based on a MAC address list, which can easily be spoofed: a switch, router or access point can allow access based on a registered commonName (CN), serialNumber (SN) or a subjectAltName contained in the DevID certificate.
• DevID use in Enterprise Devices
  • Similar to the consumer device use case but the DevID is usually registered with a central AAA server.
• DevID Module based on Trusted Platform Module (TPM)
  • Each TPM has a unique non-erasable Endorsement Key (EK) to which DevID secrets and credentials can be bound.
3.3 Media Access Layer Security
IEEE 802.1AE - MACsec
Four Stations Attached to a LAN
[Figure: four stations attached to a LAN, each with a PAE (Port Access Entity)]
Connectivity Association (CA)
[Figure: three stations hold the CAK (CA Key); SecY – MAC Security Entity]
• Station D is not part of the CA
Secure Channel (SC) and Secure Association (SA)
• Each SC comprises a succession of SAs, each with a different SAK (SA Key)
Secure Channel and Secure Association Identifiers
[Figure: identifier layout. Labels: System Identifier, Port Identifier, Association Number, SCI (Secure Channel Identifier), SAI (Secure Association Identifier)]
• The Association Number (2 bits) allows the overlapping rekeying of the Secure Association during which two different SAKs co-exist.
Two Stations in a point-to-point LAN
[Figure: two stations, each with a PAE, on a point-to-point LAN]
Connectivity Association (CA)
[Figure: both stations hold the CAK; each has a SecY]
Secure Channel (SC) and Secure Association (SA)
[Figure: both stations hold the CKN (CAK Name) and the CAK; each SecY holds SA_A: SAK_A0, SAK_A1, … and SA_B: SAK_B0, SAK_B1, …]
IEEE 802.1AE MACsec Frame Format
[Figure: MACsec frame format. Labels: MAC Addresses (DA, SA), VLAN Tag, PT, User Data, MSDU, SecTag (8 or 16), Secure Data, ICV (8 to 16), FCS, MPDU, Data Integrity, Optional Encryption]
• MSDU – MAC Service Data Unit
• MPDU – MACsec Protocol Data Unit
• ICV – Integrity Check Value
SecTag – Security Tag
Octets | 2 | 1 | 1 | 4 | 0 or 8
Field | 0x88E5 | TCI, AN | SL | PN | SCI (optional encoding)
• MACsec Ethertype – is 0x88E5
• TCI – TAG Control Information (6 bits)
• AN – Association Number (2 bits)
• SL – Short Length (6 bits) – length of User Data if < 48 octets, 0 otherwise
• PN – Packet Number – replay protection and IV for encryption
• SCI – Secure Channel Identifier – identifies Secure Association (SA).
  In point-to-point links the SCI consists of the Source MAC Address and the Port Identifier 00-01 and thus the SCI doesn’t have to be encoded.
TCI – TAG Control Information Bits
Bit | 8 | 7 | 6 | 5 | 4 | 3 | 2, 1
Field | V=0 | ES | SC | SCB | E | C | AN
• V – Version (currently 0)
• ES – End Station – if set means that the Source MAC Address is part of the SCI and the SCI shall not be explicitly encoded.
• SC – shall be set only if an explicitly encoded SCI is present
• SCB – Single Copy Broadcast capability – if ES and SCB are set then the implicit SCI comprises a reserved Port Identifier of 00-00.
• E – Encryption – if set encryption is enabled
• C – Changed Text – if clear the Secure Data exactly equals User Data
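The SecTag and TCI layouts from the two slides above, written as a Go parser. This is an added example, not part of the original slides; the frame bytes in main are constructed, and leaving the SCI nil when neither ES nor SC is set (to be supplied from context) is an assumption.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SecTag holds the decoded fields of an IEEE 802.1AE Security Tag.
type SecTag struct {
	ES, SC, SCB, E, C bool
	AN, SL            uint8
	PN                uint32
	SCI               []byte // 8 octets; nil when neither ES nor SC is set (assumption)
}

// ParseSecTag decodes the SecTag that follows DA and SA (6 octets each).
func ParseSecTag(f []byte) (*SecTag, error) {
	if len(f) < 20 || binary.BigEndian.Uint16(f[12:14]) != 0x88E5 {
		return nil, errors.New("not a MACsec frame")
	}
	b := f[14] // TCI in bits 8..3, AN in bits 2..1
	t := &SecTag{ES: b&0x40 != 0, SC: b&0x20 != 0, SCB: b&0x10 != 0, E: b&0x08 != 0,
		C: b&0x04 != 0, AN: b & 0x03, SL: f[15] & 0x3F, PN: binary.BigEndian.Uint32(f[16:20])}
	switch {
	case b&0x80 != 0:
		return nil, errors.New("V must be 0")
	case t.ES && t.SC:
		return nil, errors.New("ES set: SCI shall not be explicitly encoded")
	case t.SC && len(f) < 28:
		return nil, errors.New("SC set but SCI is truncated")
	case t.SC: // explicit SCI follows the PN
		t.SCI = append([]byte{}, f[20:28]...)
	case t.ES: // implicit SCI: source MAC + Port Identifier 00-01, or 00-00 with SCB
		t.SCI = append(append([]byte{}, f[6:12]...), 0x00, 0x01)
		if t.SCB {
			t.SCI[7] = 0x00
		}
	}
	return t, nil
}

func main() {
	// Constructed frame: DA, SA, 0x88E5, TCI/AN 0x2D (SC, E, C set; AN=1), SL 0, PN 7, SCI.
	f := []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2, 0, 0, 0, 0, 0x0a, 0x88, 0xe5,
		0x2d, 0, 0, 0, 0, 7, 2, 0, 0, 0, 0, 0x0a, 0, 1}
	t, err := ParseSecTag(f)
	fmt.Printf("%+v %v\n", t, err)
}
```

A receiver would use the AN to select the SAK and compare the PN against the last accepted value before running the integrity check.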
Authenticated Encryption with Associated Data
[Figure: counter mode. The blocks SCI | PN | 0, SCI | PN | 1 and SCI | PN | 2 are each encrypted with Key K]
• AEAD is based on special block cipher modes:
  • Block size: 128 bits
  • Key size: 128/256 bits
  • Tag size: 128 bits
  • Nonce size: 128 bits (SCI 64 bits | PN 32 bits | Counter 32 bits)
• AES-Galois/Counter Mode
  AES-GMAC (auth. only)
[Figure: Hash Subkey Derivation. The block 0…0 is encrypted with Key K to give the Hash Subkey H; ICV]
3.4 MACsec Key Agreement
IEEE 802.1X - MKA
MKA distributes random SAK using CAK
• MKPDU – MACsec Key Agreement Protocol Data Unit – carried via EAPOL
• CAK – Connectivity Association Key – pairwise or group root key
• ICK – ICV Key – used for MKPDU Data Integrity
• KEK – Key Encrypting Key – used for AES Key Wrap in MKPDU
• SAK – Secure Association Key
MKA Key Derivation Function - KDF
• The MKA KDF is a Pseudo Random Function (PRF) based on AES-CMAC with a 128 or 256 bit key.
  Output = KDF(Key, Label, Context, Length)
• KEK = KDF(CAK, IEEE8021 KEK, CKN[0..15], 128/256)
• ICK = KDF(CAK, IEEE8021 ICK, CKN[0..15], 128/256)
• SAK = KDF(CAK, IEEE8021 SAK, KS-nonce | MI-value list | KN, 128/256)
• KS – Key Server – either elected or EAP Authenticator
• MI – Member Identifier – all members of a CA
• KN – Key Number – assigned by Key Server
Connectivity Association Key – CAK
• CAK as a Pre-Shared-Key (PSK)
  • Can be used either as a pairwise CAK or group CAK
  • Statically configured PSK
  • CKN can be chosen arbitrarily with a size of 1..32 octets
• CAK via EAP
  • Can be used as a pairwise CAK.
  • Dynamically derived CAK and CKN between two PAEs via EAP
    CAK = KDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CAK, mac1 | mac2, 128/256)
    CKN = KDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CKN, EAP Session-ID | mac1 | mac2, 128/256)
    where mac1 < mac2 are the MAC addresses of the PAEs and the Master Session Key (MSK) and Session-ID of the EAP method (EAP-TLS, EAP-PEAP, etc) are included.
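The KDF from the MKA Key Derivation Function slide, which the CAK and CKN derivations above also use, as an added Go example (not from the original slides). The PRF input layout, a 1-octet counter i | Label | 0x00 | Context | 2-octet Length in bits, is taken from IEEE 802.1X-2010 and is not shown on the slides; the all-zero CAK and CKN in main are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// dbl multiplies a 128-bit block by x in GF(2^128), in place (RFC 4493).
func dbl(k []byte) {
	msb := k[0] >> 7
	for i := 0; i < 15; i++ {
		k[i] = k[i]<<1 | k[i+1]>>7
	}
	k[15] = k[15]<<1 ^ msb*0x87
}

// CMAC computes AES-CMAC (RFC 4493); key is 16 or 32 octets.
func CMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	k := make([]byte, 16)
	c.Encrypt(k, k) // L = AES(K, 0^128)
	dbl(k)          // K1: last block is complete
	m := append([]byte{}, msg...)
	if len(m) == 0 || len(m)%16 != 0 {
		m = append(append(m, 0x80), make([]byte, 15-len(m)%16)...)
		dbl(k) // K2: last block was padded with 10*
	}
	for j := range k {
		m[len(m)-16+j] ^= k[j]
	}
	cipher.NewCBCEncrypter(c, make([]byte, 16)).CryptBlocks(m, m)
	return m[len(m)-16:] // last CBC block is the MAC
}

// KDF: PRF input is i | Label | 0x00 | Context | Length (per 802.1X-2010, not on the slides).
func KDF(key []byte, label string, context []byte, bits int) (out []byte) {
	for i := 1; len(out)*8 < bits; i++ {
		in := append(append([]byte{byte(i)}, label...), 0x00)
		in = append(append(in, context...), byte(bits>>8), byte(bits))
		out = append(out, CMAC(key, in)...)
	}
	return out[:bits/8]
}

func main() {
	println(len(KDF(make([]byte, 16), "IEEE8021 KEK", make([]byte, 16), 128))) // constructed zero CAK, CKN
}
```

Because the Label and the Length are both part of every PRF input, KEK and ICK derived from the same CAK and CKN differ, and a 256-bit output is not an extension of the 128-bit one.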
Use of Pairwise CAKs to Distribute a Group CAK
[Figure: three MKPDU exchanges]
IEEE 802.1AE Enabled Products
• Cisco Catalyst 3750-X / 3560-X LAN Access Switch
  • Supports MACsec and MKA on both user/downlink and network/uplink ports
• Juniper EX Series Switches
  • 802.1AE available with the controlled version of Junos OS