160 likes | 323 Views
Secure Datastore Architecture Concepts. Author:. 802 End-to-End Security. OSI-TCP/IP Stack Comparison. Application-Secured Payload. Media. Media. SSL, TLS, etc. Platform and Security Layers. IPSec, HIP, etc. Application. Application. OS-Session. OS-Session. OS-Internetworking.
E N D
Application-Secured Payload Media Media SSL, TLS, etc. Platform and Security Layers IPSec, HIP, etc. Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking Physical Medium Modem Modem 802.1x, etc. 802.1x, etc. • Each platform abstraction layer supports its own communications security • Note: Media security is generally platform-to-network, not platform-to-platform • Implementation of each platform abstraction should be secured • Certification of regulatory/standards compliance • Real-time attestation of implementation (“tamper-proof”) • Ability to secure sensitive data • This is not shown, but implied
Media Media Discontinuity between IEEE 802 and IETF IPSec, HIP, etc. OS-Internetworking OS-Internetworking 802 Interface to the “Outside World” Physical Medium Modem Modem 802.1x, etc. 802.1x, etc.
End Device Stack Network Equipment Data Link 802 IF To Upper Layers 802 MAC 802 PHY 802 IF To Network Device Layers Physical Medium
Lightweight Host Identity Protocol Example Gurtov; Host Identity Protocol (HIP); Wiley, 2008; pg 131. TCP/UDP TCP/UDP HIP HIP IPSEC IPSEC Authentication Layer Authentication Layer IP IP Authentication Interaction Authenticated Control Messages Unauthenticated Control Messages ESP Payload: not encrypted, not authenticated
The End-to-End LHIP Security Stack Secure Network Equipment Secure Network Equipment IF To Upper Layers IF To Upper Layers Physical Medium
The End-to-End HIP/SMA Security Stack IETF’s Secure DataStore and Schema (MAP) FCC WS DB and Schema Adding HIP, TNC, and the FCC WS Work Secure Network Equipment Data Link SMA PKI Datastore People/Machines 802 IF To Upper Layers 802 MAC SMA Secure DataStore And Schema IF To Upper Layers 802 PHY 802 IF To Device Layers TNC Secure DataStore and Schema Physical Medium
Application-Secured Payload Media Media SSL, TLS, etc. Summary Data TOG’s SMA Secure Datastore and Schema TOG’s SMA Secure Datastore and Schema IPSec, HIP, SMA, etc. IETF’s Secure DataStore and Schema (MAP) IETF’s Secure DataStore and Schema (MAP) Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking SMA PKI Datastore People/Machines SMA PKI Datastore People/Machines 802 Interface to the “Outside World” Physical Medium Modem Modem 802.1x, etc. 802.1x, etc. TCG’s TNC Secure DataStore and Schema (IF-MAP) TCG’s TNC Secure DataStore and Schema (IF-MAP) FCC Secure WS DataStore FCC Secure WS DataStore
App.-Secured Payload Media Media SSL, TLS, etc. IPSec, HIP, SMA, etc. Ideal End-to-End Security Trusted Policy Engine Trusted Policy Engine IETF/TCG/TOG/IEEE Secure DataStore and Schema (MAP) IETF/TCG/TOG/IEEE Secure DataStore and Schema (MAP) Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking IP Infrastructure Modem Modem Trusted component used to verify compliance and prevent policy violation
Secure Datastore Commonalities • Datastores/Schema all have similarities (FCC, SMA, LHIP, & TNC) • Location information and measurement • Geolocation, sensor measurements • Host information: • Identity, name, address, etc. • Network IDs: • MAC, IP address, etc. • Local policy databases • Spectrum policy information • Security policies database • Co-existence policies • Remote database information • DNS, Spectrum Servers, Certificate Authorities, Sensitive SW Sources (e.g. McAfee), etc. • Trust certificates • Identities of trusted third party connections • IF should/could be standardized
Interfaces Need to be Defined • 802.11k SME MIB “Zero Config”-like Access • Object IDs for the MIB Entries • 802.11 SME MIB Clients • 802.16 MIB Clients • 802.21 MIB Clients • SMA Interface [SLDAP (Secure Lightweight Directory Access Protocol)] • DNS • TCG’s TNC [IF-MAP (InterFace-Metadata Access Point)] • FCC WS – interface undefined, but required fields similar
End-to-End Projects Identified • Joint IEEE-IETF Task Force on end-to-end security protocols and definitions • Passing of SMA/cryptographic identity/security information from PHY to upper layers (schema?) • IEEE/802.21 project for security handoff between disparate systems (schema?) • Joint IEEE-TCG Task Force on device security at lower layers • Attesting to lower layers • Compliance with regulatory/standards policies, e.g. FCC White Spaces regulations • Interface definitions for all interfaces in 802
Resolutions? HIP SMA Datastore [Secure LDAP (SLDAP)] DNS Resource Records (Not Secure) TCG’s TNC Datastore Access (SLDAP?) All schema (should be common)