secure datastore architecture concepts
DESCRIPTION
Secure Datastore Architecture Concepts. Author:. 802 End-to-End Security. OSI-TCP/IP Stack Comparison. Application-Secured Payload. Media. Media. SSL, TLS, etc. Platform and Security Layers. IPSec, HIP, etc. Application. Application. OS-Session. OS-Session. OS-Internetworking. - PowerPoint PPT PresentationTRANSCRIPT
March 2009
Richard Paine, SelfSlide 1Submission 1
Secure Datastore Architecture Concepts
Name Company Address Phone email Richard Paine Self 6115 72nd Dr NE 2068548199 [email protected]
m
Author:
March 2009
Richard Paine, SelfSlide 2Submission
Project IEEE 802 Executive Committee Study Group on TV White Spaces – Secure Datastore /End-to-End Security Architecture Concepts
Title ECSG WS Study Group
Date Submitted
2009-03-09
Source(s) Contributor: Richard Paine, Affiliation Self Voice: 206-854-8199, e-mail: [email protected]
Abstract IEEE 802 ECSG on White Space slide deck to capture 802 and TVWS USE CASE Security Issues
Purpose To provide input to the ECSG and others on possible use cases that will help clarify how the TVWS spectrum might be secured and how these uses might possibly be addressed by IEEE 802 work.
Release The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.
Patent Policy and Procedures
The contributor is familiar with the IEEE-SA Patent Policy and Procedures:<http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>.Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and <http://standards.ieee.org/board/pat>.
March 2009
Richard Paine, SelfSlide 3Submission
802 End-to-End Security
March 2009
Richard Paine, SelfSlide 4Submission
OSI-TCP/IP Stack Comparison
March 2009
Richard Paine, SelfSlide 5Submission
Platform and Security Layers
802.1x, etc.
Modem
OS-Internetworking
OS-Session
Application
Modem
OS-Internetworking
OS-Session
ApplicationApplication-Secured Payload
SSL, TLS, etc.
IPSec, HIP, etc.
Physical Medium
Media Media
802.1x, etc.
• Each platform abstraction layer supports its own communications security– Note: Media security is generally platform-to-network, not platform-to-platform
• Implementation of each platform abstraction should be secured– Certification of regulatory/standards compliance– Real-time attestation of implementation (“tamper-proof”)– Ability to secure sensitive data– This is not shown, but implied
March 2009
Richard Paine, SelfSlide 6Submission
Modem Modem
802 Interface to the “Outside World”
802.1x, etc.
OS-Internetworking OS-Internetworking
IPSec, HIP, etc.
PhysicalMedium
Media Media
802.1x, etc.
Discontinuity between IEEE 802 and IETF
March 2009
Richard Paine, SelfSlide 7Submission
End Device Stack
802 PHY
802 MAC
Network Equipment
802 IFTo UpperLayers
802 IFTo NetworkDeviceLayers
Data Link
Physical Medium
March 2009
Richard Paine, SelfSlide 8Submission
Lightweight Host Identity Protocol Example
TCP/UDP TCP/UDP
HIP HIPIPSEC IPSEC
IPIP
Authentication Layer Authentication Layer
ESP Payload: not encrypted, not authenticated
Authenticated Control Messages
Authentication Interaction
Unauthenticated Control Messages
Gurtov; Host Identity Protocol (HIP); Wiley, 2008; pg 131.
March 2009
Richard Paine, SelfSlide 9Submission
Secure Network Equipment
IF To UpperLayers
The End-to-End LHIP Security Stack
Secure Network Equipment
IF To UpperLayers
Physical Medium
March 2009
Richard Paine, SelfSlide 10Submission
The End-to-End HIP/SMA Security Stack
802 PHY
802 MAC
Secure Network Equipment
IF To UpperLayers
Data Link802 IFTo UpperLayers
FCC WSDB and Schema
SMA SecureDataStoreAnd Schema
SMA PKI DatastorePeople/Machines
TNC SecureDataStore and Schema
Adding HIP, TNC, and the FCC WS Work
802 IFTo DeviceLayers
IETF’s SecureDataStore and Schema (MAP)
Physical Medium
March 2009
Richard Paine, SelfSlide 11Submission
802.1x, etc.
Modem
OS-Internetworking
Modem
OS-Internetworking
IPSec, HIP, SMA, etc.
PhysicalMedium
Media Media
802.1x, etc.
TCG’s TNC SecureDataStore and Schema (IF-MAP)
IETF’s SecureDataStore and Schema (MAP)
TCG’s TNC SecureDataStore and Schema (IF-MAP)
IETF’s SecureDataStore and Schema (MAP)
OS-Session
Application
OS-Session
ApplicationApplication-Secured Payload
SSL, TLS, etc.
FCC SecureWS DataStore
FCC SecureWS DataStore
TOG’s SMA Secure Datastore and SchemaTOG’s SMA Secure Datastore and Schema
SMA PKI DatastorePeople/Machines
SMA PKI DatastorePeople/Machines
Summary Data
802 Interface to the “Outside World”
March 2009
Richard Paine, SelfSlide 12Submission
Ideal End-to-End Security
Modem
OS-Internetworking
Modem
OS-Internetworking
IP Infrastructure
Media Media
OS-Session
Application
OS-Session
ApplicationSSL, TLS, etc.
App.-Secured Payload
IPSec, HIP, SMA, etc.
TrustedPolicyEngine
Trusted component used to verify compliance and prevent policy violation
IETF/TCG/TOG/IEEE SecureDataStore and Schema (MAP)
TrustedPolicyEngine
IETF/TCG/TOG/IEEE SecureDataStore and Schema (MAP)
March 2009
Richard Paine, SelfSlide 13Submission
Secure Datastore Commonalities
• Datastores/Schema all have similarities (FCC, SMA, LHIP, & TNC)– Location information and measurement
• Geolocation, sensor measurements
– Host information:• Identity, name, address, etc.
– Network IDs:• MAC, IP address, etc.
– Local policy databases• Spectrum policy information• Security policies database• Co-existence policies
– Remote database information• DNS, Spectrum Servers, Certificate Authorities, Sensitive SW Sources (e.g. McAfee), etc.
– Trust certificates– Identities of trusted third party connections
• IF should/could be standardized
March 2009
Richard Paine, SelfSlide 14Submission
Interfaces Need to be Defined
• 802.11k SME MIB “Zero Config”-like Access– Object IDs for the MIB Entries
• 802.11 SME MIB Clients• 802.16 MIB Clients• 802.21 MIB Clients• SMA Interface [SLDAP (Secure Lightweight Directory
Access Protocol)]• DNS• TCG’s TNC [IF-MAP (InterFace-Metadata Access Point)]• FCC WS – interface undefined, but required fields
similar
March 2009
Richard Paine, SelfSlide 15Submission
End-to-End Projects Identified
• Joint IEEE-IETF Task Force on end-to-end security protocols and definitions– Passing of SMA/cryptographic identity/security information from PHY
to upper layers (schema?)
• IEEE/802.21 project for security handoff between disparate systems (schema?)
• Joint IEEE-TCG Task Force on device security at lower layers– Attesting to lower layers– Compliance with regulatory/standards policies, e.g. FCC White Spaces
regulations
• Interface definitions for all interfaces in 802
March 2009
Richard Paine, SelfSlide 16Submission
Resolutions?
• HIP• SMA Datastore [Secure LDAP (SLDAP)]• DNS Resource Records (Not Secure)• TCG’s TNC Datastore Access (SLDAP?)• All schema (should be common)