doc.: ieee15-12-0231-00-0009-hip-over-tg9 submission may 2012 robert moskowitz, verizon slide 1...
TRANSCRIPT
May 2012
Robert Moskowitz, Verizon
Slide 1
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: HIP over TG9Date Submitted: May 15, 2012Source: Robert Moskowitz, VerizonAddress 1000 Bent Creek Blvd, MechanicsBurg, PA, USAVoice:+1 (248) 968-9809, e-mail: [email protected]: HIP KMP over TG9
Abstract: HIP KMP over TG9
Purpose: To add Key Management capabilities to 15.4 and 15.7
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
May 2012
Robert Moskowitz, Verizon
Slide 2
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
HIP KMP over TG9
Robert Moskowitz
Atlanta, GA
May 15, 2012
May 2012
Robert Moskowitz, Verizon
Slide 3
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
Abstract Present the HIP protocol
– Both BEX and DEX Use cases for HIP for 802.15 Deployment recommendations Specifics for use over TG9
– Pairwise and Group keys for BEX– Authentication methods
• ACLs and RADIUS
May 2012
Robert Moskowitz, Verizon
Slide 4
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
The HIP protocol Defined in RFCs
– In revision– Plus draft for DEX (Diet Exchange)
Key Management between peers– Exchange of secure identities– 4 packet session key establishment
• BEX is SIGMA compliant
Mobility features not needed for TG9
May 2012
Robert Moskowitz, Verizon
Slide 5
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
The HIP protocol Secure Identities
– HIP is based on the principle that each device has a secure identity which is the public key of an asymmetric key pair. This is called the HI – Host Identity
• BEX supports most algorithms• DEX only supports ECDH
May 2012
Robert Moskowitz, Verizon
Slide 6
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
The HIP protocol Secure Identities
– HIT (Host Identity Tag) is a hash of the HI
• Used as an index for SAs– Including authentication
• As an IPv6 address for applications
– HIT is an ORCHID and a valid IPv6 address
– Some work on hierarchical HITs that include domain information
May 2012
Robert Moskowitz, Verizon
Slide 7
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
The HIP protocol HIP BEX – Base EXchange
Initiator I1: Trigger exchange
R1: {Puzzle, D-H(R) HI(R), ESP Transform, HIP Transform }SIG
I2: {Solution, LSI(I), SPI(I), D-H(I), ESP Transform, HIP Transform,
{H(I)}SK }SIG
R2: {LSI(R), SPI(R), HMAC}SIG
HIP SA
HIP
SA
Responder
IMAC SA
IMAC SA
May 2012
Robert Moskowitz, Verizon
Slide 8
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
The HIP protocol HIP DEX – Diet EXchange
Initiator I1: Trigger exchange
R1: {Puzzle, HI(R)}
I2: {Solution, HI(I), {SKx}DHk }MAC
R2: {HI(R), {Sky}DHk, {PTK, GTK}SKy}MAC
IMAC SA
HIP SA
HIP
SA
Responder
IMAC SA
May 2012
Robert Moskowitz, Verizon
Slide 9
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
Use Cases for HIP Use cases
– Constrained Sensors• Code space, CPU• Light switches, Temp sensors, door
locks
– Single KMP for all layers• MAC, IP, DTLS-PSK
May 2012
Robert Moskowitz, Verizon
Slide 10
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
HIP Deployment Recommendations Opportunistic
– Initial exchange assumed to be in a trusted environment and HITs accepted and populate auth table
HIT displayed on device or packaging– QR code scanned with phone app that
loads auth table
May 2012
Robert Moskowitz, Verizon
Slide 11
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
HIP specifics for TG9 BEX items
– No ESP transform– BEX currently only creates session
key• Need to add PTK and GTK support as
in DEX
DEX items– No ESP transform
May 2012
Robert Moskowitz, Verizon
Slide 12
doc.: IEEE15-12-0231-00-0009-HIP-over-TG9
Submission
HIP specifics for TG9 Authentication of devices to PAN
– ACL• Used in single controller PAN (star)
– RADIUS back end• For any PAN architecture• Device HIT and MAC in RADIUS
Request– Existing RADIUS function, no change
to existing RADIUS servers– MAC MAY be 'null'
– X.509 certs supported for BEX only• More for controller auth