doc.: ieee15-12-0231-00-0009-hip-over-tg9 submission may 2012 robert moskowitz, verizon slide 1...

May 2012

Robert Moskowitz, Verizon

Slide 1

doc.: IEEE15-12-0231-00-0009-HIP-over-TG9

Submission

Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Submission Title: HIP over TG9Date Submitted: May 15, 2012Source: Robert Moskowitz, VerizonAddress 1000 Bent Creek Blvd, MechanicsBurg, PA, USAVoice:+1 (248) 968-9809, e-mail: [email protected]: HIP KMP over TG9

Abstract: HIP KMP over TG9

Purpose: To add Key Management capabilities to 15.4 and 15.7

Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

May 2012


Slide 2


Submission

HIP KMP over TG9

Robert Moskowitz

Atlanta, GA

May 15, 2012

May 2012


Slide 3


Submission

Abstract Present the HIP protocol

– Both BEX and DEX Use cases for HIP for 802.15 Deployment recommendations Specifics for use over TG9

– Pairwise and Group keys for BEX– Authentication methods

• ACLs and RADIUS

May 2012


Slide 4


Submission

The HIP protocol Defined in RFCs

– In revision– Plus draft for DEX (Diet Exchange)

Key Management between peers– Exchange of secure identities– 4 packet session key establishment

• BEX is SIGMA compliant

Mobility features not needed for TG9

May 2012


Slide 5


Submission

The HIP protocol Secure Identities

– HIP is based on the principle that each device has a secure identity which is the public key of an asymmetric key pair. This is called the HI – Host Identity

• BEX supports most algorithms• DEX only supports ECDH

May 2012


Slide 6


Submission

The HIP protocol Secure Identities

– HIT (Host Identity Tag) is a hash of the HI

• Used as an index for SAs– Including authentication

• As an IPv6 address for applications

– HIT is an ORCHID and a valid IPv6 address

– Some work on hierarchical HITs that include domain information

May 2012


Slide 7


Submission

The HIP protocol HIP BEX – Base EXchange

Initiator I1: Trigger exchange

R1: {Puzzle, D-H(R) HI(R), ESP Transform, HIP Transform }SIG

I2: {Solution, LSI(I), SPI(I), D-H(I), ESP Transform, HIP Transform,

{H(I)}SK }SIG

R2: {LSI(R), SPI(R), HMAC}SIG

HIP SA

HIP

SA

Responder

IMAC SA

IMAC SA

May 2012


Slide 8


Submission

The HIP protocol HIP DEX – Diet EXchange

Initiator I1: Trigger exchange

R1: {Puzzle, HI(R)}

I2: {Solution, HI(I), {SKx}DHk }MAC

R2: {HI(R), {Sky}DHk, {PTK, GTK}SKy}MAC

IMAC SA

HIP SA

HIP

SA

Responder

IMAC SA

May 2012


Slide 9


Submission

Use Cases for HIP Use cases

– Constrained Sensors• Code space, CPU• Light switches, Temp sensors, door

locks

– Single KMP for all layers• MAC, IP, DTLS-PSK

May 2012


Slide 10


Submission

HIP Deployment Recommendations Opportunistic

– Initial exchange assumed to be in a trusted environment and HITs accepted and populate auth table

HIT displayed on device or packaging– QR code scanned with phone app that

loads auth table

May 2012


Slide 11


Submission

HIP specifics for TG9 BEX items

– No ESP transform– BEX currently only creates session

key• Need to add PTK and GTK support as

in DEX

DEX items– No ESP transform

May 2012


Slide 12


Submission

HIP specifics for TG9 Authentication of devices to PAN

– ACL• Used in single controller PAN (star)

– RADIUS back end• For any PAN architecture• Device HIT and MAC in RADIUS

Request– Existing RADIUS function, no change

to existing RADIUS servers– MAC MAY be 'null'

– X.509 certs supported for BEX only• More for controller auth

doc.: ieee15-12-0231-00-0009-hip-over-tg9 submission may 2012 robert moskowitz, verizon slide 1...

Documents