TNC Proposals for NEA Protocols
Presentation by Steve Hanna
to NEA WG meeting at IETF 71
March 11, 2008
March 11, 2008 TNC Proposals for NEA Protocols 2
PB-TNC
PB-TNC Purpose & Requirements
• PB Purpose
  – Carry PA messages between PBC & PBS
  – Carry global assessment decision from PBS to PBC
  – Carry other messages between PBC & PBS
• PB Challenging Requirements
  – MUST support half-duplex PT
  – MUST support grouping attributes to minimize RTs
  – MUST operate efficiently over low-bandwidth links
  – MUST carry PA message routing identifiers
  – SHOULD allow PBC or PBS to start assessment
  – MUST support adapting to user language preference
  – MAY include security measures or depend on PT security
PB-TNC Design Features
• Simple round-robin state machine
  – PBS or PBC can start by sending a batch
  – PBS & PBC take turns sending batches
  – End with PBS sending result or early close
• Compact batch & message format (Binary TLV)
• Designed for extensibility
  – No short fields, several reserved fields, versioning support
  – IANA process for standard extensions
  – Vendor IDs for non-standard extensions (cannot be required)
• PA message routing by PA message type
  – Optional delivery by PC/PV ID
• No PB-TNC security, depends on PT
PB-TNC State Machine

                    +---------+   CRETRY    +---------+
       CDATA        | Server  |<------------| Decided |
   +--------------->| Working |------------>|         |-------+
   |                +---------+   RESULT    +---------+       |
   |                  |   ^ |                                 | CLOSE
   |         SDATA or |   | |  CLOSE                          v
   |         SRETRY   |   | +---------------------------->  =======
========              |   | CDATA or                       " End "
" Init "              |   | CRETRY                         =======
========              v   |                                   ^
   |                +---------+                               |
   |      SDATA     | Client  |             CLOSE             |
   +--------------->| Working |-------------------------------+
                    +---------+
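The diagram above is the whole rule set a PBC or PBS needs to decide whether a batch from its peer is allowed right now. The following is an added example (not code from the presentation or from the NEA WG drafts) that transcribes the transitions into a table and replays batch sequences against it; state names and batch type names are taken from the slide, everything else is constructed for illustration.

```python
# Added example: PB-TNC batch-sequence validator built from the state machine
# on the slide (Init, Server Working, Client Working, Decided, End).
# Not code from the NEA WG; the transition table is transcribed from the diagram.
from typing import Dict, List, Tuple

INIT, SERVER_WORKING, CLIENT_WORKING, DECIDED, END = (
    "Init", "Server Working", "Client Working", "Decided", "End")

# (state before the batch, batch type) -> state after the batch.
# "Server Working" means the PBS now holds the turn, "Client Working" the PBC.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (INIT, "CDATA"): SERVER_WORKING,            # PBC opens the assessment
    (INIT, "SDATA"): CLIENT_WORKING,            # PBS opens the assessment
    (SERVER_WORKING, "SDATA"): CLIENT_WORKING,
    (SERVER_WORKING, "SRETRY"): CLIENT_WORKING,
    (SERVER_WORKING, "RESULT"): DECIDED,
    (SERVER_WORKING, "CLOSE"): END,
    (CLIENT_WORKING, "CDATA"): SERVER_WORKING,
    (CLIENT_WORKING, "CRETRY"): SERVER_WORKING,
    (CLIENT_WORKING, "CLOSE"): END,
    (DECIDED, "CRETRY"): SERVER_WORKING,        # PBC asks for a new assessment
    (DECIDED, "CLOSE"): END,
}


def allowed(state: str) -> List[str]:
    """Batch types the diagram permits in the given state (End permits none)."""
    return sorted(b for (s, b) in TRANSITIONS if s == state)


def run_session(batches: List[str]) -> Tuple[str, List[str]]:
    """Feed a sequence of batch types through the state machine.

    Returns (final_state, trace of states). Raises ValueError on a batch the
    current state does not permit, which is what an implementation should
    treat as a protocol error: a peer sending out of turn (half-duplex
    violation), a RESULT before any data, or anything at all after End.
    """
    state = INIT
    trace = [state]
    for batch in batches:
        nxt = TRANSITIONS.get((state, batch))
        if nxt is None:
            raise ValueError(f"batch {batch} not allowed in state {state!r}; "
                             f"allowed: {allowed(state)}")
        state = nxt
        trace.append(state)
    return state, trace


def is_complete(batches: List[str]) -> bool:
    """True only if the sequence is legal and terminates in End."""
    try:
        return run_session(batches)[0] == END
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: PBC starts, two round trips, result, close.
    print(run_session(["CDATA", "SDATA", "CDATA", "RESULT", "CLOSE"]))
```

Note that the table has no entry for two consecutive batches from the same side, so `run_session` rejects a PBC that sends CDATA twice without waiting, which is exactly the half-duplex property the requirements slide demands.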
PB-TNC Encapsulation

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA)
    PA Message
  PB-TNC Message (Type=PB-PA)
    PA Message
PB-TNC Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Batch Length                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PB-TNC Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            PB-TNC Message Value (Variable Length)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IETF Standard PB-TNC Message Types

Message Type   Definition
------------   ----------
0              PB-Experimental - reserved for experimental use
1              PB-Batch-Type - indicates the type of the PB-TNC batch that contains this message
2              PB-PA - contains a PA message
3              PB-Access-Recommendation - includes Posture Broker Server access recommendation (also known as global assessment decision)
4              PB-Remediation-Parameters - includes Posture Broker Server remediation parameters
5              PB-Error - error indicator
6              PB-Language-Preference - sender's preferred language(s) for human-readable strings
7              PB-Reason-String - string explaining reason for Posture Broker Server access recommendation
PB-TNC Batch-Type Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|D|                  Reserved                   |  Batch Type   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PB-TNC Batch Types

Number   Name
------   ----
1        CDATA
2        SDATA
3        RESULT
4        CRETRY
5        SRETRY
PB-PA Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |               PB-TNC Vendor ID                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      PB-TNC Message Type                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PB-TNC Message Length                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |             PA Message Vendor ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          PA Subtype                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Posture Collector Identifier  | Posture Validator Identifier  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               PA Message Body (Variable Length)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Questions about PB-TNC?
PA-TNC
PA-TNC Purpose & Requirements
• PA Purpose
  – Carry attributes between PCs & PVs
• PA Challenging Requirements
  – MUST support extensible set of standard attributes
  – MUST support extensible set of vendor-specific attributes
  – MUST support Posture Request attributes
  – MUST support half-duplex PT
  – MUST support grouping attributes to minimize RTs
  – MUST operate efficiently over low-bandwidth links
  – SHOULD provide security
PA-TNC Design Features
• Use message routing (PA Subtype) to ID component
  – Anti-Virus, Firewall, HIPS, OS, VPN, etc.
• Realize that most attributes apply across all components
  – Manufacturer, product ID, version, operational status, attribute request
  – So provide a standard way to describe these attributes, but allow extensions
• Use compact message format (Binary TLV)
• Design for extensibility
  – No short fields, several reserved fields
  – IANA process for standard extensions
  – Vendor IDs for non-standard extensions (cannot be required)
• Separate PA-TNC security since WG was uncertain
PA-TNC Within PB-TNC

PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
    PA-TNC Message
      PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
      PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
IETF Standard PA Subtypes

Number   Name
------   ----
0        Testing
1        Operating System
2        Anti-Virus
3        Anti-Spyware
4        Anti-Malware
5        Firewall
6        IDPS
7        VPN
PA-TNC Message Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Message Identifier                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PA-TNC Attribute

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Flags     |          PA-TNC Attribute Vendor ID           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PA-TNC Attribute Type                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    PA-TNC Attribute Length                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Correlation ID                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Attribute Value (Variable Length)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
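The PB-TNC header, message, Batch-Type and PB-PA layouts, the "PA-TNC Within PB-TNC" nesting and the PA-TNC message and attribute headers above all describe one byte string. The following is an added example (not code from the presentation or from the NEA WG drafts) that builds the batch from the "PA-TNC Within PB-TNC" slide and parses it back, checking every length field against the bytes actually present before trusting it. Field widths follow the diagrams as reconstructed here (8-bit version and flags, 24-bit vendor IDs, 32-bit type, length and identifier fields, 16-bit collector and validator IDs); the Batch-Type message body layout (D flag in the top bit, batch type in the low byte), the value encodings of the two attributes and all sample values are assumptions made for the example.

```python
# Added example: encode the batch from the "PA-TNC Within PB-TNC" slide and
# parse it back with length validation. Not code from the NEA WG or TCG.
# Field widths follow the slide diagrams; the PB-Batch-Type body layout
# (D flag in bit 31, batch type in the low 8 bits) and attribute value
# encodings are assumptions for this example.
import struct

PB_BATCH_TYPE, PB_PA = 1, 2                    # PB-TNC message types (standard table)
CDATA = 1                                      # PB-TNC batch type
PA_SUBTYPE_OS = 1                              # PA subtype "Operating System"
ATTR_PRODUCT_INFO, ATTR_NUMERIC_VERSION = 2, 3  # PA-TNC attribute types
IETF_PEN = 0                                   # vendor ID 0 = IETF standard values


def pb_message(msg_type, value, vendor=IETF_PEN, flags=0):
    """PB-TNC Message: Flags(8)|Vendor ID(24), Type(32), Length(32), Value.
    Length counts the 12-byte header plus the value."""
    return struct.pack("!I I I", (flags << 24) | vendor, msg_type, 12 + len(value)) + value


def pb_batch_type_message(batch_type, d_flag=0):
    # Assumed body layout: D in bit 31, reserved bits, batch type in the low byte.
    return pb_message(PB_BATCH_TYPE, struct.pack("!I", (d_flag << 31) | (batch_type & 0xFF)))


def pa_attribute(attr_type, value, correlation_id=0, vendor=IETF_PEN, flags=0):
    """PA-TNC Attribute: Flags(8)|Vendor ID(24), Type, Length, Correlation ID, Value."""
    return struct.pack("!I I I I", (flags << 24) | vendor, attr_type,
                       16 + len(value), correlation_id) + value


def pa_message(attributes, message_id, version=1):
    """PA-TNC Message Header: Version(8)|Reserved(24), Message Identifier(32)."""
    return struct.pack("!B 3x I", version, message_id) + b"".join(attributes)


def pb_pa_message(pa_subtype, pa_body, collector_id, validator_id, vendor=IETF_PEN, flags=0):
    """PB-PA value: Flags|PA Vendor ID, PA Subtype, PC ID(16)|PV ID(16), PA body."""
    hdr = struct.pack("!I I H H", (flags << 24) | vendor, pa_subtype, collector_id, validator_id)
    return pb_message(PB_PA, hdr + pa_body)


def pb_batch(messages, version=1):
    """PB-TNC Header: Version(8)|Reserved(24), Batch Length(32) covering the whole batch."""
    body = b"".join(messages)
    return struct.pack("!B 3x I", version, 8 + len(body)) + body


def parse_pb_batch(data):
    """Return [(vendor, type, value)] for each PB-TNC message in the batch.
    Every length field is checked against the bytes received, so a truncated
    batch or an oversized length is rejected rather than read past the buffer."""
    if len(data) < 8:
        raise ValueError("short PB-TNC header")
    _version, batch_len = struct.unpack("!B 3x I", data[:8])
    if batch_len != len(data):
        raise ValueError(f"Batch Length {batch_len} != {len(data)} bytes received")
    msgs, off = [], 8
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated PB-TNC message header")
        flags_vendor, mtype, mlen = struct.unpack("!I I I", data[off:off + 12])
        if mlen < 12 or off + mlen > len(data):
            raise ValueError(f"bad PB-TNC message length {mlen} at offset {off}")
        msgs.append((flags_vendor & 0xFFFFFF, mtype, data[off + 12:off + mlen]))
        off += mlen
    return msgs


def parse_pa_attributes(pa_msg):
    """Split a PA-TNC message (header + attributes) into (type, correlation_id, value)."""
    attrs, off = [], 8  # skip the 8-byte PA-TNC message header
    while off < len(pa_msg):
        if len(pa_msg) - off < 16:
            raise ValueError("truncated PA-TNC attribute header")
        _fv, atype, alen, corr = struct.unpack("!I I I I", pa_msg[off:off + 16])
        if alen < 16 or off + alen > len(pa_msg):
            raise ValueError(f"bad PA-TNC attribute length {alen} at offset {off}")
        attrs.append((atype, corr, pa_msg[off + 16:off + alen]))
        off += alen
    return attrs


def is_well_formed(data):
    try:
        parse_pb_batch(data)
        return True
    except ValueError:
        return False


def build_slide_batch():
    # Constructed sample values: product string and a Major=5, Minor=3 version.
    attrs = [pa_attribute(ATTR_PRODUCT_INFO, b"Windows XP"),
             pa_attribute(ATTR_NUMERIC_VERSION, struct.pack("!I I", 5, 3))]
    pa = pa_message(attrs, message_id=0x1234)
    return pb_batch([pb_batch_type_message(CDATA),
                     pb_pa_message(PA_SUBTYPE_OS, pa, collector_id=1, validator_id=0)])
```

The parser treats the PA body as opaque bytes until the PB-PA header (vendor ID, subtype, collector and validator IDs) has been read, mirroring how a PBS routes by PA Subtype before any PV touches the attributes.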
IETF Standard PA-TNC Attribute Types

Number   Name
------   ----
0        Testing
1        Attribute Request
2        Product Information
3        Numeric Version
4        String Version
5        Operational Status
6        Port Filter
7        Installed Packages
8        PA-TNC Error
Main Types Defined in PB-TNC and PA-TNC

• PB-TNC Message Type
  – PB-Batch-Type, PB-PA, etc.
• PB-TNC Batch Type
  – CDATA, SDATA, etc.
• PA Subtype
  – Operating System, Anti-Virus, etc.
• PA-TNC Attribute Type
  – Product Information, Numeric Version, etc.
• All easily extensible except PB-TNC Batch Type
  – Via PEN for vendor-specific values
  – Via IANA registry for standard values
Questions about PA-TNC?
PA-TNC Security
PA-TNC Security Purpose & Requirements
• PA-TNC Security Purpose
  – Secure attributes between PCs & PVs
• PA-TNC Security Challenging Requirements
  – SHOULD provide authentication, integrity, and confidentiality protection of PA attributes
  – [If security protection is included,] MUST protect against active and passive attacks by intermediaries and endpoints including replay attacks
  – MUST operate efficiently over low-bandwidth links
PA-TNC Security Design Features
• Use Cryptographic Message Syntax (CMS) to secure PA-TNC messages
  – Avoids need for roundtrips to establish session keys
  – Allows for granular use of PA-TNC security only when desired
  – Allows for authentication without confidentiality
  – Extensible for nonce and capabilities exchange
• Allow protection of multiple attributes at once
  – Reduces bandwidth
• Assume that PCs and PVs handle authorization
CMS Protected Content PA-TNC Attribute Type
• New PA-TNC Attribute Type
• May be contained in any PA Subtype
• Contains CMS ContentInfo structure
  – May have signed-data or enveloped-data
signed-data
• Used when confidentiality protection is not needed
• encapContentInfo MUST contain one or more PA-TNC attributes
• certificates MUST include signer’s certificate and SHOULD include certificate path to trust anchor
• crls MAY include CRLs
• Only one SignerInfo permitted
  – MUST include signedAttrs with Nonce CMS attribute
• MUST: RSA 2048 & SHA-256
• MUST-: SHA-1
• SHOULD: ECDSA 256
Nonce CMS Attribute
• Provides replay protection
• MUST be included in all signedAttrs
• Includes pcNonce and pvNonce fields
  – PC & PV select unpredictable initial values
  – Increment to 2^32-1, then reselect
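The three rules on this slide (unpredictable start, increment, reselect at 2^32-1) describe the sender's side of replay protection; a receiver still has to decide what to check. The following is an added example (not code from the presentation or from the NEA WG drafts) that models one PC or PV endpoint: its own counter as the slide describes it, plus two assumed receiver checks, namely that a peer nonce is never accepted twice in a session and that each message echoes the most recent nonce this endpoint sent. The echo rule and the use of 0 for "nothing received yet" are assumptions for the example, not part of the slide.

```python
# Added example: pcNonce/pvNonce counter behaviour from the slide plus an
# assumed receiver-side replay check. Not code from the NEA WG or TCG.
import secrets

MAX_NONCE = 2**32 - 1


class NonceCounter:
    """One endpoint's own nonce: unpredictable start, +1 per message,
    fresh random value once 2^32-1 has been used (as the slide states)."""

    def __init__(self, rng=secrets.randbits):
        self._rng = rng          # injectable so tests can be deterministic
        self.value = self._rng(32)
        self.reselects = 0

    def next(self) -> int:
        """Return the nonce to place in the next signed message, then advance."""
        current = self.value
        if current == MAX_NONCE:
            self.value = self._rng(32)   # counter exhausted: reselect
            self.reselects += 1
        else:
            self.value = current + 1
        return current


class Endpoint:
    """A PC or a PV. The Nonce attribute it signs is modelled as a pair
    (own nonce, echo of the latest peer nonce); for a PC that is
    (pcNonce, pvNonce), for a PV it is (pvNonce, pcNonce)."""

    def __init__(self, rng=secrets.randbits):
        self.counter = NonceCounter(rng)
        self.last_sent = None    # our most recent nonce, expected back in the reply
        self.last_peer = 0       # assumed convention: 0 until the peer has spoken
        self.seen_peer = set()   # peer nonces accepted in this session

    def make_nonce_attr(self):
        self.last_sent = self.counter.next()
        return (self.last_sent, self.last_peer)

    def accept(self, attr) -> bool:
        """Validate a received Nonce attribute (after the CMS signature has
        been verified). False on an exact replay, or when the echoed value is
        not the nonce we most recently sent (a stale or re-ordered message)."""
        peer_nonce, echoed = attr
        if peer_nonce in self.seen_peer:
            return False                     # replayed message
        if self.last_sent is not None and echoed != self.last_sent:
            return False                     # not a reply to our latest message
        self.seen_peer.add(peer_nonce)
        self.last_peer = peer_nonce
        return True


if __name__ == "__main__":
    pc, pv = Endpoint(), Endpoint()
    first = pc.make_nonce_attr()             # PC -> PV
    print(pv.accept(first), pv.accept(first))  # True, then False (replay)
```

Because the counter reselects rather than wrapping to 0, a receiver cannot rely on "strictly greater than last seen" across a reselect; the seen-set is what keeps the replay check sound on both sides of that boundary, at the cost of per-session memory.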
enveloped-data
• Used when confidentiality protection is needed
• encryptedContentInfo MUST contain encrypted version of signed-data
• originatorInfo MUST include signer’s certificate and SHOULD include certificate path to trust anchor, MAY include CRLs
• recipientInfo contains encryption keys for recipients
enveloped-data Algorithms
Operation                             Requirement   Algorithm(s)
------------------------------------  -----------   ------------
Content Encryption                    MUST          AES 128 & 256
Key Transport                         MUST          RSA wrap of AES CEK, 2048
Key Agreement                         MUST          ESDH w/ AES KEK (128 & 256)
Previously Distributed Symmetric KEK  MUST          AES Key Wrap (128 & 256)
Password Based                        MUST          Password Derived AES (128 & 256) (if supported)
Security Capabilities PA-TNC Attribute Type
• Used to indicate prioritized list of supported algorithms
• May be contained in any PA Subtype
• May be requested with Attribute Request
• Contains signed-data with Nonce and paTncSecurityCapabilities in SignerInfo’s signedAttrs and empty encapContent
Concerns with PA-TNC Security
• Need review by CMS experts
• Concern about data size
• Concern about complexity for PC & PV
• Concern about difficulty of configuring PC & PV authorization
Questions about PA-TNC Security?