1 / 26

Information Security 2 (InfSi2)

Information Security 2 (InfSi2). 3 Data Link Layer Security. Prof . Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Communication layers. Security protocols. Application layer. Platform Security, Web Application Security, VoIP Security, SW Security.

reidar
Télécharger la présentation

Information Security 2 (InfSi2)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security 2 (InfSi2) 3 Data Link Layer Security Prof. Dr. Andreas SteffenInstitute for Internet Technologies andApplications (ITA)

  2. Communication layers Security protocols Application layer Platform Security, Web Application Security, VoIP Security, SW Security Transport layer TLS Network layer IPsec Data Link layer [PPTP, L2TP], IEEE 802.1X,IEEE 802.1AE, IEEE 802.11i (WPA2) Physical layer Quantum Cryptography Security Protocols for the OSI Stack

  3. Information Security 2 (InfSi2) 3.1 Port-Based NetworkAccess Control - IEEE 802.1X

  4. IEEE 802.1X Access Control using EAP Methods L2 EAPOL* EAP RADIUS 802.1X SupplicantUser Credentials 802.1X Authenticator(WLAN AP, LAN Switch) 802.1X AuthenticationServerUser Credentials • 802.1X SupplicantsandAuthenticatorsareboth Port Access Entities (PAEs) * EAP over LAN (Ethertype 0x888E)

  5. Information Security 2 (InfSi2) 3.2 Secure Device IdentityIEEE 802.1AR - DevID

  6. IEEE 802.1AR Secure Device Identifier • DevIDSecure Device Identifier • Secure Device Identifier • IDevIDInitial Device Identifier • CreatedduringmanufacturingandcannotbemodifiedEitherreaches end oflifetime (certificate) orcanbedisabled • LDevIDLocallySignificant Device Identifier • Oneorseveralmaybecreatedbynetworkadministrator • DevIDModule • Hardware modulewhichstorestheDevIDsecrets, credentialsandtheentirecredentialchainuptotherootcertificate • Contains a strong Random Number Generator (RNG) • ImplementsAsymmetricAlgorithms (2048 bit RSA and/or256 bit ECDSA) • Implements SHA-256 Hash Function

  7. IEEE 802.1AR DevID Module Applications & Operating System Management Interface Service Interface Storage AsymmetricCryptography DevID Secret[s] Random Number Generator DevID Credentials[s] Hash Algorithms Credential Chain

  8. UseofDevIDs • DevIDuseEAP-TLS Authentication • Device authenticationcanbebased on itsDevIDcertificate. • DevIDuse in Consumer Devices • Similar but moresecurethanaccesscontrolbased on a MAC addresslistwhichcaneasilybespoofed, a switch, routeroraccesspointcanallowaccessbased on a registered commonName (CN), serialNumber (SN) or a subjectAltNamecontained in theDevIDcertificate. • DevIDuse in Enterprise Devices • Similartotheconsumerdeviceusecase but theDevIDisusually registered with a centralAAAserver. • DevID Module based on TrustedPlatform Module (TPM) • Each TPM has a unique non-erasableEndorsement Key (EK)towhichDevIDsecretsandcredentialscanbebound.

  9. Information Security 2 (InfSi2) 3.3 Media Access Layer SecurityIEEE 802.1AE - MACsec

  10. FourStationsAttachedto a LAN PAE PAE PAE PAEPort Access Entity

  11. Connectivity Association (CA) CAK (CA Key) CAK CAK SecYMAC Security Entity • Station D is not partofthe CA

  12. Secure Channel (SC) and Secure Association (SA) • Each SC comprises a successionof SAseachwith a different SAK (SA Key)

  13. Secure Channel and Secure Association Identifiers Association Number PortIdentifier System Identifier SCI Secure Channel Identifier SAI Secure Association Identifier • The AssociationNumber (2 bits) allowstheoverlappingrekeyingofthe Secure Associationduringwhichtwo different SAKs co-exist.

  14. TwoStations in a point-to-point LAN PAE PAE

  15. Connectivity Association (CA) CAK CAK SecY SecY

  16. Secure Channel (SC) and Secure Association (SA) CKN CAK CKN (CAK Name) CAK SecY SecY SAA SAKA0,SAKA1, …SAB SAKB0,SAKB1, … SAA SAKA0,SAKA1, …SAB SAKB0,SAKB1, …

  17. IEEE 802.1AE MACsec Frame Format PT VLAN Tag User Data MAC Addresses MSDU User Data PT DA SA Data Integrity Optional Encryption 8 or 16 8 to 16 DA SA SecTag Secure Data ICV FCS MAC Addresses MPDU • MSDU – MAC Service Data Unit • MPDU – MACsec Protocol Data Unit • ICV – Integrity Check Value

  18. SecTag – Security Tag 2 1 1 4 0 or 8 PN 0x88E5 TCI AN SCI (optional encoding) SL • MACsecEthertype– is 0x88E5 • TCI – TAG Control Information (6 bits) • AN – AssociationNumber (2 bits) • SL – Short Length (6 bits) – lengthof User Data if < 48 octets, 0 otherwise • PN – Packet Number – replayprotectionand IV forencryption • SCI – Secure Channel Identifier – identifies Secure Association (SA). In point-to-point links the SCI consistsofthe Source MAC Addressandthe Port Identifier 00-01 andthusthe SCI doesn’thavetobeencoded.

  19. TCI – TAG Control Information Bits Bit 8 7 6 3 2 1 5 4 ES AN V=0 SC E SCB C • V – Version (currently 0) • ES – End Station – ifsetmeansthatthe Source MAC Addressispartofthe SCI andthe SCI shall not beexplicitlyencoded. • SC – shallbesetonlyif an explicitlyencoded SCI ispresent • SCB – Single Copy Broadcast capability– if ES and SCB aresetthentheimplicit SCI comprises a reserved Port Identifier of 00-00. • E – Encryption – ifsetencryptionisenabled • C – Changed Text – ifclearthe Secure Data exactlyequals User Data

  20. AuthenticatedEncryptionwithAssociated Data SCI PN 2 SCI PN 0 SCI PN 1 • AEAD isbased on specialblock ciphermodes: • Block size: 128 bits • Key size: 128/256 bits • Tag size : 128 bits • Noncesize: 128 bits 64 bits 32 bits 32 bits • AES-Galois/Counter ModeAES-GMAC (auth. only) Key K Key K SCI PN Counter HashSubkey Derivation 0………………..0 ICV Key K HashSubkey H

  21. Information Security 2 (InfSi2) 3.4 MACsec Key AgreementIEEE 802.1X - MKA

  22. MKA distributesrandom SAK using CAK MKPDU • MKPDU – MACsec Key Agreement Protocol Data Unit – carriedvia EAPOL • CAK – Connectivity Association Key – pairwiseorgrouprootkey • ICK – ICV Key – usedfor MKPDU Data Integrity • KEK – Key Encrypting Key – usedforAES Key Wrap in MKPDU • SAK – Secure Association Key

  23. MKA Key Derivation Function - KDF • The MKA KDF is a Pseudo Random Function (PRF) based onAES-CMAC with a 128 or 256 bitkey.Output  KDF(Key, Label, Context, Length) • KEKKDF(CAK, IEEE8021 KEK, CKN[0..15], 128/256) • ICK KDF(CAK, IEEE8021 ICK, CKN[0..15], 128/256) • SAK KDF(CAK, IEEE8021 SAK, KS-nonce | MI-valuelist | KN,128/256) • KS – Key Server – eitherelectedor EAP Authenticator • MI – Member Identifier – all membersof a CA • KN – Key Number – assignedby Key Server

  24. Connectivity Association Key – CAK • CAK as a Pre-Shared-Key (PSK) • Can beusedeitheras a pairwise CAK orgroup CAK • Staticallyconfigured PSK • CKN canbechosenarbitrarilywith a sizeof 1..32 octets • CAK via EAP • Can beusedas a pairwise CAK. • Dynamicallyderived CAK and CKN betweentwo PAEs via EAP CAKKDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CAK,mac1 | mac2, 128/256) CKN KDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CKN , EAP Session-ID | mac1| mac2, 128/256) wheremac1 < mac2arethe MAC addressesofthe PAEsandthe Master Session Key (MSK) and Session-ID oftheEAP method (EAP-TLS, EAP-PEAP, etc) isincluded.

  25. UseofPairwise CAKs toDistribute a Group CAK MKPDU MKPDU MKPDU

  26. IEEE 802.1AE Enabled Products • Cisco Catalyst3750-X / 3560-X LAN Access Switch • Supports MACsecand MKA on bothuser/downlinkandnetwork/uplinkports • JuniperEX Series Switches • 802.1AE availablewiththecontrolledversionof Junos OS

More Related