
SeGW Certificate Revocation

S40-20090119-002. 3GPP2 TSG-S WG4. SeGW Certificate Revocation. Source: QUALCOMM Incorporated Contact(s) Anand Palanigounder ( apg@qualcomm.com ) Recommendation: Discuss and adopt. FAP/SeGW certificate revocation. FAP device certificate is not needed





Presentation Transcript


  1. S40-20090119-002 3GPP2 TSG-S WG4
     SeGW Certificate Revocation
     Source: QUALCOMM Incorporated
     Contact(s): Anand Palanigounder (apg@qualcomm.com)
     Recommendation: Discuss and adopt

  2. FAP/SeGW certificate revocation
     • FAP device certificate is not needed
       • FAP authentication and authorization are used
       • E.g., based on the FEID, the Femto AAA authorizes service during device authentication
     • SeGW server certificate support is noted as FFS
       • If the SeGW server certificate is compromised, how does the FAP know about it?
       • E.g., the private key of the server certificate is compromised, etc.

  3. Options
     • CRLs (Certificate Revocation List)
       • Can become quite large
       • Requires more processing at the femto
     • OCSP (Online Certificate Status Protocol)
       • Simple request/response protocol to an OCSP server
       • See RFC 2560

  4. OCSP Architecture
     • The OCSP service can be provided either by the FAP manufacturer or by a 3rd-party CA provider
     • Depends on who owns the CA used for signing FAP certificates

  5. Conclusion/Proposal
     • It is proposed that OCSP be used to verify the status of the SeGW server certificate
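As an added example, not code from this contribution or from 3GPP2, the OCSP exchange proposed in slides 3 to 5 seen from the FAP side: building the RFC 2560 OCSPRequest for the SeGW server certificate with only the Python standard library, and reading the responseStatus of the reply so that anything other than "successful" is treated as "no status". The issuer name, issuer key bytes and serial number are constructed sample values, not a real CA.

```python
import hashlib

# SHA-1 is the conventional CertID hash (RFC 2560, RFC 5019); it only identifies
# the certificate to the responder and is not a security-critical hash here.
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier{sha1, NULL}

def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    """DER INTEGER; the +8 adds a leading zero byte when the top bit is set."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """OCSPRequest (RFC 2560 4.1.1) for one certificate, unsigned, no extensions.
    issuer_spk is the issuer's subjectPublicKey BIT STRING contents (no tag,
    length or unused-bits byte), as the CertID definition requires."""
    cert_id = tlv(0x30, SHA1_ALGID
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_spk).digest())       # issuerKeyHash
                  + der_int(serial))                                    # serialNumber
    request = tlv(0x30, cert_id)           # Request ::= SEQUENCE { reqCert CertID }
    tbs = tlv(0x30, tlv(0x30, request))    # TBSRequest { requestList SEQUENCE OF Request }
    return tlv(0x30, tbs)                  # OCSPRequest { tbsRequest }

STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def response_status(der: bytes) -> str:
    """OCSPResponse.responseStatus. Only 'successful' carries a BasicOCSPResponse
    whose signature and certStatus must then be verified; anything else means
    the FAP has no status for the SeGW certificate and should fail closed."""
    if len(der) < 2 or der[:1] != b"\x30":
        return "malformed"
    hdr = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)  # skip outer SEQUENCE header
    body = der[hdr:]
    if len(body) < 3 or body[:2] != b"\x0a\x01":        # ENUMERATED, length 1
        return "malformed"
    return STATUS.get(body[2], "malformed")

# Constructed sample issuer (CN=Example Femto CA), key bytes and serial, not a real CA.
SAMPLE_ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Example Femto CA"))))
SAMPLE_ISSUER_SPK = bytes(range(64))
SAMPLE_SERIAL = 0x8F12
REQUEST = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPK, SAMPLE_SERIAL)
```

The request is POSTed to the responder URL carried in the SeGW certificate's authorityInfoAccess extension with Content-Type application/ocsp-request (RFC 2560 Appendix A); a "successful" reply still has to have its signature checked and its certStatus and thisUpdate/nextUpdate window evaluated before the FAP trusts the SeGW.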

  6. IKEv2 profile for FAP/SeGW
     • Current profile for IKEv2:
       • Confidentiality: AES with 128-bit keys in CBC mode;
       • Pseudo-Random Function: AES-XCBC-PRF-128;
       • Integrity: AES-XCBC-MAC-96;
       • Diffie-Hellman group 2048-bit MODP;
       • Editor's Note: Whether we mandate support for 2048-bit MODP (or) 1028-bit MODP and integrity functions (AES-XCBC-MAC-96 or HMAC-SHA1-96) needs to be confirmed.
     • Proposed resolution for the Editor's Note:
       • Keep the AES-based transforms for PRF and integrity
       • Replace "Diffie-Hellman group 2048-bit MODP" with "Diffie-Hellman group 2 (1024-bit MODP)"
     • Rationale:
       • Diffie-Hellman group 2 is mandatory to support according to IKEv2 RFC 4306
       • Alignment with the non-legacy cryptographic suite in WLAN interworking (TS 33.234)
