Slide 1: Pre-Shared Key TLS with GBA support
Thesis presentation, 22.4.2008, Espoo, Finland
Guoqing Zhang
Company Confidential © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials

Slide 2: Outline
Theory:
• Pre-Shared Key TLS protocol
• Key selection in PSK-TLS
• Generic Bootstrapping Architecture
• Combination of PSK-TLS with GBA
Own work:
• Implementation of PSK-TLS on Symbian OS
• Design problem in key agreement of PSK-TLS
• Improvement proposal on key agreement of PSK-TLS
• Conclusions

Slide 3: Pre-Shared Key TLS protocol
• What is PSK-TLS
PSK-TLS is a transport layer security protocol for establishing a secure connection using a symmetric key pre-shared between client and server.
PSK-TLS is otherwise the same as TLS but introduces its own way of generating the pre-master secret. In practice it is very likely that different PSKs are available for different usages. When multiple PSKs coexist on the device, PSK-TLS provides a key selection mechanism to help client and server agree on which PSK should be used.
• Why PSK-TLS
PSK-TLS avoids public key operations, which are heavy for power-limited devices such as mobile phones.
• How the pre-shared key is used
The pre-shared key is used to generate the pre-master secret of the TLS protocol as below, with N = length(PSK) in octets:
  pre_master_secret = uint16(N) || 0x00 ... 0x00 (N zero octets) || uint16(N) || PSK

Slide 4: Key Selection in PSK-TLS
• The client indicates its willingness to use PSK-TLS by including PSK cipher suites in ClientHello
• The server provides a PSK-Identity-Hint in ServerKeyExchange to help the client agree on the PSK
• The client sends the PSK-Identity back to the server in ClientKeyExchange to inform it which key it has chosen
Handshake (* marks an optional message):
  Client                        Server
  ClientHello          ------>
                       <------  ServerHello
                       <------  ServerKeyExchange*
                       <------  ServerHelloDone
  ClientKeyExchange    ------>
  ChangeCipherSpec     ------>
  Finished             ------>
                       <------  ChangeCipherSpec
                       <------  Finished
  Application Data     <----->  Application Data
Unsolved problem:
PSK-TLS only specifies how to use a PSK but gives no solution for how to get the PSK in place. How is a symmetric key installed in the communicating entities? The security of PSK-TLS rests on the pre-shared key. For two entities which have never communicated before, how can they be made to share the same symmetric key, which will later be used to establish the secure connection?

Slide 5: Generic Bootstrapping Architecture - Background
• GBA is a generic architecture which reuses the existing infrastructure of the mobile network to install a symmetric key in the client (UE) and the server (NAF)
• It is specified by 3GPP and promoted for wide use in service protection in mobile networks.
• GBA is a service which should be provided by operators.
• The operator acts as a trust authority for both mobile phone users and service providers.
• GBA brings more business opportunities to operators.
Slide 6: Generic Bootstrapping Architecture - How GBA works
• Model for bootstrapping (figure)
• GBA is run over the Ub interface. The BSF is located in the operator domain. The aim of GBA is to install a shared key in both UE and NAF; the NAF can be a web server, for instance.
• HTTP Digest AKA is the protocol over the Ub interface

Slide 7: Generic Bootstrapping Architecture - How GBA works, continued
• When a user subscribes to an operator, a SIM card with a secret key is issued to the subscriber. The key is shared between the operator's HLR database and the SIM. This secret key is the base of GBA.
• The NAF key is derived from Ks:
  Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID)
• The NAF requests the key from the BSF after bootstrapping
• NAF_ID is composed of the FQDN of the NAF plus the identifier of the protocol used on the Ua interface

Slide 8: Combination of PSK-TLS with GBA
• GBA installs Ks_NAF in both UE and NAF, and the key can be used as the PSK in PSK-TLS to generate the pre-master secret
• Since Ks_NAF is calculated from the NAF FQDN, PSK-TLS needs to support the TLS extensions specified in RFC 3546 (the host_name extension) for the case where one physical server has multiple virtual hostnames.
• The ServerKeyExchange contains "3GPP-bootstrapping" as the PSK-Identity-Hint
• The ClientKeyExchange contains the B-TID as the PSK-Identity
• The server provides the B-TID and its hostname to the BSF for Ks_NAF derivation

Slide 9: Implementation of PSK-TLS with GBA support on Symbian OS
[Component diagram: in the Networking Subsystem the TLS executable calls the Security Subsystem's TLS Provider API; the TLS Provider executable calls the Crypto Token API of the Crypto Token Framework executable; the TLS Token Interface and the Crypto Token FW Specific Interface are derived into a SW TLS Token ECom plug-in and a PSK TLS Token ECom plug-in, which is loaded through ECOM and calls a Key Sharing Interface; that interface is instantiated by a GBA ECom plug-in (calling the GBA executable through the GBA API) and by a second Key Sharing ECom plug-in.]
• The aim of the implementation is to make PSK-TLS available to applications using the TLS stack automatically, without extra changes in them.
• The TLS stack chooses the key sharing plug-in for the key agreement based on the PSK-Identity-Hint from the server

Slide 10: Design problem in key agreement of PSK-TLS
When multiple key sharing methods are available:
• The current design of key agreement in PSK-TLS relies on the PSK-Identity-Hint in ServerKeyExchange to tell the client which key sharing method to use for PSK agreement. This causes a handshake failure if the requested key sharing method is not supported by the client.
• To decrease the probability of handshake failure, the client could indicate its supported key sharing methods already at the beginning of the handshake, namely when ClientHello is sent.
When client and server are from different operator domains:
• When GBA is used as the key agreement method, the roaming situation should be taken into account; otherwise the PSK cannot be agreed even though both client and server support GBA.
• PSK-TLS needs improvements on the key agreement methods!
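The key derivation of slide 7 and its use in PSK-TLS on slide 8, worked through end to end as an added example (not code from the thesis or from the Symbian implementation). The KDF internals (HMAC-SHA-256 over FC = 0x01 followed by length-prefixed parameters) follow TS 33.220 Annex B rather than the slides; all key material, the IMPI, the B-TID and the five-octet Ua security protocol identifier are constructed sample values, the last one an explicitly labelled placeholder since the slides do not give the code point.

```python
import hashlib
import hmac
import struct

# All values below are constructed sample data for this example, not real keys or identities.
KS = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")  # Ks = CK || IK
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")       # 16-octet AKA RAND from bootstrapping
IMPI = b"user@operator.example"                                 # IMPI of the subscriber
NAF_FQDN = b"naf.operator.example"                              # hostname the client connects to
# NAF_ID = FQDN || Ua security protocol identifier (5 octets). The identifier value here is
# an ASSUMED placeholder; the real code point is assigned in TS 33.220, not on the slides.
UA_PROTOCOL_ID_PLACEHOLDER = bytes([0x01, 0x00, 0x00, 0x00, 0x00])
B_TID = b"c2FtcGxlcmFuZA==@bsf.operator.example"                # constructed B-TID
HINT_GBA = b"3GPP-bootstrapping"                                # PSK-Identity-Hint from slide 8


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || ... || Pn || Ln).

    FC is the single octet 0x01 and each Li is the two-octet big-endian length of Pi.
    """
    s = b"\x01"
    for p in params:
        s += p + struct.pack("!H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: bytes, naf_fqdn: bytes, ua_protocol_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID) as written on slide 7."""
    naf_id = naf_fqdn + ua_protocol_id
    return gba_kdf(ks, b"gba-me", rand, impi, naf_id)


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 pre-master secret for plain PSK suites (slide 3):
    uint16(N) || N zero octets || uint16(N) || PSK, with N = len(PSK)."""
    n = len(psk)
    if n == 0 or n > 0xFFFF:
        raise ValueError("PSK length must be 1..65535 octets")
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def parse_premaster_secret(pms: bytes) -> bytes:
    """Inverse of psk_premaster_secret; rejects a malformed layout."""
    (n,) = struct.unpack("!H", pms[:2])
    zeros = pms[2:2 + n]
    (n2,) = struct.unpack("!H", pms[2 + n:4 + n])
    psk = pms[4 + n:]
    if zeros != b"\x00" * n or n2 != n or len(psk) != n:
        raise ValueError("malformed PSK pre-master secret")
    return psk


def client_psk_identity(server_hint: bytes, b_tid: bytes):
    """Client side of key selection with GBA (slide 8): answer the "3GPP-bootstrapping"
    hint with the B-TID; any other hint is not a GBA request, so no identity is chosen."""
    return b_tid if server_hint == HINT_GBA else None


def gba_psk_tls_premaster(naf_fqdn: bytes, ua_protocol_id: bytes = UA_PROTOCOL_ID_PLACEHOLDER) -> bytes:
    """Both sides end up here: the UE derives Ks_NAF locally, the NAF fetches it from the BSF
    using the B-TID and its hostname; the shared value becomes the PSK-TLS pre-master secret."""
    ks_naf = derive_ks_naf(KS, RAND, IMPI, naf_fqdn, ua_protocol_id)
    return psk_premaster_secret(ks_naf)


if __name__ == "__main__":
    identity = client_psk_identity(HINT_GBA, B_TID)
    pms = gba_psk_tls_premaster(NAF_FQDN)
    print("ClientKeyExchange PSK-Identity:", identity.decode())
    print("pre-master secret:", pms.hex())
    # A virtual host on the same physical server gets a different Ks_NAF, which is why
    # slide 8 requires the RFC 3546 host_name extension.
    print("different FQDN gives a different PSK:", pms != gba_psk_tls_premaster(b"other.operator.example"))
```

The NAF_ID binding is the security-relevant detail: because the FQDN is an input to the KDF, a NAF serving several virtual hostnames must learn which one the client addressed (hence the host_name extension) before it can ask the BSF for the right Ks_NAF, and a key derived for one hostname is useless for another.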
Slide 11: Improvement proposal on key agreement of PSK-TLS
• New format of PSK related cipher suites in PSK-TLS:
  Old format: TLS_PSK_WITH_RC4_128_SHA
  New format: TLS_PSKGBA_WITH_RC4_128_SHA
• Use a TLS extension to deliver the operator identity for key agreement in PSK-TLS with GBA in the roaming situation:
  enum ExtensionType {
      host_name(0), max_fragment_length(1), client_certificate_url(2),
      trusted_ca_keys(3), truncated_hmac(4), status_request(5),
      gba(6)
  }
• This requires changes to RFC 4279 and to 3GPP TS 33.220. It has not been accepted yet, so we did not take it into account when implementing PSK-TLS.

Slide 12: Conclusions
• PSK-TLS with GBA support provides a good solution for mobile network security. It is promoted for wide use. Symbian OS, as the world-leading mobile OS, must support it for business reasons.
• It is possible to make PSK-TLS transparent to applications using the TLS stack. Making the mechanism easy to use would encourage application designers to select it as their security solution.
• The improvements to PSK-TLS will dramatically decrease the possibility of handshake failure.
• In future, we should also provide an API that allows applications to set the PSK. Applications that know the PSK can use the API to put the wanted PSK into use; applications that do not have that information can rely on the TLS stack to handle it.

Slide 13: Questions?

Slide 14: Thank you!
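The design problem of slide 10 and the proposal of slide 11, simulated side by side as an added example (not code from the thesis). It models the RFC 4279 handshake, where the key sharing method is revealed only by the PSK-Identity-Hint in ServerKeyExchange, against the proposed one, where the method travels in the cipher suite name (TLS_PSKGBA_...) and the client's operator identity in a gba extension of ClientHello. The "3GPP-bootstrapping" hint and the suite names are from the slides; the second method "MANUAL" with its hint "manual-psk", the extension payload format and the B-TID shape are this example's assumptions, as is applying the TLS_PSK<METHOD>_ naming pattern to a method other than GBA.

```python
from dataclasses import dataclass, field

# Suite naming from slide 11: old TLS_PSK_WITH_RC4_128_SHA, proposed TLS_PSKGBA_WITH_RC4_128_SHA.
SUITE_SUFFIX = "_WITH_RC4_128_SHA"
# PSK-Identity-Hint per key sharing method. "3GPP-bootstrapping" comes from slide 8;
# "manual-psk" is a constructed hint for a hypothetical second (pre-provisioned key) method.
HINTS = {"GBA": "3GPP-bootstrapping", "MANUAL": "manual-psk"}


def suite_name(method: str = "") -> str:
    """'' gives the generic RFC 4279 suite; 'GBA' gives the method-bearing suite of slide 11.
    Applying the same pattern to other methods is this example's assumption."""
    return "TLS_PSK" + method + SUITE_SUFFIX


def method_from_suite(suite: str) -> str:
    return suite[len("TLS_PSK"):-len(SUITE_SUFFIX)]


@dataclass
class Outcome:
    ok: bool
    failed_at: str = ""                      # handshake message at which the failure surfaced
    transcript: list = field(default_factory=list)


def psk_identity(method: str, client_operator: str) -> str:
    # With GBA the PSK-Identity is the B-TID, which names the client's home BSF (slide 8).
    return "btid@bsf." + client_operator if method == "GBA" else "provisioned-key-id"


def current_handshake(client_methods, server_methods, client_operator, server_reachable_bsfs):
    """RFC 4279 flow: the method is revealed only by the hint in ServerKeyExchange."""
    t = [("ClientHello", [suite_name()]), ("ServerHello", suite_name())]
    chosen = server_methods[0]              # server preference; it knows nothing about the client
    t += [("ServerKeyExchange", HINTS[chosen]), ("ServerHelloDone", None)]
    if chosen not in client_methods:
        return Outcome(False, "ClientKeyExchange", t)   # client holds no PSK for this method
    t.append(("ClientKeyExchange", psk_identity(chosen, client_operator)))
    if chosen == "GBA" and client_operator not in server_reachable_bsfs:
        # Roaming case of slide 10: the NAF cannot fetch Ks_NAF from the client's home BSF.
        return Outcome(False, "ClientKeyExchange", t)
    return Outcome(True, "", t + [("Finished", None)])


def proposed_handshake(client_methods, server_methods, client_operator, server_reachable_bsfs):
    """Slide 11 proposal: method carried in the suite name, operator identity in a gba extension."""
    offered = [suite_name(m) for m in client_methods]
    t = [("ClientHello", {"cipher_suites": offered, "gba_extension": client_operator})]
    usable = [m for m in server_methods if suite_name(m) in offered]
    if "GBA" in usable and client_operator not in server_reachable_bsfs:
        usable.remove("GBA")                # server already knows it cannot bootstrap for this operator
    if not usable:
        return Outcome(False, "ServerHello", t)          # fails before any key exchange message
    chosen = usable[0]
    t += [("ServerHello", suite_name(chosen)), ("ServerKeyExchange", HINTS[chosen]),
          ("ServerHelloDone", None), ("ClientKeyExchange", psk_identity(chosen, client_operator)),
          ("Finished", None)]
    return Outcome(True, "", t)


if __name__ == "__main__":
    # Client supports only a provisioned key, server prefers GBA.
    for run in (current_handshake, proposed_handshake):
        o = run(["MANUAL"], ["GBA", "MANUAL"], "home.example", {"home.example"})
        print(run.__name__, "ok" if o.ok else "failed at " + o.failed_at, len(o.transcript), "messages")
    # Both support GBA but the client roams: the server only reaches its own BSF.
    for run in (current_handshake, proposed_handshake):
        o = run(["GBA"], ["GBA"], "home.example", {"visited.example"})
        print(run.__name__, "ok" if o.ok else "failed at " + o.failed_at, len(o.transcript), "messages")
```

Two things the transcripts make visible: in the current flow a mismatch is only detected after four messages, once the server has already committed to a method, whereas in the proposed flow the server either picks a mutually supported method in ServerHello or aborts with the ClientHello as the only message exchanged; and in the roaming case the operator identity lets the server fall back to another common method instead of discovering, after ClientKeyExchange, that it cannot reach the BSF named by the B-TID.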