Pre-Shared Key TLS with GBA support Thesis presentation 22.4.2008 ESPOO, Finland

Guoqing Zhang
Company Confidential
1
© 2005 Nokia
V1-Filename.ppt / yyyy-mm-dd / Initials
Outline
Theory:
• Pre-Shared Key TLS protocol
• Key selection in PSK-TLS
• Generic Bootstrapping Architecture
• Combination of PSK-TLS with GBA
Own work:
• Implementation of PSK-TLS on Symbian OS
• Design problem in key agreement of PSK-TLS
• Improvement Proposal on Key agreement of PSK-TLS
• Conclusions
Pre-Shared Key TLS protocol
• What is PSK-TLS
  • PSK-TLS is a new transport layer protocol for establishing a secure connection via a pre-shared symmetric key between client and server
  • PSK-TLS is otherwise the same as TLS but introduces its own way of generating the pre-master secret.
• Why PSK-TLS
  PSK-TLS avoids public key operations, which are heavy for power-limited devices like mobile phones
• How the pre-shared key is used
  The pre-shared key is used to generate the pre-master secret in the TLS protocol as below:
  uint16(length(PSK)) : 00...00 (length(PSK) zero octets) : uint16(length(PSK)) : PSK octets
• Key Selection
  It is very likely in practice that different PSKs are available for different usage. When multiple PSKs coexist in the device, PSK-TLS provides a mechanism to help client and server agree on which PSK should be used.
Key Selection in PSK-TLS
• The client indicates its willingness to use PSK-TLS by including PSK cipher suites in ClientHello
• The server provides PSK-Identity-Hint in ServerKeyExchange to help the client agree on the PSK
• The client sends PSK-Identity back to the server to inform it about the key it chooses

Handshake message flow:
Client → Server: Client Hello
Server → Client: Server Hello, Server Key Exchange*, Server Hello Done
Client → Server: Client Key Exchange, Change Cipher Spec, Finished
Server → Client: Change Cipher Spec, Finished
Client ↔ Server: Application Data

Unsolved problem:
PSK-TLS only specifies how to use the PSK but doesn’t give a solution for how to get the PSK in place. How does the symmetric key get installed among the communicating entities? The security of PSK-TLS rests on the pre-shared key. For two entities which have never communicated before, how can they be made to share the same symmetric key, which will be used to establish a secure connection later?
Generic Bootstrapping Architecture - Background
• GBA is a generic architecture which reuses the existing infrastructure in the mobile network to install a symmetric key into the client (UE) and the server (NAF)
• It is specified by 3GPP and promoted to be widely used for service protection in mobile networks.
• GBA is a service which should be provided by operators.
• The operator acts as a trust authority for both mobile phone users and service providers
• GBA brings more business opportunities to operators.
Generic Bootstrapping Architecture – How GBA works
• Model for bootstrapping
• GBA runs over the Ub interface. The BSF is located in the operator domain. The aim of GBA is to install a shared key in both the UE and the NAF. The NAF can be a web server, for instance
• HTTP Digest AKA is the protocol used over the Ub interface
Generic Bootstrapping Architecture – How GBA works (continued)
• When a user subscribes to an operator, a SIM card with a secret key is issued to the subscriber. The key is shared between the operator’s HLR database and the SIM. This secret key is the basis of GBA
• The NAF key is generated from Ks:
  Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_ID)
• The NAF requests the key from the BSF after bootstrapping
• NAF_ID is composed of the FQDN of the NAF plus the ID of the algorithm on the Ua interface
Combination of PSK-TLS with GBA
• GBA installs Ks_NAF in both UE and NAF, and the key can be used as the PSK in PSK-TLS to generate the pre-master secret
• Since Ks_NAF is calculated from the NAF FQDN, PSK-TLS needs to support the TLS extension specified in RFC 3546 for the case where one physical server has multiple virtual hostnames.
• The ServerKeyExchange contains “3GPP-bootstrapping” as PSK-Identity-Hint
• The ClientKeyExchange contains B-TID as PSK-Identity
• The server provides B-TID and hostname to BSF for Ks_NAF derivation
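The exchange on this slide, together with the pre-master secret layout from the earlier slide, as an added example (not code from the thesis or the Symbian implementation). The KDF is modelled here as HMAC-SHA-256 over length-suffixed parameters with a leading 0x01 octet, which is an assumption of this sketch; UA_ID, the key material, the B-TID, the hostnames and the dictionary standing in for the BSF are constructed.

```python
import hashlib
import hmac
import struct

HINT = b"3GPP-bootstrapping"   # PSK-Identity-Hint named on the slide
UA_ID = bytes(5)               # constructed placeholder for the Ua algorithm ID

def ks_naf(ks, rand, impi, fqdn):
    # Assumed KDF: HMAC-SHA-256 keyed with Ks over 0x01 || (Pi || uint16 len(Pi))...
    s = b"\x01"
    for p in (b"gba-me", rand, impi.encode(), fqdn.encode() + UA_ID):
        s += p + struct.pack(">H", len(p))
    return hmac.new(ks, s, hashlib.sha256).digest()

def premaster_secret(psk):
    # uint16(N) : N zero octets : uint16(N) : PSK octets, with N = length(PSK)
    n = struct.pack(">H", len(psk))
    return n + bytes(len(psk)) + n + psk

def vec16(data):
    # TLS opaque<0..2^16-1>: two-octet length, then the value
    return struct.pack(">H", len(data)) + data

def read_vec16(buf):
    if len(buf) < 2 or struct.unpack(">H", buf[:2])[0] != len(buf) - 2:
        raise ValueError("malformed length-prefixed field")
    return buf[2:]

def client_key_exchange(server_key_exchange, b_tid):
    # Client: answer only a hint it has a key sharing method for
    if read_vec16(server_key_exchange) != HINT:
        raise ValueError("unsupported PSK-Identity-Hint")
    return vec16(b_tid.encode())

def server_premaster(cke, bsf, hostname):
    # Server (NAF): B-TID and hostname go to the BSF, Ks_NAF comes back
    b_tid = read_vec16(cke).decode()
    if b_tid not in bsf:
        raise KeyError("unknown B-TID")
    ks, rand, impi = bsf[b_tid]
    return premaster_secret(ks_naf(ks, rand, impi, hostname))

def demo():
    # Constructed bootstrapping context, not real subscriber data
    ks, rand = bytes(range(32)), bytes(range(16))
    impi, b_tid = "user@example.invalid", "btid-0001@bsf.example.invalid"
    bsf = {b_tid: (ks, rand, impi)}
    cke = client_key_exchange(vec16(HINT), b_tid)
    client = premaster_secret(ks_naf(ks, rand, impi, "naf.example.invalid"))
    same = server_premaster(cke, bsf, "naf.example.invalid")
    other = server_premaster(cke, bsf, "alias.example.invalid")
    return client == same, client == other
```

demo() compares the client's pre-master secret with the server's twice: once with the hostname the client used, once with a different virtual hostname of the same server. Only the first matches, which is why the server must learn the requested hostname from the RFC 3546 extension before asking the BSF for Ks_NAF.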
Implementation of PSK-TLS with GBA support on Symbian OS
• The aim of the implementation is to make PSK-TLS available to applications using the TLS stack automatically, without extra changes from them.
• The TLS stack will choose the key sharing plug-in for the key agreement based on the PSK-Identity-Hint from the server
[Figure: component diagram. Networking Subsystem: TLS. Security Subsystem: TLS Provider (TLS provider API), Crypto Token Framework (Crypto Token API, TLS Token Interface, Crypto Token FW Specific Interface), SW TLS Token Ecom Plug-in, PSK TLS Token Ecom Plug-in, ECOM, Key Sharing Interface, GBA Ecom Plugin, Key Sharing ECom Plugin 2, GBA (GBA API).]
Design problem in key agreement of PSK-TLS
When multiple key sharing methods are available:
• The current design of key agreement in PSK-TLS relies on the PSK-Identity-Hint in ServerKeyExchange to tell the client which key sharing method to use for PSK agreement. This causes a handshake failure if the requested key sharing method is not supported by the client
• To decrease the possibility of handshake failure, the client could indicate the supported key sharing methods already at the beginning of the handshake, namely at the time when ClientHello is sent
When client and server are from different Operation Domains:
• When GBA is used as the key agreement method, the roaming situation should be taken into account, otherwise the PSK cannot be agreed even though both client and server support GBA.
• PSK-TLS needs improvements in its key agreement methods!
Improvement Proposal on Key agreement of PSK-TLS
• New format of PSK-related cipher suites in PSK-TLS
  Old format: TLS_PSK_WITH_RC4_128_SHA
  New format: TLS_PSKGBA_WITH_RC4_128_SHA
• Using a TLS extension to deliver the operation identity for key agreement in PSK-TLS with GBA in the roaming situation

  enum ExtensionType
  {
      host_name(0),
      max_fragment_length(1),
      client_certificate_url(2),
      trusted_ca_keys(3),
      truncated_hmac(4),
      status_request(5),
      gba(6)
  }
• This requires changes to RFC 4279 and TS 33.220 in 3GPP. It is not accepted yet so we
didn’t take it into account when implementing the PSK-TLS.
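A small model of the argument on the last two slides, as an added example (not code from the thesis): the same client and server complete or fail the handshake depending on whether the key sharing method is visible in ClientHello. The method name "LOCAL" and the suite name built from it are hypothetical; only TLS_PSKGBA_WITH_RC4_128_SHA comes from the proposal, and it is not a registered cipher suite.

```python
CIPHER = "RC4_128_SHA"

def offered_suites(client_methods, proposed):
    # Current format hides the key sharing method; the proposed one names it.
    if not proposed:
        return [f"TLS_PSK_WITH_{CIPHER}"]
    return [f"TLS_PSK{m}_WITH_{CIPHER}" for m in client_methods]

def method_of(suite):
    # "TLS_PSKGBA_WITH_..." -> "GBA"; "TLS_PSK_WITH_..." -> "" (not stated)
    return suite.split("_WITH_")[0][len("TLS_PSK"):]

def handshake(client_methods, server_methods, proposed):
    """Return (result, message at which the outcome is decided, method)."""
    named = {method_of(s) for s in offered_suites(client_methods, proposed)}
    if named != {""}:
        # Proposed: the server picks only among methods the client named.
        common = [m for m in server_methods if m in named]
        if not common:
            return ("failure", "ClientHello", None)
        return ("ok", "ClientHello", common[0])
    # Current: the server cannot know, so it hints its preferred method.
    hint = server_methods[0]
    if hint not in client_methods:
        return ("failure", "ServerKeyExchange", hint)
    return ("ok", "ServerKeyExchange", hint)

def compare(client_methods, server_methods):
    # Same peers, current design first, proposed design second
    return (handshake(client_methods, server_methods, False),
            handshake(client_methods, server_methods, True))
```

With a client that only has the hypothetical LOCAL method and a server that prefers GBA but also supports LOCAL, compare(["LOCAL"], ["GBA", "LOCAL"]) fails at ServerKeyExchange under the current design and succeeds with LOCAL under the proposed one.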
Conclusions
• PSK-TLS with GBA support provides a good solution to mobile network security. It is promoted to be widely used. Symbian OS, as the world-leading mobile OS, must support it for business reasons
• It is possible to make PSK-TLS transparent to applications using the TLS stack. Making the mechanism easy to use would encourage application designers to select it as their security solution.
• The improvements to PSK-TLS will decrease the possibility of handshake failure dramatically.
• In future, we should also provide an API that allows applications to set the PSK. Applications that know the PSK can use the API to put the wanted PSK into use. Applications that do not have the information can rely on the TLS stack to handle it.
Questions ?
Thank you !