Approach for Air-Ground Security in Doc 9880

advertisement
ACP-WG M-13/WP-20
International Civil Aviation Organization
WORKING PAPER
Aeronautical Communication Panel
Working Group M – Maintenance
November 18-21, 2008
Montreal Canada
Approach
for
Air-Ground Security
in
Doc 9880
Prepared by: FAA, ATO-P, AJP 1740
Agenda Item 2 (b)
SUMMARY
This paper proposes incorporating air-ground security provisions into Doc 9880 using the
IETF Internet Key Exchange version 2 (IKEv2) protocol for key establishment in place
of the Doc 9705 procedure using Context Management. This would be the same airground key establishment method specified in Doc 9896 for the ATN IPS. This paper
also proposes using a “Secure Mode” application approach which adds an authentication
tag to application messages in place of the Doc 9705 procedure where security is in the
Upper Layer Communication Service (ULCS). The working group is invited to
consider the proposed approach.
1
1. Introduction
This paper proposes incorporating security provisions into Doc 9880 using the IETF
Internet Key Exchange version 2 (IKEv2) protocol for key establishment in place of the
Doc 9705 procedure using Context Management. This paper also proposes using a
“Secure Mode” application approach which adds the authentication tag to application
messages in place of the Doc 9705 procedure where security is in the Upper Layer
Communication Service (ULCS).
2. Background: Doc 9705 Air-Ground Security
Figure 1 depicts the method of air-ground security in Doc 9705. With the Doc 9705
approach, keys are established during Context Management for other applications.
6. Aircraft derives
Shared CM Session Key
1. Aircraft Signs CM Logon
Message
Airborne CM
Airborne CPDLC
5. Ground CM sends:
it's Public Key Certificate
and CPDLC's public key
in a CM Response Message
with a
Message Authentication Code
2. Aircraft Sends
Signed CM Logon
Message
3.Ground CM
retrieves Aircraft’s
CM Public Key
Certificate and
authenticates the
CM Logon
Message.
It also retrieves the
CPDLC Public Key
Certificate
10. Aircraft CPDLC derives
Shared CPDLC Session Key
7. Aircraft authenticates CM
Response Message
Ground
Context
Management
(CM)
8. Ground CPDLC retrieves sessionunique parameters to derive a Shared
CPDLC Session Key
11. CPDLC Start and
subsequent Messages sent
with a
Message Authentication Code
Ground
CPDLC
9. Ground CPDLC derives a
Shared
CPDLC Session Key
4. Ground CM derives
Shared CM Session Key
Figure 1: Doc 9705 Air-Ground Security
The process begins (step 1) with a logon message when the aircraft CM application
invokes the ULCS indicating that key establishment is to be performed. This will cause
2
the dialogue service to invoke the Security Application Service Object (SASO) which in
turn invokes the Security Service Object (SSO) which will add a digital signature to the
logon message. The ULCS architecture with Doc 9705 security is depicted in Figure 2.
Air/Ground User Application
Air/Ground AE
Control
Function
(CF)
System
Security
Object
(SSO)
Air/Ground
Application Service
Element (ASE)
Security
Application Service
Object (SASO)
ASE
Service
Boundary
Dialogue
Service
Boundary
Association Control
Service Element
(ACSE)
Figure 2: Doc 9705 ULCS Security Architecture
The signed message (step 2) is sent to the ground CM application. The Ground CM
application (step 3) retrieves the Aircraft’s CM Public Key Certificate and using the
public key validates the signed logon message. The Ground CM also retrieves the
CPDLC Public Key Certificate. Using the Aircraft’s CM public key and its own CM
private key, the Ground CM derives a shared CM session key (step 4) using the DiffieHellman key agreement technique. The Ground CM then sends its public key certificate
and the CPDLC public key in a the logon response message (step 5). The message is
tagged with a Message Authentication Code using the shared CM session key. Note that
the CPDLC public key is sent as part of the application message. The message also
contains a set of session unique parameters. The Aircraft derives the shared CM session
key (step 6) using its own CM private key and the Ground CM’s public key. The Aircraft
authenticates the logon response message (step 7). At this point the Aircraft and Ground
CMs have authenticated one another and the Aircraft is in possession of the Ground
CPDLC public key.
When the Ground CPDLC initiates a secure CPDLC session with the Aircraft, it first
retrieves the session unique parameters and derives a CPLDC session key (step 9) using
the Aircraft’s CPDLC public key and its own CPDLC private key. The Aircraft also
derives this session key using its own CPDLC private key and the Ground CPDLC public
3
key (step 10). The CPDLC start and subsequent messages (step 11) are tagged by the
sender with a Message Authentication Code that is verified by the receiver.
3. Doc 9880 Approach to Air-Ground Security
3.1 The Internet Key Exchange Version 2
The approach proposed for Doc 9880 security is to use IKEv2 to exchange keys rather
then the CM exchange method defined in Doc 9705. Figure 3 depicts the messages
exchanged with IKEv2.
IKE_SA_INIT
HDR,SAi,KEi,Ni
Notation
HDR,SAr,KEr,Nr,
[CERTREQ]
AUTH – Authentication Data
CERT – Public Key Certificate
CERTREQ – Certificate Request
HDR – Header
ID_I, ID_R – Initiator, Responder Identifier
KE – Key Exchange (DH Public Values)
Ni, Nr – Initiator/Responder Nonce
SAi, SAr – Intiator/Responder
Security Association
TSi, TSr – Initiator, Responder
Traffic Selector
IKE_SA_AUTH
HDR, SK(ID_I,[CERT], [CERTREQ]
[ID_R], AUTH,SAi,TSi,TSr)
HDR, SK(ID_R,[CERT],AUTH,
SAr2,TSi, TSr)
Figure 3: IKEv2 Exchanges
In the IKE_SA_INIT exchange the initiator and responder exchange Security Association
(SA) payloads, Key Exchange (KE) payloads containing Diffie-Hellman public values,
and Nonces (N). The SA payload identifies what cryptographic suite is to be used for the
IKE_SA. The KE and N values are used to generate a shared key SKEYSEED from
which other keys are derived. The derived keys are used in the IKE_SA_AUTH
exchange to authenticate the identity of the Aircraft and Ground CPDLC entities and to
authenticate subsequent messages under the Security Association.
In the IKE_SA_AUTH exchange the identities (ID) of the SA entities are exchanged. SA
payloads for the CHILD_SA are exchanged as well as traffic selectors (TS) which may
be used to indicate what types of traffic are to be protected. The AUTH payload contains
the type of authentication method used and the authentication data. IKEv2 permits
authentication using digital signatures, shared secrets, or using Extensible Authentication
Protocol (EAP) methods.
4
IKEv2 is an update to the previous IKEv1 version. IKEv2 is considered to be a
significant improvement to the IKEv1 protocol which was available when the security
provisions of Doc 9705 were developed. IKEv1 was specified in three separate
documents. IKEv1 had 8 exchange types for the first phase of operations and could
operate in two modes. Along with the latency to establish Security Associations (SAs),
this led to interoperability problems. It was also vulnerable to certain Denial of Service
attacks.
3.2 Air-Ground Security using IKEv2
Figure 4 depicts the proposed Doc 9880 approach to air-ground security.
3. Aircraft IKEv2 derives a
shared CPDLC Session Key
Using IKE_SA_INIT paremeters
Airborne CPDLC
4. CPDLC Start and
subsequent Messages sent
with a
Message Authentication Code
1 Aircraft and
Ground IKEv2 entities exchange
IKE_SA_INIT
And
IKE_SA_AUTH
Messages
Ground
CPDLC
2. Ground IKEv2 derives a
shared CPDLC Session Key
Using IKE_SA_INIT paremeters
Figure 3: Air-Ground Security with IKEv2
As depicted in (step 1) the Aircraft and Ground IKEv2 entities will first exchange
IKE_SA_INIT and IKE_SA_AUTH messages in accordance with the IKEv2 protocol.
This may be accomplished using pre-determined cryptographic suites for IKEv2 and for
application authentication and a pre-determined set of traffic selectors for ATN
application messages. It is recommended that the same suite of cryptographic protocols
specified in Doc 9896 for the ATN IPS be used. The Aircraft IKEv2 and Ground IKEv2
entities may each (steps 2 and 3) derive a shared CPDLC Session Key using the
SKEYSEED value which was derived from the public Diffie-Hellman values (KE) and
Nonces (N) of the two entities. The CPDLC start and subsequent messages (step 4) are
tagged by the sender with a Message Authentication Code (MAC) that is verified by the
5
receiver. Note that authentication using a keyed MAC is the same approach as was in
Doc 9705 security. However, in this case it is proposed that this not be performed in the
ULCS but rather that a “Secure Mode” version of CPDLC be used where the tag is added
and checked by the CPDLC ASE. Thus the ULCS would not need to be modified to use
the SASO and SSO depicted in Figure 2. Figure 5 depicts the protocol architecture for
the proposed approach for the CPDLC application. In the Internet Protocol Suite
environment IKEv2 runs over UDP. It is recommended that this same approach be used
in the OSI environment with UDP running over CLNP instead of IP.
SM CPDLC
ULCS
FB Presentation
IKEv2
FB Session
UDP
TP4
IDRP
CLNP
Figure 5: Protocol Architecture using IKEv2 and “Secure Mode” CPDLC
The use of IKEv2 and secure mode applications also has the benefit that Context
Management would not require modification to support air-ground security. Note
however that CM itself could be secured following the same approach of using IKEv2 to
establish keys and added a keyed MAC tag to its application messages.
4. Recommendation
1) It is recommended that the Working Group adopt the proposed approach to AirGround security described in this working paper.
If agreed, then it is recommended that:
2) The technical provisions for the security section of Doc 9880 be developed primarily
by reference to Internet Engineering Task Force (IETF) Request for Comment (RFC)
specifications.
3) The Doc 9705 security provisions in the ULCS not be brought into Doc 9880.
6
Download