1 / 20

Naming Operations for SCF

Naming Operations for SCF. Wes Eddy MTI Systems, Inc. Introduction. To mitigate potential threats to network, data, and application security SCF needs ways for: Applications (end-applications and agents) to validate received data End-applications to protect transmitted data

skylar
Download Presentation

Naming Operations for SCF

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Naming Operations for SCF Wes Eddy MTI Systems, Inc

  2. Introduction • To mitigate potential threats to network, data, and application security SCF needs ways for: • Applications (end-applications and agents) to validate received data • End-applications to protect transmitted data • Agents to validate end-applications that attempt to utilize them • Agents to validate one another when in contact • Basic idea in this proposal for SCF naming is to use certificates to convey capabilities to send/receive data using a given name • Names come in two forms: locators and identifiers • Locators are hierarchical; also known as addresses • Identifiers are not necessarily hierarchical, and may be human readable

  3. Outline • Specify: • How to create a namespace • How to allocate names within the namespace • How to locally query for names known within a local processing system or connected subnetwork • How to validate ownership of a given name • How to authenticate data from a given name • How to encrypt data to a given name • Discuss issues: • Revoking names

  4. How to Create a Namespace • Create a namespace ownership certificate: • Generate a GUID for the namespace • Generate a public/private keypair for the namespace owner • Use private key to digitally sign a Namespace-Identification (NSI) certificate containing the: • GUID • Public key • Create an empty database of granted names • Schema: name (string), allocated_time (time), name_owner_pubkey (hex string / binary data), revoked_time (time)

  5. Creating a Namespace Namespace Owner NSI Creates the NSI Creates Database for the Namespace

  6. Notes on Generating a GUID • A 128-bit GUID/UUID can be generated per RFC 4122 • Contains bits for a timestamp, sequence number, and spatially-unique node identification • Not human-readable • But this doesn’t matter, since applications will either be preconfigured with the GUIDs identifying the namespaces they operate within, or a directory can map GUIDs to human-readable names

  7. GUID per RFC 4122 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | time_low | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | time_mid | time_hi_and_version | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |clk_seq_hi_res | clk_seq_low | node (0-1) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | node (2-5) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  8. Notes on Crypto Algorithms • There are numerous crypto algorithms available for generating the needed key pairs, digital signatures, etc., as well as specifications for certificate encoding and other aspects • Due to nature of SCF and design principles of SCF, need to Keep It Simple • Select one public key crypto suite: e.g. ECC per NSA Suite B (256-bit prime modulus ECDH and ECDSA) • Select one block cipher: e.g. AES-128 CTR • Select one hash algorithm: e.g. SHA-256 • Etc. • NSI certificate can indicate which algorithms are to be used for operations within the namespace

  9. How to Allocate Names Within a Namespace • Need to obtain a Proof-of-Name (PoN) certificate from the namespace owner • Requesting a specific name (used for identifiers): • Provide your public key to the namespace owner • The namespace owner checks its database to see if it’s available (assume it is here) • Namespace owner marks it as in-use, storing the public key • Return PoN certificate for the name, signed by the namespace owner • Requesting an empty name (used for locators): • Namespace owner gets to choose what name to allocate • E.g. may be hierarchically assigned, supporting addressing as just another type of namespace that happens to have structure controlled by the owner • May support requesting a batch of names (a sub-namespace); this allows for secure prefix-delegation in an addressing system

  10. Allocating a Name Name Requester Namespace Owner 1. Provide Public-Key and Request Name PoN 2. Update Database 3. Return/Publish PoN

  11. PoN Certificate • Namespace GUID (matching the NSI) • Name granted • Public key of name-holder • Signature from namespace owner • Uncertain parts: • Timestamps? • Sequence number?

  12. How to Locally Query for Names • Several options: 1. Namespace owner’s database holds all pairs of public keys and names that have been allocated • No expectation that it has current locators though! 2. Neighbor discovery protocol can locally broadcast PoN certificates • Can be used to learn “fresh” nearby locators 3. Gossiping query protocol can spread PoN certificates on-demand

  13. How To Validate Ownership of a Given Name • The NSI generated by the namespace owner is either preconfigured or distributed to all applications operating within the namespace • The NSI holds the same public key from the namespace owner that’s used to sign PoN certificates, so it can be used to validate PoN certificates • This proves that the name has been given out to someone with a given public key • To prove ownership, you just need to show that you can decrypt something that was encrypted using the public-key in the PoN certificate • This proves that the PoN certificate was given to you

  14. Validating Ownership of a Name Relay/Mule Data Source 1. Send PoN PoN PoN 2. Encrypt Challenge 3. Decrypt Challenge

  15. How to Authenticate Data from a Given Name • The sender signs the data using the private key corresponding to the public key in the sender’s PoN being used • The receiver uses the PoN public key to check the signature

  16. Authenticating Data from a Name Relay/Mule Data Source 1. Send PoN NSI PoN PoN 2. Use NSI to Validate PoN 3. Send Signed Containers

  17. How to Encrypt Data To a Given Name • The sender uses the public key in the destination’s PoN to encrypt data • The receiver uses the private key portion of the keypair identified in its PoN in order to decrypt the data it receives

  18. Issue: Revoking Names • Names should have an expiration date • But supporting this goes back to the time synchronization requirement that SCF needs to avoid. However, for this purpose, it could be much “rougher” than the rough sync that DTN/BP currently requires. • Do not support non-repudiation • Namespace owner destroys the namespace if it revokes its own certificate

  19. Hierarchical Namespaces • Modifications to basic operations: • PoN certificate’s name field needs to indicate a range of names that have been allocated • Namespace owner’s database needs to handle ranges of names • All PoN certificate holders become namespace owners and need to hold their own database of any PoNs they grant within the delegated subset of the namespace • When Hierarchical PoN (HPoN) certificates are given out from the subsets of the namespace, they’re just like PoNs, but include a copy of the sub-namespace owner’s PoN as well • This is needed in order to validate the HPoNs using (and trusting) only the NSI certificate

  20. NSI PoN

More Related