Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Secure Datastore Architecture Concepts PowerPoint Presentation
Download Presentation
Secure Datastore Architecture Concepts

Secure Datastore Architecture Concepts

144 Views Download Presentation
Download Presentation

Secure Datastore Architecture Concepts

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Secure Datastore Architecture Concepts Author:

  2. 802 End-to-End Security

  3. OSI-TCP/IP Stack Comparison

  4. Application-Secured Payload Media Media SSL, TLS, etc. Platform and Security Layers IPSec, HIP, etc. Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking Physical Medium Modem Modem 802.1x, etc. 802.1x, etc. • Each platform abstraction layer supports its own communications security • Note: Media security is generally platform-to-network, not platform-to-platform • Implementation of each platform abstraction should be secured • Certification of regulatory/standards compliance • Real-time attestation of implementation (“tamper-proof”) • Ability to secure sensitive data • This is not shown, but implied

  5. Media Media Discontinuity between IEEE 802 and IETF IPSec, HIP, etc. OS-Internetworking OS-Internetworking 802 Interface to the “Outside World” Physical Medium Modem Modem 802.1x, etc. 802.1x, etc.

  6. End Device Stack Network Equipment Data Link 802 IF To Upper Layers 802 MAC 802 PHY 802 IF To Network Device Layers Physical Medium

  7. Lightweight Host Identity Protocol Example Gurtov; Host Identity Protocol (HIP); Wiley, 2008; pg 131. TCP/UDP TCP/UDP HIP HIP IPSEC IPSEC Authentication Layer Authentication Layer IP IP Authentication Interaction Authenticated Control Messages Unauthenticated Control Messages ESP Payload: not encrypted, not authenticated

  8. The End-to-End LHIP Security Stack Secure Network Equipment Secure Network Equipment IF To Upper Layers IF To Upper Layers Physical Medium

  9. The End-to-End HIP/SMA Security Stack IETF’s Secure DataStore and Schema (MAP) FCC WS DB and Schema Adding HIP, TNC, and the FCC WS Work Secure Network Equipment Data Link SMA PKI Datastore People/Machines 802 IF To Upper Layers 802 MAC SMA Secure DataStore And Schema IF To Upper Layers 802 PHY 802 IF To Device Layers TNC Secure DataStore and Schema Physical Medium

  10. Application-Secured Payload Media Media SSL, TLS, etc. Summary Data TOG’s SMA Secure Datastore and Schema TOG’s SMA Secure Datastore and Schema IPSec, HIP, SMA, etc. IETF’s Secure DataStore and Schema (MAP) IETF’s Secure DataStore and Schema (MAP) Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking SMA PKI Datastore People/Machines SMA PKI Datastore People/Machines 802 Interface to the “Outside World” Physical Medium Modem Modem 802.1x, etc. 802.1x, etc. TCG’s TNC Secure DataStore and Schema (IF-MAP) TCG’s TNC Secure DataStore and Schema (IF-MAP) FCC Secure WS DataStore FCC Secure WS DataStore

  11. App.-Secured Payload Media Media SSL, TLS, etc. IPSec, HIP, SMA, etc. Ideal End-to-End Security Trusted Policy Engine Trusted Policy Engine IETF/TCG/TOG/IEEE Secure DataStore and Schema (MAP) IETF/TCG/TOG/IEEE Secure DataStore and Schema (MAP) Application Application OS-Session OS-Session OS-Internetworking OS-Internetworking IP Infrastructure Modem Modem Trusted component used to verify compliance and prevent policy violation

  12. Secure Datastore Commonalities • Datastores/Schema all have similarities (FCC, SMA, LHIP, & TNC) • Location information and measurement • Geolocation, sensor measurements • Host information: • Identity, name, address, etc. • Network IDs: • MAC, IP address, etc. • Local policy databases • Spectrum policy information • Security policies database • Co-existence policies • Remote database information • DNS, Spectrum Servers, Certificate Authorities, Sensitive SW Sources (e.g. McAfee), etc. • Trust certificates • Identities of trusted third party connections • IF should/could be standardized

  13. Interfaces Need to be Defined • 802.11k SME MIB “Zero Config”-like Access • Object IDs for the MIB Entries • 802.11 SME MIB Clients • 802.16 MIB Clients • 802.21 MIB Clients • SMA Interface [SLDAP (Secure Lightweight Directory Access Protocol)] • DNS • TCG’s TNC [IF-MAP (InterFace-Metadata Access Point)] • FCC WS – interface undefined, but required fields similar

  14. End-to-End Projects Identified • Joint IEEE-IETF Task Force on end-to-end security protocols and definitions • Passing of SMA/cryptographic identity/security information from PHY to upper layers (schema?) • IEEE/802.21 project for security handoff between disparate systems (schema?) • Joint IEEE-TCG Task Force on device security at lower layers • Attesting to lower layers • Compliance with regulatory/standards policies, e.g. FCC White Spaces regulations • Interface definitions for all interfaces in 802

  15. Resolutions? HIP SMA Datastore [Secure LDAP (SLDAP)] DNS Resource Records (Not Secure) TCG’s TNC Datastore Access (SLDAP?) All schema (should be common)