A. Steffen, 30.09.2013, 03-DataLinkLayer.pptx 1
Information Security 2 (InfSi2)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
3 Data Link Layer Security
Security Protocols for the OSI Stack
Communication layers | Security protocols
Application layer | Platform Security, Web Application Security, VoIP Security, SW Security
Transport layer | TLS
Network layer | IPsec
Data Link layer | [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer | Quantum Cryptography
3.1 Port-Based Network Access Control - IEEE 802.1X
IEEE 802.1X Access Control using EAP Methods
[Diagram: 802.1X Supplicant (User Credentials), 802.1X Authenticator (WLAN AP, LAN Switch), 802.1X Authentication Server (User Credentials); protocol labels: EAP, EAPOL* at L2, RADIUS]
* EAP over LAN (Ethertype 0x888E)
• 802.1X Supplicants and Authenticators are both Port Access Entities (PAEs)
3.2 Secure Device Identity
IEEE 802.1AR - DevID
IEEE 802.1AR Secure Device Identifier
• DevID – Secure Device Identifier
• IDevID – Initial Device Identifier
  • Created during manufacturing and cannot be modified. Either reaches end of lifetime (certificate) or can be disabled.
• LDevID – Locally Significant Device Identifier
  • One or several may be created by network administrator
• DevID Module
  • Hardware module which stores the DevID secrets, credentials and the entire credential chain up to the root certificate
  • Contains a strong Random Number Generator (RNG)
  • Implements Asymmetric Algorithms (2048 bit RSA and/or 256 bit ECDSA)
  • Implements SHA-256 Hash Function
IEEE 802.1AR DevID Module
[Diagram: DevID Module with Storage (DevID Secret[s], DevID Credential[s], Credential Chain), Random Number Generator, Hash Algorithms, Asymmetric Cryptography, Service Interface and Management Interface; Applications & Operating System]
Use of DevIDs
• DevID use in EAP-TLS Authentication
  • Device authentication can be based on its DevID certificate.
• DevID use in Consumer Devices
  • Similar to, but more secure than, access control based on a MAC address list, which can easily be spoofed: a switch, router or access point can allow access based on a registered commonName (CN), serialNumber (SN) or a subjectAltName contained in the DevID certificate.
• DevID use in Enterprise Devices
  • Similar to the consumer device use case, but the DevID is usually registered with a central AAA server.
• DevID Module based on Trusted Platform Module (TPM)
  • Each TPM has a unique non-erasable Endorsement Key (EK) to which DevID secrets and credentials can be bound.
3.3 Media Access Layer Security
IEEE 802.1AE - MACsec
Four Stations Attached to a LAN
[Diagram: four stations, each with a PAE (Port Access Entity), attached to a LAN]
Connectivity Association (CA)
• Station D is not part of the CA
[Diagram: the stations in the CA, each with a SecY (MAC Security Entity) and the CAK (CA Key)]
Secure Channel (SC) and Secure Association (SA)
• Each SC comprises a succession of SAs, each with a different SAK (SA Key)
Secure Channel and Secure Association Identifiers
• SCI – Secure Channel Identifier: System Identifier | Port Identifier
• SAI – Secure Association Identifier: System Identifier | Port Identifier | Association Number
• The Association Number (2 bits) allows the overlapping rekeying of the Secure Association during which two different SAKs co-exist.
Two Stations in a point-to-point LAN
[Diagram: two stations, each with a PAE, on a point-to-point LAN]
Connectivity Association (CA)
[Diagram: both stations, each with a SecY and the CAK]
Secure Channel (SC) and Secure Association (SA)
[Diagram: both stations, each with a SecY and the CAK identified by its CKN (CAK Name); each station lists SA_A: SAK_A0, SAK_A1, … and SA_B: SAK_B0, SAK_B1, …]
IEEE 802.1AE MACsec Frame Format
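[Figure: MPDU layout: DA | SA (MAC Addresses) | SecTag (8 or 16 octets) | Secure Data | ICV (8 to 16 octets) | FCS. The MSDU consists of the MAC Addresses (DA, SA) and the User Data; VLAN Tag and PT fields are also shown. The figure marks the spans covered by Optional Encryption and by Data Integrity.]
• MSDU – MAC Service Data Unit
• MPDU – MACsec Protocol Data Unit
• ICV – Integrity Check Value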
SecTag – Security Tag
[Figure: SecTag layout: 0x88E5 (2 octets) | TCI, AN (1 octet) | SL (1 octet) | PN (4 octets) | SCI, optional encoding (0 or 8 octets)]
• MACsec Ethertype – is 0x88E5
• TCI – TAG Control Information (6 bits)
• AN – Association Number (2 bits)
• SL – Short Length (6 bits) – length of User Data if < 48 octets, 0 otherwise
• PN – Packet Number – replay protection and IV for encryption
• SCI – Secure Channel Identifier – identifies Secure Association (SA). In point-to-point links the SCI consists of the Source MAC Address and the Port Identifier 00-01 and thus the SCI doesn’t have to be encoded.
TCI – TAG Control Information Bits
[Figure: TCI/AN octet: Bit 8: V=0 | Bit 7: ES | Bit 6: SC | Bit 5: SCB | Bit 4: E | Bit 3: C | Bits 2-1: AN]
• V – Version (currently 0)
• ES – End Station – if set means that the Source MAC Address is part of the SCI and the SCI shall not be explicitly encoded.
• SC – shall be set only if an explicitly encoded SCI is present
• SCB – Single Copy Broadcast capability – if ES and SCB are set then the implicit SCI comprises a reserved Port Identifier of 00-00.
• E – Encryption – if set encryption is enabled
• C – Changed Text – if clear the Secure Data exactly equals User Data
Authenticated Encryption with Associated Data
• AEAD is based on special block cipher modes:
  • Block size: 128 bits
  • Key size: 128/256 bits
  • Tag size: 128 bits
  • Nonce size: 128 bits (SCI 64 bits | PN 32 bits | Counter 32 bits)
• AES-Galois/Counter Mode, AES-GMAC (auth. only)
[Figure: counter blocks SCI | PN | 0, SCI | PN | 1, SCI | PN | 2 processed under Key K; Hash Subkey Derivation: Hash Subkey H from the all-zero block 0…0 under Key K; output ICV]
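The SecTag and TCI layouts and the SCI | PN | Counter nonce above, as an added Go example that is not part of the original slides: a parser that decodes the tag, recovers the explicit or implicit SCI and builds the 96-bit SCI | PN part of the nonce. The type and function names, the constructed sample frame and the choice to reject a frame whose SCI is neither encoded nor implied by ES are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

type SecTag struct { // fields of the 802.1AE Security Tag
	ES, SC, SCB, E, C bool
	AN, SL            uint8
	PN                uint32
	SCI               [8]byte  // explicitly encoded, or implied by source MAC + port id
	IV                [12]byte // SCI (64 bits) | PN (32 bits); GCM appends the 32-bit counter
	DataOff           int      // offset of the Secure Data within the frame
}

// ParseSecTag reads DA | SA | 0x88E5 | TCI/AN | SL | PN | [SCI]; 28 octets is the shortest frame (8-octet ICV).
func ParseSecTag(f []byte) (*SecTag, error) {
	if len(f) < 28 || binary.BigEndian.Uint16(f[12:14]) != 0x88E5 || f[14]&0x80 != 0 {
		return nil, errors.New("not a version 0 MACsec frame")
	}
	b := f[14] // bit 8 = V, then ES, SC, SCB, E, C, and AN in bits 2 and 1
	t := &SecTag{ES: b&0x40 != 0, SC: b&0x20 != 0, SCB: b&0x10 != 0,
		E: b&0x08 != 0, C: b&0x04 != 0, AN: b & 0x03, SL: f[15] & 0x3F,
		PN: binary.BigEndian.Uint32(f[16:20]), DataOff: 20}
	switch {
	case t.SL >= 48:
		return nil, errors.New("short length must be below 48")
	case t.SC && t.ES:
		return nil, errors.New("ES set, so the SCI must not be encoded")
	case t.SC:
		copy(t.SCI[:], f[20:28])
		t.DataOff = 28
	case t.ES:
		copy(t.SCI[:6], f[6:12]) // source MAC address
		if !t.SCB {
			t.SCI[7] = 0x01 // port identifier 00-01 (00-00 when SCB is set)
		}
	default:
		return nil, errors.New("SCI neither encoded nor implied by ES")
	}
	copy(t.IV[:8], t.SCI[:])
	binary.BigEndian.PutUint32(t.IV[8:], t.PN)
	return t, nil
}

func main() { // constructed frame: ES, E, C set, AN=1, SL=4, PN=7, 4 data octets, 16-octet ICV
	fmt.Println(ParseSecTag(append([]byte{1, 2, 3, 4, 5, 6, 2, 0, 0, 0, 0, 0xAA, 0x88, 0xE5, 0x4D, 4, 0, 0, 0, 7}, make([]byte, 20)...)))
}
```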
3.4 MACsec Key Agreement
IEEE 802.1X - MKA
MKA distributes random SAK using CAK
• MKPDU – MACsec Key Agreement Protocol Data Unit – carried via EAPOL
• CAK – Connectivity Association Key – pairwise or group root key
• ICK – ICV Key – used for MKPDU Data Integrity
• KEK – Key Encrypting Key – used for AES Key Wrap in MKPDU
• SAK – Secure Association Key
MKA Key Derivation Function - KDF
• The MKA KDF is a Pseudo Random Function (PRF) based on AES-CMAC with a 128 or 256 bit key.
Output = KDF(Key, Label, Context, Length)
• KEK = KDF(CAK, "IEEE8021 KEK", CKN[0..15], 128/256)
• ICK = KDF(CAK, "IEEE8021 ICK", CKN[0..15], 128/256)
• SAK = KDF(CAK, "IEEE8021 SAK", KS-nonce | MI-value list | KN, 128/256)
• KS – Key Server – either elected or EAP Authenticator
• MI – Member Identifier – all members of a CA
• KN – Key Number – assigned by Key Server
Connectivity Association Key – CAK
• CAK as a Pre-Shared-Key (PSK)
  • Can be used either as a pairwise CAK or group CAK
  • Statically configured PSK
  • CKN can be chosen arbitrarily with a size of 1..32 octets
• CAK via EAP
  • Can be used as a pairwise CAK.
  • Dynamically derived CAK and CKN between two PAEs via EAP
CAK = KDF(MSK[0..15]/MSK[0..31], "IEEE8021 EAP CAK", mac1 | mac2, 128/256)
CKN = KDF(MSK[0..15]/MSK[0..31], "IEEE8021 EAP CKN", EAP Session-ID | mac1 | mac2, 128/256)
where mac1 < mac2 are the MAC addresses of the PAEs, and the Master Session Key (MSK) and Session-ID of the EAP method (EAP-TLS, EAP-PEAP, etc.) are included.
Use of Pairwise CAKs to Distribute a Group CAK
[Diagram: MKPDU exchanges between the stations]
IEEE 802.1AE Enabled Products
• Cisco Catalyst 3750-X / 3560-X LAN Access Switch
  • Supports MACsec and MKA on both user/downlink and network/uplink ports
• Juniper EX Series Switches
  • 802.1AE available with the controlled version of Junos OS