11/5/2002 © Cable Television Laboratories, Inc. 2002. All Rights Reserved. Used With Permission.
DOCSIS & PacketCable Device Enrollment
IETF Enrollment Workshop
Certificates
• Devices:
– DOCSIS uses a Cable Modem to provide high speed internet access
– PacketCable uses a Multimedia Terminal Adapter (MTA) to provide Voice-over-IP services
– Both devices use certificates that are embedded at manufacture time – no certificate enrollment is necessary.
DOCSIS Security Overview -- BPI+ --
[Diagram: a PC connects through the Cable Modem (CM) to the CMTS and on to the Internet; a TFTP server delivers new CM code to the CM.]
BPI+ provides:
• Data Encryption (DES)
• Key Management (RSA, Tri-DES)
• CM Authentication (X.509 Certificates)
• Secure Software Download (X.509 Certificate)
Certificates and signatures shown:
• CM Code File – Digitally Signed by: Manufacturer
• Mfg Certificate – Digitally Signed by: DOCSIS Root
• CM Certificate – Digitally Signed by: Mfg CA
PacketCable Security Overview
[Diagram: Phone – MTA – CM – CMTS – Service Provider Network, which hosts the Key Distribution Center, Call Management Server, Provisioning Server and TFTP Server.]
• CM to CMTS: DOCSIS Security
• MTA to Key Distribution Center: Kerberos/PKINIT
• MTA to Provisioning Server: SNMPv3 security, keyed by Kerberized Key Management
• MTA to Call Management Server: IPsec ESP secures the NCS protocol, keyed by Kerberized Key Management
• MTA to TFTP Server: Config File, authenticated with a hash delivered via secured SNMPv3
PacketCable & Kerberos
[Diagram, reconstructed: an MTA to KDC exchange (Kerberos/PKINIT) followed by an MTA to App Server (Prov Server or CMS) exchange (Kerberized Key Management for SNMPv3 and IPsec).]
AS Request (MTA to KDC):
• MTA RSA Signature
• Mfg CA Certificate – Digitally Signed by: PacketCable Root
• MTA Certificate – Digitally Signed by: Mfg CA
• MTA DH Public Value
AS Reply (KDC to MTA):
• KDC RSA Signature
• Service Provider CA Certificate – Digitally Signed by: Service Provider Root
• KDC Certificate – Digitally Signed by: Service Provider CA
• KDC DH Public Value
• Encrypted Session Key
• Kerberos Ticket
AP Request (MTA to App Server):
• Kerberos Ticket
• Sequence #
• Subkey (Encrypted)
• Application Specific Data – IPsec or SNMPv3
• Key Management Data – key lifetime, should client rekey?
• List of Ciphersuites
• SHA-1 HMAC
AP Reply (App Server to MTA):
• Sequence #
• Subkey (Encrypted)
• Application Specific Data – IPsec or SNMPv3
• Key Management Data – key lifetime, should client rekey?
• Chosen Ciphersuite
• SHA-1 HMAC
DOCSIS Certificate Profiles

DOCSIS Root CA
  Subject DN: C=US, O=Data Over Cable Service Interface Specification, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: basicConstraints(cA=true, pathLenConstraint=1), keyUsage(keyCertSign, cRLSign)

DOCSIS Manufacturer CA
  Subject DN: C=<Country of Manufacturer>, [ST=<State/Province>], [L=<City>], O=<Company Name>, OU=DOCSIS, [OU=<Manufacturing Location>], CN=<Company Name> Cable Modem Root Certificate Authority
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: basicConstraints(cA=true), keyUsage(keyCertSign, cRLSign); other extensions are optional

DOCSIS Cable Modem
  Subject DN: C=<Country of Manufacturer>, O=<Company Name>, OU=<Manufacturing Location>, CN=<Serial Number>, CN=<MAC Address>
  Issuer: Manufacturer CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: extensions are optional
DOCSIS Certificate Profiles

DOCSIS Manufacturer Code Verification Certificate
  Subject DN: C=<Country>, O=<Subject code-signing agent>, OU=DOCSIS, CN=Code Verification Certificate
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024, 1536, 2048
  Validity Period: 2-10 years
  Extensions: extKeyUsage(id-kp-codeSigning)

DOCSIS Co-signer Code Verification Certificate
  Subject DN: C=<Country>, O=<Subject code-signing agent>, OU=DOCSIS, CN=Code Verification Certificate
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024, 1536, 2048
  Validity Period: 2-10 years
  Extensions: extKeyUsage(id-kp-codeSigning)

• Code Verification Certificates are used by CMs to verify code images before accepting them.
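The two DOCSIS profile tables above describe what a relying party has to enforce on each certificate in the hierarchy: RSA modulus size, the basicConstraints cA flag and pathLenConstraint, the keyUsage bits and, for code verification certificates, extKeyUsage(id-kp-codeSigning). The Go program below is an added example written for this page; it is not CableLabs code and does not come from the DOCSIS specification. It encodes the table rows as profiles, issues a constructed root -> manufacturer CA -> cable modem chain plus a code verification certificate under the invented organisation "Example Cable Co" (all subject values, keys and the code image are constructed), verifies the CM chain the way a CMTS would during BPI+ authentication, and checks a signed code image the way a CM would before accepting it. Two simplifications are assumptions of the example, not of the tables: the CM subject carries only the MAC address as CN (the profile has a second CN for the serial number), and the code-file signature is modelled as PKCS#1 v1.5 over SHA-256, which stands in for the signing format the specification actually defines.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Profile is one column of the profile tables.
type Profile struct {
	Name        string
	Moduli      []int         // allowed RSA modulus sizes in bits
	IsCA        bool          // basicConstraints cA
	PathLen     int           // required pathLenConstraint; -1 = none required
	KeyUsage    x509.KeyUsage // keyUsage bits that must be present
	CodeSigning bool          // extKeyUsage must include id-kp-codeSigning
}

var (
	caUsage      = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	RootProfile  = Profile{"DOCSIS Root CA", []int{2048}, true, 1, caUsage, false}
	MfgCAProfile = Profile{"DOCSIS Manufacturer CA", []int{1024}, true, -1, caUsage, false}
	CMProfile    = Profile{"DOCSIS Cable Modem", []int{1024}, false, -1, 0, false}
	CVCProfile   = Profile{"Code Verification Certificate", []int{1024, 1536, 2048}, false, -1, 0, true}
)

// CheckProfile reports the first way cert deviates from profile p.
func CheckProfile(cert *x509.Certificate, p Profile) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	switch {
	case !ok:
		return fmt.Errorf("%s: public key is not RSA", p.Name)
	case !slices.Contains(p.Moduli, pub.N.BitLen()):
		return fmt.Errorf("%s: modulus is %d bits, want one of %v", p.Name, pub.N.BitLen(), p.Moduli)
	case cert.IsCA != p.IsCA:
		return fmt.Errorf("%s: basicConstraints cA=%v, want %v", p.Name, cert.IsCA, p.IsCA)
	case p.PathLen >= 0 && cert.MaxPathLen != p.PathLen:
		return fmt.Errorf("%s: pathLenConstraint=%d, want %d", p.Name, cert.MaxPathLen, p.PathLen)
	case cert.KeyUsage&p.KeyUsage != p.KeyUsage:
		return fmt.Errorf("%s: keyUsage %#x lacks required bits %#x", p.Name, cert.KeyUsage, p.KeyUsage)
	case p.CodeSigning && !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageCodeSigning):
		return fmt.Errorf("%s: extKeyUsage lacks id-kp-codeSigning", p.Name)
	}
	return nil
}

// tmpl is a template with the DN shape of the tables; O and the CNs are constructed values.
func tmpl(serial int64, cn string, years int, ous ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Example Cable Co"}, OrganizationalUnit: ous, CommonName: cn},
	}
}

// issue signs t under parent with signer's key (parent == t self-signs) and parses the result.
func issue(t, parent *x509.Certificate, key, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildDemoChain issues root -> manufacturer CA -> cable modem, plus a code verification
// certificate issued directly by the root, with the sizes and constraints of the tables.
func BuildDemoChain() (root, mfgCA, cm, cvc *x509.Certificate, cvcKey *rsa.PrivateKey) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	mfgKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	cmKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	cvcKey, _ = rsa.GenerateKey(rand.Reader, 1536)

	rt := tmpl(1, "Example Cable Modem Root Certificate Authority", 20, "Cable Modems")
	rt.IsCA, rt.BasicConstraintsValid, rt.MaxPathLen, rt.KeyUsage = true, true, 1, caUsage
	root = issue(rt, rt, rootKey, rootKey)
	// The table gives the manufacturer CA the same "... Root Certificate Authority" CN form
	// and no pathLenConstraint (MaxPathLen left at 0 with MaxPathLenZero unset omits it).
	mt := tmpl(2, "Example Cable Modem Root Certificate Authority", 20, "DOCSIS", "Plant 1")
	mt.IsCA, mt.BasicConstraintsValid, mt.KeyUsage = true, true, caUsage
	mfgCA = issue(mt, root, mfgKey, rootKey)
	// The real CM subject carries two CNs (serial number and MAC address); only the MAC is kept.
	cm = issue(tmpl(3, "00:11:22:33:44:55", 20, "Plant 1"), mfgCA, cmKey, mfgKey)
	ct := tmpl(4, "Code Verification Certificate", 10, "DOCSIS")
	ct.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	cvc = issue(ct, root, cvcKey, rootKey)
	return
}

// VerifyChain checks that leaf chains to root through inters and is valid for eku. For the
// CM this is the CMTS side of BPI+ authentication; for a CVC it is the CM's own check.
func VerifyChain(leaf, root *x509.Certificate, inters []*x509.Certificate, eku x509.ExtKeyUsage) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// SignCodeImage models the manufacturer signing a code file with the CVC private key
// (PKCS#1 v1.5 over SHA-256 is a placeholder for the specification's real format).
func SignCodeImage(cvcKey *rsa.PrivateKey, image []byte) ([]byte, error) {
	h := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, cvcKey, crypto.SHA256, h[:])
}

// VerifyCodeImage is what a CM does before accepting a downloaded code file: the CVC must
// chain to the root, fit the CVC profile, and carry a valid signature over the image.
func VerifyCodeImage(root, cvc *x509.Certificate, image, sig []byte) error {
	if err := VerifyChain(cvc, root, nil, x509.ExtKeyUsageCodeSigning); err != nil {
		return err
	}
	if err := CheckProfile(cvc, CVCProfile); err != nil {
		return err
	}
	return cvc.CheckSignature(x509.SHA256WithRSA, image, sig)
}
```

Profile checks and chain building are kept separate on purpose: x509 path validation alone accepts a 1024-bit root or a manufacturer CA without pathLenConstraint, so the table constraints have to be applied as an explicit policy layer on top of it. The same split applies to code images: a certificate that chains to the root but lacks id-kp-codeSigning, or a manufacturer CA certificate presented as a signer, is rejected before the signature is even examined.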
PacketCable Certificate Profiles

MTA Device Root CA
  Subject DN: C=US, O=CableLabs, OU=PacketCable, CN=PacketCable Root Device Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 30 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=1)

MTA Manufacturer CA
  Subject DN: C=<Country>, O=<Company Name>, [ST=<State/Province>], [L=<City>], OU=PacketCable, [OU=<Manufacturer’s Facility>], CN=<Company Name> PacketCable CA
  Issuer: MTA Root CA
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=0)

MTA
  Subject DN: C=<Country>, O=<Company Name>, [ST=<State/Province>], [L=<City>], OU=PacketCable, [OU=<Product Name>], [OU=<Manufacturer’s Facility>], CN=<MAC Address>
  Issuer: MTA Manufacturer CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: keyUsage(digitalSignature, keyEncipherment), authorityKeyIdentifier
PacketCable Certificate Profiles

Service Provider Root CA
  Subject DN: C=US, O=CableLabs, CN=CableLabs Service Provider Root Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 30 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, basicConstraints(cA=true)

Service Provider CA & Local System CA
  Subject DN: C=<Country>, O=<Company>, [OU=<Local System Name>], CN=<Company> CableLabs Service Provider CA
  Issuer: Service Provider Root CA or Service Provider CA
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=1 or 0)

Key Distribution Center
  Subject DN: C=<Country>, O=<Company>, [OU=<Local System Name>], OU=CableLabs Key Distribution Center, CN=<DNS Name>
  Issuer: Service Provider CA or Local System CA
  Algorithm & Modulus: RSA, 1024, 1536, or 2048
  Validity Period: 20 years
  Extensions: keyUsage(digitalSignature), authorityKeyIdentifier, subjectAltName(KDC principal name encoded in otherName)
CableLabs Specifications
• DOCSIS: http://www.cablemodem.com/specifications/
• PacketCable: http://www.packetcable.com/specifications/
• CableHome: http://www.cablehome.net/specifications/
• OpenCable: http://www.opencable.com/specifications/
For More Information…
Eric Rosenfeld
PacketCable Security Architect
Cable Television Laboratories, Inc.
400 Centennial Parkway
Louisville, Colorado 80027-1266
Phone: 303-661-9100
Direct: 303-661-3841
Fax: 303-661-9199
Email: e.rosenfeld@cablelabs.com
http://www.cablelabs.com
For More Information…
Oscar Marcia
Chief Security Architect
Cable Television Laboratories, Inc.
400 Centennial Parkway
Louisville, Colorado 80027-1266
Phone: 303-661-9100
Direct: 303-661-3350
Fax: 303-661-9199
Email: o.marcia@cablelabs.com
http://www.cablelabs.com