DOCSIS & PacketCable Device Enrollment
IETF Enrollment Workshop
11/5/2002 © Cable Television Laboratories, Inc. 2002. All Rights Reserved. Used With Permission.


Page 1: DOCSIS & PacketCable Device Enrollment – IETF Enrollment Workshop (title slide)

Page 2: Certificates

• Devices:
  – DOCSIS uses a Cable Modem to provide high speed internet access
  – PacketCable uses a Multimedia Terminal Adapter (MTA) to provide Voice-over-IP services
  – Both devices use certificates that are embedded at manufacture time – no certificate enrollment is necessary.

Page 3: DOCSIS Security Overview – BPI+

[Diagram: PC – CM – CMTS – Internet; a TFTP server delivers a new CM code file to the CM]

• Data Encryption (DES)
• Key Management (RSA, Tri-DES)
• CM Authentication (X.509 Certificates)
• Secure Software Download (X.509 Certificate)
  – CM Code File … Digitally Signed by: Manufacturer
  – Mfg Certificate … Digitally Signed by: DOCSIS Root
  – CM Certificate … Digitally Signed by: Mfg CA

Page 4: PacketCable Security Overview

[Diagram: Phone – MTA – CM – CMTS – Service Provider Network, which hosts the Key Distribution Center, Call Management Server, Provisioning Server and TFTP Server]

• CM ↔ CMTS: DOCSIS Security
• MTA ↔ Key Distribution Center: Kerberos/PKINIT
• MTA ↔ Provisioning Server: SNMPv3 security, keys from Kerberized Key Management
• MTA ↔ TFTP Server: Config File, authenticated with hash delivered via secured SNMPv3
• MTA ↔ Call Management Server: Kerberized Key Management; IPsec ESP secures NCS protocol

Page 5: PacketCable & Kerberos

Kerberos/PKINIT (MTA ↔ KDC):
  AS Request: MTA RSA Signature; Mfg CA Certificate … Digitally Signed by: PacketCable Root; MTA Certificate … Digitally Signed by: Mfg CA; MTA DH Public Value
  AS Reply: KDC RSA Signature; Service Provider CA Certificate … Digitally Signed by: Service Provider Root; KDC Certificate … Digitally Signed by: Service Provider CA; KDC DH Public Value; Encrypted Session Key; Kerberos Ticket

Kerberized Key Management for SNMPv3 and IPsec (MTA ↔ App Server, i.e. Prov Server or CMS):
  AP Request: Kerberos Ticket; Encrypted: Subkey, Sequence #; Application Specific Data – IPsec or SNMPv3; Key Management Data – key lifetime, should client rekey?; List of Ciphersuites; SHA-1 HMAC
  AP Reply: Encrypted: Subkey, Sequence #; Application Specific Data – IPsec or SNMPv3; Key Management Data – key lifetime, should client rekey?; Chosen Ciphersuite; SHA-1 HMAC

Page 6: DOCSIS Certificate Profiles

DOCSIS Root CA
  Subject DN: C=US, O=Data Over Cable Service Interface Specification, OU=Cable Modems, CN=DOCSIS Cable Modem Root Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: basicConstraints(cA=true, pathLenConstraint=1), keyUsage(keyCertSign, cRLSign); other extensions are optional

DOCSIS Manufacturer CA
  Subject DN: C=<Country of Manufacturer>, [ST=<State/Province>], [L=<City>], O=<Company Name>, OU=DOCSIS, [OU=<Manufacturing Location>], CN=<Company Name> Cable Modem Root Certificate Authority
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: basicConstraints(cA=true), keyUsage(keyCertSign, cRLSign); other extensions are optional

DOCSIS Cable Modem
  Subject DN: C=<Country of Manufacturer>, O=<Company Name>, OU=<Manufacturing Location>, CN=<Serial Number>, CN=<MAC Address>
  Issuer: Manufacturer CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: optional

Page 7: DOCSIS Certificate Profiles (continued)

DOCSIS Manufacturer Code Verification Certificate
  Subject DN: C=<Country>, O=<Subject code-signing agent>, OU=DOCSIS, CN=Code Verification Certificate
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024, 1536 or 2048
  Validity Period: 2-10 years
  Extensions: extKeyUsage(id-kp-codeSigning)

DOCSIS Co-signer Code Verification Certificate
  Subject DN: C=<Country>, O=<Subject code-signing agent>, OU=DOCSIS, CN=Code Verification Certificate
  Issuer: DOCSIS Root CA
  Algorithm & Modulus: RSA, 1024, 1536 or 2048
  Validity Period: 2-10 years
  Extensions: extKeyUsage(id-kp-codeSigning)

• Code Verification Certificates are used by CMs to verify code images before accepting them.
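As an added example (not from these slides and not CableLabs code), the following Python checks a pre-parsed DOCSIS certificate chain against the profile rules of Pages 6 and 7 and enforces the root's pathLenConstraint across the chain, so that a Cable Modem certificate or a Code Verification Certificate that deviates from its profile is reported before it is trusted for BPI+ authentication or a secure software download (Page 3). Certificates are plain dicts of already-parsed fields filled with constructed sample values; the field names (`subject`, `issuer`, `modulus_bits`, `extensions`), the role labels, and the 12-hex-digit MAC encoding of the CM's second CN are assumptions of this example, and DER parsing and RSA signature verification are deliberately left to a real X.509 library.

```python
"""DOCSIS certificate profile checks (added example, not CableLabs code)."""
import re
from datetime import date

# Assumed encoding of the CM's second CN; the slides only say <MAC Address>.
HEX_MAC = re.compile(r"^[0-9A-Fa-f]{12}$")

ROOT_DN = [("C", "US"), ("O", "Data Over Cable Service Interface Specification"),
           ("OU", "Cable Modems"), ("CN", "DOCSIS Cable Modem Root Certificate Authority")]

# Per-role constraints transcribed from Pages 6 and 7 (role labels are this example's).
PROFILES = {
    "root":   {"bits": {2048}, "years": (20, 20), "ca": True, "pathlen": 1,
               "ku": {"keyCertSign", "cRLSign"}, "eku": None},
    "mfg_ca": {"bits": {1024}, "years": (20, 20), "ca": True, "pathlen": None,
               "ku": {"keyCertSign", "cRLSign"}, "eku": None},
    "cm":     {"bits": {1024}, "years": (20, 20), "ca": False, "pathlen": None,
               "ku": None, "eku": None},
    "cvc":    {"bits": {1024, 1536, 2048}, "years": (2, 10), "ca": False,
               "pathlen": None, "ku": None, "eku": "id-kp-codeSigning"},
}

def dn_values(dn, attr):  # DN is a list of (attr, value) pairs, order preserved
    return [v for a, v in dn if a == attr]

def whole_years(start, end):  # completed years between two dates
    return end.year - start.year - ((end.month, end.day) < (start.month, start.day))

def check_subject(role, cert):
    """Subject DN rules that differ per role (Pages 6 and 7)."""
    dn, bad = cert["subject"], []
    cns = dn_values(dn, "CN")
    if role == "root" and dn != ROOT_DN:
        bad.append("root: subject DN is not the fixed DOCSIS root DN")
    if role in ("mfg_ca", "cvc") and "DOCSIS" not in dn_values(dn, "OU"):
        bad.append(f"{role}: subject must carry OU=DOCSIS")
    if role == "mfg_ca" and not any(cn.endswith("Cable Modem Root Certificate Authority") for cn in cns):
        bad.append("mfg_ca: CN must be '<Company Name> Cable Modem Root Certificate Authority'")
    if role == "cvc" and cns != ["Code Verification Certificate"]:
        bad.append("cvc: CN must be 'Code Verification Certificate'")
    if role == "cm" and (len(cns) != 2 or not HEX_MAC.match(cns[1])):
        bad.append("cm: subject needs CN=<Serial Number> then CN=<MAC Address> (12 hex digits)")
    if role == "cm" and not dn_values(dn, "OU"):
        bad.append("cm: subject must carry OU=<Manufacturing Location>")
    return bad

def check_cert(role, cert, issuer):
    """Check one certificate against its profile; issuer=None means self-signed."""
    p, ext, bad = PROFILES[role], cert["extensions"], check_subject(role, cert)
    if cert["issuer"] != (issuer or cert)["subject"]:
        bad.append(f"{role}: issuer DN does not match the signing certificate")
    if cert["modulus_bits"] not in p["bits"]:
        bad.append(f"{role}: RSA modulus {cert['modulus_bits']} not in {sorted(p['bits'])}")
    years = whole_years(cert["not_before"], cert["not_after"])
    if not p["years"][0] <= years <= p["years"][1]:
        bad.append(f"{role}: validity of {years} years outside {p['years']}")
    bc = ext.get("basicConstraints", {})
    if bool(bc.get("cA")) != p["ca"]:
        bad.append(f"{role}: basicConstraints cA must be {p['ca']}")
    if p["pathlen"] is not None and bc.get("pathLenConstraint") != p["pathlen"]:
        bad.append(f"{role}: pathLenConstraint must be {p['pathlen']}")
    if p["ku"] and set(ext.get("keyUsage", [])) != p["ku"]:
        bad.append(f"{role}: keyUsage must be exactly {sorted(p['ku'])}")
    if p["eku"] and p["eku"] not in ext.get("extKeyUsage", []):
        bad.append(f"{role}: extKeyUsage must include {p['eku']}")
    return bad

def check_chain(roles, chain):
    """Walk a root-first chain; returns [] when every link conforms to its profile."""
    bad, issuer, remaining = [], None, None
    for depth, (role, cert) in enumerate(zip(roles, chain)):
        bad += check_cert(role, cert, issuer)
        bc = cert["extensions"].get("basicConstraints", {})
        if depth > 0 and bc.get("cA"):  # an intermediate CA consumes one pathLen unit
            if remaining == 0:
                bad.append(f"depth {depth}: pathLenConstraint exceeded")
            elif remaining is not None:
                remaining -= 1
        if bc.get("cA") and "pathLenConstraint" in bc:
            remaining = bc["pathLenConstraint"] if remaining is None else min(remaining, bc["pathLenConstraint"])
        issuer = cert
    return bad

def sample_chain():
    """Constructed sample certificates (not real DOCSIS data)."""
    def cert(subject, issuer, bits, years, ext):
        return dict(subject=subject, issuer=issuer, modulus_bits=bits, extensions=ext,
                    not_before=date(2002, 11, 5), not_after=date(2002 + years, 11, 5))
    mfg_dn = [("C", "US"), ("O", "Example Modems Inc"), ("OU", "DOCSIS"),
              ("CN", "Example Modems Inc Cable Modem Root Certificate Authority")]
    cm_dn = [("C", "US"), ("O", "Example Modems Inc"), ("OU", "Plant 7"),
             ("CN", "SN-000123"), ("CN", "0011223344AA")]
    cvc_dn = mfg_dn[:3] + [("CN", "Code Verification Certificate")]
    ku = {"keyUsage": ["keyCertSign", "cRLSign"]}
    root = cert(ROOT_DN, ROOT_DN, 2048, 20, {"basicConstraints": {"cA": True, "pathLenConstraint": 1}, **ku})
    mfg = cert(mfg_dn, ROOT_DN, 1024, 20, {"basicConstraints": {"cA": True}, **ku})
    cm = cert(cm_dn, mfg_dn, 1024, 20, {})
    cvc = cert(cvc_dn, ROOT_DN, 1536, 5, {"extKeyUsage": ["id-kp-codeSigning"]})
    return root, mfg, cm, cvc
```

`check_chain(["root", "mfg_ca", "cm"], [root, mfg, cm])` and `check_chain(["root", "cvc"], [root, cvc])` both return an empty list for the sample; a CM certificate with a 512-bit modulus or a malformed MAC CN, a CVC without the code-signing extKeyUsage, or a second intermediate CA inserted beneath the root each produce a finding naming the violated rule, which is the behaviour a CM's BPI+ and software-download checks rely on.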

Page 8: PacketCable Certificate Profiles

MTA Device Root CA
  Subject DN: C=US, O=CableLabs, OU=PacketCable, CN=PacketCable Root Device Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 30 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=1)

MTA Manufacturer CA
  Subject DN: C=<Country>, O=<Company Name>, [ST=<State/Province>], [L=<City>], OU=PacketCable, [OU=<Manufacturer's Facility>], CN=<Company Name> PacketCable CA
  Issuer: MTA Root CA
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=0)

MTA
  Subject DN: C=<Country>, O=<Company Name>, [ST=<State/Province>], [L=<City>], OU=PacketCable, [OU=<Product Name>], [OU=<Manufacturer's Facility>], CN=<MAC Address>
  Issuer: MTA Manufacturer CA
  Algorithm & Modulus: RSA, 1024
  Validity Period: 20 years
  Extensions: keyUsage(digitalSignature, keyEncipherment), authorityKeyIdentifier

Page 9: PacketCable Certificate Profiles (continued)

Service Provider Root CA
  Subject DN: C=US, O=CableLabs, CN=CableLabs Service Provider Root Certificate Authority
  Issuer: Self-signed
  Algorithm & Modulus: RSA, 2048
  Validity Period: 30 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, basicConstraints(cA=true)

Service Provider CA & Local System CA
  Subject DN: C=<Country>, O=<Company>, [OU=<Local System Name>], CN=<Company> CableLabs Service Provider CA
  Issuer: Service Provider Root CA or Service Provider CA
  Algorithm & Modulus: RSA, 2048
  Validity Period: 20 years
  Extensions: keyUsage(keyCertSign, cRLSign), subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints(cA=true, pathLenConstraint=1 or 0)

Key Distribution Center
  Subject DN: C=<Country>, O=<Company>, [OU=<Local System Name>], OU=CableLabs Key Distribution Center, CN=<DNS Name>
  Issuer: Service Provider CA or Local System CA
  Algorithm & Modulus: RSA, 1024, 1536, or 2048
  Validity Period: 20 years
  Extensions: keyUsage(digitalSignature), authorityKeyIdentifier, subjectAltName(KDC principal name encoded in otherName)

Page 10: CableLabs Specifications

• DOCSIS:
  – http://www.cablemodem.com/specifications/
• PacketCable:
  – http://www.packetcable.com/specifications/
• CableHome:
  – http://www.cablehome.net/specifications/
• OpenCable:
  – http://www.opencable.com/specifications/

Page 11: For More Information…

CableLabs
Eric Rosenfeld
PacketCable Security Architect
Cable Television Laboratories, Inc.
400 Centennial Parkway
Louisville, Colorado 80027-1266
Phone: 303-661-9100
Direct: 303-661-3841
Fax: 303-661-9199
Email: [email protected]
http://www.cablelabs.com

Page 12: For More Information…

CableLabs
Oscar Marcia
Chief Security Architect
Cable Television Laboratories, Inc.
400 Centennial Parkway
Louisville, Colorado 80027-1266
Phone: 303-661-9100
Direct: 303-661-3350
Fax: 303-661-9199
Email: [email protected]
http://www.cablelabs.com