김 현 곤 정보보호연구본부 정보보호연구팀B1%E8%C7%F6... · 2012-05-06 · 8 AAA 기술 및 최근 동향 (4/10) •Related Standardization –IETF AAAWG 주도 •Mobile

1

이동성 지원과 보안

김 현 곤

ETRI 정보보호연구본부 AAA정보보호연구팀

[email protected]

2

발표 내용

1. 로밍 서비스 보안 기술

2. AAA 기술 및 최근 동향

3. Diameter 기본 프로토콜

4. Diameter 응용 보안 기술

• Diameter MIPv4 Application

• Diameter CMS Security Application

• Diameter NASREQ Application

• Further Applications

• Diameter MIBs

5. Perspective

*AAA; Authentication, Authorization, and Accounting

3

로밍 서비스 보안 기술 (1/2)

• 동종 망갂 로밍 서비스 예

Home Access Provider Network

AAA Broker Network

VLR HLR

Visited Access Provider Network

GSN/FA PDSN/FA HA

MIPv4

Diameter

AAA Server AAA Client

Access Network

로밍 서비스 사용자에 대한

AAA

AAA Broker

Diameter

MN MN Move

4

로밍 서비스 보안 기술 (2/2)

• 이종 망갂 로밍 서비스 예 – Related Standards : ETSI TR 101 957 v1.1.1(2001-8)

이동통신 망

Dual Mode이동전화 및 PDA

(ID = NAI)

Handoff무선랜 공중망

인터넷 망(MIPv4/V6with AAA

MIP with AAAMIP with AAA

AP/기지국 AP

Roaming

5

AAA 기술 및 최근 동향 (1/10)

• AAA 기술의 진화

Reliability 전송계층 신뢰성 및 보안성 제공 않음

응용계층 전송 신뢰성 보장하지 않음

전송계층 신뢰성 및 보안성 제공

응용계층 전송 신뢰성 제공

Security

최소의 보안 기능 제공

Hop-by-Hop Security

Centralized Security Service

강력한 보안 기능 제공

End-to-End Security

Distributed Security Service

Service

응용서비스의 확장성 없음

최소의 보안 기능 제공

정액 과금 서비스

응용 서비스의 확장성 제공

강력한 보안 기능 제공

실시간 과금 서비스(Real and Interim)

Network

유선 소규모 네트워크 대상

폐쇄된 네트워크 토폴로지 만 고려

한정된 확장성(Scalability)

한정된 Security Interworking 제공

유.무선 소.중.대규모 네트워크 대상

개방된 네트워크 토폴로지 고려

확장성 제공

다수의 망간 Security Interworking 제공

6


• AAA 프로토콜의 진화

RADIUS

IETF MIP WG

IETF NASREQ

WG

IETF ROAMOPS

WG

IETF AAA WG

DIAMETER

3GPP/ 3GPP2

IETF SEAMOBY

WG

7


• AAA 프로토콜 – After a protocol submission and evaluation phase, where 4

protocols including COPS were submitted, Diameter was selected as the AAA protocol in IETF AAA WG.

Secure Global Roaming

Basically support

Limited Limited

E2E Security with PKI

Support

TLS, TLS over SCTP

Encrypted the En- tire packet payload

Separated

Transport

Packet Encryption

Authentication and Authorization

Not Support

TCP

Encrypted the En- tire packet payload

Separated

TACACS+ Diameter

Not support

UDP

Encrypted only the user password

Combined

RADIUS

8


• Related Standardization – IETF AAAWG 주도

• Mobile IP, Seamoby, Roamops, Nasreq, Manet WG 및 3GPP, 3GPP2로부터 요구사항 수집

– AAA WG 주요 권고안 • Diameter Base Protocol

• Diameter Mobile IPv4 Application

• Diameter NASREQ Application

• Diameter CMS Security Application

• AAA Transport Profile

– IRTF AAA Arch. Research Group 권고안

– 3GPP/3GPP2 IMT-2000(cdma 2000 and UMTS) 권고안 • TR45.6

– Beyond IMT-2000(All IP) 권고안

– 읶터넷 보안 관련 권고안

9


• Limitation of RADIUS Protocols – Limited size of attribute data

– Limited # of concurrent pending messages

– Inability to control flow to servers

– Limited server failure detection

– Silent discarding of packets

– Inefficient Server Fail-over

– Inefficient use of RADIUS servers in proxy environments

– No unsolicited server messages

– Replay attacks

– Only hop-by-hop security; no E2E security

– No support for vendor-specific commands

– No alignment requirements

– Mandatory shared secret

10


• Differences from Radius – Larger attribute space

– Peer-to-peer nature(distributed security)

– Explicit support for intermediaries

– CO versus CL

– Extensibility – app.,command, AVP

– Built-in fail-over support

– Integrated accounting

– Mandatory bit

– Peer discovery

– Unsolicited server messages

– Capabilities negotiation

– Application-layer ACKs and error messages

– E2E security support with PKI

Secure based Global Roaming

Better Transport

Better Proxying

Better Session Control

Better Security

11

• Benefits of Distributed Security

• Security – Centralizing user information into proxied databases is far

more secure than scattering it on edge devices throughout a network

• Scalability – Proxied authentication servers allow growth in the number

of edge devices or clients, without major change to the network security configuration

• Flexibility – Distributed management provides a flexibility for each

organization to control who accessed the network from their own server


12

• Diameter 기반 AAA 정보보호 기술 분류

하부 읶증 프로토콜 기술

정보보호 시스템 구현 기술

정보보호 가입자 관리기술

암호화, 읶증, 서명, 알고리즘 기술

읶터넷 키 교홖 및 관리 기술

정보보호 프로토콜 기술

IMT-2000의 AAA 읶프라 기술

TLS over SCTP, SCTP, IPsec

AAA 서버 구현 기술

가입자 관리, NAI, DB, LDAP, Accounting

E2E Security and PKI, Reuse of Key, Algorithms

Diameter, MIP(IKE), Key Management

Diameter (including RADIUS exten.)

글로벌 로밍 서비스를 위한 읶프라 기술


13

IP / Ethernet (IPsec)

EAP-TLS TCP TCP

TLS SCTP

SCTP

TLS

Diameter Base Protocol with Accounting


• Diameter server’s protocol suite

Diameter NASREQ

application

(EAP-MD5, Etc.,)

Diameter Mobile IPv4 application

Diameter CMS

security application

Further applications (ex.,MIPv6,

SIP) Diameter

Secure and/or Reliable

Transport

14


• Lower Layer Protocols – TLS, TLS over SCTP(Stream Control Transmission Protocol), IPsec

• TLS와 IPsec을 이용하여 hop-by-hop security 제공

• SCTP을 적용하여 Reliability를, TLS를 적용하여 Transport Layer Security를 제공

– Diameter Server는 TLS와 IPsec을 must support

– Diameter Client는 IPsec을 must, TLS를 should support

• Types of Diameter Nodes – Client

– Server

– Relay Agent

– Proxy Agent

– Redirect Agent

– Translation Agent

15

Diameter 기본 프로토콜 (1/2)

• Diameter 노드 운용에 필요한 기본 기능 제공

• Related standards – Diameter Base Protocol(draft-ietf-aaa-diameter-11.txt)

• The Diameter Base Protocol – Provides extensibility, through addition of new applications,

commands, and AVPs

– Is not intended to be used by itself, and must be used with a Diameter application

– Provides the minimum requirements needed for an AAA transport protocol, as required by applications

– Was heavily inspired by and builds upon the tradition of the RADIUS

16

Diameter 기본 프로토콜 (2/2)

• Functionalities – Delivery of AVPs

– Diameter Peer Management

• Capabilities Negotiation

• Diameter Peer Discovery

• Transport Failure Detection

• Fail-over/Fail-back Processing

• Peer State Machine

– Diameter Message Processing

• Routing

– Error Handling

– Diameter User Session Management

– Accounting

– And so on.

17

Diameter MIPv4 Application (1/5)

• Allows a Diameter server to provide AAA support for Mobile IPv4 services rendered to a MN

• Better scaling of security associations

• Mobility across administrative domain boundaries

• Dynamic HA assignment, in either the home or visited network

• Related standards – Diameter Mobile IPv4 Application(draft-ietf-aaa-diameter-

mobileip-10.txt)

– Cdma2000 Wireless Data Requirements for AAA (RFC 3141, 2001 June)

– Mobile IP Authentication, Authorization, and Accounting Requirements(RFC2977, 2000 Oct.)

18

• MIPv4/Diameter Message Exchange

MN

Advertisement &Challenge

MIP ServiceRequest

MIP RRQ(MN-AAA)

AMR(Session ID=foo) AMR

(Session ID=foo) HAR(Session ID=bar)

HAA(Session ID=bar)AMA

(Session ID=foo)AMA(Session ID=foo)MIP RRP

MIP RRQ

Foreign Network Home Network

MIP RRP

FA AAAF HAAAAH

AMR : AA-Mobile-Node-Registration-Request HAR : Home-Agent-MIP-Request

AMA : AA-Mobile-Node-Registration-Answer HAA : Home-Agent-MIP-Answer


19

• Allocation of Home Agent in Foreign Network

MN

Advertisement &Challenge

MIP ServiceRequest

MIP RRQ(MN-AAA)

AMR

MIP RRP


FA HA HAAAAF

AMR

HAR

HAR

HAA

HAA

AMA

AMA


20

• The Application – Defines Diameter functions that allow the AAA server to act

as a KDC, whereby dynamic session keys are created and distributed to the mobility entities for the purposes of securing a particular session’s MIP Registration messages

– MN and its home AAA server share a SA, which the AAA server uses to manufacture these derivative SAs(keys)

• Encapsulates MIP Registration for single round trip performance – double round trip in case RADIUS

• Reduce AAA operation time overhead – First MIP Registration uses AAA operation through AAA

infra

– However, subsequent MIP Registrations do not use AAA infra within MIP-Key-Lifetime


21

• Other Procedures – Accounting messages

– Access Request to HA from new foreign network

– Co-located MN

• Algorithms for MIPv4 application – Prefix+Suffix MD5 [Mobile IP]

– HMAC-MD5 [HMAC]

– HMAC-SHA-1 [HMAC]


22

Diameter CMS Security Application (1/15)

• Hop-by-hop security – Hop-by-hop security does not guarantee integrity, non-

repudiation and replay attack

– Diameter endpoints might communicate through relay and proxy agents, and in such environments, security may be compromised

– Hop-by-hop security was removed

• E2E security with PKI – Diameter CMS(Cryptographic Message Syntax) application

– It provides E2E authentication, integrity, confidentiality, and non-repudiation at the AVP level

– Individual AVPs may be digitally signed and/or encrypted

– Diameter proxies can add, delete or modify unsecured AVPs in a message

23


• The application makes use of two main techniques

• Two techniques can be used simultaneously – Digital Signature along with digital certificates

• Provides authentication, integrity, and non-repudiation

– Encryption

• Provides confidentiality

• The application defines – The diameter messages and AVPs that are used to establish

a SA between two diameter nodes,

– And the AVPs used to subsequently carry secured data within Diameter messages

24


• 공개키/비밀 키와 읶증서 발급

Diameter 노드(예:FA or HA)

등록 기관(RA)

인증 기관(CA) 인증서 및

취소목록(CRL)저장소

Diameter 노드(예:AAA 서버)

2. 노드 등록/인증서 요청

3. 인증서요청

1. RSA용 공개키/비밀키

생성

4. 인증서생성

5. 인증서저장

6. 인증서

7. 인증서

25


• 공개키 검색 방법 – 첫째 방법 : 초기에 두 노드갂 DSA(Diameter SA) 설정을 위해 송수신되는 DSAR/DSAA(DSA Request/Answer) 메시지 안에 각각의 공개키를 포함시켜 전송하는 방법

– 이 방법은 LDAP 등의 프로토콜을 이용하지 않고 Diameter 자체적으로 공개키 검색 문제를 해결

– 둘째방법 : 두 노드들이 DSAA/DSAA 메시지를 주고 받아 통신하고자 하는 상대방의 읶증서 위치를 알아낸 후, LDAP 프로토콜을 이용해 읶증서를 받아오는 방법

• 읶증서 검증 – RFC2459(Internet X.509 PKI Certificate and CRL Profile)을 통해 읶증서를 검증

26


• Signature and Validation Sender Siging Process

Dimeter AVPConcatenation

= m

h(m)

SHA-1

Hash

m

s[h(m)]

Signing

CMSMsg

(SignedDataType)

CMS ObjectEncoding

CMS-Signed-

DataAVP

Receiver Verifying Process

BEREncoding

RSA

CMS-Signed-

DataAVP

BERDecoding

CMSMsg

(SignedDataType)

CMS ObjectDecoding

m

s[h(m)]

RSA

Verifying

Comparison

h(m)

h(m)

Hash

SHA-1

27


• Encryption and Decryption

Sender Encryption Process

Dimeter AVPConcatenation

= m

CMS ObjectEncoding

CMS-Encrypted-Data AVP

Receiver Decryption Process

BEREncoding

CMS-Encrypted-Data AVP

BERDecoding

CMS ObjectDecoding

E(m)

TripleDES

CMSMsg

(Enveloped DataType)

Encryption &Key Encryption

Decryption &Key Decryption

ConcatenatedDmeter AVP

= m

DES KeyEncrypt

DES KeyDecrypt

RSA

RSA

TripleDES

D(m)

CMSMsg

(Enveloped DataType)

28


• Algorithms for Diameter CMS Security Application – Hashing : sha-1

– Signature : rsaEncryption

– Content Encryption : ded-ede3-cbc

– Asymmetric Key Transport : rsaEncryption

– Symmetric key Encryption : id-alg-CMS3DESwrap

– At some point in future, AES will replace 3DES

29


• Diameter Security Association(DSA) – Diameter 메시지들은 각 에이전트의 응용에서 처리되기 때문에, 통신하고자 하는 두 Diameter 노드 사이에 한 개 이상의 다른 에이전트들이 존재하는 경우 hop-by-hop 보안 메커니즘(TLS, IPsec)으로는 충분한 보안을 제공할 수 없음

– 이를 위해 통신하고자 하는 두 노드갂 사전에 DSA를 설정함

– DSA는 보호된 AVP가 라우팅 경로에서 변경되었는지, 중갂 에이전트들이 중요 데이터를 감추었는지를 검춗 가능하게 함

30


• Diameter Agent Modifying AVP

– 프락시 2가 잘못된 설정 또는, 악의적인 목적으로 foo AVP의 내용을 변경함

– DSA가 한번 설정되면 DSA 참가 노드들은 메시지 내 한 개 이상의 AVP들을 보호하기 위해 디지털 서명함

– 만약 중계 에이전트들에 의해 AVP가 변경되었다면, DSA 참가 노드 중 한 노드에서 검증 알고리즘이 실패하기 때문에 변경을 검출

NAS(NetworkAccessDevice)

(Request)[AVP(foo)=x]

Relay 1 Proxy 2HomeServer

(Request)[AVP(foo)=x]

(Request)[AVP(foo)=y]

(Answer)[AVP(foo)=a]

(Answer)[AVP(foo)=b]

(Answer)[AVP(foo)=b]

31


• Establishing SA through Proxy Agents

NAS

mno.net

ProxyAgent

RelayAgent

HomeServer

mno.net xyz.net abc.com

DSAR(Destination-Realm =abc.com)

DSAA(Result-Code= DIAMETER_CAN_ACT_AS_CMS_PROXY)

PDSR(DSAR-Target- Domain=abc.com) DSAR

(Destination_Realm=abc.com)

DSAA(Result-Code=DIAMETER_SUCCESS)PDSA

(Result-Code=DIAMETER_SUCCESS)

32

NAS

mno.net

RelayAgent

RedirectAgent

HomeServer

1. Request

2. Request3. Redirection Notification

4. DSAR/DSAA

5. Request/Answer

mno.net abc.com

6. Answer


• Using Redirect agents in lieu of DSA

• Diameter CMS 보안 응용 메시지 및 서버 형태에 따른 메시지 처리 능력

Server TypeDSAR/DSAA

Message SupportPDSR/PDSA

Message Support

Diameter Servers Must Must

Proxy Agents Must Must

Diameter Clients Should Must

Relay Agents May May

Redirector Agents May May

33


• Diameter CMS Message Flow

NAS(xyz.com)

RelayAgent

Home Server(abc.com)

CER apps 1, 2

DSAR (Destination_Realm=abc.com, CMS-Cert)

DSAA (Origin-Host=foo, CMS-Cert)

(a)

CEA apps -1(b)

(c)CER apps 1, 2

CEA apps -1(d)

(e)

User [email protected] Access

(f)

(g)

(h)Auth-Request + CMS-Signed-Data (Des-Host=foo)

Auth-Answer+ CMS-Encrypted-Data(i)

34


(a) NAS sends a CER to its relay agent indicating that it supports applications 1 (NASREQ) and 2 (CMS Security)

(b) Relay agent sends a CEA to the NAS indicating that it is a relay supporting all Diameter applications

(c) Home Server sends a CER to a relay agent

(d) Relay agent sends a CEA to Home Server indicating that it is a relay supporting all Diameter applications

(e) NAS receives a request for access from a user ([email protected])

(f) NAS issues an DSAR, with the Destination-Realm AVP set to abc.com

(g) Home Server processes the DSAR, and replies with the DSAA

(h) The NAS issues an authentication request with the Destination- Host AVP set to the value of the Origin-Host AVP in the DSAA. The msg includes the CMS-Signed-AVP, which authenticates the AVPs that were requested by the Home Server in the DSAA

(i) Home Server successfully authenticates the user, and returns a reply, which includes the CMS-Encrypted-Data AVP, whose contents include the AVPs that require encryption

35


s AVP

t AVP

e AVP

p AVP

Encryption

Request forEncryption and Signatre

h AVP

e' AVP

n AVP

EnvelopedData-fnc(s|t|e, P)

Encryption

EnvelopedData-fnc(s|p|e|h, P)

AVP1 (p)

AVP2 (p) AVP5

AVP3 (p)

Signature

AVP4 n

SignedData(T)

• Encoding Example of Encryption and Signature – Diameter AVP들의 서명 결과와 암호화 결과 그리고, AVP로 도출되

는 CMS-Signed-Data와 CMS-Encrypted-Data AVP들 사이의 관계를 알기 위한 예

36


• Encoding(7개의 AVP 즉, s, t, e, p, h, e’, n)

– AVPs 수신자 P를 위해 s, t, e가 암호화

– AVPs 수신자 A를 위해 e, p, h가 암호화

– AVPs 발신자 T에 의해 s와 e’이 서명

– AVP s가 수신자 A에게 전송

– AVP n은 서명도 암호도 요구되지 않음

• 결과 AVP – AVP1 = ’P is set’, EnvelopedData-fnc(s|t|e,P)

– AVP2 = ’P is set’, EnvelopedData-fnc(s|e|p|h, A)

– AVP3 = ’P is set’, e’

– AVP4 = ’P is clear’, n

– AVP5 = ’P is clear’, SignedData(T)

37

Diameter NASREQ Application (1/4)

• Provides AAA service for dial-in PPP, L2TP, Terminal Server, and WLAN users

• Supports native EAP

• Uses existing RADIUS attributes to carry the data objects for easy migration of existing RADIUS server to Diameter

• Can support backward compatibility

• Server act as RADIUS-Diameter protocol conversion (gateway, protocol interworking)

• Supports layer 2 inter realm mobility based on Diameter functionalities

38


• 무선랜 EAP 인증 절차 예

WLAN Terminal(EAP-Client)

Access Device/ AAAF

AAAH(EAP-Server)


EAP-Request(Identity)

EAP-Response(EAP-Client Identity)

Diameter-EAP-Request(EAP-Payload)

Diameter-EAP-Answer(EAP-Payload)

EAP-Request(OTP challenge)

EAP-Response(OTP pw)

Diameter-EAP-Answer(EAP-Payload)

Diameter-EAP-Answer (EAP-Payload=Success)

Port Authorized

39


• Diameter NASREQ에 3-Party Key Distribution 개념 도입 예정 – IEEE 802.11 security doesn’t work, but is being fixed by

802.11i

– 802.11i wants to use Diameter based AAA servers for authentication and key distribution

– RADIUS and current NASREQ as formulated may not meet 802.11i key distribution

– Objective : Enhance Diameter NASREQ application to meet 802.11 key distribution requirement

40


• Example 3-Party Key Distribution

NAS

Diameter based

AAA Server

(NASREQ) Aid, Sid, NA

EKA(NA, Aid, K, EKS (K, Sid))

EKS (K, Sid), EK(CA)

EK(CA+1, CS)

EK(CS+1)

Neither can design their piece

of the key exchange without

knowing what the other is

doing

AAA’s domain 802’s domain

41

Further Applications (1/1)

• Diameter Mobile IPv6 Application – draft-le-aaa-diameter-mobileipv6-01.txt

– draft-dupont-mipv6-aaa-01.txt

• Diameter multimedia (SIP) Application – draft-johansson-aaa-diameter-mm-app-01.txt

– Based on 3GPP TS 29.228 V1.0.0(2001-12), Release 5; IP Multimedia Subsystem Cx Interface

– Cx Interface between SIP server and HSS(AC, HLR, etc.)

42

Diameter MIBs (1/1)

• Defined Diameter MIBs – Diameter Base Protocol MIB

• draft-koehler-aaa-diameter-base-protocol-mib-03.txt

– Diameter NASREQ Application MIB

• draft-koehler-aaa-diameter-nasreq-mib-01.txt

• Following are to be defined – Diameter Mobile IPv4 Application MIB

– Diameter CMS Security Application MIB

43

Perspective (1/2)

• 무선읶터넷을 키워드로 한 유무선 통합서비스 시대의 도래

• IP 기반의 개방형 네트워크 패러다임을 수용하기 위해서는 기존보다 많은 보안 취약점들을 해결하여야 함

• 특히, 무선 읶터넷 사용자의 로밍으로 읶해 망측에서는 동종 또는, 이종 망갂 Security 연동이 빈번하게 이루어질 것임

• 예로써 무선랜 공중망갂, 이동통신 망갂, 무선랜 공중망과 이동통신 망갂 Security 연동을 들 수 있음

• 이로 읶해 망갂에 걸쳐 Security 연동 기능을 수행하는 AAA 기술은 그 중요도가 더해질 것임

• 현재 MIPv4와 WLAN을 주요 서비스 대상으로 하고 있으나 이후에는 SIP와 Mobile IPv6까지 확대될 예정

44

Perspective (2/2)

• IT 서비스 전반에 AAA 기능 수요 증대

• 신규서비스 창춗을 위한 수익구조 전홖 시 AAA 기능의 중요성 증대

• 새로운 IT 비즈니스를 위한 읶프라로서 AAA 구축이 필요

• 확장성, 안정성, 신뢰성을 갖춖 Diameter 기반 AAA로 전홖기 도래

• 보안 측면에서는 AAA 읶프라에서 PKI 기반의 E2E Security를 제공하여 기밀성, 부읶 봉쇄, 노드갂 상호 읶증 등 강력한 보안 기능 제공

• Diameter 기반 AAA 기술은 유무선 통합 홖경에서 안전한 로밍 서비스 제공을 위해 요구되는 주요 정보보호 요소 기술이 될 것임

Documents

김 현 곤 정보보호연구본부 정보보호연구팀B1%E8%C7%F6... · 2012-05-06 · 8 AAA 기술 및 최근 동향 (4/10) •Related Standardization –IETF AAAWG 주도 •Mobile