3 Data Link Layer Security

Transcription

1 Information Security 2 (InfSi2) 3 Data Link Layer Security Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) A. Steffen, , 03-DataLinkLayer.pptx 1

2 Security Protocols for the OSI Stack Communication layers Security protocols Application layer Transport layer Platform Security, Web Application Security, VoIP Security, SW Security TLS Network layer IPsec Data Link layer Physical layer [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE i (WPA2) Quantum Cryptography A. Steffen, , 03-DataLinkLayer.pptx 2

3 Information Security 2 (InfSi2) 3.1 Port-Based Network Access Control - IEEE 802.1X A. Steffen, , 03-DataLinkLayer.pptx 3

4 IEEE 802.1X Access Control using EAP Methods L2 EAPOL* EAP RADIUS 802.1X Supplicant User Credentials 802.1X Authenticator (WLAN AP, LAN Switch) 802.1X Authentication Server User Credentials 802.1X Supplicants and Authenticators are both Port Access Entities (PAEs) * EAP over LAN (Ethertype 0x888E) A. Steffen, , 03-DataLinkLayer.pptx 4

5 Information Security 2 (InfSi2) 3.2 Secure Device Identity IEEE 802.1AR - DevID A. Steffen, , 03-DataLinkLayer.pptx 5

6 IEEE 802.1AR Secure Device Identifier DevID Secure Device Identifier Secure Device Identifier IDevID Initial Device Identifier Created during manufacturing and cannot be modified Either reaches end of lifetime (certificate) or can be disabled LDevID Locally Significant Device Identifier One or several may be created by network administrator DevID Module Hardware module which stores the DevID secrets, credentials and the entire credential chain up to the root certificate Contains a strong Random Number Generator (RNG) Implements Asymmetric Algorithms (2048 bit RSA and/or 256 bit ECDSA) Implements SHA-256 Hash Function A. Steffen, , 03-DataLinkLayer.pptx 6

7 IEEE 802.1AR DevID Module Applications & Operating System Management Interface Service Interface Storage Asymmetric Cryptography Random Number Generator DevID Secret[s] DevID Credentials[s] Hash Algorithms Credential Chain A. Steffen, , 03-DataLinkLayer.pptx 7

8 Use of DevIDs DevID use EAP-TLS Authentication Device authentication can be based on its DevID certificate. DevID use in Consumer Devices Similar but more secure than access control based on a MAC address list which can easily be spoofed, a switch, router or access point can allow access based on a registered commonname (CN), serialnumber (SN) or a subjectaltname contained in the DevID certificate. DevID use in Enterprise Devices Similar to the consumer device use case but the DevID is usually registered with a centralaaa server. DevID Module based on Trusted Platform Module (TPM) Each TPM has a unique non-erasable Endorsement Key (EK) to which DevID secrets and credentials can be bound. A. Steffen, , 03-DataLinkLayer.pptx 8

9 Information Security 2 (InfSi2) 3.3 Media Access Layer Security IEEE 802.1AE - MACsec A. Steffen, , 03-DataLinkLayer.pptx 9

10 Four Stations Attached to a LAN PAE PAE PAE PAE Port Access Entity A. Steffen, , 03-DataLinkLayer.pptx 10

11 Connectivity Association (CA) CAK (CA Key) CAK CAK SecY MAC Security Entity Station D is not part of the CA A. Steffen, , 03-DataLinkLayer.pptx 11

12 Secure Channel (SC) and Secure Association (SA) Each SC comprises a succession of SAs each with a different SAK (SA Key) A. Steffen, , 03-DataLinkLayer.pptx 12

13 Secure Channel and Secure Association Identifiers Association Number System Identifier Port Identifier SCI Secure Channel Identifier SAI Secure Association Identifier The Association Number (2 bits) allows the overlapping rekeying of the Secure Association during which two different SAKs co-exist. A. Steffen, , 03-DataLinkLayer.pptx 13

14 Two Stations in a point-to-point LAN PAE PAE A. Steffen, , 03-DataLinkLayer.pptx 14

15 Connectivity Association (CA) CAK CAK SecY SecY A. Steffen, , 03-DataLinkLayer.pptx 15

16 Secure Channel (SC) and Secure Association (SA) CKN (CAK Name) CAK CKN CAK SecY SecY SA A SAK A0, SAK A1, SA B SAK B0, SAK B1, SA A SAK A0, SAK A1, SA B SAK B0, SAK B1, A. Steffen, , 03-DataLinkLayer.pptx 16

17 IEEE 802.1AE MACsec Frame Format VLAN Tag PT User Data MAC Addresses MSDU DA SA PT User Data Data Integrity Optional Encryption 8 or 16 8 to 16 DA SA SecTag Secure Data ICV FCS MAC Addresses MPDU MSDU MAC Service Data Unit MPDU MACsec Protocol Data Unit ICV Integrity Check Value A. Steffen, , 03-DataLinkLayer.pptx 17

18 SecTag Security Tag or 8 0x88E5 TCI AN SL PN SCI (optional encoding) MACsec Ethertype is 0x88E5 TCI TAG Control Information (6 bits) AN Association Number (2 bits) SL Short Length (6 bits) length of User Data if < 48 octets, 0 otherwise PN Packet Number replay protection and IV for encryption SCI Secure Channel Identifier identifies Secure Association (SA). In point-to-point links the SCI consists of the Source MAC Address and the Port Identifier and thus the SCI doesn t have to be encoded. A. Steffen, , 03-DataLinkLayer.pptx 18

19 TCI TAG Control Information Bits Bit V=0 ES SC SCB E C AN V Version (currently 0) ES End Station if set means that the Source MAC Address is part of the SCI and the SCI shall not be explicitly encoded. SC shall be set only if an explicitly encoded SCI is present SCB Single Copy Broadcast capability if ES and SCB are set then the implicit SCI comprises a reserved Port Identifier of E Encryption if set encryption is enabled C Changed Text if clear the Secure Data exactly equals User Data A. Steffen, , 03-DataLinkLayer.pptx 19

20 Authenticated Encryption with Associated Data SCI PN 0 SCI PN 1 SCI PN 2 Key K Key K AEAD is based on special block cipher modes: Block size: 128 bits Key size: 128/256 bits Tag size : 128 bits Nonce size: 128 bits SCI PN Counter 64 bits 32 bits 32 bits AES-Galois/Counter Mode AES-GMAC (auth. only) Hash Subkey Derivation 0..0 Key K ICV Hash Subkey H A. Steffen, , 03-DataLinkLayer.pptx 20

21 Information Security 2 (InfSi2) 3.4 MACsec Key Agreement IEEE 802.1X - MKA A. Steffen, , 03-DataLinkLayer.pptx 21

22 MKA distributes random SAK using CAK MKPDU MKPDU MACsec Key Agreement Protocol Data Unit carried via EAPOL CAK Connectivity Association Key pairwise or group root key ICK ICV Key used for MKPDU Data Integrity KEK Key Encrypting Key used for AES Key Wrap in MKPDU SAK Secure Association Key A. Steffen, , 03-DataLinkLayer.pptx 22

23 MKA Key Derivation Function - KDF The MKA KDF is a Pseudo Random Function (PRF) based on AES-CMAC with a 128 or 256 bit key. Output KDF(Key, Label, Context, Length) KEK KDF(CAK, IEEE8021 KEK, CKN[0..15], 128/256) ICK KDF(CAK, IEEE8021 ICK, CKN[0..15], 128/256) SAK KDF(CAK, IEEE8021 SAK, KS-nonce MI-value list KN, 128/256) KS Key Server either elected or EAP Authenticator MI Member Identifier all members of a CA KN Key Number assigned by Key Server A. Steffen, , 03-DataLinkLayer.pptx 23

24 Connectivity Association Key CAK CAK as a Pre-Shared-Key (PSK) Can be used either as a pairwise CAK or group CAK Statically configured PSK CKN can be chosen arbitrarily with a size of octets CAK via EAP Can be used as a pairwise CAK. Dynamically derived CAK and CKN between two PAEs via EAP CAK KDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CAK, mac1 mac2, 128/256) CKN KDF(MSK[0..15]/MSK[0..31], IEEE8021 EAP CKN, EAP Session-ID mac1 mac2, 128/256) where mac1 < mac2 are the MAC addresses of the PAEs and the Master Session Key (MSK) and Session-ID of the EAP method (EAP-TLS, EAP-PEAP, etc) is included. A. Steffen, , 03-DataLinkLayer.pptx 24

25 Use of Pairwise CAKs to Distribute a Group CAK MKPDU MKPDU MKPDU A. Steffen, , 03-DataLinkLayer.pptx 25

26 IEEE 802.1AE Enabled Products Cisco Catalyst 3750-X / 3560-X LAN Access Switch Supports MACsec and MKA on both user/downlink and network/uplink ports Juniper EX Series Switches 802.1AE available with the controlled version of Junos OS A. Steffen, , 03-DataLinkLayer.pptx 26