IRP - the Identity Registration Protocol L AW R E N C E E. HUGHES CO- F O U N D E R AND C TO S I X S CAPE C O M M U N I C ATIONS, P TE. LTD.

Similar documents
Some New Technologies for the Smart Nation Platform

User s Guide to IRP Client v0.8

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Owner of the content within this article is Written by Marc Grote

But where'd that extra "s" come from, and what does it mean?

Introduction to the DANE Protocol

APNIC Trial of Certification of IP Addresses and ASes

Transport Layer Security

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Introducción al RPKI (Resource Public Key Infrastructure)

Understanding Traffic Decryption

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

The SafeNet Security System Version 3 Overview

10/4/2016. Advanced Windows Services. IPv6. IPv6 header. IPv6. IPv6 Address. Optimizing 0 s

Security Statement Revision Date: 23 April 2009

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

Let s Encrypt and DANE

Public-key Infrastructure Options and choices

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

CS 356 Internet Security Protocols. Fall 2013

QUANTUM SAFE PKI TRANSITIONS

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Innovative uses as result of DNSSEC

APNIC Trial of Certification of IP Addresses and ASes

Lecture Notes 14 : Public-Key Infrastructure

Deploying a New Hash Algorithm. Presented By Archana Viswanath

DNS Security. Wolfgang Nagele DNS Group Manager

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

CERN Certification Authority

CSCE 813 Internet Security Final Exam Preview

Syllabus: The syllabus is broadly structured as follows:

Table of Contents 1 IKE 1-1

Deploying DDS on a WAN and the GIG: The DDS Routing Service. Gerardo Pardo-Castellote, Ph.D. The Real-Time Middleware Experts

Configuring SSL CHAPTER

Implementing Security in Windows 2003 Network (70-299)

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Lecture 15 Public Key Distribution (certification)

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

A Free, Automated, and Open Certificate Authority. Josh Aas Co-Founder, Executive Director

Getting to Grips with Public Key Infrastructure (PKI)

Crypto meets Web Security: Certificates and SSL/TLS

DNS Security. Wolfgang Nagele DNS Services Manager

6 March 2012

Overview. SSL Cryptography Overview CHAPTER 1

Key Management and Distribution

Techological Advantages of Mobile IPv6

Service Mesh and Microservices Networking

CSCE 715: Network Systems Security

Some Lessons Learned from Designing the Resource PKI

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Understanding Traffic Decryption

CSE 565 Computer Security Fall 2018

Securing MQTT. #javaland

Configuring OpenVPN on pfsense

Security+ SY0-501 Study Guide Table of Contents

Designing and Managing a Windows Public Key Infrastructure

Digital Certificates Demystified

Cryptography in Lotus Notes/Domino Pragmatic Introduction for Administrators

Chapter 8 Web Security

Aventail ExtraNet Center v3.3: A Technical Architecture

Managing SSL Security in Multi-Server Environments

VMware AirWatch Integration with RSA PKI Guide

TFS WorkstationControl White Paper

VMware AirWatch Integration with SecureAuth PKI Guide

The Device Has Left the Building

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

The Identity-Based Encryption Advantage

Certificate Enrollment for the Atlas Platform

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Firepower Threat Defense Site-to-site VPNs

Configuring SSL. SSL Overview CHAPTER

Secure Agent Communications

VIRTUAL PRIVATE NETWORK

Configuring SSL. SSL Overview CHAPTER

Certificate Management

Internet security and privacy

CTS2134 Introduction to Networking. Module Network Implementation

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Slide 1. Slide 2. Slide 3. Technological Advantages of Mobile IPv6. Outline of Presentation. Earth with 2 Billion Mobile devices

One Year of SSL Internet Measurement ACSAC 2012

SSH Communications Tectia SSH

Veeam Cloud Connect. Version 8.0. Administrator Guide

April 24, 1998 Expires in six months. SMTP Service Extension for Secure SMTP over TLS. Status of this memo

Workshop on the IPv6 development in Saudi Arabia 8 February 2009; Riyadh - KSA

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Host Identity Protocol, PLA, and PSIRP

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810

Remote Desktop Services. Deployment Guide

Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Implementing Secure Socket Layer

KEY DISTRIBUTION AND USER AUTHENTICATION

Transcription:

IRP - the Identity Registration Protocol L AW R E N C E E. HUGHES CO- F O U N D E R AND C TO S I X S CAPE C O M M U N I C ATIONS, P TE. LTD. L HUGHES@SIXSC APE.COM

The IPv4 Internet is Broken By the mid-1990 s we realized that public IPv4 addresses would run out by 2000 or so, at the then current allocation rate There was no successor protocol that could be rolled out in time. As a temporary measure, we splintered the monolithic IPv4 Internet into millions of private internets hiding behind the few precious public addresses, using NAT. That gave us another 10-15 years, but those years are over now. The successor protocol (IPv6) is now mature and being deployed globally.

What are the main differences between the legacy IPv4 and new IPv6 Internets? Real address scopes (interface, link, site, global, etc) Working, scalable multicast More robust ICMP, now including IP address resolution Autonomous address generation by nodes But the two biggies are: Ample global addresses NO NAT!!!

So what cool new things can we do on our shiny new NAT-less IPv6 Internet? For the first time since the mid-1990 s any node can, in theory, connect directly to any other node in the world. We can leap past Client/Server architecture (made necessary by NAT) to Direct End2End connections! BUT we need better address resolution to make this possible. DNS is not really up to the challenge. DNS has no per-user authentication, so anyone can change registered addresses DNS takes a long time for new registrations to propagate (not good for mobile devices that may change addresses multiple times in a single day) DNS is woefully insecure, and it is very difficult to roll out DNSSEC on such a large, existing critical infrastructure (20M servers worldwide). DNS registers the address of nodes, not of people (or more precisely, the last place some person has used their IRP-aware application).

Benefits of Direct End2End Connections No need for intermediary servers - No bottlenecks, reliability or security issues at intermediary nodes Traffic is decentralized only goes over shortest path between the two communicating nodes More reliable so long as there is network connectivity between the two nodes, communication can happen Higher performance if the two nodes are in same site, bandwidth is not limited by ISP connection (could be Gigabit) Security is better harder to monitor or block traffic than in the current Client/Server model Overall system capacity much higher Apps can use Diffie-Hellman for symmetric key exchange

IRP the Next Generation Address Registry IRP allows any app to register the current IPv6 address of the loggedin user at any time It includes a user directory to provide per-user authentication, and linking the registered address to a person, not a node Connections to the IRP server can be IPv4 or IPv6, and are over explicit TLS (only one port required) Authentication to IRP server can be username/password, but it normally uses X.509 client certificate cryptographic authentication IRP includes full PKI certificate management request, download, revoke, renew certs, plus obtain other users certs, check cert validity and revocation status, get CA certs, etc. This allows hiding PKI complexity in the apps making it mostly invisible to the users. IRP is XML based for easy implementation and extensions.

IRP Security Issues Connections over IRP are secured with TLS 1.2, usually with X.509 certificate based strong client authentication. These certs can be obtained from the Domain Identity Registry (DIR) servers. Once obtained, these client certs can also be used for website cryptographic authentication, S/MIME, network access, etc. IRP provides the necessary PKI for validity and revocation checking. Like DNSSEC, all registered information is digitally signed on the server, and those signatures are delivered along with the information. Unlike DNS, the DNSSEC aspects are designed in from the start no complex transition after a massive infrastructure is in place. The key management for the DNSSEC aspects are built in.

IRP Decentralized Deployment There is one Domain Identity Registry server for each Internet domain (just like DNS). The collection of all DIR servers is a Global Identity Registry. The nodename of the DIR server for a given domain is published in DNS via SRV records no need to configure the DIR address. Any node can easily find the DIR server that issued a certificate in order to check validity and revocation status. Like DNS, this allows the service to scale to the global level potentially billions of addresses and client certificates. Current PKI can handle server certs, but the volume of client certs is orders of magnitude greater. It must be decentralized, like DNS.

IRP Submitted to IANA, Issued Port 4604 I submitted the basic specification of IRP to IANA. It was reviewed by Lars Eggert (chair of IRTF). It was determined to be viable and novel (did not duplicate any existing IETF protocols), so it was issued port 4604. I have created engineering prototypes of the Domain Identity Registry server and a first client (SixChat kind of a decentralized Whatsapp with true end2end automated security). Sixscape Communications is now productizing these and will be creating additional products that leverage IRP: Microsoft Outlook add-in to simplify S/MIME email Microsoft Office add-in for signing, encrypting and securely exchanging documents

SixChat Protocol Submitted to IANA, Issued Port 4605 The SixChat protocol allows true End2End secure communications over IPv6 no intermediary nodes required for normal use. It includes a new Peer to Peer handshake equivalent to the one in TLS using Diffie-Hellman for symmetric key exchange and client certs for mutual strong authentication (SSL/TSL is hopelessly tied to Client/Server architecture). Sixchat currently supports chat and S/MIME email, soon will support file transfer, and later voice and video. SixChat User Agents can originate and accept multiple connections. SixChat User Agents depend on IRP for address resolution and PKI.

In case you are wondering what inspired our name and logo Netscape Communications made an enormous contribution to the IPv4 Internet with the first viable web browser, first viable web server, SSL and many other innovations. Sixscape Communications intends to make the same kind of contributions to the IPv6 Internet, with the Global Identity Registry, IRP and SixChat protocols, and End2End Direct connectivity.

THANK YOU

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback