Network Working Group Scott Bradner
Harvard University
Allison Mankin
USC/ISI
Jeffrey I. Schiller
Massachusetts Institute of Technology
Feb, 2001
A Framework for Purpose Built Keys (PBK)
<draft-bradner-pbk-frame-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This memo defines a framework for the consideration of a particular
class of the need to authenticate the source of a network
communication. The class consists of those cases where the actual
identity of the source is not important but the knowledge that the
source is the same one as started the communication and the assurance
that the source cannot be spoofed are important. This memo defines
the use of specially generated public/private key pairs, known as
Bradner, Mankin & Schiller [Page 1]
Purpose Built Keys Framework Feb 2001
Purpose Built Keys (PBKs), to provide this knowledge and assurance.
1.0 Introduction
There are many cases in Internet protocols where cryptographic
mechanisms can add significant security improvement. However most
such mechanisms rely on associating keys to entities, ultimately
requiring an enterprise wide or potentially globally deployed Public
Key Infrastructure (PKI).
In the absence of security mechanisms, many protocols are
continuously vulnerable to attack.
However there are many circumstances where we can improve overall
security by narrowing the window of vulnerability, so that if we
assume that some operation is performed securely, we can secure all
future transactions.
There are also cases where the actual identity of the initiator of a
network communication is not an important piece of information, yet
it is important to know that successive packets are from that same
source. One example of this is in mobile IPv6. Mobile IPv6 contains
a rebinding option that enables a mobile node to tell the other end
of a communication that the IP address for the mobile node has
changed. It is clearly important to know that any such rebinding
request actually came from the correct mobile node even if the
identity of the user of that mobile node does not need to be known.
Note that it is not that the identity of the user here is unimportant
to the network (the node user may well authenticate to a AAA server
at the start of network activity), but rather that it is unimportant
to accomplish that level of authentication for the purpose of
rebinding. Another example of this class of authentication would be
continuing a connection through local renumbering of its site.
This memo describes the use of a temporary public/private key pair
which is generated by a host for each case where the consistency of
authentication needs to be assured. For example, a new key pair
would be generated before each mobile IP session and discarded when
the session was complete.
This use of these host-generated temporary keys is confined to the
parties in a communication and does not require that the keys be
registered with or known by any third party. Thus this mechanism
does not require that any support infrastructure exist outside of the
protocol support in the corresponding hosts and can be deployed
incrementally as host support becomes available. It also scales well
Bradner, Mankin & Schiller [Page 2]
Purpose Built Keys Framework Feb 2001
since the operations are confined to the end systems involved in the
communication.
By not using registered keys, this mechanism preserves user anonymity
as long as the identity of the users are not obtained by some other
process during the communication.
This mechanism does not require the use of a reliable protocol and it
is a mechanism that fits under transports or under applications, and
differs from IPSec in that it is applied on demand by an application
or transport.
When this mechanism is used with applications it can be used in ways
similar to the use of web cookies but the use is under the control of
the node that initiates the connection rather than under the control
of the server. This mechanism gives the user control over the scope
of the use of a particular identity.
2.0 Conceptual Overview
Following is a conceptual step-by-step description of the PBK process
when operating below the transport layer.
First some definitions:
initiating node: the node initiating the conversation
receiving node: the node at the other end of the conversation
Before a initiating node initiates a connection during which it will
need to prove that it is the same node that started the connection
it creates a public/private key pair for use during the connection.
This is known as a purpose-built key (PBK) pair.
The initiating node then creates an Endpoint ID (EID) by performing a
cryptographic hash of the public part of the PBK. This EID will be
used as an identity token for the node.
The initiating node then initiates the connection. The EID is sent
along with the initial packets in the connection. In IPv6 this could
be done in an end-to-end option header, in IPv4 as a header option.
(These option ideas are for transport level use of the PBK - if the
PBK was used from within HTTP or another application, its position
would not be have to be in the IP header). The EID does not need to
appear in all of the packets; it just has to be reliably conveyed to
the receiving node.
The receiving node stores the EID and the source IP address in the
received packet in a table.
Bradner, Mankin & Schiller [Page 3]
Purpose Built Keys Framework Feb 2001
At some time in the connection before the proof of identity is
needed, the initiating node sends its public key to the receiving
node. This again could be done in IP-level options or in an
application-level exchange. The receiving node verifies that the
received public key hashes to the previously provided EID.
When the initiating node wants to perform some operation, such as a
mobile IPv6 address rebinding, it sends the operation request along
with the EID. The message is signed using the private part of the
PBK. If replay protection is necessary, a nonce value (a
monotonically increasing value) or timestamp may be included with the
operation request.
When the receiving node gets such an operation request, it fetches
the previously sent public key from session state. This key is then
used to verify the digital signature on the operation request. If the
protocol calls for a nonce value, it verifies that the nonce value is
larger then any previously received nonce. The protocol may use a
timestamp, in which case the receiving node determines if the
timestamp is timely for the operation request.
The PBKs would normally be discarded at the end of the communication
but in those cases where a continuity of identity is needed over
multiple sessions the PBKs could be retained until the requirement
was over.
3.0 Notes on the design
The hash of the public key is used as the EID so that the
relationship between an offered EID and public key can be
established. If a receiving node is in possession of the private key
and the hash of the corresponding public key matches an offered EID,
it can be sure that it has the correct EID for that public key.
Retransmission algorithms, where they are needed, must be conformant
with RFC 2914 [RFC2914].
In the cases where commands could be issued by both ends of a
communication, as would be the case in mobile IPv6 if both ends were
mobile, separate PBKs would be created by each end and the mechanism
would be run independently by each end.
3.0 Security Considerations
This whole document is about how to perform authenticated operations
in an environment where there is no security infrastructure and one
where network addresses might change during the communication.
Bradner, Mankin & Schiller [Page 4]
Purpose Built Keys Framework Feb 2001
In the absence of infrastructure, it is not always possible to
authenticate one party to another. In the absence of any
cryptographic security mechanism, internet transactions are
continuously at risk of compromise. With PBKs it is possible to
leverage an initial "leap of faith" so that presuming an initial
transaction has not been tampered with (say the exchange of EID's at
the beginning of an association between two parties), future
transactions can be secured.
6.0 Author's Addresses
Scott Bradner
Harvard University
Cambridge MA 02138
Phone +1 617 495 3864
email sob@harvard.edu
Allison Mankin
University of Southern California, Information Sciences Institute
4350 N. Fairfax Drive, Suite 620
Arlington, VA 22203
Phone: +1 703 812 3706
email: mankin@isi.edu
Jeffrey I. Schiller
Massachusetts Institute of Technology
MIT Room W92-190
77 Massachusetts Avenue
Cambridge, MA 02139-4307
Phone: +1 617 253 0161
email: jis@mit.edu
Bradner, Mankin & Schiller [Page 5]
Purpose Built Keys Framework Feb 2001
Appendix A - Mobile IPv6 Example
Let's start by discussing briefly how Mobile IPv6 works. Note: This
is not intended to be a comprehensive description of the protocol,
and important details are left out for brevity. Full information can
be obtained from [MobileIPv6].
In a Mobile IPv6 world, a node may move from location to location. As
it does, the best IP address to reach it may change, as IP addresses
are integral to the operation of routing. As a node changes its
topological location on the Internet, it needs to be reached at a
different IP address.
Yet, TCP and other transport protocols expect an IP address to remain
stable for the duration of a session. Mobile IP deals with this by
having a router close to a node's "home" address be in a position to
intercept and forward any traffic for the mobile node to the IP
address that it is currently reachable at. A mobile node's normal IP
address is called its "home" address and the IP address where it is
currently reachable is its "in care of" address.
When a mobile IP node sends a packet, it labels its return address
with that of its normal home address (via the Home Address Option),
knowing that the home router, called the "home agent" will forward
packets to it at its current "in care of" address. However this
results in a routing triangle with the home agent as the third
vertex. This is obviously inefficient from a router perspective, and
if the difference, topologically, between a node's home address and
current care of address is large, it can be very inefficient.
To deal with this, mobile IPv6 introduces the notion of a "Binding
Update" (BU) message. This message informs the mobile node's
correspondent that it is now really located at a different IP
address, the "in care of" address, and that packets destined for it
should be instead routed to the care of address. This eliminates the
triangle, resulting in efficient routing.
However it introduces a security problem. An attacker can source a
bogus BU message to cause a sender to route traffic for a particular
recipient via the attacker's infrastructure. This can be used for
denial of service (the attacker discards packets). Or it can be used
to eavesdrop on traffic (the attacker peruses the packets and then
forwards them on to their intended recipient).
This attack can be thwarted by using PBK. Specifically when a session
is initiated, the mobile node provides its EID in the first several
packets of the session. This can be done via an IPv6 option header.
This EID is noted and stored by the mobile node's correspondent. Now
Bradner, Mankin & Schiller [Page 6]
Purpose Built Keys Framework Feb 2001
when the mobile node moves, it can provide its public key and send a
BU signed with the corresponding private key. Note: Doing this will
require changes to the BU message as currently defined in
[MobileIPv6].
The correspondent can verify that the EID and public key go together
by hashing the public key and verifying that the resultant hash
matches the EID. It can then verify the signature on the BU using the
public key.
Once a destination learns a mobile node's (or any node for that
matter) EID, it is impossible for a third party attacker to forge
signed messages. If correspondents refused unsigned BUs, then it is
not possible to divert traffic.
Bradner, Mankin & Schiller [Page 7]
Purpose Built Keys Framework Feb 2001
References
[RFC2914] Floyd, S., "Congestion Control Principles", RFC 2914,
September 2000.
[MobileIPv6] Johson, David B., and Charles Perkins, "Mobility Support
in IPv6", draft-ietf-mobileip-ipv6-13.txt, November 2000.
Moskowitz, R., "Host Identity Payload Architecture", "Host Identity
Payload Protocol", http://homebase.htt-consult.com/~hip, 2001.
Full Copyright statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on An
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF INFORMATION HEREIN
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Bradner, Mankin & Schiller [Page 8]