[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00                                                            
6lo                                                          B. Sarikaya
Internet-Draft                                                Huawei USA
Intended status: Standards Track                            June 3, 2013
Expires: December 5, 2013

     Secure Bootstrapping Solution for Resource-Constrained Devices


   We present a solution to initially configure the network of resource
   constrained nodes securely, a.k.a., secure bootstrapping.  The
   solution is based on EAP-TLS authentication with the use of raw
   public keys as certificates.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 5, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Sarikaya                Expires December 5, 2013                [Page 1]

Internet-Draft           Bootstrapping Solution                June 2013

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Secure Bootstrapping Architecture  . . . . . . . . . . . . . .  3
   3.  Secure Bootstrapping Solution using Raw Public Keys  . . . . .  4
   4.  Transporting EAP Messages  . . . . . . . . . . . . . . . . . .  6
   5.  Future Work  . . . . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . .  9
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     10.1.  Normative References  . . . . . . . . . . . . . . . . . .  9
     10.2.  Informative References  . . . . . . . . . . . . . . . . . 10
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12

Sarikaya                Expires December 5, 2013                [Page 2]

Internet-Draft           Bootstrapping Solution                June 2013

1.  Introduction

   Bootstrapping is any processing required before the network can
   operate.  The bootstrapping problem is not specific to any MAC or
   PHY.  This problem exists across any two nodes which have no previous
   knowledge of each other.  In particular, this problem is complicated
   when the nodes are resource-constrained and may not have an advanced
   user interface.

   Bootstrapping needs to be secure to make sure that the network
   operation is secure and hence secure bootstrapping ensures that only
   the authorized nodes can get access to the network.  Because of this
   secure bootstrapping needs to preceed IP address configuration.

   [I-D.jennings-core-transitive-trust-enrollment] defines a protocol
   that enables sensors to securely connect into a system that uses
   them.  The protocol which is being defined is based on the Device
   using HTTP or COAP [I-D.ietf-core-coap] to communicate with the
   Controller.  This seems to assume that the device is already
   configured with an IP address.  Such an assumption violates the
   assumption we have in this document on secure bootstrapping.

   Transport Layer Security (TLS) is commonly used protocol to secure
   web browsing, emailing, or other client-server applications.  In TLS,
   the client and the server present their certificates and authenticate
   each other.  Recently, raw public key extension is defined to be used
   as certificates [I-D.ietf-tls-oob-pubkey].  In this document we use
   the raw public keys in EAP-TLS.

   The document continues in Section 2 on bootstrapping architecture, in
   Section 3 on secure bootstrapping solution, in Section 4 on
   transporting EAP messages, in Section 5 on future work.

2.  Secure Bootstrapping Architecture

   Security bootstrapping architecture is structured in a hierarchy of
   nodes going from the least resource constraint to the most resource
   constraint.  At the top there is a root node.  The root node is
   called Coordinator or Trust Center in Zigbee and 6LowPAN Border
   Router (6LBR) in 6LoWPAN ND.

   At the next level there are interior Routers.  Routers are able to
   run a routing protocol between other routers and the root.  Routers
   are called 6LowPAN Routers (6BR) in 6LoWPAN ND.

   At the lowest level there are the nodes.  The nodes do not run a
   routing protocol.  They can connect to the nearest router over a

Sarikaya                Expires December 5, 2013                [Page 3]

Internet-Draft           Bootstrapping Solution                June 2013

   single radio link.  The nodes are called End Devices in Zigbee and
   hosts in 6LoWPAN ND.

   Routers first join the network as a node and go through security
   bootstrapping operations in order to create a Master Session Key
   (MSK).  Next, routers execute routing protocol, e.g.  [RFC6550]
   specific steps to create session keys with their neighbors and to
   establish upstream and downstream next hop parents.

   At each node hierarachy level described above, there are lower-layer
   and higher-layer protocols to bootstrap their ciphering keys, where
   the lower-layer refers to layers below IP layer including IEEE
   802.15.4 MAC layer and LoWPAN adaptation layer and the higher-layer
   refers to IP layer and the above.  In general, required bootstrapping
   procedures depend on the bootstrapping protocols to use.  Section
   Section 3 describes the bootstrapping procedures where EAP
   (Extensible Authentication Protocol) [RFC3748] and other protocols
   are used as the bootstrapping protocols.

3.  Secure Bootstrapping Solution using Raw Public Keys

   When a new resource-constrained device is deployed, it configures its
   global unique IPv6 address first.  This is done by 6LoWPAN Neighbor
   Discovery (6LoWPAN-ND)'s Router Solicitation/Router Advertisement
   message exchange [RFC6775].  The newly generated IPv6 address can not
   be used until the joining device is authenticated and securely joins
   the network.  After the authentication, the joining device receives
   the current group key of the network, so that the IPv6 registration
   and further communication can be protected by the link layer
   ciphering e.g. 802.15.4, then it can start using its global unique
   IPv6 address for communication.

   For authentication, Extensible Authentication Protocol (EAP) MUST be
   used.  EAP authentication framework is explained in [RFC5247].

   The EAP method EAP-TLS [RFC5216] can be used for the resource-
   constrained device authentication.  Instead of X.509 certificates,
   raw public key of the device MUST be used.  EAP-TLS is executed
   between the joining device and the AAA server which acts as the
   Authentication Server (AS).  After a successful authentication, the
   device and the AAA server establish a Master Session Key (MSK), and
   then the AAA server exports the MSK to the authenticator.  Upon
   receipt of the MSK, the authenticator distributes the group key to
   the joining device within the authentication success message.  The
   group key is encrypted by a Key Encryption Key derived from the MSK.

   The resource-constrained device initiates the EAP authentication

Sarikaya                Expires December 5, 2013                [Page 4]

Internet-Draft           Bootstrapping Solution                June 2013

   process by sending a message of initiation to the authenticator, i.e.
   the root node or 6LBR.  The root node requests the identity from the
   device by sending an EAP-Request/Identity packet.  The device replies
   with an EAP-Response/Identity containing the device's ID.  The
   identity information includes the device's network access ID (NAI).
   When the root node receives NAI of the device, it sends the identity
   information to the AS.

   The AS starts the EAP-TLS authentication process by sending a EAP-
   TLS/Start packet which is an EAP-Request packet with EAP-Type=EAP-TLS
   to the device.  The device generates a client random number and
   responds with an EAP-Response/TLS-Client-Hello message which contains
   the TLS version, a client random number, a set of cipher suites.
   Only one cipher suite MUST be offered in Client-Hello message with
   RC4-SHA1.  EAP-Response packet MUST have the EAP-Type value set at
   EAP-TLS Figure 1.

   The device MUST add an extension of type client certificate type and
   server certificate type defined in [I-D.ietf-tls-oob-pubkey] to
   Client-Hello message.  Both of these types MUST be set to

   Upon receipt of Client Hello, if the AS supports raw public key
   extension, it generates a server random number, a new session ID,
   server certificate type set to RawPublicKey and includes only the
   SubjectPublicKeyInfo part of the certificate with its raw public key,
   rather than the whole certificate in the Certificate message and then
   sends them to the device with an EAP-Request/TLS-Server-Hello
   message.  Server-Key-Exchange message contains a temporary key for
   the client to encrypt Client Key Exchange message.  For the device,
   the server adds certificate request message to ask for the device's
   RawPublicKey using client certificate type message.

   Device receives AS's RawPublicKey.  Device SHOULD verify the key
   using out of band mechanisms.  Device sends Client Certificate
   message containing the device's RawPublicKey.  With the client and
   server random number, the device generates a pre_master_secret, then
   sends it in Client-Key-Exchange field of EAP-Response/
   TLS-Client-Finished message to the AS encrypting pre_master_secret
   with the temporary key in Server-Key-Exchange message.  Device
   includes Change Cypher Spec message to indicate that all messages
   that follow Client Finished message will be encrypted.

   The AS derives the Master Session Key (MSK) and replies with EAP-
   Request/TLS-Server-Finished message.  In this message, the server
   includes Change Cypher Spec message to indicate that the server will
   beging encrypting messages with the keys negotiated.  The device also
   derives the MSK after receiving the Server Finished and acknowledges

Sarikaya                Expires December 5, 2013                [Page 5]

Internet-Draft           Bootstrapping Solution                June 2013

   with EAP-Response/EAP-TLS message.

   The AS then exports the MSK to the authenticator in RADIUS Access-
   Accept message, the authenticator subsequently sends the EAP-Success
   message to the device.  The AS MUST send the group key in this
   message and the EAP-TLS ends.

     Device             Authenticator       Authentication
      |                                          Server
      Device connects to      |                       |
      Network                 |                       |
      |client certificate type|                       |
      |server certificate type|                       |
      |<-TLS Server Hello-----|<----EAP-Request-------|
      |                       |server certificate type|
      |                       | Server Certificate    |
      |                       |client certificate type|
      |                       | Certificate Request   |
      |                       | Server Key Exchange   |
      |                       | Server Hello Done     |
      |Client Key Exchange    |                       |
      |Change Cipher Spec     |                       |
      |Client Finished        |                       |
      |<TLS Change Cipher Spec|<----EAP-Request-------|
      |                       | Server Finished       |
      |TLS null-------------->|----EAP-Response------>|
      |      EAP-Success      |<----EAP-Success-------|
      |Authentication finished|                       |

                    Figure 1: Authentication Call Flow

4.  Transporting EAP Messages

   EAP can be transported between the device and the authenticator
   either in Layer 3 using PANA [RFC5191] or in Layer 2 using IEEE
   802.1X [802.1x].

   EAP is transported using RADIUS [RFC2865] between the authenticator
   and authentication server.

   When a device is not a direct neighbor of the authenticator, its
   parent node MUST act as relay.  Different EAP encapsulation protocols

Sarikaya                Expires December 5, 2013                [Page 6]

Internet-Draft           Bootstrapping Solution                June 2013

   have different mechanisms for the relay function, such as the PANA
   Relay Element (PRE).

   After the keys are established from a successful EAP method (such as
   EAP-TLS), the device runs neighbor discovery protocol to get an IPv6
   address assigned [RFC6775].  Data transfer can be secured using DTLS
   or IPSec.  Keys derived from EAP TLS are used in either generating
   DTLS ciphering keys after a successful DTLS handshake or IPSec ESP
   ciphering keys after a successful IKEv2 handshake.

5.  Future Work

   The nodes in a constrained network called devices have wide range of
   capabilities and are used in diverse number of applications.
   Different secure bootstrapping solutions may apply to different
   applications and different types of nodes.  In all cases, it is
   assumed in this document that the devices are IPv6 enabled.

   The solution described in Section 3 has the most stringent
   requirements on the devices and therefore is not suitable on less
   constrained nodes.  It seems that the devices used in smart metering
   may have enough resources to run the bootstrapping protocol and they
   do not suffer from power constraints compared with most other devices
   such as light switches.

   One possible optimization in Figure 1 applies to the case where the
   device does not have a RawPublicKey.  In this case the device sends
   only server_certificate_type set to RawPublicKey in Client-Hello
   message.  In response, AS sends its RawPublicKey in Server Hello
   message.  As a result the messages are much simpler than in Figure 1.

   Further optimizations to the EAP-TLS call flow in Figure 1 are TBD.

   Simpler devices such as light switches, environmental sensors, etc.
   may have much less resources, much less constrained IPv6 stack and
   they may not stay on for long periods of times required from the
   execution of the secure bootstrapping protocol.

   Identification of a set of applications with similar device
   capabilities is TBD.

   Modification of the protocol defined in Section 3 to define a secure
   bootstrapping protocol for each set is TBD.

Sarikaya                Expires December 5, 2013                [Page 7]

Internet-Draft           Bootstrapping Solution                June 2013

6.  Security Considerations

   When security bootstrapping resource constraint nodes is undertaken,
   several attacks are possible and security bootstrapping methods
   described in this document do not protect the nodes against such
   attacks.  These attacks are similar to the ones described in
   [RFC3971] and mainly stem from unsecured link layer.  Link layer must
   be secured on each node before the node can begin security

   If a bootstrapping protocol does not rely on a pre-shared key for
   peer authentication, it must rely on an online or offline third-party
   (e.g., an authentication server, a key distribution center in
   Kerberos, a certification authority in PKI, a private key generator
   in ID-based cryptography and so on) to prevent man-in-the-middle
   attacks during peer authentication.  Depending on use cases, a
   resource-constrained device may not always have access to an online
   third-party for peer authentication.

   Depending on use cases, a bootstrapping protocol may deal with
   authorization separately from authentication in terms of timing and
   signaling path.  For example, two resource-constrained devices A and
   B may perform mutual authentication using authentication credentials
   provided by an offline third-party X whereas resource-constrained
   device A obtains authorization for running a particular application
   with resource-constrained device B from an online third-party Y
   before or after the authentication.  In some use cases,
   authentication and authorization are tightly coupled, e.g.,
   successful authentication also means successful authorization.  A
   bootstrapping protocol supports various types of authentication and
   authorization or different bootstrapping protocols may be used for
   different types of authentication and authorization.

   If authorization information includes cryptographic keys, a special
   care must be taken for dealing with the keys, e.g., guidelines for
   AAA-based key management are described in [RFC4962].  A
   recommissioning use case may require revocation and re-installation
   of authentication credentials (i.e., a certificate or a shared secret
   and identity information, etc.) to a large number of resource-
   constrained devices that are already deployed.  Re-installation of
   authentication credentials must be as secure as the initial
   installation regardless of whether the re-installation is done
   manually or automatically.

   If resource-constrained devices use a multicast group key for peer
   authentication or message authentication or encryption, the group key
   must be securely distributed to the current members of the group for
   both initial key distribution and key update.  Protocols designed for

Sarikaya                Expires December 5, 2013                [Page 8]

Internet-Draft           Bootstrapping Solution                June 2013

   group key management such as GSAKMP [RFC4535], GDOI [RFC3547] and
   MIKEY [RFC3830] may be used for group key distribution.
   Alternatively, key wrap attributes for securely encapsulating group
   key may be defined in network access authentication protocols such as
   PANA [RFC5191] and EAP-TTLSv0 [RFC5281].  Those protocols use an end-
   to-end, point-to-point communication channel with a pair-wise
   security association between a key distribution center and each key
   recipient.  Further considerations may be needed for more efficient
   group key management to support a large number of resource-
   constrained devices.

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Contributors


9.  Acknowledgements


10.  References

10.1.  Normative References

              IEEE Std 802.15.4-2006, "Wireless Medium Access Control
              (MAC) and Physical Layer (PHY) Specifications for Low Rate
              Wireless Personal Area Networks (WPANs)", September 2006.

              Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and
              T. Kivinen, "Out-of-Band Public Key Validation for
              Transport Layer Security (TLS)",
              draft-ietf-tls-oob-pubkey-07 (work in progress),
              February 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",

Sarikaya                Expires December 5, 2013                [Page 9]

Internet-Draft           Bootstrapping Solution                June 2013

              RFC 2865, June 2000.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.

   [RFC4919]  Kushalnagar, N., Montenegro, G., and C. Schumacher, "IPv6
              over Low-Power Wireless Personal Area Networks (6LoWPANs):
              Overview, Assumptions, Problem Statement, and Goals",
              RFC 4919, August 2007.

   [RFC5191]  Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
              Yegin, "Protocol for Carrying Authentication for Network
              Access (PANA)", RFC 5191, May 2008.

   [RFC5216]  Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
              Authentication Protocol", RFC 5216, March 2008.

   [RFC5548]  Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
              "Routing Requirements for Urban Low-Power and Lossy
              Networks", RFC 5548, May 2009.

   [RFC5673]  Pister, K., Thubert, P., Dwars, S., and T. Phinney,
              "Industrial Routing Requirements in Low-Power and Lossy
              Networks", RFC 5673, October 2009.

10.2.  Informative References

   [802.1x]   IEEE Std 802.1X-2010, "IEEE 802.1X Port-Based Network
              Access Control", February 2010.

   [C1222]    American National Standard, "Protocol Specification For
              Interfacing to Data Communication Networks", ANSI C12.22-
              2008, 2008.

              Shelby, Z., Hartke, K., and C. Bormann, "Constrained
              Application Protocol (CoAP)", draft-ietf-core-coap-17
              (work in progress), May 2013.

              Jennings, C., "Transitive Trust Enrollment for Constrained
              draft-jennings-core-transitive-trust-enrollment-01 (work
              in progress), October 2012.

              The Smart Grid Interoperability Panel -  Cyber Security

Sarikaya                Expires December 5, 2013               [Page 10]

Internet-Draft           Bootstrapping Solution                June 2013

              Working Group, "Guidelines for Smart Grid Cyber Security:
              Vol. 1,  Smart Grid Cyber Security Strategy, Architecture,
              and High-Level Requirements", NISTIR 7628, vol. 1, 2010.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
              Neighbor Discovery (SEND)", RFC 3971, March 2005.

   [RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)",
              RFC 3972, March 2005.

   [RFC4279]  Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
              for Transport Layer Security (TLS)", RFC 4279,
              December 2005.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4423]  Moskowitz, R. and P. Nikander, "Host Identity Protocol
              (HIP) Architecture", RFC 4423, May 2006.

   [RFC4535]  Harney, H., Meth, U., Colegrove, A., and G. Gross,
              "GSAKMP: Group Secure Association Key Management
              Protocol", RFC 4535, June 2006.

   [RFC4962]  Housley, R. and B. Aboba, "Guidance for Authentication,
              Authorization, and Accounting (AAA) Key Management",
              BCP 132, RFC 4962, July 2007.

   [RFC5204]  Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
              Rendezvous Extension", RFC 5204, April 2008.

   [RFC5247]  Aboba, B., Simon, D., and P. Eronen, "Extensible
              Authentication Protocol (EAP) Key Management Framework",
              RFC 5247, August 2008.

   [RFC5281]  Funk, P. and S. Blake-Wilson, "Extensible Authentication
              Protocol Tunneled Transport Layer Security Authenticated
              Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.

   [RFC5295]  Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
              "Specification for the Derivation of Root Keys from an

Sarikaya                Expires December 5, 2013               [Page 11]

Internet-Draft           Bootstrapping Solution                June 2013

              Extended Master Session Key (EMSK)", RFC 5295,
              August 2008.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [RFC6550]  Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R.,
              Levis, P., Pister, K., Struik, R., Vasseur, JP., and R.
              Alexander, "RPL: IPv6 Routing Protocol for Low-Power and
              Lossy Networks", RFC 6550, March 2012.

   [RFC6775]  Shelby, Z., Chakrabarti, S., Nordmark, E., and C. Bormann,
              "Neighbor Discovery Optimization for IPv6 over Low-Power
              Wireless Personal Area Networks (6LoWPANs)", RFC 6775,
              November 2012.

   [ROMER04]  Romer, K. and F. Mattern, "The design space of wireless
              sensor networks", IEEE Wireless Communications, vol. 11,
              no. 6, pp. 54-61, December 2004.

   [SE2.0]    ZigBee Alliance, "Smart Energy Profile 2.0 Technical
              Requirements Document", April 2010.

Author's Address

   Behcet Sarikaya
   Huawei USA
   5340 Legacy Dr.
   Plano, TX  75024

   Email: sarikaya@ieee.org

Sarikaya                Expires December 5, 2013               [Page 12]