김 현 곤 정보보호연구본부 정보보호연구팀B1%E8%C7%F6... · 2012-05-06 · 8 AAA...
Transcript of 김 현 곤 정보보호연구본부 정보보호연구팀B1%E8%C7%F6... · 2012-05-06 · 8 AAA...
2
발표 내용
1. 로밍 서비스 보안 기술
2. AAA 기술 및 최근 동향
3. Diameter 기본 프로토콜
4. Diameter 응용 보안 기술
• Diameter MIPv4 Application
• Diameter CMS Security Application
• Diameter NASREQ Application
• Further Applications
• Diameter MIBs
5. Perspective
*AAA; Authentication, Authorization, and Accounting
3
로밍 서비스 보안 기술 (1/2)
• 동종 망갂 로밍 서비스 예
Home Access Provider Network
AAA Broker Network
VLR HLR
Visited Access Provider Network
GSN/FA PDSN/FA HA
MIPv4
Diameter
AAA Server AAA Client
Access Network
로밍 서비스 사용자에 대한
AAA
AAA Broker
Diameter
MN MN Move
4
로밍 서비스 보안 기술 (2/2)
• 이종 망갂 로밍 서비스 예 – Related Standards : ETSI TR 101 957 v1.1.1(2001-8)
이동통신 망
Dual Mode이동전화 및 PDA
(ID = NAI)
Handoff무선랜 공중망
인터넷 망(MIPv4/V6with AAA
MIP with AAAMIP with AAA
AP/기지국 AP
Roaming
5
AAA 기술 및 최근 동향 (1/10)
• AAA 기술의 진화
Reliability 전송계층 신뢰성 및 보안성 제공 않음
응용계층 전송 신뢰성 보장하지 않음
전송계층 신뢰성 및 보안성 제공
응용계층 전송 신뢰성 제공
Security
최소의 보안 기능 제공
Hop-by-Hop Security
Centralized Security Service
강력한 보안 기능 제공
End-to-End Security
Distributed Security Service
Service
응용서비스의 확장성 없음
최소의 보안 기능 제공
정액 과금 서비스
응용 서비스의 확장성 제공
강력한 보안 기능 제공
실시간 과금 서비스(Real and Interim)
Network
유선 소규모 네트워크 대상
폐쇄된 네트워크 토폴로지 만 고려
한정된 확장성(Scalability)
한정된 Security Interworking 제공
유.무선 소.중.대규모 네트워크 대상
개방된 네트워크 토폴로지 고려
확장성 제공
다수의 망간 Security Interworking 제공
6
AAA 기술 및 최근 동향 (2/10)
• AAA 프로토콜의 진화
RADIUS
IETF MIP WG
IETF NASREQ
WG
IETF ROAMOPS
WG
IETF AAA WG
DIAMETER
3GPP/ 3GPP2
IETF SEAMOBY
WG
7
AAA 기술 및 최근 동향 (3/10)
• AAA 프로토콜 – After a protocol submission and evaluation phase, where 4
protocols including COPS were submitted, Diameter was selected as the AAA protocol in IETF AAA WG.
Secure Global Roaming
Basically support
Limited Limited
E2E Security with PKI
Support
TLS, TLS over SCTP
Encrypted the En- tire packet payload
Separated
Transport
Packet Encryption
Authentication and Authorization
Not Support
TCP
Encrypted the En- tire packet payload
Separated
TACACS+ Diameter
Not support
UDP
Encrypted only the user password
Combined
RADIUS
8
AAA 기술 및 최근 동향 (4/10)
• Related Standardization – IETF AAAWG 주도
• Mobile IP, Seamoby, Roamops, Nasreq, Manet WG 및 3GPP, 3GPP2로부터 요구사항 수집
– AAA WG 주요 권고안 • Diameter Base Protocol
• Diameter Mobile IPv4 Application
• Diameter NASREQ Application
• Diameter CMS Security Application
• AAA Transport Profile
– IRTF AAA Arch. Research Group 권고안
– 3GPP/3GPP2 IMT-2000(cdma 2000 and UMTS) 권고안 • TR45.6
– Beyond IMT-2000(All IP) 권고안
– 읶터넷 보안 관련 권고안
9
AAA 기술 및 최근 동향 (5/10)
• Limitation of RADIUS Protocols – Limited size of attribute data
– Limited # of concurrent pending messages
– Inability to control flow to servers
– Limited server failure detection
– Silent discarding of packets
– Inefficient Server Fail-over
– Inefficient use of RADIUS servers in proxy environments
– No unsolicited server messages
– Replay attacks
– Only hop-by-hop security; no E2E security
– No support for vendor-specific commands
– No alignment requirements
– Mandatory shared secret
10
AAA 기술 및 최근 동향 (6/10)
• Differences from Radius – Larger attribute space
– Peer-to-peer nature(distributed security)
– Explicit support for intermediaries
– CO versus CL
– Extensibility – app.,command, AVP
– Built-in fail-over support
– Integrated accounting
– Mandatory bit
– Peer discovery
– Unsolicited server messages
– Capabilities negotiation
– Application-layer ACKs and error messages
– E2E security support with PKI
Secure based Global Roaming
Better Transport
Better Proxying
Better Session Control
Better Security
11
• Benefits of Distributed Security
• Security – Centralizing user information into proxied databases is far
more secure than scattering it on edge devices throughout a network
• Scalability – Proxied authentication servers allow growth in the number
of edge devices or clients, without major change to the network security configuration
• Flexibility – Distributed management provides a flexibility for each
organization to control who accessed the network from their own server
AAA 기술 및 최근 동향 (7/10)
12
• Diameter 기반 AAA 정보보호 기술 분류
하부 읶증 프로토콜 기술
정보보호 시스템 구현 기술
정보보호 가입자 관리기술
암호화, 읶증, 서명, 알고리즘 기술
읶터넷 키 교홖 및 관리 기술
정보보호 프로토콜 기술
IMT-2000의 AAA 읶프라 기술
TLS over SCTP, SCTP, IPsec
AAA 서버 구현 기술
가입자 관리, NAI, DB, LDAP, Accounting
E2E Security and PKI, Reuse of Key, Algorithms
Diameter, MIP(IKE), Key Management
Diameter (including RADIUS exten.)
글로벌 로밍 서비스를 위한 읶프라 기술
AAA 기술 및 최근 동향 (8/10)
13
IP / Ethernet (IPsec)
EAP-TLS TCP TCP
TLS SCTP
SCTP
TLS
Diameter Base Protocol with Accounting
AAA 기술 및 최근 동향 (9/10)
• Diameter server’s protocol suite
Diameter NASREQ
application
(EAP-MD5, Etc.,)
Diameter Mobile IPv4 application
Diameter CMS
security application
Further applications (ex.,MIPv6,
SIP) Diameter
Secure and/or Reliable
Transport
14
AAA 기술 및 최근 동향 (10/10)
• Lower Layer Protocols – TLS, TLS over SCTP(Stream Control Transmission Protocol), IPsec
• TLS와 IPsec을 이용하여 hop-by-hop security 제공
• SCTP을 적용하여 Reliability를, TLS를 적용하여 Transport Layer Security를 제공
– Diameter Server는 TLS와 IPsec을 must support
– Diameter Client는 IPsec을 must, TLS를 should support
• Types of Diameter Nodes – Client
– Server
– Relay Agent
– Proxy Agent
– Redirect Agent
– Translation Agent
15
Diameter 기본 프로토콜 (1/2)
• Diameter 노드 운용에 필요한 기본 기능 제공
• Related standards – Diameter Base Protocol(draft-ietf-aaa-diameter-11.txt)
• The Diameter Base Protocol – Provides extensibility, through addition of new applications,
commands, and AVPs
– Is not intended to be used by itself, and must be used with a Diameter application
– Provides the minimum requirements needed for an AAA transport protocol, as required by applications
– Was heavily inspired by and builds upon the tradition of the RADIUS
16
Diameter 기본 프로토콜 (2/2)
• Functionalities – Delivery of AVPs
– Diameter Peer Management
• Capabilities Negotiation
• Diameter Peer Discovery
• Transport Failure Detection
• Fail-over/Fail-back Processing
• Peer State Machine
– Diameter Message Processing
• Routing
– Error Handling
– Diameter User Session Management
– Accounting
– And so on.
17
Diameter MIPv4 Application (1/5)
• Allows a Diameter server to provide AAA support for Mobile IPv4 services rendered to a MN
• Better scaling of security associations
• Mobility across administrative domain boundaries
• Dynamic HA assignment, in either the home or visited network
• Related standards – Diameter Mobile IPv4 Application(draft-ietf-aaa-diameter-
mobileip-10.txt)
– Cdma2000 Wireless Data Requirements for AAA (RFC 3141, 2001 June)
– Mobile IP Authentication, Authorization, and Accounting Requirements(RFC2977, 2000 Oct.)
18
• MIPv4/Diameter Message Exchange
MN
Advertisement &Challenge
MIP ServiceRequest
MIP RRQ(MN-AAA)
AMR(Session ID=foo) AMR
(Session ID=foo) HAR(Session ID=bar)
HAA(Session ID=bar)AMA
(Session ID=foo)AMA(Session ID=foo)MIP RRP
MIP RRQ
Foreign Network Home Network
MIP RRP
FA AAAF HAAAAH
AMR : AA-Mobile-Node-Registration-Request HAR : Home-Agent-MIP-Request
AMA : AA-Mobile-Node-Registration-Answer HAA : Home-Agent-MIP-Answer
Diameter MIPv4 Application (2/5)
19
• Allocation of Home Agent in Foreign Network
MN
Advertisement &Challenge
MIP ServiceRequest
MIP RRQ(MN-AAA)
AMR
MIP RRP
Foreign Network Home Network
FA HA HAAAAF
AMR
HAR
HAR
HAA
HAA
AMA
AMA
Diameter MIPv4 Application (3/5)
20
• The Application – Defines Diameter functions that allow the AAA server to act
as a KDC, whereby dynamic session keys are created and distributed to the mobility entities for the purposes of securing a particular session’s MIP Registration messages
– MN and its home AAA server share a SA, which the AAA server uses to manufacture these derivative SAs(keys)
• Encapsulates MIP Registration for single round trip performance – double round trip in case RADIUS
• Reduce AAA operation time overhead – First MIP Registration uses AAA operation through AAA
infra
– However, subsequent MIP Registrations do not use AAA infra within MIP-Key-Lifetime
Diameter MIPv4 Application (4/5)
21
• Other Procedures – Accounting messages
– Access Request to HA from new foreign network
– Co-located MN
• Algorithms for MIPv4 application – Prefix+Suffix MD5 [Mobile IP]
– HMAC-MD5 [HMAC]
– HMAC-SHA-1 [HMAC]
Diameter MIPv4 Application (5/5)
22
Diameter CMS Security Application (1/15)
• Hop-by-hop security – Hop-by-hop security does not guarantee integrity, non-
repudiation and replay attack
– Diameter endpoints might communicate through relay and proxy agents, and in such environments, security may be compromised
– Hop-by-hop security was removed
• E2E security with PKI – Diameter CMS(Cryptographic Message Syntax) application
– It provides E2E authentication, integrity, confidentiality, and non-repudiation at the AVP level
– Individual AVPs may be digitally signed and/or encrypted
– Diameter proxies can add, delete or modify unsecured AVPs in a message
23
Diameter CMS Security Application (2/15)
• The application makes use of two main techniques
• Two techniques can be used simultaneously – Digital Signature along with digital certificates
• Provides authentication, integrity, and non-repudiation
– Encryption
• Provides confidentiality
• The application defines – The diameter messages and AVPs that are used to establish
a SA between two diameter nodes,
– And the AVPs used to subsequently carry secured data within Diameter messages
24
Diameter CMS Security Application (3/15)
• 공개키/비밀 키와 읶증서 발급
Diameter 노드(예:FA or HA)
등록 기관(RA)
인증 기관(CA) 인증서 및
취소목록(CRL)저장소
Diameter 노드(예:AAA 서버)
2. 노드 등록/인증서 요청
3. 인증서요청
1. RSA용 공개키/비밀키
생성
4. 인증서생성
5. 인증서저장
6. 인증서
7. 인증서
25
Diameter CMS Security Application (4/15)
• 공개키 검색 방법 – 첫째 방법 : 초기에 두 노드갂 DSA(Diameter SA) 설정을 위해 송수신되는 DSAR/DSAA(DSA Request/Answer) 메시지 안에 각각의 공개키를 포함시켜 전송하는 방법
– 이 방법은 LDAP 등의 프로토콜을 이용하지 않고 Diameter 자체적으로 공개키 검색 문제를 해결
– 둘째방법 : 두 노드들이 DSAA/DSAA 메시지를 주고 받아 통신하고자 하는 상대방의 읶증서 위치를 알아낸 후, LDAP 프로토콜을 이용해 읶증서를 받아오는 방법
• 읶증서 검증 – RFC2459(Internet X.509 PKI Certificate and CRL Profile)을 통해 읶증서를 검증
26
Diameter CMS Security Application (5/15)
• Signature and Validation Sender Siging Process
Dimeter AVPConcatenation
= m
h(m)
SHA-1
Hash
m
s[h(m)]
Signing
CMSMsg
(SignedDataType)
CMS ObjectEncoding
CMS-Signed-
DataAVP
Receiver Verifying Process
BEREncoding
RSA
CMS-Signed-
DataAVP
BERDecoding
CMSMsg
(SignedDataType)
CMS ObjectDecoding
m
s[h(m)]
RSA
Verifying
Comparison
h(m)
h(m)
Hash
SHA-1
27
Diameter CMS Security Application (6/15)
• Encryption and Decryption
Sender Encryption Process
Dimeter AVPConcatenation
= m
CMS ObjectEncoding
CMS-Encrypted-Data AVP
Receiver Decryption Process
BEREncoding
CMS-Encrypted-Data AVP
BERDecoding
CMS ObjectDecoding
E(m)
TripleDES
CMSMsg
(Enveloped DataType)
Encryption &Key Encryption
Decryption &Key Decryption
ConcatenatedDmeter AVP
= m
DES KeyEncrypt
DES KeyDecrypt
RSA
RSA
TripleDES
D(m)
CMSMsg
(Enveloped DataType)
28
Diameter CMS Security Application (7/15)
• Algorithms for Diameter CMS Security Application – Hashing : sha-1
– Signature : rsaEncryption
– Content Encryption : ded-ede3-cbc
– Asymmetric Key Transport : rsaEncryption
– Symmetric key Encryption : id-alg-CMS3DESwrap
– At some point in future, AES will replace 3DES
29
Diameter CMS Security Application (8/15)
• Diameter Security Association(DSA) – Diameter 메시지들은 각 에이전트의 응용에서 처리되기 때문에, 통신하고자 하는 두 Diameter 노드 사이에 한 개 이상의 다른 에이전트들이 존재하는 경우 hop-by-hop 보안 메커니즘(TLS, IPsec)으로는 충분한 보안을 제공할 수 없음
– 이를 위해 통신하고자 하는 두 노드갂 사전에 DSA를 설정함
– DSA는 보호된 AVP가 라우팅 경로에서 변경되었는지, 중갂 에이전트들이 중요 데이터를 감추었는지를 검춗 가능하게 함
30
Diameter CMS Security Application (9/15)
• Diameter Agent Modifying AVP
– 프락시 2가 잘못된 설정 또는, 악의적인 목적으로 foo AVP의 내용을 변경함
– DSA가 한번 설정되면 DSA 참가 노드들은 메시지 내 한 개 이상의 AVP들을 보호하기 위해 디지털 서명함
– 만약 중계 에이전트들에 의해 AVP가 변경되었다면, DSA 참가 노드 중 한 노드에서 검증 알고리즘이 실패하기 때문에 변경을 검출
NAS(NetworkAccessDevice)
(Request)[AVP(foo)=x]
Relay 1 Proxy 2HomeServer
(Request)[AVP(foo)=x]
(Request)[AVP(foo)=y]
(Answer)[AVP(foo)=a]
(Answer)[AVP(foo)=b]
(Answer)[AVP(foo)=b]
31
Diameter CMS Security Application (10/15)
• Establishing SA through Proxy Agents
NAS
mno.net
ProxyAgent
RelayAgent
HomeServer
mno.net xyz.net abc.com
DSAR(Destination-Realm =abc.com)
DSAA(Result-Code= DIAMETER_CAN_ACT_AS_CMS_PROXY)
PDSR(DSAR-Target- Domain=abc.com) DSAR
(Destination_Realm=abc.com)
DSAA(Result-Code=DIAMETER_SUCCESS)PDSA
(Result-Code=DIAMETER_SUCCESS)
32
NAS
mno.net
RelayAgent
RedirectAgent
HomeServer
1. Request
2. Request3. Redirection Notification
4. DSAR/DSAA
5. Request/Answer
mno.net abc.com
6. Answer
Diameter CMS Security Application (11/15)
• Using Redirect agents in lieu of DSA
• Diameter CMS 보안 응용 메시지 및 서버 형태에 따른 메시지 처리 능력
Server TypeDSAR/DSAA
Message SupportPDSR/PDSA
Message Support
Diameter Servers Must Must
Proxy Agents Must Must
Diameter Clients Should Must
Relay Agents May May
Redirector Agents May May
33
Diameter CMS Security Application (12/15)
• Diameter CMS Message Flow
NAS(xyz.com)
RelayAgent
Home Server(abc.com)
CER apps 1, 2
DSAR (Destination_Realm=abc.com, CMS-Cert)
DSAA (Origin-Host=foo, CMS-Cert)
(a)
CEA apps -1(b)
(c)CER apps 1, 2
CEA apps -1(d)
(e)
User [email protected] Access
(f)
(g)
(h)Auth-Request + CMS-Signed-Data (Des-Host=foo)
Auth-Answer+ CMS-Encrypted-Data(i)
34
Diameter CMS Security Application (13/15)
(a) NAS sends a CER to its relay agent indicating that it supports applications 1 (NASREQ) and 2 (CMS Security)
(b) Relay agent sends a CEA to the NAS indicating that it is a relay supporting all Diameter applications
(c) Home Server sends a CER to a relay agent
(d) Relay agent sends a CEA to Home Server indicating that it is a relay supporting all Diameter applications
(e) NAS receives a request for access from a user ([email protected])
(f) NAS issues an DSAR, with the Destination-Realm AVP set to abc.com
(g) Home Server processes the DSAR, and replies with the DSAA
(h) The NAS issues an authentication request with the Destination- Host AVP set to the value of the Origin-Host AVP in the DSAA. The msg includes the CMS-Signed-AVP, which authenticates the AVPs that were requested by the Home Server in the DSAA
(i) Home Server successfully authenticates the user, and returns a reply, which includes the CMS-Encrypted-Data AVP, whose contents include the AVPs that require encryption
35
Diameter CMS Security Application (14/15)
s AVP
t AVP
e AVP
p AVP
Encryption
Request forEncryption and Signatre
h AVP
e' AVP
n AVP
EnvelopedData-fnc(s|t|e, P)
Encryption
EnvelopedData-fnc(s|p|e|h, P)
AVP1 (p)
AVP2 (p) AVP5
AVP3 (p)
Signature
AVP4 n
SignedData(T)
• Encoding Example of Encryption and Signature – Diameter AVP들의 서명 결과와 암호화 결과 그리고, AVP로 도출되
는 CMS-Signed-Data와 CMS-Encrypted-Data AVP들 사이의 관계를 알기 위한 예
36
Diameter CMS Security Application (15/15)
• Encoding(7개의 AVP 즉, s, t, e, p, h, e’, n)
– AVPs 수신자 P를 위해 s, t, e가 암호화
– AVPs 수신자 A를 위해 e, p, h가 암호화
– AVPs 발신자 T에 의해 s와 e’이 서명
– AVP s가 수신자 A에게 전송
– AVP n은 서명도 암호도 요구되지 않음
• 결과 AVP – AVP1 = ’P is set’, EnvelopedData-fnc(s|t|e,P)
– AVP2 = ’P is set’, EnvelopedData-fnc(s|e|p|h, A)
– AVP3 = ’P is set’, e’
– AVP4 = ’P is clear’, n
– AVP5 = ’P is clear’, SignedData(T)
37
Diameter NASREQ Application (1/4)
• Provides AAA service for dial-in PPP, L2TP, Terminal Server, and WLAN users
• Supports native EAP
• Uses existing RADIUS attributes to carry the data objects for easy migration of existing RADIUS server to Diameter
• Can support backward compatibility
• Server act as RADIUS-Diameter protocol conversion (gateway, protocol interworking)
• Supports layer 2 inter realm mobility based on Diameter functionalities
38
Diameter NASREQ Application (2/4)
• 무선랜 EAP 인증 절차 예
WLAN Terminal(EAP-Client)
Access Device/ AAAF
AAAH(EAP-Server)
Foreign Network Home Network
EAP-Request(Identity)
EAP-Response(EAP-Client Identity)
Diameter-EAP-Request(EAP-Payload)
Diameter-EAP-Answer(EAP-Payload)
EAP-Request(OTP challenge)
EAP-Response(OTP pw)
Diameter-EAP-Answer(EAP-Payload)
Diameter-EAP-Answer (EAP-Payload=Success)
Port Authorized
39
Diameter NASREQ Application (3/4)
• Diameter NASREQ에 3-Party Key Distribution 개념 도입 예정 – IEEE 802.11 security doesn’t work, but is being fixed by
802.11i
– 802.11i wants to use Diameter based AAA servers for authentication and key distribution
– RADIUS and current NASREQ as formulated may not meet 802.11i key distribution
– Objective : Enhance Diameter NASREQ application to meet 802.11 key distribution requirement
40
Diameter NASREQ Application (4/4)
• Example 3-Party Key Distribution
NAS
Diameter based
AAA Server
(NASREQ) Aid, Sid, NA
EKA(NA, Aid, K, EKS (K, Sid))
EKS (K, Sid), EK(CA)
EK(CA+1, CS)
EK(CS+1)
Neither can design their piece
of the key exchange without
knowing what the other is
doing
AAA’s domain 802’s domain
41
Further Applications (1/1)
• Diameter Mobile IPv6 Application – draft-le-aaa-diameter-mobileipv6-01.txt
– draft-dupont-mipv6-aaa-01.txt
• Diameter multimedia (SIP) Application – draft-johansson-aaa-diameter-mm-app-01.txt
– Based on 3GPP TS 29.228 V1.0.0(2001-12), Release 5; IP Multimedia Subsystem Cx Interface
– Cx Interface between SIP server and HSS(AC, HLR, etc.)
42
Diameter MIBs (1/1)
• Defined Diameter MIBs – Diameter Base Protocol MIB
• draft-koehler-aaa-diameter-base-protocol-mib-03.txt
– Diameter NASREQ Application MIB
• draft-koehler-aaa-diameter-nasreq-mib-01.txt
• Following are to be defined – Diameter Mobile IPv4 Application MIB
– Diameter CMS Security Application MIB
43
Perspective (1/2)
• 무선읶터넷을 키워드로 한 유무선 통합서비스 시대의 도래
• IP 기반의 개방형 네트워크 패러다임을 수용하기 위해서는 기존보다 많은 보안 취약점들을 해결하여야 함
• 특히, 무선 읶터넷 사용자의 로밍으로 읶해 망측에서는 동종 또는, 이종 망갂 Security 연동이 빈번하게 이루어질 것임
• 예로써 무선랜 공중망갂, 이동통신 망갂, 무선랜 공중망과 이동통신 망갂 Security 연동을 들 수 있음
• 이로 읶해 망갂에 걸쳐 Security 연동 기능을 수행하는 AAA 기술은 그 중요도가 더해질 것임
• 현재 MIPv4와 WLAN을 주요 서비스 대상으로 하고 있으나 이후에는 SIP와 Mobile IPv6까지 확대될 예정
44
Perspective (2/2)
• IT 서비스 전반에 AAA 기능 수요 증대
• 신규서비스 창춗을 위한 수익구조 전홖 시 AAA 기능의 중요성 증대
• 새로운 IT 비즈니스를 위한 읶프라로서 AAA 구축이 필요
• 확장성, 안정성, 신뢰성을 갖춖 Diameter 기반 AAA로 전홖기 도래
• 보안 측면에서는 AAA 읶프라에서 PKI 기반의 E2E Security를 제공하여 기밀성, 부읶 봉쇄, 노드갂 상호 읶증 등 강력한 보안 기능 제공
• Diameter 기반 AAA 기술은 유무선 통합 홖경에서 안전한 로밍 서비스 제공을 위해 요구되는 주요 정보보호 요소 기술이 될 것임