Network Working Group Shuyi Chen Internet-Draft ZTE Corporation Intended status: Informational Yuting Liu Expires: April 18, 2011 Xiaofeng Qiu Cheng Cheng Chunhong Zhang MINE lab,Beijing University of Posts and Telecommunication October 15, 2010 X.509 Extension with Security Information draft-chen-pkix-securityinfo-00 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 18, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Chen, et al. Expires April 18, 2011 [Page 1] Internet-Draft X.509extension with Security Information October 2010 Abstract This document defines an X.509v3 certificate extension. It binds a list of security information to the subject of a certificate, which may be used to cognize the security posture of the subject. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Conventions used in this documents . . . . . . . . . . . . 3 2. X.509 Extension with security information . . . . . . . . . . . 3 2.1 OID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 Criticality . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3 X.509 Security Information extension Syntax . . . . . . . . 5 2.4 X.509 Security Information extension semantics . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 9 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 9 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1 Normative References . . . . . . . . . . . . . . . . . . . 9 5.2 Informative References . . . . . . . . . . . . . . . . . . 10 Appendix - ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 10 Authors' Address . . . . . . . . . . . . . . . . . . . . . . . . 12 Chen, et al. Expires April 18, 2011 [Page 2] Internet-Draft X.509extension with Security Information October 2010 1. Introduction This document describes an X.509v3 certificate extension that states the safety status of the certificate subject. This certificate extension binds security information to the subject. Through this extend certificate, the subject's safety status can be obtained by the authentication entity when identity authenticating, thus to be aware of security attributes of the subject. If one entity with extend certificate with security information wants to join a certain network, network manager can evaluate entity's safety status according to its assessment standards, then make certain strategies, such as partition security level or security domain, to guarantee network safety; if the entity wants to communicate with another, it can also implements security strategy to ensure a safe between transactions, such as resource access control. The issuer of the certificate is a trusted entity (or a trusted third party) that can identify and verify one subject's security information.Generically, security information is obtained through remote scanning measures. If can't, it is gained through local scanning by entity itself. Security threats and security protection software installed in the entity reflect the safety status of the subject directly and indirectly. When a X.509 certificate contains an extension with security information, the extension MUST be critical, and MUST contain either a NULL to indicate that no security information is provided or explicit security information to indicate that the security information is provided. 1.1 Conventions used in this documents The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. X.509 Extension with security information Conventional security mechanisms, such as security domain and boundary protection system, didn't take underlay safety status of the entity into consideration, which limit their range of applicability. Especially for distributed network, security protection of the nodes on underlay will influence the security degree of distributed network. Thus nodes with weak protection in underlay will greatly deteriorate security of the distributed network. Chen, et al. Expires April 18, 2011 [Page 3] Internet-Draft X.509extension with Security Information October 2010 This certificate extension keeps underlay security information of the subject, and provides a basis for security strategy formulation. Based on X.509 extension certificate with security information, one entity or node can cognize another's security posture, then adjusts strategy to avoid attacks from malicious entities. The issuer of the certificate is a trusted entity (or a trusted third party) that can identify and verify one subject's security information. Usually, security information is obtained by a trusted third party through remote scanning. Specially, if it is unable to get information through this method, it can be obtained through local scanning by the entity itself. In general, security information is reflected in two ways. On one hand, security protection software such as Antivirus, Firewall and Operating System (OS) installed in the user reflect safety condition of the subject directly or indirectly. On the other hand, security threats such as malicious plug-ins exists in the user can also represent security status of one subject. The more threats exist, the more unsafe the entity is. Other retrievable information that can make sense for security properties of subjects can also be added according to certain needs. Parameters of security protection software SHOULD be as specific as possible. But for private information, such as operating system software parameters, it SHOULD be abstracted as a security score, ranges in [0, 99]. The traditional X.509 certificate (without security information) has a validity period indicating the time interval during which the CA warrants that it will maintain information about the status of the certificate. Normally, it updates when the validity period is due or the key pair is no longer safe. But for certificate with extend security information, security information changes frequently. In order to ensure the accuracy of the security information in the certificate, security information MUST contain a validity period, while month or week is the unit. When this validity period is due, the certificate SHOULD be renewed. For security information updates per month/week, it increases the whole certificate update frequency. Higher update frequency increases costs. Therefore, when certificate update is caused by security information, certificate update process SHOULD be simplified. Only update the security information of one subject without changing any other personal information that should be authenticated in certificate generation. Thus, certificate update only need to reload security information, thus there is no need of original complicated Chen, et al. Expires April 18, 2011 [Page 4] Internet-Draft X.509extension with Security Information October 2010 examination process about subject personal information which is related to its identity. An example of one use of the extend X.509 certificate with security information is a user using it to control the access of other users. Suppose both user A and B contain X.509 certificate with security information. If user A has some certain resources, and only permits access for those whose Operating System score is equal to or greater than 85. User B wants to access this resource. User A can obtain security information of user B through B's X.509 extension certificate, and determine whether it is qualified. If proved, user B can get access to the resources, else user A SHOULD refuse its access request. X.509 extension with security information formats are as follows. 2.1 OID The OID for this extension is id-pe-securityInfo. id-pe-securityInfo OBJECT IDENTIFIER ::= { id-pe 25 } where [RFC5280] defines: id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) } id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } 2.2 Criticality This extension SHOULD be CRITICAL. The intended use of this extension is to indicate safety status of the identified subject. The issuer uses extended certificate to convey the notion that a relying party MUST understand the semantics of the extension to make use of the certificate for the purpose it was issued. Newly created applications that use certificates containing this extension are expected to recognize the extension. 2.3 X.509 Security Information extension Syntax The syntax for the X.509 extension is: SecurityInfo ::= CHOICE { none NULL, --No security info provided secInfo SecurityInformation --Explicit security info } Chen, et al. Expires April 18, 2011 [Page 5] Internet-Draft X.509extension with Security Information October 2010 SecurityInformation ::= SEQUENCE { secValidityPeriod ValidityPeriod, infoTime GeneralizedTime, secData SecurityData } ValidityPeriod ::= SEQUENCE { notBefore GeneralizedTime, notAfter GeneralizedTime } SecurityData ::= SEQUENCE { antivirus (0) AntivirusData OPTIONAL, firewall (1) FirewallData OPTIONAL, operatingSystem (2) OSData OPTIONAL, vulnerabilityDatabase (3) VDData OPTIONAL, maliciousPlug-in (4) MPIData OPTIONAL, otherSecData (5...MAX) ANY defined security data OPTIONAL } AntivirusData ::= SEQUENCE { antivirusBase BasicInfo, otherAntivirusData ANY defined AntivirusData OPTIONAL } FirewallData ::= SEQUENCE { firewallBase BasicInfo, supFTPFileFilter BOOLEAN, supAntivirus BOOLEAN, supConFilter BOOLEAN, defDOS BOOLEAN, rtInRes BOOLEAN, autoLogScan BOOLEAN, otherFirewallData ANY defined FirewallData OPTIONAL } BasicInfo ::= SEQUENCE { version IA5String, manufacturer IA5String, renewal BOOLEAN } OSData ::= INTERGER VDData ::= BOOLEAN MPIData ::= SEQUENCE { malPlugIn ANY defined malicious Plug-In } Chen, et al. Expires April 18, 2011 [Page 6] Internet-Draft X.509extension with Security Information October 2010 2.4 X.509 Security Information extension semantics SecurityInfo is a CHOICE; it is represented either by NULL or SecurityInformation. If the issuer selects NULL, it indicates that no SecurityInfo is provided. If the issuer selects SecurityInfomation, it is explicitly stating that a SecurityInfo is provided, and type SecurityInformation MUST provide details about that SecurityInfo. SecurityInfomation is a SEQUENCE consisting of three elements: secValidityPeriod, infoTime and secData. It contains all security information of one subject. SecValidityPeriod is provided using the ValidityPeriod type. ValidityPeriod is a SEQUENCE of two GeneralizedTime values. The first (notBefore) GeneralizedTime value MUST indicate the date and time that the security information becomes valid, and the second(notAfter) GeneralizedTime value MUST indicate the date and time that the security information expires. The period of validity is in months or weeks. InfoTime is a GeneralizedTime. It is recorded when the security information is obtained by the issuer. InfoTime type indicates when the security information is obtained exactly. SecData is provided using the SecurityData type. SecurityData is a SEQUENCE containing security protection software and security threats. Software including antivirus, firewall and operating system are optional. Security threats MAY be reflected by vulnerabilityDatabase and maliciousPlug-in. Other software that is verified being installed in the user can also be added into this sequence. If any of software or threat elements exists in one user, its corresponding data type will be selected, then the data type in SecurityData MUST provide details of the element. If other unmentioned security data is included in the user, one can only use it after type definition. Antivirus is provided using the AntivirusData type. AntivirusData MUST contain information about the antivirusBase and MAY contain other antivirus Data that are defined afterwards. AntivirusBase information is provided by BasicInfo type. This sequence records antivirus information, which indicates its antiviral capacity to some extent. Firewall is provided using the FirewallData type. FirewallData is a SEQUENCE, it MUST contain firewallBase information and six boolean values, and MAY contain other Firewall Data. Element firewallBase is also provided using BasicInfo type. Chen, et al. Expires April 18, 2011 [Page 7] Internet-Draft X.509extension with Security Information October 2010 Element supFTPFileFilter is Boolean. Value one indicates this firewall support FTP (File Transfer Protocol) file filter, and allows FTP to prevent certain types of documents through this firewall; value zero is just the opposite. Element supAntivirus is Boolean. Value one indicates this firewall support antivirus function, such as scanning the attachments of the DOC and ZIP files in E-mails to find dangerous information it may contain; value zero is just the opposite. Element supConFilter is Boolean. If value of this element is one, it means this firewall support content filter, and MAY control the information flow according to the filter criteria. Filter content mainly refers to the URL, HTTP information--the Subject, To, From domain in Java Applet, JavaScript, ActiveX and e-mail. Value zero indicates the opposite. Element defDOS is Boolean. Value one indicates this firewall can prevent or reduce the DOS (Denial of Service) attacks to a certain extent, while value zero is the opposite. Element rtInRes is Boolean. It indicates whether this firewall can provide real-time intrusion prevention function. If value of this element is one, this firewall can adjust the dynamic response when invasion happens, and block malicious message. If value is zero, it indicates this firewall don't support this function. Element autoLogScan is Boolean which indicates whether the firewall has automatic analysis and scan log function. If value is one, autoLogScan can obtain detailed log statistical results through scanning. Value zero indicates the opposite. OtherFirewallData MAY also be added to the sequence, and can be used after definition. BasicInfo is a SEQUENCE of two IA5Strings and a Boolean value which together specify the basis performance of the certain software. Element version contains version number information of the software. Element manufacturer use IA5String to indicate the developer of the software. The last element (renewal) MUST indicate whether the corresponding software is up-to-date. For example, an up-to-date KAPERSRY Anti-Virus V5.3 is represented as: version = 5.3 manufacturer = KAPERSRY renewal = 1 Chen, et al. Expires April 18, 2011 [Page 8] Internet-Draft X.509extension with Security Information October 2010 OperatingSystem is provided by OSData type, which is an INTEGER because OS data is private. OSData is abstracted as a security score, which indicates Operating System security status of the subject. Security score is an integer gained through local scanning of OS data information and specified calculation, ranged in [0, 99]. The bigger the numerical value is, the more safe it will be. OS data information CAN include version, manufacturer, update cycle and so on. VulnerabilityDatabase is provided by VDDate, which is a BOOLEAN value indicates whether the vulnerability database is up-to-date. A value of zero indicates the Vulnerability Database of the subject is outdated; a value of one indicates the Vulnerability Database of the subject is up to date, which is safe. MaliciousPlug-in is provided by MPIData. MPIData is a SEQUENCE contains any defined malicious plug-in with its details, such as name, manufacturer. The more malicious plug-in exists in the user, the less safe it is. 3. Security Considerations This X.509 extension contains private security information, i.e., operation system information, so we abstract it into security scores to ensure confidentiality of specific information. The trusted entity (or a trusted third party) MUST ensure that the correct values for the security information are inserted in each issued certificate, otherwise a user may reject a particular certificate if it encounters information it doesn't recognize or cannot process. 4. IANA Considerations Certificate extensions and extended key usage values are identified by object identifiers (OIDs). The OIDs used in this document are derived from X.509 [X.509-97]. No further action by the IANA is necessary for this document or any anticipated updates. 5. References 5.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Chen, et al. Expires April 18, 2011 [Page 9] Internet-Draft X.509extension with Security Information October 2010 [RFC5280] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [X.690] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998, "Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)". 5.2 Informative References [RFC 4059] Linsenbardt, D., Pontius, S., Sturgeon, A., "Internet X.509 Public Key Infrastructure Warranty Certificate Extension", RFC4059, May 2005. [RFC 3779] Lynn, C., Kent, S., Seo, K., "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, June 2004. [X.509-97] ITU-T. Recommendation X.509: The Directory-Authentication Framework. 1997. Appendix - ASN.1 Modules DEFINITIONS IMPLICIT TAGS ::= BEGIN -- OID Arcs id-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1)security(5) mechanisms(5) pkix(7) 1 } --Security Information Extension id-pe-securityInfo OBJECT IDENTIFIER ::= { id-pe 25 } SecurityInfo ::= CHOICE { none NULL, --No security info provided secInfo SecurityInformation --Explicit security info } SecurityInformation ::= SEQUENCE { secValidityPeriod ValidityPeriod, infoTime GeneralizedTime, secData SecurityData } Chen, et al. Expires April 18, 2011 [Page 10] Internet-Draft X.509extension with Security Information October 2010 ValidityPeriod ::= SEQUENCE { notBefore GeneralizedTime, notAfter GeneralizedTime } SecurityData ::= SEQUENCE { antivirus (0) AntivirusData OPTIONAL, firewall (1) FirewallData OPTIONAL, operatingSystem (2) OSData OPTIONAL, vulnerabilityDatabase (3) VDData OPTIONAL, maliciousPlug-in (4) MPIData OPTIONAL, otherSecData (5...MAX) ANY defined security data OPTIONAL } AntivirusData ::= SEQUENCE { antivirusBase BasicInfo, otherAntivirusData ANY defined AntivirusData OPTIONAL } FirewallData ::= SEQUENCE { firewallBase BasicInfo, supFTPFileFilter BOOLEAN, supAntivirus BOOLEAN, supConFilter BOOLEAN, defDOS BOOLEAN, rtInRes BOOLEAN, autoLogScan BOOLEAN, otherFirewallData ANY defined FirewallData OPTIONAL } BasicInfo ::= SEQUENCE { version IA5String, manufacturer IA5String, renewal BOOLEAN } OSData ::= INTERGER VDData ::= BOOLEAN MPIData ::= SEQUENCE { malPlugIn ANY defined malicious Plug-In } END Chen, et al. Expires April 18, 2011 [Page 11] Internet-Draft X.509extension with Security Information October 2010 Authors' Addresses Shuyi Chen ZTE Corpoporation 17/F, ZTE Plaza, No.19, East HuaYuan Road Haidian District, Beijing P.R.China, 100191 Tel:+86-10-82963667 Fax:+86-10-59932043 Email:chen.shuyi@zte.com.cn Yuting Liu Mobile lIfe and New mEdia Lab, BUPT. P.O. Box 92, No.10, Xitucheng Road BeiJing, Haidian District 100876 P.R.China Email: viviytliu@gmail.com Xiaofeng Qiu Mobile lIfe and New mEdia Lab, BUPT. P.O. Box 92, No.10, Xitucheng Road BeiJing, Haidian District 100876 P.R.China Email: qiuxiaofeng@gmail.com Cheng Cheng Mobile lIfe and New mEdia Lab, BUPT. P.O. Box 92, No.10, Xitucheng Road BeiJing, Haidian District 100876 P.R.China Email: chengcheng20090901@gmail.com Chunhong Zhang Mobile lIfe and New mEdia Lab, BUPT. P.O. Box 92, No.10, Xitucheng Road BeiJing, Haidian District 100876 P.R.China Email: zhangch.bupt.001@gmail.com Chen, et al. Expires April 18, 2011 [Page 12]