SECURITY AREA MEETING (Security Area Advisory Group, SAAG)
Friday 23 March 2007, 09:00, Prague, Czech Republic
Minutes by Donald Eastlake 3rd
Edited by Area Directors Sam Hartman and Tim Polk

INTRODUCTION AND AGENDA

Sam introduces Tim.
Sam: At my first IETF at Chicago I was amazed when this Tim guy, at SAAG, described the exciting and vibrant progress PKIX had made.
Tim: It is exciting to do a SAAG from the front of the room. It will be hard to live up to my introduction. A Friday SAAG is weird.

Agenda
   WG Reports
   BoF Report
   Invited Presentations
   Open Mike

SECURITY WORKING GROUPS AND BOFS

HOKEY, Charles Clancy
   Presented EAP-EMSK keying hierarchy
   EPR - candidate Hokey protocol
   3-party keying - convergence

KRB-WG, Jeff Hutzelman
   During the discussion of the krb-wg report, the chair said that it would be nice to have a consistent position on ECC IPR across the security area. Tim and Sam will work on that.

SECURITY LEADERSHIP TRANSITION

Sam: Russ has had a higher calling. I'm looking forward to an IESG he's running. Thanks to Russ for his leadership of the Security Area. Russ's theme has been incremental improvement. It has been a wonderful pleasure working with Russ and I hope to continue to do so.
Tim: Have worked with Russ for some time. I've been a chair under him as AD. I've co-authored documents with him. The most frightening thing is having to follow Russ as AD.

Passing the Baton to Tim, Russ Housley
   Security Area Leadership...
   Asked people to volunteer for membership in the Security Directorate and SAAG
   "Security Area cannot remain my focus, but it will always be my roots"

INVITED PRESENTATIONS:

New Security-Related Work in W3C
Thomas Roessler as channeled by Steve Farrell

   Three things happening: (1) Web security context, (2) Forms, (3) XML signature and encryption ++

   Web Security Context
   /TR/usc-usecases/
   Draft in June.
   www.w3.org/2006/WSC/

   HTML Form Annotations
   Have form fields have meta-data like "I am a user name" or need protection or whatever...
   www.w3.org/MarkUp/Forms or www.w3.org/html/wg/

   XML Signature and Friends
   Fix known minor problems quickly (next slide)
   Document other issues but don't resolve them.
   Then follow up work.
   XML Security Maintenance WG chartered through 2007
   Workshop some time in late summer...
   TLR at IETF Chicago?
   www.w3.org/2007/xmlsec/
   Plan to submit as an Internet Draft for IETF review.
   Thomas Roessler tlr@w3.org.

Paul: Concerned about meeting over the summer and then coming to IETF.
Steve: Well, usually their workshops are several days.
Paul: Canonicalization is boring but critical.
Steve: Inclusive XML Canonicalization is broken but I thought Exclusive XML canonicalization was OK.
Paul: No really.
Tim: I would like to be sure that the IETF RFCs don't drift too far from what the W3C is doing.
EKR: XML Security is way too complex due to many requirements placed on it by W3C people.
Donald Eastlake: These questions are more complex than they seem. See my RFC 3930 "The Protocol versus Document Points of View in Computer Protocols" for explanation of the W3C document point of view.

Issues of SAAG Interest in USGIPv6 V1.0 Profile: Security Issues in draft Profile for IPv6 in the U.S. Government, Doug Montgomery

   What's going on with government IPv6 test program?
   Acquisition Profile: SP ...
   www.antd.nist.gov/usgv6-v1-comments.html, comments still solicited.
   Policy free, applicable to non classified Federal IT systems.
   Define compliant hosts, routers, etc...
   Development of Testing Program
   Linkages to USG Policies
   Final USGv6-V1 Profile

   What's of SAAG Interest
   Specsmanship is particularly challenging in the IPsec area.

   Device Profiles
   USGv6: Hosts, Routers, Network Protection Devices (NPD)
   IETF: Hosts, Routers
   NPD NIST just provides the normative text

   IPsec
   Old or new IPsec/IKE? And when?
   AH mandated or optional? Currently optional...
   More comfortable with a concise specification and some devices/cases declared outside the scope of that specification rather than lots of exceptions in the specification.

   Algorithms
   3DES-CBC still mandatory
   AES-CBC-128 mandatory
   Null-Auth optional
   AES-GCM/AES-GMAC optional

   IKEv2 ...

   Base Protocol addressing
   SEND/CGA, SEND/3971(S+), CGA/3972(S+)
   Privacy Addresses/3401(S) - some thoughts that an IP address is Personally Identifying Information (PII)?

Tim: This would put the government off the Internet. I still have problems with people telling me that telephone numbers are PII so I can't carry them around with me but I have to be able to call various individuals in case of emergency...

Comments are still solicited: sp500-267-comments@antd.nist.gov.

Tim: I want to be sure IETF documents are appropriately interpreted and used in this NIST effort. And I want to encourage participation but time is short. Suggest downloading and reading on your plane home.

Extensions to the Internet Threat Model, Lakshminath Dondeti

   RFC 3552 describes the Internet Threat Model
   Network Asset Classification
   As long as the critical assets are not compromised, things work
   Security at the edge of the network.
   Edge devices in the access network are vulnerable to physical compromise. WLAN/WMAN devices may be hanging off a wall.
   Compromise of Edge Devices
   ATMs, some banking systems use secure co-processors
   What does it take to extract keys from the IBM 4758?
   Access control enforcement belongs at the edge
   What happens if an Enforcement Point is compromised?
   Edge Device as a Key Distributor
   Using Access Router as a Key Distributor. Best to keep the AR as a non-critical asset.
   We may need to extend the Internet threat model.
   Need to provide more guidance to security protocol designers.
   Asset classification guidance might help.
   Guidelines on mapping security functions to network entities might prove useful.

Tim: Mostly good guidance but many points have exceptions.
In the past some security criteria, on being written down, have taken on a life of their own and get applied outside their intended applicability.
Lakshminath: That's why I mentioned other things like women with guns.
Pasi: Does not look like an Internet Threat model but an access network threat model with layer-2 handover, etc. But it doesn't even apply there. For example, GSM access router is protected, not on the wall. Limited applicability.
Lakshminath: Yes, ARs are usually protected, but not in some wireless networks.
Pasi: We can't necessarily write this. IEEE 802.11, for example, can write it for their stuff because they know the range of their signals, etc.
Bernard Aboba: I second that, some APs are critical and some are not... It is important to be able to write down what you are trying to guarantee and then show that you are actually guaranteeing it. For example, keys have other criteria than distribution (freshness...)
Paul Ferguson: slide 5: seems very mobility centric. The MUST NOT at the bottom would be nice but...
Lakshminath: Using an RFC 2119 keyword was a mistake. This is just an example diagram I happened to have around...
Paul: Confused about what this is really geared toward... ... very mobility centric
X: It's not even mobility centric. If an AR is compromised, the whole system may stop, as has been explained many times on the mailing list...
Lakshminath: It depends...
...
Lakshminath: You should use end-to-end security for confidentiality. There are different types of compromise.
Joe Salowey: It is important to consider what happens when an entity in the network is compromised. This isn't a general model but no general model may exist. I'm uncomfortable with your critical/non-critical classification.
Lakshminath: Sometimes you can move to an alternative access when one is compromised. Routing helps...
Joe: Denial of Service...
EKR: My understanding of the point you are making is that if you have a system with >2 components, you should consider what happens when any one is compromised. And I agree with that. Most of our security work has been based on simple system models but we are now dealing with more complex systems...
Lakshminath: The purpose of the presentation was to stimulate discussion.
EKR: It is a very hard problem.
Pasi: Interesting that you consider the boxes to be the assets. Usually the assets are the service or the like, which are enabled by the boxes (integrity of the charging information, protection of customer traffic, ...). So if you break into one AR, can you get keys to read traffic for other ARs, violates Housley criteria.
Lakshminath: I'm looking for help in improving the document. I have only considered billing info a little.
X: In many systems ARs are also NASes. In WiMax and DSL, if an AR is compromised, your whole security system is compromised.

OPEN MIKE

Dan Harkins: Very concerned that TLS is considering using EAP for authentication. (Gives complex example of multiple nestings including PEAP at one layer.) This sort of thing enables complex descent of nested security mechanisms... Tunneled authentications can have MITM [Gives long example of stack of methods including PEAP]
Sam: If you remove PEAP, all the others in the descent you mention would give you real mutual authentication. EAP inside, I think people understand the problems. TLS needs to provide mutual authentication and your session needs to fail if it can't.
Dan: I don't think people understand this. EAP is a virus getting out of control.
Sam: EAP does have a strong applicability statement and should only be used within that or we need to be very careful of the security for any use outside that. For example, ISMS has been told it can't use EAP.
Paul Hoffman: This is a can of worms: during the NIST presentation, people were grumbling about IPsec...
Remind people that IPsec is a security requirement of IPv6.
Sam: Current state of affairs: RFC 4301 says you MUST do IPsec and IKE for IPv6. Node requirements document was revised to say you MUST do RFC 2401 with crappy algorithms. Then IETF approved 6lowpan knowing it didn't have IPsec. People are going to implement IPsec if they need it and not if they don't and we really can't do anything about that. You can't change algorithms when going to Draft so you get stuck with old algorithms...
Derek Atkins: What can the IETF do when vendors don't follow or break our specifications? ... recent mail product that messes up on multi-part encrypted...
Sam: Don't think that's actually part of our mission.
Tim: Have the same sort of problems in the U.S. Government with FIPS (Federal Information Processing Standard).
Russ Housley: The Internet works because people cooperate, not because anyone has a stick, so you should find a carrot.
Russ: Follow up on Dan Harkins. Greatly concerned on EAP methods that use protocols that can carry EAP methods ... could be an endless descent. The parser has to deal with this. Let's keep it simple.
EKR: I don't think the problem is implementation complexity. The problem is that to this day, you can still run IPsec but you can't talk to people you don't know securely.
Bernard Aboba: 6lowpan is an extreme case with tiny sensors that have to go a long time on batteries. Generally in the past we profiled IPsec for special cases... I was never an advocate...
Bernard: Customers say we have way too many EAP methods already, they want us to work on interoperability.
Jeff Hutzelman: The EAP methods we have all suck.
Nico Williams: The reason people put EAP in is that the EAP community has the energy to work on mechanisms that work with all kinds of credentials. And we don't seem to have the energy to put those credentials into our other methods. Would be nice if we could generalize EMU. Make IPsec more useful, BTNS.
Clint Chaplin: I think you need a reality check. Can the IETF community enforce the IETF standards? We are all on the same page but we have to educate the world as to who the IETF is. Most of the world just implements stuff and has never heard of the IETF.
Tim: I'm not sure all 1400 of us are on the same page. But our work has been accepted. People do find what we do useful.
X: GSSAPI and SASL are similar to EAP...
Tim: Thanks to everyone for hanging around until 11:30 Friday.

ADJOURN