Application for a Simple Device Authentication ...

10 downloads 636 Views 267KB Size Report
management program calls the IPsec configuration provider from the smart card. ((3) in Fig.3 and Fig.5) It sends an IP security policy file to the linux box. Thus ...
Application for a Simple Device Authentication Framework: Device Authentication Middleware using Novel Smart Card Software Manabu Hirano1, Takeshi Okuda2, Suguru Yamaguchi2 1 Toyota National College of Technology, Toyota, Aichi 471-0565, Japan 2 Nara Institute of Science and Technology, Ikoma, Nara 630-0192, Japan [email protected], {okuda, suguru}@is.naist.jp Abstract Our proposed simple device authentication framework [1] aims to provide device-oriented authentication and authorization mechanisms for non-PC Internet-ready information appliances. The purpose of the framework is to prevent device spoofing, and to restrict unauthorized access to the device in a future ubiquitous network. We have developed the novel smart card software to achieve peer to peer device-oriented PKI authentication and authorization on the secure tamper-resistant smart card. We assume that the smart card will be attached to a device such as an information appliance. In this paper, we show the prototype implementation of authentication middleware using our novel smart card software and the IKEv1 program. The IKEv1 program cooperates with our novel smart card software to achieve peer to peer production-level identity authentication for devices. Thus, our framework and its application shown in this paper will help to realize secure ubiquitous computing for Internet-ready home appliances.

1. Introduction Future ubiquitous networks will be connected to a large number of non-PC Internet-ready information appliances. We have proposed an authentication framework not for human beings but for devices [1]. In our proposal, a home appliance attached with our proposed smart card can call our device-oriented authentication and authorization APIs from the smart card. Our proposed smart card can register a device’s identity for device-oriented authentication, and an owner’s attributes for access control for the devices. A non-PC device such as a home appliance generally has only a minimum human interface, unlike a traditional PC with a full keyboard and display, making it difficult to input complex authentication data. Our proposal for novel smart card software with special configuration tools [1]

Home network

Mutual device authentication between two devices using smart card Internet-ready TV with smart card

Public network (Hot spot)

Peer-to-Peer Device Security

Digital camera with smart card

Office network Color photo printer with smart card

Figure 1. Example of device-oriented authentication Simple Device Authentication Framework

Manufacturer

Register production-level identity

Authenticate production-level identity

Register owner-level attributes

Authorize owner-level attributes

Owner

Accessed device

Figure 2. Use case diagram for proposed framework will enable users to set up device-oriented authentication data, despite a poor user interface, by separating deviceoriented authentication and authorization functions from the device itself. Consequently, the accessed device is able to call device-oriented authentication and authorization APIs from the smart card. As a result, the smart card that is attached to Internet-ready appliances can realize a peer-to-peer PKI (Public Key Infrastructure) authentication and authorization mechanism without an extensive interface. Fig.1 shows an example of deviceoriented authentication in a ubiquitous network.

2. Overview of simple device authentication framework

Java card program Methods

Variables

Fig.2 shows the use case diagram for proposed framework. Our novel smart card software for the simple device authentication framework provides two functions described in section 2.1., 2.2.

2.1. Production-level identity using public key certificate

authentication

During the production phase, our framework allows manufacturers to register a production-level identity such as manufacturer’s unique ID and device’s serial number into a smart card. To achieve production-level authentication mechanism, we employ the device’s X.509 Public Key Certificate (PKC) [2] and its attribute fields to store its public key and production-level identities. The product is shipped with this initialized smart card. As a result, the initialized smart card can handle the device’s production-level identity. We have developed an initialization tool for manufacturers to set up a production-level identity for the smart card [1]. In section 3, we will show the prototype implementation of the production-level identity authentication middleware using the IKEv1 protocol.

Private key Public key certificate Trusted CA certificate

Authentication module

(1)

Attribute certificate

Authorization module

(2)

Access control list IP security policy

Tamper-resistant smart card

IPsec configuration provider

(3)

ISO-7816 Interface

Figure 3. Design of the novel smart card software Table 1. Smart card specification Smart card Reader Library

Schlumberger Cyberflex e-gate 32k (ST Microelectronics ST19XT34) Schlumberger e-gate token connector Sun microsystems Java Card API 2.1.1

2.2. Owner-level attributes authorization using attribute certificate After purchasing the product, our framework enables users to register owner-level attributes (distinguishable unique names assigned by the owner) on to their smart card. To achieve owner-level attributes authorization mechanism, we employ an Attribute Certificate (AC) [3] to store owner-level attributes, and an Access Control List (ACL) to restrict the access using the peer connecting device’s attribute. As a result, a user can set up her or his own device to restrict access from other devices. We have developed a personalization tool for the device owner to set up owner-level attributes to the smart card [1]. We assume that authorization functions in the smart card are called by the device-controlling application.

2.3. Implementation for novel smart card software Fig.3 shows the design of our proposed novel smart card software. We have implemented this software running on Axalto Cyberflex e-gate 32k smart card [1]. Our software employs Java Card API 2.1.1 [4]. Table 1 shows the smart card specification of our implementation. Our novel smart card software provides (1) Authentication module using a private key and PKC,

Figure 4. The smart card as a USB device (2) Authorization module using AC and ACL, and (3) IPsec configuration provider to configure IP security policy. We have implemented these functions as a Java program running on the smart card. Communication between the smart card and the middleware is processed using the ISO-7816 standard [5].

3. Design of peer to peer device-oriented authentication middleware using IKEv1 In this paper, we have implemented a peer to peer device-oriented authentication middleware as an application of a proposed simple device authentication framework. The two devices which are trying to connect each other make it possible to execute strong PKI authentication using the middleware to cooperate with the smart card. We employ IKEv1 (Internet Key Exchange, version 1) [6] protocol to execute mutual authentication between the two devices. We also employ IPsec [7] protocol to encrypt communication between the two devices.

Linux box

Table 2. Software used with the implementation Smart card

User space

IKEv1 program

(1) (2)

Application program

IPsec policy management program

(3)

Peer IKEv1 program

PFKEYv2

Peer application program

Kernel space

SPD

SAD

IPsec

remote control under authorization

ISO-7816 Interface

Device’s functions

Internet Protocol

Figure 5. Peer to peer device-oriented authentication middleware system Initiator

Responder

HDR, SA HDR, SA HDR, KE, Ni HDR, KE, Nr HDR*, IDii, CERT_I, SIG_I

HDR*, IDir, CERT_R, SIG_R

Figure 6. IKEv1 main mode with signature authentication Our peer to peer device-oriented authentication middleware is executed on a linux box. We assume that the linux box is attached to an information appliance by RS-232, USB or Ethernet, and so on. The linux box controls the information appliances. (ex. Recording a TV program on a DVD recorder) The linux box has to equip the smart card reader. In this paper, we utilize the smart card as a small USB device shown in Fig.4. Our developped middleware running on a linux box can call device-oriented authentication API from the smart card. The smart card software executes authentication functions and returns the result only. Consequently, the linux box can authenticate the peer device’s production-level identity described in section 2.1. Fig.5 shows our proposed peer to peer device-oriented authentication middleware system running on the linux box. At the boot time of the linux box, the IPsec policy management program calls the IPsec configuration provider from the smart card. ((3) in Fig.3 and Fig.5) It sends an IP security policy file to the linux box. Thus, the IPsec policy management program sets up the IP security policy to the SPD (Security Policy Database) [8] in the kernel.

OS IPv6/IPsec stack IKEv1 program IPsec policy management program PC/SC library

Linux kernel 2.6.11 USAGI racoon (ipsec-tools 0.5.1) setkey (ipsec-tools 0.5.1) PCSC Lite 1.2.9 beta 7

When the device is trying to connect to another device, the IKEv1 program begins to negotiate a new security association with the peer IKEv1 program. In the negotiation, the IKEv1 program calls the authentication module from the smart card. ((1) in Fig.3 and Fig.5) Fig.6 shows the IKEv1 negotiation for the main mode with signature authentication. IKEv1 has 2 phases to establish IPsec-SA [6]. IKEv1’s main mode is the “Phase 1” exchange. The authentication module in the smart card generates a signature (SIG_I for initiator, SIG_R for responder). Furthermore, the authentication module sends the PKC (CERT_I, CERT_R) related to the productionlevel identity (manufacturer’s ID and product serial number) from the smart card to the linux box. Thus, the IKEv1 program can send them to the peer IKEv1 program. Consequently, the linux box can authenticate productionlevel identity. Finally, the IKEv1 program establishes IPsec-SA and stores it to the SAD (Security Association Database) in the kernel.

4. Implementation of peer to peer deviceoriented authentication middleware Table 2 shows the software used with the implementation described in section 3. USAGI [9] is for the implementation of IPv6/IPsec stack in linux. Our implementation of the proposed system employs an USAGI stack. Racoon [10] is the proven implementation of the IKEv1 protocol. We currently employ IKEv1 protocol. To employ the new IKEv2 protocol [11], we have to change an IKEv2 program to call the authentication module from the smart card. However, the modification of the IKEv2 program is simple, because it just replaces the sign functions with the smart card functions. Our implementation employs RSA 1024 bit key and SHA-1 hash algorithm. We utilize a setkey program [10] as an IPsec policy management program to add, update, dump, or flush SAD and SPD entries in the linux kernel. Our implementation extends the setkey to load the IP security policy from the smart card. This process only executes at the boot time of the linux box.

5. Performance measurement In this section, we show the result of the performance measurement. Table 3 shows the hardware specification

Table 3. Hardware specification of the linux box CPU Memory Network

Pentium M Processor 1.6 GHz 512 MB 100Base-TX

Table 4. Process time of the IKEv1 program Load X.509 Certificate (942 byte) from the smart card Create signature of IKE phase 1 payload in the smart card

time[sec] 8.477 5.977

Table 5. Comparison of the process time of IKE phase 1 exchange Conventional IKEv1 program Proposed IKEv1 program

time[sec] 0.673 12.132

of the linux box. Table 4 shows the process time of the modified IKEv1 program. Table 5 shows the comparison of the proposed system with the conventional system. The process time of the phase 1 exchange is 12.132 sec in the proposed system.

6. Discussion In this paper, we have shown how the customized IKEv1 program can cooperate with the novel smart card software. It is one application of the proposed simple device authentication framework. This application achieves peer to peer device-oriented authentication based on production-level identity described in section 2.1. A conventional token such as a PKCS#11 [12] compliant smart card focuses on human being authentication only. In contrast, our proposed framework and the application shown in this paper can handle device’s production-level identity such as the manufacturer’s ID and the product’s serial number. Furthermore, our original novel smart card software can provide owner-level attributes authorization APIs based on AC’s attributes and ACL rules. On the other hand, the current performance of the proposed middleware is not fast. However, the processing speed of the smart card hardware may improve in the near future, and thus the processing time of our developed software will also decrease for practical usage.

7. Conclusion In this paper, we have given the prototype application of a framework not for use by human beings but for devices. We have employed smart card technology to append authentication functions to conventional devices such as home appliances. Our novel device-oriented authentication framework and its application shown in

this paper achieves production-level identity authentication between two devices using a customized IKEv1 program. In our future work, we will develop the application to achieve the controlling of real devices such as home appliances under owner-level authorization rules using our smart card software. Our framework and its application shown in this paper will help to realize secure ubiquitous computing for home appliances.

Acknowledgement The fundamental part of our smart card software was partially supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Young Scientists (B), 17700082, 2005.

References [1] M. Hirano, T. Okuda, S.Yamaguchi, “A Proposal for a Simple Device Authentication Framework: Design and Implementation of Novel Smart Card Software and Its Tools", ICWMMN 2006, China, Nov. 2006. [2] R. Housley, W. Ford, W. Polk, D. Solo, “Internet X.509 Public Key Infrastructure, Certificate and Certificate Revocation List (CRL) Profile”, RFC3280, IETF, April 2002. [3] S. Farrell, R. Housley, “An Internet Attribute Certificate Profile for Authorization”, RFC3281, IETF, April 2002. [4] Sun Microsystems, Inc., “Java Card 2.1.1 API, Rev.1.0”, May 2000. [5] International Organization for Standardization, “ISO/IEC 7816: Integrated circuit(s) cards with contacts, parts 1-4”, 19972005. [6] D. Harkins, D. Carrel, “The Internet Key Exchange (IKE)”, RFC2409, IETF, Nov. 1998. [7] S. Kent, R. Atkinson, “Security Architecture for the Internet Protocol”, RFC2401, IETF, Nov. 1998. [8] D. McDonald, C. Metz, B. Phan, “PF_KEY Key Management API, Version 2”, RFC2367, IETF, July 1998. [9] M. Kanda, K. Miyazawa, H. Esaki, “USAGI IPv6 IPsec development for Linux”, 2004 Symposium on Applications and the Internet Workshops (SAINT 2004 Workshops), Tokyo, Jan. 2004, pp. 159-163. [10] IPsec-Tools project, http://ipsec-tools.sourceforge.net/. [11] C. kaufman, Ed., “Internet Key Exchange (IKEv2) Protocol”, RFC4306, IETF, Dec. 2005. [12] RSA Laboratories Inc., “PKCS#11: Cryptographic Token Interface Standard, Version 2.20.”, 2004.