PlutoPlus: Policy and PKI Plans for FY00

1
PlutoPlusPolicy and PKI Plans for FY00

• Sheila Frankel
• Systems and Network Security Group
• Computer Security Division
• NIST
• sheila.frankel_at_nist.gov

2
PlutoPlus 99

• Peer authentication
• pre-shared secret keys
• Policy
• Same policy for all peers
• Initiator proposes single policy
• Responder must accept proposed policy

3
Y2K PlutoPlus

• Peer authentication choice of pre-shared secret
  keys, digital signature, or public key encryption
• Policy
• Flexible policy database
• Different policies for different peers
• Initiator proposes multiple policies
• Responder selects most preferable policy

4
What Constitutes Policy?

• Encryption algorithm DES, 3DES, Blowfish, IDEA,
  RC5
• Encryption Key Length
• Authentication algorithm HMAC-MD5, HMAC-SHA1
• Diffie-Hellman group prime with 96, 128, or 192
  bytes
• Encapsulation mode tunnel or transport

5
Policy Database Elements (contd)

• Peer authentication pre-shared secret key,
  digital signature, public key encryption
• Negotiated Security Associations Lifetime
  seconds and/or kilobytes protected
• Perfect Forward Secrecy for negotiated keys

6
Why PKI Interaction?

• Peer authentication with pre-shared keys
• pre-shared secret key used to prove identity
• limited scalability
• opportunistic encryption impossible
• Peer authentication with PKI
• digital signature or public key used to prove
  identity
• scalable
• opportunistic encryption possible