[dtn-security] Key Distribution

Ian Glennon <ianglennon@gmail.com> Tue, 29 November 2011 21:16 UTC

Return-Path: <ianglennon@gmail.com>
X-Original-To: dtn-security@ietfa.amsl.com
Delivered-To: dtn-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C2621F8B70 for <dtn-security@ietfa.amsl.com>; Tue, 29 Nov 2011 13:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYAcjyiQG7Ks for <dtn-security@ietfa.amsl.com>; Tue, 29 Nov 2011 13:16:18 -0800 (PST)
Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com [209.85.213.182]) by ietfa.amsl.com (Postfix) with ESMTP id CBEAB21F8AFE for <dtn-security@irtf.org>; Tue, 29 Nov 2011 13:16:15 -0800 (PST)
Received: by yenq9 with SMTP id q9so9859184yen.13 for <dtn-security@irtf.org>; Tue, 29 Nov 2011 13:16:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=+sNe6Vx6jBj1TdS4SB7PXrbVfq2+/gA/b5aM366ZyzU=; b=QOUMQyBrWik1COw+UQsUDSuuvXryY2ss2j0MByRxWRs2t9I4MydPHD6Fq0oW6hrvOd F5AgTgVqoVjx18Zea/Zpya3a9HKT0iOFsHwC158wb3tx2nnO1Qjti/3tEWmPiLIcgHi8 65JBsKXHP2kuJwGU10kd5bvNpgbj/acxAq0W0=
MIME-Version: 1.0
Received: by 10.68.5.162 with SMTP id t2mr692240pbt.73.1322601374856; Tue, 29 Nov 2011 13:16:14 -0800 (PST)
Received: by 10.143.163.11 with HTTP; Tue, 29 Nov 2011 13:16:14 -0800 (PST)
Date: Tue, 29 Nov 2011 21:16:14 +0000
Message-ID: <CAJCiAQ0eN3barDn_XsidpmLy5CO784cEjweMErjV2nmJDU=RXQ@mail.gmail.com>
From: Ian Glennon <ianglennon@gmail.com>
To: dtn-security@irtf.org
Content-Type: multipart/alternative; boundary=bcaec52159a520b4a804b2e62138
X-Mailman-Approved-At: Thu, 01 Dec 2011 08:08:14 -0800
Subject: [dtn-security] Key Distribution
X-BeenThere: dtn-security@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The Delay-Tolerant Networking Research Group \(DTNRG\) - Security." <dtn-security.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/dtn-security>
List-Post: <mailto:dtn-security@irtf.org>
List-Help: <mailto:dtn-security-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 21:16:19 -0000

I'm considering the following situation...

Nodes A, B and C are Security Aware DTN Nodes.  Node B is an intermediate
DTN node which handles bundles from Node A to Node C.

1) Node A wishes to encrypt a payload for Node C but does not have a local
copy of the public key for Node C.  Node A will sign the payload using its
private key.  How does Node A obtain the public key?

2) Assuming Node A can obtain Node C's public key, Node B wishes to verify
the integrity of the payload.  How does Node B obtain Node A's public key?

3) On receiving the bundle from Node A, Node C wishes to verify the
integrity of the payload.  How does Node C obtain Node A's public key?

Now clearly the answer to 2) will be the same as that for 3), and also
probably the same for 1).  I am considering some kind of Key Distribution
Node, which would manage the distribution of the public keys to the various
DTN nodes.  At what point, though, would the key request be made?  Would it
be made within the DTN protocol, or would it be made by some application
receiving the bundle payload?  My guess is it would be within the DTN
protocol - certainly for 2) as the verification is handled by the protocol
rather than some application overlaying the protocol.

You may see where I'm going with this - a Key Distribution Network
consisting of nodes handling the distribution of public keys - but I'm not
sure whether requests to a node within the KDNetwork needs to be integrated
into the DTN protocol, or whether it can be an application receiving
requests which sits above the DTN protocol.

Any help, guidance or advice gratefully received.

Ian Glennon
ianglennon@gmail.com