Bootstrapping Remote Secure Key Infrastructure (BRSKI)

Richardson, Michael C.; Behringer, Michael; Pritikin, Max; Eckert, Toerless; Watsen, Kent

doi:10.17487/rfc8995

Cited by 11 publications

(13 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, how to securely provision a time source is an open issue. The latest available relevant standards, such as BRSKI, allow IoT devices to ignore the certificate validity periods during initial authentication if the device has not yet been given a reliable current time [25]. In the following, we assume that the deployment-specific bootstrapping issues have been solved.…”

Section: Deployment and Initial Enrollmentmentioning

confidence: 99%

AutoPKI: public key infrastructure for IoT with automated trust transfer

Höglund,

Bouget,

Furuhed

et al. 2024

Int. J. Inf. Secur.

View full text Add to dashboard Cite

IoT deployments grow in numbers and size, which makes questions of long-term support and maintainability increasingly important. Without scalable and standard-compliant capabilities to transfer the control of IoT devices between service providers, IoT system owners cannot ensure long-term maintainability, and risk vendor lock-in. The manual overhead must be kept low for large-scale IoT installations to be economically feasible. We propose AutoPKI, a lightweight protocol to update the IoT PKI credentials and shift the trusted domains, enabling the transfer of control between IoT service providers, building upon the latest IoT standards for secure communication and efficient encodings. We show that the overhead for the involved IoT devices is small and that the overall required manual overhead can be minimized. We analyse the fulfilment of the security requirements, and for a subset of them, we demonstrate that the desired security properties hold through formal verification using the Tamarin prover.

show abstract

Section: Deployment and Initial Enrollmentmentioning

confidence: 99%

AutoPKI: public key infrastructure for IoT with automated trust transfer

Höglund,

Bouget,

Furuhed

et al. 2024

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…With the goal of radically simplifying the deployment of HTTPS in the web context, the Automatic Certificate Management Environment (ACME), specified in IETF RFC 8555 [39], describes a protocol by which an applicant can obtain a signed certificate from a CA. The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol, specified in IETF RFC 8995 [35], provides a solution for the automated bootstrapping of a remote secure key infrastructure of new (unconfigured) devices using manufacturer-installed X.509 certificates.…”

Section: Approaches Presented In Standards Predominantly Originating ...mentioning

confidence: 99%

“…[22,23] PROFINET 1st IEC Spec. [22,23] TAMP draft [24] Certificate and CRL Profile RFC [12] CMC RFC [19] OPC UA Part 2: Security, V1.01 [25] IEEE 802.1AR 1st [26] TAMP RFC [24] EST draft [27] Fischer et al [28] Fernbach et al [29] Hausmann et al [30] OCSP Stapling Draft [31] OCSP RFC [15] OCSP Stapling RFC [31] EST RFC [27] Kim et al [32] Falk et al [33] Runde et al [34] BRSKI draft [35] OPC UA Part 12: GDS, V1.03 [36] CIP Security [37] OPC UA Part 2: Security, V1.03 [38] ACME draft [39] EALS draft [40] Karthikeyan et al [41] Duan et al [42] OPC UA Part 12: GDS, V1.04 [43] IEC/IEEE 60802 draft 0.0 [44] IEEE 802.1AR 2nd [26] Danilchenko et al [45] ACME RFC [39] Höglund et al [46] Boudagdigue et al [47] Park et al [48] SCEP RFC [17] Kulik et al [49] Yunakovsky et al [50] Astorga et al [11] Kohnhauser et al [51] PROFINET IEC Spec. 2.4MU2 [52] BRSKI RFC […”

Section: Approaches Presented In Standards Predominantly Originating ...mentioning

confidence: 99%

A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments

Göppert,

Walz,

Sikora

2024

JSAN

View full text Add to dashboard Cite

Driven by the Industry 4.0 paradigm and the resulting demand for connectivity in industrial networking, there is a convergence of formerly isolated operational technology and information technology networks. This convergence leads to attack surfaces on industrial networks. Therefore, a holistic approach of countermeasures is needed to protect against cyber attacks. One element of these countermeasures is the use of certificate-based authentication for industrial components communicating on the field level. This in turn requires the management of certificates, private keys, and trust anchors in the communication endpoints. The work at hand surveys the topic of certificate management in industrial networking environments throughout their life cycle, from manufacturing until their disposal. To the best of the authors’ knowledge, there is no work yet that surveys the topic of certificate management in industrial networking environments. The work at hand considers contributions from research papers, industrial communication standards, and contributions that originate from the IT domain. In total, 2042 results from IEEE Xplore, Science Direct, Scopus, and Springer Link were taken into account. After applying inclusion and exclusion criteria and title, abstract, and full-text analysis, 20 contributions from research papers were selected. In addition to the presentation of their key contributions, the work at hand provides a synopsis that compares the overarching aspects. This comprises different proposed entity architectures, certificate management functions, involvement of different stakeholders, and consideration of life cycle stages. Finally, research gaps that are to be filled by further work are identified. While the topic of certificate management has already been addressed by the IT domain, its incorporation into industrial communication standards began significantly later and is still the subject of research work.

show abstract

“…A method for efficient and regular distribution of new keys is discussed by Gunleifsen et al [16]. Protocols like BRSKI [29] may also be used for key and certificate distribution.…”

Section: A Assumptionsmentioning

confidence: 99%

Secure Service Function Chaining in the Context of Zero Trust Security

Bradatsch

Haeberle

Steinert

et al. 2022

2022 IEEE 47th Conference on Local Computer Networks (LCN)

View full text Add to dashboard Cite

Service Function Chaining (SFC) enables dynamic steering of traffic through a set of service functions based on classification of packets, allowing network operators finegrained and flexible control of packet flows. New paradigms like Zero Trust (ZT) pose additional requirements to the security of network architectures. This includes client authentication, confidentiality, and integrity throughout the whole network, while also being able to perform operations on the unencrypted payload of packets. However, these requirements are only partially addressed in existing SFC literature. Therefore, we first present a comprehensive analysis of the security requirements for SFC architectures. Based on this analysis, we propose a concept towards the fulfillment of the requirements while maintaining the flexibility of SFC. In addition, we provide and evaluate a proof of concept implementation, and discuss the implications of the design choices.

show abstract

Bootstrapping Remote Secure Key Infrastructure (BRSKI)

Cited by 11 publications

References 0 publications

AutoPKI: public key infrastructure for IoT with automated trust transfer

AutoPKI: public key infrastructure for IoT with automated trust transfer

A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments

Secure Service Function Chaining in the Context of Zero Trust Security

Contact Info

Product

Resources

About