ETSI EN 302 878-5-2011 Access Terminals Transmission and Multiplexing (ATTM) Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems Part .pdf

ETSI EN 302 878-5 V1.1.1 (2011-11)

Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0

European Standard

Reference: DEN/ATTM-003006-5
Keywords: access, broadband, cable, data, IP, IPCable, modem

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ... 10
Foreword ... 10
1 Scope ... 11
1.1 Introduction and Purpose ... 11
1.2 Requirements ... 11
1.3 Conventions ... 11
2 References ... 11
2.1 Normative references ... 12
2.2 Informative references ... 13
3 Definitions and abbreviations ... 14
3.1 Definitions ... 14
3.2 Abbreviations ... 14
4 Void ... 16
5 Overview ... 16
5.1 New DOCSIS 3.0 Security Features ... 16
5.2 Technical Overview ... 17
5.2.1 BPI+ Architecture ... 17
5.2.1.1 Packet Data Encryption ... 17
5.2.1.2 Key Management Protocol ... 17
5.2.1.3 DOCSIS Security Associations ... 18
5.2.1.4 QoS SIDs and DOCSIS SAIDs ... 19
5.2.1.5 BPI+ Enforce ... 19
5.2.2 Secure Provisioning ... 20
5.3 Operation ... 20
5.3.1 Cable Modem Initialization ... 20
5.3.1.1 Network Admission Control ... 21
5.3.1.2 EAE and Authentication Reuse ... 21
5.3.1.3 Configuration Registration Enforcement ... 21
5.3.2 Cable Modem Key Update Mechanism ... 22
5.3.3 Cable Modem Secure Software Download ... 22
6 Encrypted DOCSIS MAC Frame Formats ... 22
6.1 CM Requirements ... 22
6.2 CMTS Requirements ... 22
6.3 Variable-Length PDU MAC Frame Format ... 23
6.3.1 Baseline Privacy Extended Header Formats ... 24
6.4 Fragmentation MAC Frame Format ... 25
6.5 Registration Request (REG-REQ-MP) MAC Management Messages ... 26
6.6 Use of the Baseline Privacy Extended Header in the MAC Header ... 28
7 Baseline Privacy Key Management (BPKM) Protocol ... 28
7.1 State Models ... 28
7.1.1 Introduction ... 28
7.1.1.1 Authorization State Machine Overview ... 28
7.1.1.2 TEK State Machine Overview ... 30
7.1.2 Encrypted Multicast ... 31
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled ... 32
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled ... 32
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions ... 32
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions ... 33
7.1.3 Selecting Cryptographic Suites ... 33
7.1.4 Authorization State Machine ... 34
7.1.4.1 Brief Description of States ... 35
7.1.4.1.1 Start ... 35
7.1.4.1.2 Auth Wait ... 35
7.1.4.1.3 Authorized ... 35
7.1.4.1.4 Reauth Wait ... 35
7.1.4.1.5 Auth Reject Wait ... 35
7.1.4.1.6 Silent ... 36
7.1.4.2 Brief Description of Messages ... 36
7.1.4.2.1 Authorization Request (Auth Request) ... 36
7.1.4.2.2 Authorization Reply (Auth Reply) ... 36
7.1.4.2.3 Authorization Reject (Auth Reject) ... 36
7.1.4.2.4 Authorization Invalid (Auth Invalid) ... 36
7.1.4.2.5 Authentication Information (Auth Info) ... 36
7.1.4.3 Brief Description of Events ... 37
7.1.4.3.1 Initiate Authentication ... 37
7.1.4.3.2 Timeout ... 37
7.1.4.3.3 Auth Grace Timeout ... 37
7.1.4.3.4 Reauth ... 37
7.1.4.3.5 Auth Invalid ... 37
7.1.4.3.6 Perm Auth Reject ... 37
7.1.4.3.7 Auth Reject ... 37
7.1.4.3.8 EAE Disabled Auth Reject ... 37
7.1.4.4 Events sent to TEK State Machine ... 37
7.1.4.4.1 TEK Stop ... 38
7.1.4.4.2 TEK Authorized ... 38
7.1.4.4.3 Auth Pend ... 38
7.1.4.4.4 Auth Comp ... 38
7.1.4.5 Brief Description of Timing Parameters ... 38
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout) ... 38
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout) ... 38
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout) ... 38
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout) ... 38
7.1.4.6 Timers ... 38
7.1.4.6.1 Authorization Request ... 38
7.1.4.6.2 Authorization Reject ... 38
7.1.4.6.3 Authorization Grace ... 38
7.1.4.7 Actions ... 39
7.1.5 TEK State Machine ... 41
7.1.5.1 Brief Description of States ... 42
7.1.5.1.1 Start ... 42
7.1.5.1.2 Op Wait ... 42
7.1.5.1.3 Op Reauth Wait ... 42
7.1.5.1.4 Op ... 42
7.1.5.1.5 Rekey Wait ... 42
7.1.5.1.6 Rekey Reauth Wait ... 42
7.1.5.2 Brief Description of Messages ... 42
7.1.5.2.1 Key Request ... 42
7.1.5.2.2 Key Reply ... 43
7.1.5.2.3 Key Reject ... 43
7.1.5.2.4 TEK Invalid ... 43
7.1.5.3 Brief Description of Events ... 43
7.1.5.3.1 Stop ... 43
7.1.5.3.2 Authorized ... 43
7.1.5.3.3 Auth Pend ... 43
7.1.5.3.4 Auth Comp ... 43
7.1.5.3.5 TEK Invalid ... 43
7.1.5.3.6 Timeout ... 43
7.1.5.3.7 TEK Refresh Timeout ... 43
7.1.5.4 Brief Description of Timing Parameters ... 43
7.1.5.4.1 Operational Wait Timeout ... 44
7.1.5.4.2 Rekey Wait Timeout ... 44
7.1.5.4.3 TEK Grace Time ... 44
7.1.5.5 Timers ... 44
7.1.5.5.1 Key Request Retry ... 44
7.1.5.5.2 TEK Refresh ... 44
7.1.5.6 Actions ... 44
7.2 Key Management Message Formats ... 46
7.2.1 Packet Formats ... 46
7.2.1.1 Authorization Request (Auth Request) ... 48
7.2.1.2 Authorization Reply (Auth Reply) ... 48
7.2.1.3 Authorization Reject (Auth Reject) ... 49
7.2.1.4 Key Request ... 49
7.2.1.5 Key Reply ... 50
7.2.1.6 Key Reject ... 50
7.2.1.7 Authorization Invalid ... 51
7.2.1.8 TEK Invalid ... 51
7.2.1.9 Authentication Information (Auth Info) ... 51
7.2.1.10 SA Map Request (MAP Request) ... 52
7.2.1.11 SA Map Reply (Map Reply) ... 52
7.2.1.12 SA Map Reject (Map Reject) ... 52
7.2.2 BPKM Attributes ... 53
7.2.2.1 Serial-Number ... 54
7.2.2.2 Manufacturer-ID ... 54
7.2.2.3 MAC-Address ... 55
7.2.2.4 RSA-Public-Key ... 55
7.2.2.5 CM-Identification ... 55
7.2.2.6 Display-String ... 56
7.2.2.7 Auth-Key ... 56
7.2.2.8 TEK ... 56
7.2.2.9 Key-Lifetime ... 56
7.2.2.10 Key-Sequence-Number ... 57
7.2.2.11 HMAC-Digest ... 57
7.2.2.12 SAID ... 57
7.2.2.13 TEK-Parameters ... 57
7.2.2.14 CBC-IV ... 58
7.2.2.15 Error-Code ... 58
7.2.2.16 Vendor-Defined ... 59
7.2.2.17 CA-Certificate ... 59
7.2.2.18 CM-Certificate ... 60
7.2.2.19 Security-Capabilities ... 60
7.2.2.20 Cryptographic-Suite ... 60
7.2.2.21 Cryptographic-Suite-List ... 61
7.2.2.22 BPI-Version ... 61
7.2.2.23 SA-Descriptor ... 61
7.2.2.24 SA-Type ... 62
7.2.2.25 SA-Query ... 62
7.2.2.26 SA-Query-Type ... 63
7.2.2.27 IPv4-Address ... 63
7.2.2.28 Download-Parameters ... 63
7.2.2.29 CVC-Root-CA-Certificate ... 63
7.2.2.30 CVC-CA-Certificate ... 64
8 Early Authentication and Encryption (EAE) ... 64
8.1 Introduction ... 64
8.2 EAE Signaling ... 64
8.3 EAE Encryption ... 66
8.4 EAE Enforcement ... 66
8.4.1 CMTS and CM behaviours when EAE is Enabled ... 66
8.4.2 EAE enforcement determination ... 67
8.4.2.1 Ranging-Based EAE Enforcement ... 67
8.4.2.2 Capability-Based EAE Enforcement ... 67
8.4.2.3 Total EAE Enforcement ... 67
8.4.3 EAE Enforcement of DHCP Traffic ... 67
8.4.4 CMTS and CM Behaviour when EAE is Disabled ... 67
8.4.5 EAE Exclusion List ... 67
8.4.6 Interoperability issues ... 68
8.5 Authentication Reuse ... 68
8.6 BPI+ Control by Configuration File ... 68
8.6.1 EAE Enabled ... 68
8.6.2 EAE Disabled ... 69
9 Secure Provisioning ... 69
9.1 Introduction ... 69
9.2 Encryption of Provisioning Messages ... 69
9.3 Securing DHCP ... 69
9.3.1 Securing DHCP on the Cable Network Link ... 69
9.3.2 DHCPv6 ... 69
9.4 TFTP Configuration File Security ... 70
9.4.1 Introduction ... 70
9.4.2 CMTS Security Features for Configuration File Download ... 70
9.4.2.1 TFTP Proxy ... 70
9.4.2.2 Protecting TFTP Server Addresses ... 70
9.4.2.3 Configuration File Name Authorization ... 70
9.4.2.4 Configuration File Learning ... 71
9.4.2.5 TFTP Options for CMs MAC and IP Address ... 71
9.5 Securing REG-REQ-MP Messages ... 71
9.6 Source Address Verification ... 71
9.7 Address Resolution Security Considerations ... 73
10 Using Cryptographic Keys ... 74
10.1 CMTS ... 74
10.2 Cable Modem ... 76
10.3 Authentication of Dynamic Service Requests ... 77
10.3.1 CM ... 77
10.3.2 CMTS ... 77
11 Cryptographic Methods ... 77
11.1 Packet Data Encryption ... 77
11.2 Encryption of the TEK ... 78
11.3 HMAC-Digest Algorithm ... 79
11.4 TEKs, KEKs and Message Authentication Keys ... 79
11.5 Public-Key Encryption of Authorization Key ... 79
11.6 Digital Signatures ... 80
11.7 The MMH-MIC ... 80
11.7.1 The MMH Function ... 80
11.7.1.1 MMH16, , 1 ... 80
11.7.1.2 MMH16, , n ... 82
11.7.1.3 MMH16, , 4 ... 82
11.7.1.4 Handling Variable-Size Data ... 82
11.7.2 Definition of MMH-MAC ... 82
11.7.3 Calculating the DOCSIS MMH-MAC ... 83
11.7.4 MMH Key Derivation for CMTS Extended MIC ... 84
11.7.5 Shared Secret Recommendations ... 85
11.7.6 Key Generation Function ... 85
12 Physical Protection of Keys in the CM ... 85
13 BPI+ X.509 Certificate Profile and Management ... 86
13.1 BPI+ Certificate Management Architecture Overview ... 86
13.2 Cable Modem Certificate Storage and Management in the CM ... 88
13.3 Certificate Processing and Management in the CMTS ... 89
13.3.1 CMTS Certificate Management Model ... 89
13.3.2 Certificate Validation ... 89
13.4 Certificate Revocation ... 90
13.4.1 Certificate Revocation Lists ... 90
13.4.1.1 CMTS CRL Support ... 91
13.4.2 Online Certificate Status Protocol ... 91
14 Secure Software Download ... 92
14.1 Introduction ... 92
14.2 Overview ... 92
14.3 Software Code Upgrade Requirements ... 94
14.3.1 Code File Processing Requirements ... 94
14.3.2 Code File Access Controls ... 95
14.3.2.1 Subject Organization Names ... 95
14.3.2.2 Time Varying Controls ... 95
14.3.3 Cable Modem Code Upgrade Initialization ... 95
14.3.3.1 Manufacturer Initialization ... 96
14.3.3.2 Network Initialization ... 96
14.3.3.2.1 Processing the Configuration File CVC ... 97
14.3.3.2.2 Processing the SNMP CVC ... 97
14.3.4 Code Signing Guidelines ... 98
14.3.5 Code Verification Requirements ... 98
14.3.5.1 Cable Modem Code Verification Steps ... 98
14.3.6 DOCSIS Interoperability ... 99
14.3.7 Error Codes ... 99
14.4 Security Considerations (Informative) ... 100
Annex A (normative): TFTP Configuration File Extensions ... 102
A.1 Encodings ... 102
A.1.1 Baseline Privacy Configuration Setting ... 102
A.1.1.1 Internal Baseline Privacy Encodings ... 102
A.1.1.1.1 Authorize Wait Timeout ... 102
A.1.1.1.2 Reauthorize Wait Timeout ... 102
A.1.1.1.3 Authorization Grace Time ... 103
A.1.1.1.4 Operational Wait Timeout ... 103
A.1.1.1.5 Rekey Wait Timeout ... 103
A.1.1.1.6 TEK Grace Time ... 103
A.1.1.1.7 Authorize Reject Wait Timeout ... 103
A.1.1.1.8 SA Map Wait Timeout ... 103
A.1.1.1.9 SA Map Max Retries ... 103
A.2 Parameter Guidelines ... 104
Annex B (normative): TFTP Options ... 105
Annex C (normative): DOCSIS 1.1/2.0 Dynamic Security Associations ... 113
C.1 Introduction ... 113
C.2 Theory of Operation ... 113
C.3 SA Mapping State Model ... 114
C.3.1 Brief Description of States ... 115
C.3.1.1 Start ... 115
C.3.1.2 Map Wait ... 115
C.3.1.3 Mapped ... 115
C.3.2 Brief Description of Messages ... 115
C.3.2.1 Map Request ... 115
C.3.2.2 Map Reply ... 116
C.3.2.3 Map Reject ... 116
C.3.3 Brief Description of Events ... 116
C.3.3.1 Map ... 116
C.3.3.2 Unmap ... 116
C.3.3.3 Map Reply ... 116
C.3.3.4 Map Reject ... 116
C.3.3.5 Timeout ... 116
C.3.3.6 Max Retries ... 116
C.3.3.7 Brief Description of Parameters ... 116
C.3.3.8 SA Map Wait Timeout ... 116
C.3.3.9 SA Map Max Retries ... 116
C.3.4 Actions ... 117
Annex D (normative): BPI/BPI+ Interoperability ... 118
D.1 DOCSIS BPI/BPI+ Interoperability Requirements ... 118
D.2 BPI 40-bit DES Export Mode Considerations ... 119
D.3 System Operation ... 120
D.3.1 CMTS with BPI Capability ... 120
D.3.2 CMTS with BPI+ Capability ... 120
Annex E (informative): Example Messages, Certificates, PDUs and Code File ... 121
E.1 Notation ... 121
E.2 Authentication Info ... 121
E.2.1 CA Certificate details ... 122
E.3 Authorization Request ... 123
E.3.1 CM Certificate details ... 124
E.4 Authorization Reply ... 126
E.4.1 RSA encryption details ... 126
E.4.2 RSA decryption details ... 128
E.4.3 Hashing details ... 129
E.4.3.1 KEK ... 129
E.4.3.2 Message authentication keys ... 129
E.4.3.3 Mask-generation function ... 130
E.5 Key Request ... 130
E.5.1 HMAC digest details ... 131
E.6 Key Reply ... 132
E.6.1 TEK encryption details ... 133
E.6.2 HMAC details ... 134
E.7 Packet PDU encryption (DES) ... 134
E.7.1 CBC only ... 135
E.7.2 CBC with residual block processing ... 135
E.7.3 Runt frame ... 136
E.7.4 40-bit key ... 137
E.8 Encryption of PDU with Payload Header Suppression (DES) ... 138
E.8.1 Downstream ... 138
E.8.2 Upstream ... 139
E.9 Fragmented packet encryption (DES) ... 140
E.10 Packet PDU encryption (AES) ... 141
E.10.1 CBC only ... 141
E.10.2 CBC with residual block processing ... 142
E.10.3 Runt frame ... 143
E.11 Encryption of PDU with Payload Header Suppression (AES) ... 144
E.11.1 Downstream ... 144
E.11.2 Upstream ... 144
E.12 Fragmented packet encryption (AES) ... 145
E.13 Secure Software Download CM Code File ... 147
Annex F (informative): Example of Multilinear Modular Hash (MMH) Algorithm Implementation ... 163
Annex G (informative): Certificate Authority and Provisioning Guidelines ... 171
G.1 Certificate Format and Extensions ... 171
G.1.1 tbsCertificate.validity.notBefore and tbsCertificate.validity.notAfter ... 171
G.1.2 tbsCertificate.serialNumber ... 171
G.1.3 tbsCertificate.signature and signatureAlgorithm ... 172
G.1.4 tbsCertificate.issuer and tbsCertificate.subject ... 172
G.1.4.1 DOCSIS Root CA Certificate ... 172
G.1.4.2 Centralized Mfg CA Certificate ... 172
G.1.4.3 Manufacturer CA Certificate ... 172
G.1.4.4 CM Device Certificate ... 173
G.1.5 tbsCertificate.issuerUniqueID and tbsCertificate.subjectUniqueID ... 174
G.1.6 tbsCertificate.extensions ... 174
G.1.6.1 CM Device Certificates ... 174
G.1.6.2 Manufacturer CA Certificates ... 174
G