OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

OAuth 2.0 and The Internet of ThingsA brief overview of security architecture in the world of IoTJacob Ideskog – Identity Specialist at Twobo Technologies

OAuth 2.0

Actors

Resource Owner (RO) Authorization Server (AS)

ClientResource Server (RS)

Actors

This user

Actors

Wants this app

Actors

To access data HERE

Actors

Resource Owner (RO)

Authorization Server (AS)

Authentication Server

The client requests access to a Resource

Resource Owner (RO)

Client

Resource Server (RS)

The AS requires the RO to authenticate

Resource Owner (RO)

Client

The AS issues the tokens

Resource Owner (RO)

Client

The Client presents the token to the RS

Resource Owner (RO)

Client

The RS validates the Token

Resource Owner (RO)

Access!

Resource Owner (RO)

Client

A note about the access token

Why did that work?

Zoom in

Resource Owner (RO)

Client

Zoom in

Resource Owner (RO)

Client

Resource Owner (RO)

Client

- Everybody must use TLS- We know who we talk to- We use Bearer tokens- We encrypt the communication- Massive trust infrastructure

Constrained environments

Problems

- Battery powered- Mostly or always offline- Limited calculation

capabilities- Attractive target for attack

Protocols

HTTPHTTP/2CoAP

Custom

Protocols

HTTPHTTP/2CoAP

Custom

Security

Example 1

We’re lacking the central point of trust (PKI)

Back to OAuth

Prove who you are

User Authentication Device Authentication

Start as usual

authorization_code = XYZ

Start as usual

authorization_code = XYZ

The user is authenticated

OAuth with Proof of Possession

client_id = device123client_secret = supersecretscope = read_ekgaudience = ekg_device_ABCauthorization_code = XYZ...key = a_shortlived_key

Request access token

Provide ephemeral key

access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id

access_token = 0ddfbmd-dnndjv…

Response with access token

Token is ”bound” to the key_id

The client is authenticated

access_token”start_session”

Authorization Server (AS)access_token

Authorization Server (AS)key

Disconnected devices

Example 2

Disconnected flow

Client Resource Server (RS)

client_id = ekg_device_ABCclient_secret = supersecretscope = read_resultaudience = connected_tube_123token = original_token...key = a_shortlived_key

Disconnected flow

access_token (JWT)

The JWT with a JWE

Header:{ "alg": "RS256", ... }

Body:{ "iss": "issuer.company.com", "sub": "24400320”, "aud": "connected_tube_123", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf": { "jwe": "eyJhbGciOiJSU0...”}

Header:{ "alg": "RSA-OAEP", "enc": "A128CBC-HS256”}

Body:{ ... "kty": "oct", "alg": "HS256", "k": "ZoRSOrFzN_FzUA5XKMYoVHyzf...” ... }

signed encrypted

But with IoT we can use:

CWTCBOR Web Token (CWT)

Pre-provisoned with AS Trust

Disconnected flow

access_token (JWT)

Disconnected flow

1. Validate JWT2. Extract JWE3. Decrypt JWE

Disconnected flow

Summary

• OAuth is all about Trust• OAuth depends on TLS

• With Proof of Posession it can solve IoT

• Constrained environments can be

• Online or offline• Pre-provisioned with Trust• Does not depend on TLS

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Technology

OAuth 2 - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/OAuth2.0from...OAuth 2.0 From scratch What is OAuth 2 •OAuth 2 is an authorization framework that enables applications

Entendiendo oAuth

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

OAuth: Trust Issues

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012

OAuth big picture

OAuth for TeraGrid Gateways - …security.ncsa.illinois.edu/teragrid-oauth/OAuthforTGGateways...OAuth for TeraGrid Gateways Jim Basney Jeff Gaynor

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

Security Analysis on Consumer and Industrial IoT …jin.ece.ufl.edu/papers/ASPDAC16_IOT.pdfSecurity Analysis on Consumer and Industrial IoT Devices Jacob Wurm 1, Khoa Hoang , Orlando

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/draft-ietf-oauth-v2-30.pdf · 2012. 7. 15. · The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30 Abstract The

Twitter oauth

OAuth Tokens

Understanding OAuth 2.0

Security Analysis on Consumer and Industrial IoT Devicesjinyier/papers/ASPDAC16_IOT.pdf · Security Analysis on Consumer and Industrial IoT Devices Jacob Wurm 1, Khoa Hoang , Orlando

Implementing OAuth

Demystifying OAuth

OAuth Passport

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

OAuth you said

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu