UPnP Security

Vic Lortz

Chair, Security WC

Intel Corporation

UPnP Today UPnP is about empowering ordinary

people automatic networking no need for technical expertise convenient, “it just works” presumes a secure network

The Universe Is Getting Bigger (and More Dangerous)

Wireless, apartments, dorms, hotels, enterprise networks…

Remote access

Hackers

Viruses

Hacked users don’t feel empowered!Hacked users don’t feel empowered!

Scenarios and requirements defined early 2001

Security Working Committee established August, 2001

Version 0.9 completed December, 2002 Review/reconsideration of specs early-mid

2003 (see next slide) Process is back on track, Steering

Committee vote is underway

What’s Missing: Security

Current Status In April ’03, Steering Committee directed

UPnP Security WC to investigate closer alignment with WS-Security

After extensive meetings and much debate… Conclusion: the UPnP Security design is

substantially aligned with WS-Security, but not identical (interop will require proxies). Majority of WC felt any benefits of closer alignment were outweighed by costs (complexity, schedule)

WC decided to retain original design with the following changes/improvements: Changed to use standard canonicalization method Clarifications in processing model were made Additional documentation (ceremonies white

paper), formalized schema of XML data structures

Current Status (2)

Draft specifications were made public in August ’03 to solicit wider review by security community

Updates have been made to sample implementations, certification test tool Sample implementations by: Atinav, Intel, LGE,

Siemens(2), Sony

Specs are in process of Steering Committee vote (voting period ends 11/14/03)

DeviceSecurity – service implemented by most secure devices

SecurityConsole – service for device with UI for configuring security of other devices, discovery of control points, and storage of certificates

Spec documents

Brief Technical Intro

User Experience

User takes ownership of devices using a Security Console (SC). Control points advertise their security IDs to the SC.

SC allows user to grant permissions on owned devices to control points (permissions are device-specific abstractions)

Granted permissions are stored in device Access Control Lists (ACLs) and/or authorization certificates

Only authorized control points can use secure devices

Crypto Strategy and Summary UPnP Security is applied at the SOAP

message layer (like WS-Security)

Device and control point identities are established using public keys (RSA)

Symmetric session keys exchanged via public keys are used for routine operations (with HMAC-SHA1 for message signing and AES for privacy)

Initial ownership/trust bootstrapping is obtained using a shared secret discovered through an out-of-band mechanism (like a label)

DevSC

Select & name

Security ID

Password

SSDP

Security ID

Password

TakeOwnership

GetPublicKeys

G L S B

Take Ownership Ceremony

Note: (Security ID is cryptographic hash of public key)Note: (Security ID is cryptographic hash of public key)

Control Point Discovery

CPSC

Select & name

Security ID

SSDP

Security ID

PresentKey

Once names are given, the user no longer deals with Security IDsOnce names are given, the user no longer deals with Security IDs

ACLs and Certificates User edits access control lists (ACL) of

owned devices using SecurityConsole

ACL Entries contain: Subject (Security ID of control point or group) Authorization (permission) May-not-delegate (control over delegation rights) Validity (expiration time of permission)

Certificates include the above plus: Issuer’s Security ID Device’s Security ID

Access Control Model

Signed?

Good?

Verifysignature

Set sender= unknown

Auth’d?

Verifyauthorization

Action 1 Action 2 DAEFail . . .

N

Y

Y

N

N

Y

Resources http://upnp.org/members/45day.asp

http://xml.coverpages.org/ni2003-08-22-a.html

For the interconnected lifestyle