OAuth 2.0 and The Internet of Things
A brief overview of security architecture in the world of IoT
Jacob Ideskog, Identity Specialist at Twobo Technologies
Copyright © 2016 Twobo Technologies AB. All rights reserved
OAuth 2.0
OAuth
Actors
- Resource Owner (RO)
- Client
- Authorization Server (AS)
- Resource Server (RS)
- Authentication Server
This user (the RO) wants this app (the Client) to access data HERE (on the RS).
1. The Client requests access to a Resource.
2. The AS requires the RO to authenticate.
3. The AS issues the tokens.
4. The Client presents the token to the RS.
5. The RS validates the token.
6. Access!
A note about the access token
Why did that work?
TLS
Zoom in
- Everybody must use TLS
- We know who we talk to
- We use Bearer tokens
- We encrypt the communication
- Massive trust infrastructure
Constrained environments
Problems
- Battery powered
- Mostly or always offline
- Limited calculation capabilities
- Attractive target for attack
Protocols
- XMPP
- HTTP
- HTTP/2
- CoAP
- Custom
Security
Example 1
We're lacking the central point of trust (PKI)
Back to OAuth
Authorization Server (AS)
Prove who you are
- User Authentication
- Device Authentication
Start as usual
The RO authenticates with the Authorization Server (AS) and its Authentication Server, and the Client receives:
authorization_code = XYZ
The user is authenticated
OAuth with Proof of Possession
Request access token, and provide an ephemeral key:
client_id = device123
client_secret = supersecret
scope = read_ekg
audience = ekg_device_ABC
authorization_code = XYZ
...
key = a_shortlived_key
Response with access token:
access_token = 0ddfbmd-dnndjv…
Token is "bound" to the key_id
The client is authenticated
Using the bound token:
access_token, "start_session"
access_token
key
OK
Disconnected devices
Example 2
Disconnected flow
The Client requests a token from the Authorization Server (AS) for the Resource Server (RS):
client_id = ekg_device_ABC
client_secret = supersecret
scope = read_result
audience = connected_tube_123
token = original_token
...
key = a_shortlived_key
The AS responds with an access_token (JWT).
The JWT with a JWE
Signed JWT:
Header: { "alg": "RS256", ... }
Body: { "iss": "issuer.company.com", "sub": "24400320", "aud": "connected_tube_123", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf": { "jwe": "eyJhbGciOiJSU0..." } }
Encrypted JWE carried in cnf:
Header: { "alg": "RSA-OAEP", "enc": "A128CBC-HS256" }
Body: { ... "kty": "oct", "alg": "HS256", "k": "ZoRSOrFzN_FzUA5XKMYoVHyzf..." ... }
But with IoT we can use:
CBOR Web Token (CWT)
Pre-provisioned with AS Trust
The Resource Server (RS) is pre-provisioned with trust in the Authorization Server (AS).
Disconnected flow
The Client presents the access_token (JWT) to the RS, which:
1. Validate JWT
2. Extract JWE
3. Decrypt JWE
OK
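The following is an added example, not code from the talk or from Twobo Technologies, showing what the proof-of-possession binding and the disconnected flow above amount to on the Resource Server side: validate the token offline using pre-provisioned trust in the AS, pull the bound key out of the cnf claim, and only then accept a request whose proof was made with that key. It uses only the Python standard library, so it makes two assumptions that are not on the slides: the AS and RS share a pre-provisioned secret (AS_RS_SECRET) and the JWT is signed with HS256 instead of RS256, and the bound key is carried in cnf as a plain JWK rather than the JWE shown in the talk, because the standard library has no JWE decryption. All keys, identifiers and the challenge are constructed.

```python
# Added example: proof-of-possession check for the disconnected flow.
# Assumptions (not from the slides): HS256 with a pre-provisioned AS/RS secret
# stands in for RS256; the bound key travels in cnf as a plain "jwk" instead of
# the "jwe" of the talk. Every key and identifier below is constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time

AS_RS_SECRET = b"pre-provisioned-trust-between-as-and-rs"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pop_token(audience: str, pop_key: bytes, now: int) -> str:
    """AS side: issue an HS256 JWT whose cnf claim binds it to pop_key."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = {
        "iss": "issuer.company.com",
        "sub": "ekg_device_ABC",
        "aud": audience,
        "iat": now,
        "exp": now + 1000,
        "cnf": {"jwk": {"kty": "oct", "alg": "HS256", "k": b64url(pop_key)}},
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(body))
    sig = hmac.new(AS_RS_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, audience: str, now: int) -> dict:
    """RS side, step 1: validate signature and claims with no call to the AS."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # accept only the algorithm we were provisioned for
        raise ValueError("unexpected alg")
    expected = hmac.new(AS_RS_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    body = json.loads(b64url_decode(p))
    if body.get("aud") != audience:
        raise ValueError("wrong audience")
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return body


def extract_pop_key(body: dict) -> bytes:
    """RS side, steps 2 and 3: take the bound key out of cnf (JWE decryption in the talk)."""
    jwk = body["cnf"]["jwk"]
    if jwk.get("kty") != "oct":
        raise ValueError("unsupported cnf key type")
    return b64url_decode(jwk["k"])


def client_proof(pop_key: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession by MACing the RS challenge with the bound key."""
    return hmac.new(pop_key, challenge, hashlib.sha256).digest()


def rs_accept(token: str, challenge: bytes, proof: bytes, audience: str, now: int) -> bool:
    """RS side, full check. Any failure yields False; the reason is not leaked to the caller."""
    try:
        body = verify_jwt(token, audience, now)
        key = extract_pop_key(body)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(client_proof(key, challenge), proof)


def demo() -> tuple:
    """Honest device versus a party that only captured the token (bearer-style theft)."""
    now = int(time.time())
    aud = "connected_tube_123"
    device_key = secrets.token_bytes(32)  # the short-lived key the device gave the AS
    token = issue_pop_token(aud, device_key, now)
    challenge = secrets.token_bytes(16)  # fresh per request, chosen by the RS
    honest = rs_accept(token, challenge, client_proof(device_key, challenge), aud, now)
    thief_key = secrets.token_bytes(32)  # captured token, but not the bound key
    replay = rs_accept(token, challenge, client_proof(thief_key, challenge), aud, now)
    return honest, replay


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of `demo()` is the contrast with the bearer-token slide: with a plain bearer token the second call would succeed, because the RS has nothing beyond the token to check. With a bound token the RS never needs to reach the AS, which is what makes the flow usable offline, but it does need to keep `AS_RS_SECRET` (or, with RS256 as in the talk, the AS public key) provisioned and to pin the accepted `alg`.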
Summary
• OAuth is all about Trust
• OAuth depends on TLS
• With Proof of Possession it can solve IoT
• Constrained environments can be
  • Online or offline
  • Pre-provisioned with Trust
  • Does not depend on TLS