Page 1: Authorization for Internet of Things using OAuth 2.0

Authorization for Internet of Things using OAuth 2.0

Samuel Erdtman
Hannes Tschofenig

Page 2

© TechCon 2015

Agenda

- Design Patterns
- Architecture
- Technology Big Picture
- Demo
- Summary

Page 3

Design Patterns

A design pattern is a general reusable solution to a commonly occurring problem. A few design patterns have emerged in the IoT space, as described in RFC 7452 and the recent Internet Society IoT whitepaper.

Page 4

Backend Data Portability

Devices upload data to the cloud operated by a specific vendor. Backend sharing of protected data is done via OAuth-like mechanisms and RESTful APIs.

Examples:
- https://developer.carvoyant.com/page
- http://www.mapmyfitness.com/

Page 5

Device-to-Device Communication

A device talks directly to another device (often a smart phone). Security is based on a direct relationship between the devices (pairing).

Figure: device from Vendor A paired with device from Vendor B. E.g. Bluetooth Smart, Thread.

Page 6

Examples

- Wahoo Heart-Rate Monitor
- Beacons
- Cadence Sensor
- Parrot
- Hearing Aid

Page 7

What if?

- IoT devices need to be accessed by multiple users securely?
- Access rights dynamically change?
- Access rights are fine-grained?
- Number of IoT devices is large?
- Access policies need to be managed centrally?
- Access rights can be delegated?
- System has to be integrated in a larger context (e.g., other, existing identity management infrastructures)?

Page 8

Architecture

Page 9

Figure: architecture diagram with four components: Client, Authorization Server, Resource Server and Device Management Server. The arrows are labelled Request and Response (between Client and Authorization Server, the Response carrying the Token), Token (presented by the Client to the Resource Server) and Client Info (between the Device Management Server and the Authorization Server).

Page 10

Request Example

The figure shows two HMAC-SHA256 protections: one with the AS-RS Key (over the access token issued by the Authorization Server) and one with the PoP Key (over the request sent by the Client to the Resource Server).

Request Access Token (token issued by the Authorization Server, protected with the AS-RS Key):

Head
{ "alg" : "HMAC-SHA256", "exp" : "1300819380", "iv" : "<iv>" }

Body
{ "scope" : "open", "audience" : "door lock foo-bar", "key" : "<encrypted key>" }

Request (from the Client to the Resource Server, protected with the PoP Key):

Head
{ "alg" : "HMAC-SHA256", "token" : "<access token>", "timestamp" : "1300919380" }

Body
{ "action" : "open" }
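The two-key structure on pages 9 and 10, worked end to end as an added example (this is not code from the talk or its demo): the Authorization Server binds a PoP key into an access token and MACs the token with the AS-RS key; the Client presents the token and MACs its request with the PoP key; the Resource Server (the door lock) checks the token, recovers the PoP key, and only then checks the request. The JSON field names follow the slide. Everything else is an assumption made for the example: the dot-separated token encoding, canonical JSON as the MAC input, the timestamp replay window, and the XOR-with-HMAC-pad stand-in for the "encrypted key" field, which a real profile would replace with a standard key wrap or COSE/JWE encryption.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed for this example: the key shared between the Authorization
# Server (AS) and the Resource Server (RS, the door lock). In a deployment it
# is provisioned out of band, e.g. through the Device Management Server.
AS_RS_KEY = hashlib.sha256(b"example as-rs shared key").digest()
AUDIENCE = "door lock foo-bar"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canon(obj) -> bytes:
    """Canonical JSON so that client and RS MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def wrap_key(kek: bytes, iv: bytes, key: bytes) -> bytes:
    """Stand-in for the token's encrypted 'key' field (assumed for the
    example): XOR with a pad derived from the AS-RS key and a fresh iv; the
    same call unwraps. Integrity comes from the outer token MAC. A real
    profile would use a standard key wrap or COSE/JWE encryption instead."""
    pad = hmac.new(kek, iv, hashlib.sha256).digest()
    assert len(key) <= len(pad), "the pad covers at most 32 key bytes"
    return bytes(a ^ b for a, b in zip(key, pad))


def issue_token(kek: bytes, scope: str, audience: str, pop_key: bytes, exp: int) -> str:
    """AS side: bind the PoP key into an access token and protect the whole
    token with HMAC-SHA256 under the AS-RS key (fields as on the slide)."""
    iv = os.urandom(16)
    head = {"alg": "HMAC-SHA256", "exp": exp, "iv": b64u(iv)}
    body = {"scope": scope, "audience": audience, "key": b64u(wrap_key(kek, iv, pop_key))}
    signing_input = b64u(canon(head)) + "." + b64u(canon(body))
    mac = hmac.new(kek, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)


def sign_request(pop_key: bytes, token: str, body: dict, timestamp: int) -> dict:
    """Client side: present the token and prove possession of the PoP key by
    MACing head and body together; the timestamp bounds replay."""
    head = {"alg": "HMAC-SHA256", "token": token, "timestamp": timestamp}
    mac = hmac.new(pop_key, canon(head) + canon(body), hashlib.sha256).digest()
    return {"head": head, "body": body, "mac": b64u(mac)}


def verify_request(kek: bytes, audience: str, request: dict, now: int, max_skew: int = 60) -> dict:
    """RS side: validate the token with the AS-RS key, recover the PoP key,
    then validate the request with it. Returns the authorized body or raises."""
    head, body = request["head"], request["body"]
    h, b, m = head["token"].split(".")
    token_mac = hmac.new(kek, (h + "." + b).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(token_mac, b64u_dec(m)):
        raise PermissionError("token MAC invalid")
    thead, tbody = json.loads(b64u_dec(h)), json.loads(b64u_dec(b))
    if now >= thead["exp"]:
        raise PermissionError("token expired")
    if tbody["audience"] != audience:
        raise PermissionError("token not issued for this resource server")
    if body.get("action") not in tbody["scope"].split():
        raise PermissionError("action not covered by the token's scope")
    if abs(now - head["timestamp"]) > max_skew:
        raise PermissionError("request timestamp outside the replay window")
    pop_key = wrap_key(kek, b64u_dec(thead["iv"]), b64u_dec(tbody["key"]))
    req_mac = hmac.new(pop_key, canon(head) + canon(body), hashlib.sha256).digest()
    if not hmac.compare_digest(req_mac, b64u_dec(request["mac"])):
        raise PermissionError("proof-of-possession MAC invalid")
    return body


def authorized(kek: bytes, audience: str, request: dict, now: int) -> bool:
    """Convenience wrapper: True if the RS would act on the request."""
    try:
        verify_request(kek, audience, request, now)
        return True
    except (PermissionError, KeyError, ValueError, TypeError):
        return False


if __name__ == "__main__":
    pop_key = os.urandom(32)  # constructed PoP key shared between AS and client
    token = issue_token(AS_RS_KEY, "open", AUDIENCE, pop_key, exp=1300819380)
    request = sign_request(pop_key, token, {"action": "open"}, timestamp=1300819300)
    print("door opens:", authorized(AS_RS_KEY, AUDIENCE, request, now=1300819300))
    # A party holding the token but not the PoP key cannot use it.
    forged = sign_request(os.urandom(32), token, {"action": "open"}, timestamp=1300819300)
    print("token without PoP key opens:", authorized(AS_RS_KEY, AUDIENCE, forged, now=1300819300))
```

The ordering in verify_request is deliberate: the token MAC, expiry, audience and scope are all checked under the AS-RS key before the PoP key is unwrapped, so a token that was never issued for this lock never gets a chance to be used, and a stolen token is useless without the PoP key because the request MAC is keyed by it.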

Page 11

Technology Big Picture

Page 13

OAuth WG

Authorization protocol widely used on the Web and on smart phones. Core OAuth 2.0 functionality is specified in RFC 6749. Charter: https://tools.ietf.org/wg/oauth/

Proof of Possession Security Extension:
- Architecture – draft-ietf-oauth-pop-architecture
- Key Distribution – draft-ietf-oauth-pop-key-distribution
- JSON Web Token (JWT) – RFC 7519
- JWT Key Claim – draft-ietf-oauth-proof-of-possession

Browser views allow for a secure browser context inside the native app, now available for Android and iOS (described in draft-wdenniss-oauth-native-apps). Example code is available for Android and iOS.

Page 14

COSE WG

Concise Binary Object Representation (CBOR), RFC 7049, defines an efficient binary encoding based on the JSON data model. CBOR Object Signing and Encryption (COSE) offers security services for CBOR-based structures.

Functions: Signing, Encryption, Key Exchange, and Key Representation

Charter: https://datatracker.ietf.org/wg/cose/charter/

Page 15

OpenID Connect

Builds on OAuth 2.0 and provides support for federated login and the ability to convey authentication information. The organization offers a self-certification program. Work is done in working groups, such as the HEART working group. Main specifications can be found at http://openid.net/developers/specs/ and additional information about the organization at http://openid.net

Page 16

UMA

User Managed Access (UMA) is an OAuth-based protocol designed to give users a unified control point for authorizing who and what can get access to their data and devices. It separates the resource owner from the requesting party. More information is available at: http://kantarainitiative.org/confluence/display/uma/Home

Page 18

FIDO

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and to remedy the problems users face with creating and remembering multiple usernames and passwords.

Specifications at https://fidoalliance.org/specifications
- Universal Second Factor (U2F) protocol
- Universal Authentication Framework (UAF) protocol

More info about the alliance, certification programs and tutorials at https://fidoalliance.org

Page 19

Demo

Page 20

Technologies used in Demo Setup

- OAuth 2.0 & Extensions
  - OAuth 2.0 Proof of Possession
  - OAuth 2.0 IoT profile
  - JSON Web Token (JWT)
- Bluetooth Smart
- ARM mbed
- Android app
- Nordic nRF51-DK

Page 21

Page 22

Summary

- There are ongoing standardization efforts. Help us make the specifications better.
- Technologies and eco-systems can be re-used to solve IoT security challenges.
- Code is available. We are planning to add more to make development easier.