Uploaded by: hannestschofenig
© TechCon 2015 2
Agenda: Design Patterns, Architecture, Technology Big Picture, Demo, Summary
Design Patterns
A design pattern is a general, reusable solution to a commonly occurring problem. A few design patterns have emerged in the IoT space, as described in RFC 7452 and the recent Internet Society IoT whitepaper.
Backend Data Portability
Devices upload data to a cloud operated by a specific vendor. Protected data is shared between backends via OAuth-like mechanisms and RESTful APIs.
Examples: https://developer.carvoyant.com/page and http://www.mapmyfitness.com/
Device-to-Device Communication
A device talks directly to another device (often a smart phone). Security is based on a direct relationship between the devices (pairing). E.g. Bluetooth Smart, Thread.
(Figure: a Vendor A device communicating directly with a Vendor B device.)
Examples: Wahoo Heart-Rate Monitor, Beacons, Cadence Sensor, Parrot, Hearing Aid
What if?
- IoT devices need to be accessed by multiple users securely?
- Access rights change dynamically?
- Access rights are fine-grained?
- The number of IoT devices is large?
- Access policies need to be managed centrally?
- Access rights can be delegated?
- The system has to be integrated into a larger context (e.g., other, existing identity management infrastructures)?
Architecture
(Architecture figure: Client, Authorization Server, Resource Server and Device Management Server; the flows are labelled Request, Response, Token and Client Info.)
Request Example

Request Access Token: the client asks the Authorization Server for a token. The token it receives is protected with HMAC-SHA256 under the AS-RS key:
  Head: { "alg" : "HMAC-SHA256", "exp" : "1300819380", "iv" : "<iv>" }
  Body: { "scope" : "open", "audience" : "door lock foo-bar", "key" : "<encrypted key>" }

Request to the Resource Server, protected with HMAC-SHA256 under the PoP key:
  Head: { "alg" : "HMAC-SHA256", "token" : "<access token>", "timestamp" : "1300919380" }
  Body: { "action" : "open" }
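The two-layer exchange on this slide, as an added example that is not the deck's or the demo's code: the Authorization Server MACs the token with the AS-RS key, the client MACs its request with the PoP key, and the Resource Server checks both before honouring the action. Assumptions of mine, not from the slides: messages are serialized JWS-style as base64url head.body.mac, the "<encrypted key>" is wrapped with an HMAC-keystream XOR as a stand-in for real encryption, and the Resource Server accepts request timestamps within 60 seconds.

```python
import base64, hashlib, hmac, json, os
# base64url without padding (JWS style), and HMAC-SHA256 as named in the slide's "alg"
def b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def mac(key, data): return hmac.new(key, data, hashlib.sha256).digest()

def wrap_key(as_rs_key, iv, pop_key):
    # Stand-in for "<encrypted key>": XOR with an HMAC keystream (assumption, not a real AEAD).
    # XOR is its own inverse, so the same function unwraps on the resource server.
    stream = mac(as_rs_key, b"wrap" + iv)
    return bytes(a ^ b for a, b in zip(pop_key, stream))

def issue_token(as_rs_key, pop_key, scope, audience, exp):
    # Authorization server: head.body.mac, keyed with the AS-RS key (only AS and RS hold it)
    iv = os.urandom(16)
    head = {"alg": "HMAC-SHA256", "exp": exp, "iv": b64(iv)}
    body = {"scope": scope, "audience": audience, "key": b64(wrap_key(as_rs_key, iv, pop_key))}
    signing_input = b64(json.dumps(head).encode()) + "." + b64(json.dumps(body).encode())
    return signing_input + "." + b64(mac(as_rs_key, signing_input.encode()))

def sign_request(pop_key, token, timestamp, body):
    # Client: carries the token and proves possession of the PoP key over head and body
    head = {"alg": "HMAC-SHA256", "token": token, "timestamp": timestamp}
    signing_input = b64(json.dumps(head).encode()) + "." + b64(json.dumps(body).encode())
    return signing_input + "." + b64(mac(pop_key, signing_input.encode()))

def verify_request(as_rs_key, my_audience, now, request, max_skew=60):
    # Resource server: token MAC, expiry and audience first; then unwrap the PoP key and check
    # the request MAC, the timestamp window (replay) and the action against the token scope.
    try:
        rh, rb, rmac = request.split(".")
        head, body = json.loads(unb64(rh)), json.loads(unb64(rb))
        th, tb, tmac = head["token"].split(".")
        if not hmac.compare_digest(mac(as_rs_key, f"{th}.{tb}".encode()), unb64(tmac)):
            return "bad token mac"
        thead, tbody = json.loads(unb64(th)), json.loads(unb64(tb))
        if now >= int(thead["exp"]):
            return "token expired"
        if tbody["audience"] != my_audience:
            return "wrong audience"
        pop_key = wrap_key(as_rs_key, unb64(thead["iv"]), unb64(tbody["key"]))
        if not hmac.compare_digest(mac(pop_key, f"{rh}.{rb}".encode()), unb64(rmac)):
            return "bad pop mac"
        if abs(now - int(head["timestamp"])) > max_skew:
            return "stale request"
        if body.get("action") not in tbody["scope"].split():
            return "out of scope"
        return "ok"
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
```

The order of checks matters on a constrained resource server: the cheap token MAC and expiry checks reject junk before any key unwrapping happens.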
Technology Big Picture
ACE WG
Authentication and Authorization for Constrained Environments (ace) aims to standardize solutions for interoperable security for IoT.
Relevant documents: IoT Use Cases – draft-ietf-ace-usecases; OAuth 2.0 Profile for IoT – draft-seitz-ace-oauth-authz
Charter: http://datatracker.ietf.org/wg/ace/charter/
OAuth WG
Authorization protocol widely used on the Web and on smart phones. Core OAuth 2.0 functionality is specified in RFC 6749. Charter: https://tools.ietf.org/wg/oauth/
Proof of Possession Security Extension: Architecture – draft-ietf-oauth-pop-architecture; Key Distribution – draft-ietf-oauth-pop-key-distribution; JSON Web Token (JWT) – RFC 7519; JWT Key Claim – draft-ietf-oauth-proof-of-possession
Browser views provide a secure browser context inside the native app and are now available for Android and iOS (described in draft-wdenniss-oauth-native-apps). Example code is available for Android and iOS.
COSE WG
Concise Binary Object Representation (CBOR), RFC 7049, defines an efficient binary encoding based on the JSON data model. CBOR Object Signing and Encryption (COSE) offers security services for CBOR-based structures.
Functions: Signing, Encryption, Key Exchange, and Key Representation
Charter: https://datatracker.ietf.org/wg/cose/charter/
OpenID Connect
Builds on OAuth 2.0 and provides support for federated login and the ability to convey authentication information. The organization offers a self-certification program. Work is done in working groups, such as the HEART working group.
Main specifications can be found at http://openid.net/developers/specs/
Additional information about the organization can be found at http://openid.net
UMA
User Managed Access (UMA) is an OAuth-based protocol designed to give users a unified control point for authorizing who and what can get access to their data and devices. It separates the resource owner from the requesting party.
More information available at: http://kantarainitiative.org/confluence/display/uma/Home
OMA LWM2M
Lightweight Machine-to-Machine Communication (LWM2M), http://openmobilealliance.org
Specification available for download at http://technical.openmobilealliance.org/Technical/technical-information/release-program/current-releases/oma-lightweightm2m-v1-0
Functionality: Device management, Key Provisioning, Firmware Updates
FIDO
The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and to remedy the problems users face with creating and remembering multiple usernames and passwords.
Specifications at https://fidoalliance.org/specifications: Universal Second Factor (U2F) protocol; Universal Authentication Framework (UAF) protocol
More info about the alliance, certification programs and tutorials at https://fidoalliance.org
Demo
Technologies used in the Demo Setup: OAuth 2.0 & Extensions (OAuth 2.0 Proof of Possession, OAuth 2.0 IoT profile), JSON Web Token (JWT), Bluetooth Smart, ARM mbed, Android app, Nordic nRF51-DK
Summary
There are ongoing standardization efforts; help us make the specifications better. Technologies and eco-systems can be re-used to solve IoT security challenges. Code is available, and we are planning to add more to make development easier.