Embed Size (px)
Citation preview
Securing Millions of Devices
Régis Piccand Verisign, Inc.Kai Hudalla Bosch Software Innovations GmbH
What is the Problem?
Photon by particle.io
very little RAM
limited power supply
few MHz only
low bandwidth
must be cheap
out in the field(≠ LAN)
Industrial scale IoT solutions require cheap, small & power efficient sensors & connectivity but still require strong security (authentication, confidentiality, integrity).
Cloud/Data Center
1..[mb]illions 0..n
Securely connecting a dozen of these in your lab is easy. Connecting & managing [mb]illions of these via internet is a challenge.
Lightweight M2M.. is a protocol (stack) from the Open Mobile Alliance specifically designed for managing constrained devices.
UDP SMS
DTLS
CoAP
LW-M2M
Resources
Connectionless communication suitable for low power/bandwidth environments
Datagram TLS for confidentiality and integrity (RFC 6347)
REST like web transfer protocol targeted at constrained environments with small bandwidth (10s of kbit/s) (RFC 7252)
Device management operations/interactions:bootstrap & register device, read/write/execute/observe resource(s)
Management objects (pre-defined & custom):Device, LWM2M Server, Firmware Update, Location, Connectivity Monitoring etc.
Example Object & RequestThe Device object (ID: 3) provides metadata about the device and is mandatory for all LWM2M Clients to implement.
URI format: /{ObjectID}/{InstanceID}/{ResourceID}
Cloud/Data Center
LWM2M Client LWM2M Server
GET /3/0/0
“Particle”
GET /3/0/1
Manufacturer
Device
single instance only
Model Number
“Photon”
Photon by particle.io
Your Solution
Leshan
Eclipse Leshan… provides libraries that help people develop their own Lightweight M2M server and client.
Californium
Pure Java implementation of Datagram TLS supporting PSK, X.509 & RawPublicKey based authentication, ECDHE based key exchange
Pure Java implementation of CoAP over UDP, easy to use API for accessing & implementing resources
Pure Java implementation of LWM2M:- set of JARs (easily embeddable)- fat JAR for running standalone (test) server- OSGi Managed Service implementation- Standard LWM2M Objects + (some) IPSO Smart Objects supported out-of-the-box- Custom Objects supported by means of API & XML files
Scandium
Projects are being developed within the context of the Eclipse IoT Working Group. For more information go to:
The Provisioning Problem
● Devices must know where they should be connecting to (bootstrap server, message broker, cloud service, etc.)
● Hard-coding the configuration is limiting - not every device should connect to the same services, service endpoints can change overtime…
https://mantivities.wordpress.com
● LWM2M provides 4 bootstrapping modes○ 2 hard-coded options, either in flash or smartcard○ 2 dynamic options;
■ either client or server initiates bootstrap process■ bootstrap server writes config data to the device
● How does a device reliably and securely determine the correct endpoint?
Tiaki To The Rescue
● Tiaki is a Secure Service Discovery SDK
● Tiaki allows clients to look up service details (endpoint, port, priority, weight, type) and configuration securely from DNS
● Tiaki is based on the DNS Service Discovery (DNS-SD) and DNS Security Extensions (DNSSEC) IETF Standards
● Tiaki validates signatures to authenticate the origin and integrity of data
● Tiaki is available for C, Java and as a command-line interface
Service Discovery Logical Flow
_services._dns-sd._udp.example.com. PTR _mqtt._tcp.example.com_mqtt._tcp.example.com. PTR eclipse-broker._mqtt._tcp.example.comeclipse-broker._mqtt._tcp.example.com. SRV iot.eclipse.org 1883
eclipse-broker._mqtt._tcp.example.com. TXT "server=Mosquitto" "qos=2“
DNS Security Extensions Logical Flow
How To Use TiakiCommand line$ java -jar iot-discovery-jcli-1.0.jar -i -s mqtt -d example.com
iot.eclipse.org:1883 "server=Mosquitto" "version=1.3.1“
Java SDKDnsServicesDiscovery discoverer = new DnsServicesDiscovery();
Fqdn fullyQualifiedDomainName = new Fqdn("example.com");
CompoundLabel serviceType = new CompoundLabel("mqtt");
Set<ServiceInstance> discoveryResult = discoverer.listServiceInstances(fullyQualifiedDomainName, serviceType);
for (ServiceInstance instance : discoveryResult) {
System.out.println(instance);
}
https://projects.eclipse.org/projects/iot.tiaki
https://github.com/verisign/iot-discovery-jcli | https://github.com/verisign/iot-discovery-services
What you should take away
★ LWM2M is great for managing constrained devices!★ Californium 1.0 release expected for Nov 2015★ Leshan 1.0 release to follow up shortly after★ Tiaki helps with initial provisioning of devices (e.g. LWM2M clients) thanks to
SECURE Service Discovery★ Initial Contribution being processed
Tiaki not (yet) targeted at constrained devices, your help is needed to make that happen!
