Facing the Challenges of M2M Security and Privacy Phil Hawkes Principal Engineer at Qualcomm Inc. onem2m

Similar documents
ONEM2M TECHNICAL SPECIFICATION

ETSI TS V1.0.0 ( )

ETSI TS V2.4.1 ( )

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

onem2m AND SMART M2M INTRODUCTION, RELEASE 2/3

The onem2m standard Horizontal Service Layer

Combining LwM2M and OneM2M

Federated Identity Management and Network Virtualization

CIP Security Phase 1 Secure Transport for EtherNet/IP

onem2m and its role in achieving interoperability in IoT

ETSI standards are enabling a global M2M solution. Enrico Scarrone, ETSI TC M2M Chairman, Telecom Italia 3 ETSI M2M workshop, Mandelieu, France, EU

onem2m - A Common Service Layer for IoT Basic principles and architecture overview

Connecting Securely to the Cloud

Open source onem2m Platforms

3GPP TR V7.0.0 ( )

Security Common Functions Architecture

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

How onem2m fits into the landscape of IoT technologies

M2M INTEROPERABILITY DEMONSTRATIONS

2 - onem2m Common Architecture for IoT

Harvesting IOT data. (Using IP networks) Ericsson 2014

Server-based Certificate Validation Protocol

ETSI TS V6.4.0 ( )

ETSI TS V ( )

ETSI M2M workshop Nov 2013

Certificate Enrollment for the Atlas Platform

ONEM2M TECHNICAL SPECIFICATION

ETSI TS V ( )

onem2m Standards Activities - IoT/M2M Service Layer -

Standards to enable an IoT Eco System

High Level Architecture (HLA)

COOPERATIVE ITS SECURITY STANDARDIZATION AND ACTIVITIES ON EUROPEAN C ITS TRUST MODEL AND POLICY

Status of Machine to Machine Standards work in TC M2M and onem2m. Many thanks to the various contributors from TC M2M

CSE 565 Computer Security Fall 2018

ONEM2M FOR SMART CITIES

ETSI M2M Release 2. Enrico Scarrone, ETSI TC Smart M2M Vice-Chairman, Telecom Italia 4 ETSI M2M workshop, Mandelieu, France, EU

temp heat I/O A/C flow valve pump

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Solutions to Enhance IoT Authentication Using SIM Cards (UICC)

Secure automotive on-board networks

IoT security based on the DPK platform

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

An Overview of the User Services Platform (USP) (Broadband Forum TR-369)

Security Monitoring of LwM2M Protocol

TS-M2M-0003v onem2m Technical Specification Security Solutions

3GPP security hot topics: LTE/SAE and Home (e)nb

SIP Proxy Deployment Guide. SIP Server 8.1.1

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

ETSI TS V ( )

Industrial Internet Connectivity Framework (IICF)

Securing IoT applications with Mbed TLS Hannes Tschofenig

Securing V2X communications with Infineon HSM

Internet of Things (various aspects), applications, challenges, Standards, current status, etc.

to Serve the Internet of Things: the onem2m Initiative

ETSI TR V ( )

ETSI TS V (201

onem2m ADAPTED FOR SMART CITIES ETSI IOT M2M WORKSHOP 2016 NOV 15 TH 2016

Wireless e-business Security. Lothar Vigelandzoon

ETSI TS V ( )

ETSI TS V5.2.0 ( )

Credential Management for Internet of Things Devices

SRA A Strategic Research Agenda for Future Network Technologies

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

onem2m Common Architecture for IoT interoperability

Lightweight Machine to Machine Requirements

Strong Customer Authentication and common and secure communication under PSD2. PSD2 in a nutshell

Securing MQTT. #javaland

Session 3: Lawful Interception

Link Security Considerations in the. Enterprise

onem2m-ts-0008-coap Protocol Binding-V CoAP Protocol Binding Technical Specification

Network Security and Cryptography. December Sample Exam Marking Scheme

ETSI GS MEC 026 V2.1.1 ( )

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Partners: TEST ACTIVITIES. Presented by Sebastian Müller. Project Manager ETSI Centre for Testing and Interoperability. All rights reserved

The Role and Contribution of OMA in Service Delivery Platform Standardization

ETSI TS V (201

Web of Things Architecture and Use Cases. Soumya Kanti Datta, Christian Bonnet Mobile Communications Department

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Deploying DDS on a WAN and the GIG: The DDS Routing Service. Gerardo Pardo-Castellote, Ph.D. The Real-Time Middleware Experts

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Platform Economy and Trustworthiness Standardization

3GPP TSG SA WG3 Security SA3#33 S May 2004 Beijing, China

HOP Ubiquitous Overview

3GPP TS V7.6.0 ( )

Breaking out of the cloud: Local trust management and rendezvous in Named Data Networking of Things

ARM mbed Technical Overview

Olli Jussila Adaptive R&D TeliaSonera

About FIPS, NGE, and AnyConnect

It Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban

Transport Layer Security (TLS) Configuration Note

Secure Lightweight Activation and Lifecycle Management

WAP Security. Helsinki University of Technology S Security of Communication Protocols

PacketCable 2.0. HSS Technical Report PKT-TR-HSS-V RELEASED. Notice

Chapter 8 Information Technology

Configuring SSL Security

Emerging Mobile IoT Technologies: Use Cases, Business and Security Requirements

eidas Interoperability Architecture Version November 2015

Systems Engineering for Software-Defined Network Virtualisation. John Risson, Solutions Engineering Manager IP and Transport Engineering, Telstra

Cisco Wireless LAN Controller Module

onem2m A Common Service Platform for IoT

Transcription:

Facing the Challenges of M2M Security and Privacy Phil Hawkes Principal Engineer at Qualcomm Inc. phawkes@qti.qualcomm.com onem2m www.onem2m.org 1

Overview onem2m Architecture: a quick review Challenges 1. Large variety of scenarios 2. Any device in any deployment 3. A device cannot make autonomous judgment calls on privacy Solutions A. Secure communication B. Remote provisioning C. Access control policies Future Challenges 2

onem2m Architecture: A Quick Review Entities Nodes (=Devices) Common Service Entity (CSE) Application Entity (AE) Interactions: Mca: AE-to-CSE Mcc, Mcc : CSE-to-CSE RESTful For more info see webinar Taking a look inside onem2m AE Field Domain Infrastructure Domain CSE CSE AE CSE CSE CSE AE AE AE AE AE CSE 3

Challenges 1. Large variety of scenarios 2. Any device in any deployment 3. A device cannot make autonomous judgment calls on privacy 4

Challenges 1. Large variety of deployments Assets that need protecting can be unique to a deployment Content confidentiality, content integrity, anonymity, traffic efficiency Environment can be unique to a deployment Does wired or wireless transport layer provide adequate security? Tamper-resistance considerations (Continued on next slide) 2. Any device in any deployment 3. A device cannot make autonomous judgment calls on privacy 5

Challenges 1. Large variety of deployments (continued) Variety of authentication scenarios Pre-shared Key provisioned to both by end-points PKI/Certificates (asymmetric cryptography) Centralized authentication 2. Any device in any deployment 3. A device cannot make autonomous judgment calls on privacy 6

Challenges 1. Large variety of deployment scenarios 2. Any device in any deployment Interoperability: agree on minimal set of cipher suites Credential management a. Provisioning at manufacture b. Human-assisted provisioning during deployment e.g. manual entry, via USB c. Remote provisioning of fielded devices d. Derivation from pre-existing credentials (e.g. transport network) Note: a, b are enabled but not specified by onem2m 3. A device cannot make autonomous judgment calls on privacy 7

Challenges 1. Large variety of scenarios 2. Any device in any deployment 3. A device cannot make autonomous judgment calls on privacy M2M/IoT may expose information about our lives without our awareness Privacy = who can access information about me CSE needs to determine: Should I allow access? Can t ask human to make case-by-case judgment call CSE needs clear rules 8

Challenges & Solutions 1. Large variety of scenarios A. Secure communication various authentication options 2. Any device in any deployment B. Remote provisioning various authentication options 3. A device cannot make judgment calls on privacy C. Access Control Policies expresses wide variety of rules 9

Secure Communication: Example Field Domain Sensor Gateway AE1 CSE1 E-Health Web-application AE2 CSE2 M2M SP s Server Web App Server Infrastructure Domain 10

Secure Communication: 1. AE1 passes sensor reading to CSE1 Example Sensor AE1 CoAP UDP Gateway CSE1 Field Domain AE2 Web App Server CSE2 M2M SP s Server Infrastructure Domain 11

Secure Communication: 1. AE1 passes sensor reading to CSE1 2. CSE1 forwards sensor reading to CSE2 Example Sensor AE1 CoAP UDP Gateway CSE1 HTTP TCP Field Domain AE2 Web App Server CSE2 M2M SP s Server Infrastructure Domain 12

Secure Communication: 1. AE1 passes sensor reading to CSE1 2. CSE1 forwards sensor reading to CSE2 3. AE2 retrieves sensor reading from CSE2 Example Sensor AE1 AE2 Web App Server CoAP UDP HTTP TCP Gateway CSE1 CSE2 Field Domain HTTP TCP M2M SP s Server Infrastructure Domain 13

Secure Communication Hop-by-Hop Transited CSEs see clear text Trusted to behave Sensor AE1 Gateway CSE1 Field Domain AE2 Web App Server CSE2 M2M SP s Server Infrastructure Domain 14

Secure Communication Hop-by-Hop TLS/DTLS v1.2 DTLS if UDP transport Sensor AE1 CoAP DTLS UDP Gateway CSE1 Field Domain AE2 Web App Server CSE2 M2M SP s Server Infrastructure Domain 15

Secure Communication Hop-by-Hop TLS/DTLS v1.2 DTLS if UDP transport Sensor AE1 Gateway CSE1 Field Domain TLS if TCP transport Sometimes write (D)TLS or just TLS for both AE2 CSE2 HTTP TLS TCP M2M SP s Server Web App Server HTTP TLS TCP Infrastructure Domain 16

Secure Communication Hop-by-Hop TLS/DTLS v1.2 AE-CSE Sensor AE1 C S Gateway CSE1 Field Domain AE: TLS Client (C) CSE: TLS Server (S) AE2 C S CSE2 M2M SP s Server Web App Server Infrastructure Domain 17

Secure Communication Hop-by-Hop TLS/DTLS v1.2 AE-CSE AE: TLS Client (C) Sensor AE1 C S Gateway CSE1 C Field Domain CSE: TLS Server (S) CSE-CSE CSE1: TLS Client (C) CSE2: TLS Server (S) AE2 Web App Server C S CSE2 S M2M SP s Server Infrastructure Domain 18

Authentication Options Pre-Shared Key (PSK) TLS Client & Server provisioned with a shared key # Certificate TLS Client & Server both have certificates M2M Authentication Function (MAF) MAF operated by 3 rd Party or M2M Service Provider TLS Client and MAF provisioned with a shared key # MAF assists authentication of TLS Client & Server # This shared key can be remotely provisioned 19

Certificates Somewhat aligned with CoAP Security RFC7252 X.509/PKIX (RFC 5280) RawPublicKey Certificates Contains only X.509 SubjectPublicKeyInfo element Suits less complex deployments & debugging Certificates chaining to a trust anchor. E.g. Device Certificate (e.g. manufacturer issued) M2M SP issued certificate identifying CSE or AE 20

Remote Provisioning Process provisioning a shared key to two entities M2M Enrolment Function (MEF) Assists remote provisioning Operated by 3 rd Party or M2M Service Provider Mechanisms for establishing shared key TLS Client & MEF perform (D)TLS, export shared key PSK Certificates Derived from Network Access credentials Network Access Provider assists in mutual authentication Generic Bootstrapping Architecture (GBA) 3GPP TS 33.220 21

Access Control Requirements onem2m uses a RESTful architecture API: request to perform an operation on a resource Operations: Create, Retrieve, Update, Delete Webinar Taking a look inside onem2m has more info CSEs can t make resource access judgement calls CSE need clear rules dictating, for each resource WHO (which CSEs and AEs) are authorized to access, WHAT operations (see above), and under WHICH circumstances (e.g. time, location of entity) 22

Access Control Policies (ACP) Resources Resource1 links ACP1 contains ACP Rule1 Resource2 Resource3 ACP2 ACP Rule2 Resource4 ACP3 ACP Rule3 Resource access is authorized upon satisfying at least one ACP rule in one of the linked ACPs 23

Access Control Policies (ACP) Resource1 links ACP1 Resources contains with conditions on ACP Rule1 WHO: entities CSE-ID AE-ID Resource2 Resource3 ACP2 ACP Rule2 WHAT: operations Create, Retrieve Update Delete Resource4 ACP3 ACP Rule3 WHICH: circumstances Time, location, IP address ACP rule is satisfied if WHO and WHAT and WHICH are satisfied by requesting entity, requested operation and circumstances 24

onem2m Security Documents TR-0008 Analysis of Security Solutions for the onem2m System http://onem2m.org/images/files/deliverables/onem2m_tr-0008-security-v1_0_0.doc TS-0003 Security Solutions http://onem2m.org/images/files/deliverables/ts-0003-security_solutions-v-2014-08.pdf Latest versions available from ftp://ftp.onem2m.org/work%20programme/wi0007/ 25

Limitations of initial release A minimum deployable solution addressing short term needs Focus: Vertically deployed industrial applications Centralized client-server architectures Most devices have limited number of static connections Deployments are managed by skilled workforce Nodes are trusted to behave Our solutions meet these needs while having a place in future M2M/IoT (consumer) scenarios 26

Future Challenges Decentralization Increasingly complex interactions Sharing Information between deployments Complex authentication and authorization scenarios Confidentiality & integrity concerns Unskilled Consumers managing their Things Technological Challenges: End-to-End (multi-hop) message security Many connections per device Authentication & Authorization mechanisms 27

Conclusion: Challenges & Solutions 1. Large variety of scenarios A. Secure communication various authentication options 2. Any device in any deployment B. Remote provisioning various authentication options 3. A device cannot make judgment calls on privacy C. Access Control Policies expresses wide variety of rules 28

Join us for the next webinar On Management, Abstraction & Semantics by Dr. Yongjing Zhang Standard Research Project Lead at Huawei Technologies Co., Ltd 27 November 2014 at 0700 UTC http://www.onem2m.org/btchannel.cfm 29

Check out the recorded webinars How standardization enables the next internet evolution by Marc Jadoul Strategic Marketing Director, Alcatel-Lucent Taking a look inside by Nicolas Damour Senior Manager for Business and Innovation Development, Sierra Wireless http://www.onem2m.org/btchannel.cfm 30

Join us at the onem2m showcase event OneM2M project partners, rationale and goals OneM2M Service Layer Specification release Showcase demos that demonstrate onem2m live" 9 December 2014, Sophia-Antipolis, France (free of charge, but online registration is required) http://www.onem2m.org/showcase Followed by the ETSI M2M workshop 31

Q & A 32

Backup Slides 33

PSK-Based Authentication Client Server 34

PSK 1. Provision identical PSK, PSK-ID to A, B Client PSK, PSK-ID Server PSK, PSK-ID 35

PSK Client PSK, PSK-ID 2. TLS/DTLS A provides PSK-ID B identifies PSK from PSK-ID Server PSK, PSK-ID 36

PSK Client PSK, PSK-ID Advantages: Simple Concept 2. (D)TLS A provides PSK-ID B identifies PSK from PSK-ID Server Challenges: May need multiple keys provisioned Doesn t scale well PSK, PSK-ID 37

PKI/Certificate-Based Authentication Client Server 38

PKI 1. Provision certificate 1. Provision certificate Client s Cert Client Server Server s Cert 39

PKI 2. Configure trust anchors 2. Configure trust anchors Client s Cert Client s Trust Anchors Client Server Server s Cert Server s Trust Anchors 40

PKI Client s Cert Client s Trust Anchors Client Validate server s cert against client s trust anchors 2. (D)TLS Server Server s Cert Server s Trust Anchors Validate client cert against server s trust anchors 41

MAF Assisted (D)TLS Client (D)TLS Server MAF 42

MAF Assisted 1. Provision symmetric key Km, KmId Km, KmID (D)TLS Client (D)TLS Server Km, KmId MAF 43

MAF Assisted Km, KmID (D)TLS Client Kc, KcId 2. Generate Kc, KcId from Km (D)TLS Server Km, KmId MAF Kc, KcId 44

MAF Assisted (D)TLS Client 3a. (D)TLS: KcId (D)TLS Server MAF Kc, KcId Kc, KcId 45

MAF Assisted (D)TLS Client Kc, KcId 3a. (D)TLS: KcId (D)TLS 3b. KcId Server MAF Kc, KcId 46

MAF Assisted (D)TLS Client Kc, KcId 3a. (D)TLS: KcId (D)TLS 3b. KcId Server Kc, KcId 3c. Kc MAF Kc, KcId 47

MAF Assisted (D)TLS Client Kc, KcId 3a. (D)TLS: KcId (D)TLS 3b. KcId Server (D)TLS w/ Kc Kc, KcId 3b. Kc MAF Kc, KcId 48

Remote Provisioning PArticipants Process provisions a shared key to two entities M2M Enrolment Function (MEF) Assists remote provisioning Operated by 3 rd Party or M2M Service Provider Enrolee Entity requesting to be provisioned Enrolment Target Other entity that will ends up with the shared key 49

Remote Provisioning Enrolee M2M Enrolment Function Enrolment Target 50

Remote Provisioning Enrolee M2M Enrolment Function Mutual Authentication Enrolment Target 51

Remote Provisioning Ke, KeId Enrolee M2M Enrolment Function Ke, KeId Mutual Authentication Generate Ke, KeId Generate Ke, KeId Enrolment Target 52

Remote Provisioning Ke, KeId Enrolee M2M Enrolment Function Ke, KeId Enrolment Target 53

Remote Provisioning Ke, KeId Enrolee M2M Enrolment Function Ke, KeId KeId Enrolment Target 54

Remote Provisioning Ke, KeId + Enrolment Target ID Enrolee M2M Enrolment Function Ke, KeId + Enrolment Target ID Shared Key KeId Shared Key Enrolment Target 55

Remote Provisioning Enrolee M2M Enrolment Function Shared Key KeId Shared Key Shared Key Enrolment Target 56

Remote Provisioning Enrolee M2M Enrolment Function Shared Key Shared Key Enrolment Target 57

Network Access Credentials UE GBA Network Access Credentials Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) TLS Server GBA Bootstrap Server Function (plays role of MEF) 58

Network Access Credentials UE GBA Network Access Credentials Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) TLS Server GBA Bootstrap Server Function (plays role of MEF) 59

Network Access Credentials UE GBA Network Access Credentials Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) B-TID, Ks TLS Server B-TID, Ks GBA Bootstrap Server Function (plays role of MEF) 60

GBA UE Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) B-TID, Ks (D)TLS: B-TID TLS Server B-TID, Ks GBA Bootstrap Server Function (plays role of MEF) 61

GBA UE Network Access Authentication Server (HSS, HLR, AAA) B-TID, Ks B-TID, Ks (hosts TLS Client) (D)TLS: B-TID TLS Server B-TID GBA Bootstrap Server Function (plays role of MEF) 62

GBA UE Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) B-TID, Ks (D)TLS: B-TID Shared Key TLS Server FQDN TLS Server B-TID B-TID, Ks GBA Bootstrap Server Function (plays role of MEF) Shared Key 63

GBA UE Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) (D)TLS: B-TID Shared Key TLS Server Shared Key B-TID Shared Key GBA Bootstrap Server Function (plays role of MEF) Shared Key 64

GBA UE Network Access Authentication Server (HSS, HLR, AAA) (hosts TLS Client) (D)TLS: B-TID Shared Key Continue (D)TLS TLS Server Shared Key GBA Bootstrap Server Function (plays role of MEF) 65

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback