Objects - Typepad


Security Framework for IoT
a Plug-and-Play identification & authentication scheme for the Internet of Things
• Thierry Van de Velde, IP & Optical Networks (ION) BG, Packet Core BU
• [email protected]
• 02-06-2016
© Nokia 2016
Introduction
The demand for a new Security Framework for the IoT
• Mobile and Fixed Internet Service Providers need a uniform Security Framework to extend their services from SIM-based or Home-based user equipment to Objects (End Entities) authenticated via X.509 Security Certificates (Cert)
• The Security Framework should allow today's mobile and fixed subscribers to enrol (claim) Objects in a simple, intuitive and ubiquitous way: scanning a QR code printed on the object or inside the package (hidden by a peelable label, since whoever can read the QR code can claim the Object)
• By claiming these Objects, the subscriber gets them attached to their MSISDN/ISDN number and placed in a virtual Home environment (L2/L3/L7); the Objects become portable to any other ISP together with the mobile or fixed subscription
• The Security Framework should allow validating the authenticity of each Object before admitting it to the virtual Home environment: a counterfeit Object shall be rejected because its scanned QR code is not a valid signature over (a hash of) the Factory Certificate made with the Object's private key; a clone that copies the certificate but not the private key cannot produce such a QR code
Authentication, Authorization & Security Framework for the IoT
[Slide 3 is a message-flow diagram between the Connected Object, a Router/NAT, the ePDG, the PGW, a Post-Load Client (PLC), MDM, AAA, SMP, the Operator CMS (RootCA, SubCA and the Registration & Validation Authority, RVA) and the Object Manufacturer (Factory SubCA, FSCA). The recoverable steps, in order:]
• Manufacturing (Object Manufacturer)
- the Factory generates a public-private key pair for each Object
- a manual or CMPv2 cr (Subject, SubjectPublicKeyInfo), protected with an Initial Auth Key (IAK) X, goes to the Factory SubCA, which returns a cp cert response (EncCert)
- the Manufacturer preinstalls the Factory Cert and private key in each Object (packaging as PKCS#12 RFC 7292? SafeContents {(Signed Factory Cert, QR code)} is left as an open question on the slide)
- the Object Cert and a Factory algorithm are used to generate each QR code from each Factory Cert; the QR code is stored at a Private URL
• First connection, using the Factory Cert
- the Post-Load Client (M2M template) raises a Bluetooth Device Detection Alert (Connected Object name) and executes a Bluetooth command (Activate BT 4.2 IPSP) to give the Object IPv6 connectivity
- ePDG discovery by resolving the Factory certificate's IssuerName.epdg.3gppnetworks.org (through the Router/NAT), then ePDG connection establishment
- EAP-TLS authentication with the Factory CertABC, validated via the FSCA Cert'
- the Object sends a CMPv2 cr (cert request) to any URL; the ePDG/PGW redirects any CMPv2 cr to the Operator's CMS RVA
- the RVA demands Proof of Possession of the Factory private key, then generates a Factory Cert for the Object
• Claim
- the QR code scan leads to the Private URL being validated (the PGW enriches the HTTP header with the MSISDN)
- a second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA, returned in a CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey); the CMPv2 exchange uses the IAK and a cr or p10cr (PKCS#10), signed using the CMS SubCA private key
• Subsequent connections, using the Operator Cert
- ePDG discovery via the Operator Certificate's OperatorID.epdg.3gppnetworks.org
- EAP-TLS authentication with the Operator CertXYZ, validated via the CMS SubCA Cert
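The claim check from slides 2 and 3 (the QR code is the hash of the Factory Certificate signed with the Object's private key, and the RVA validates the Factory Cert against the Factory SubCA before admitting the Object) is shown below as an added example in Go; it is not code from the slides or from Nokia. Everything the slides do not fix is assumed here: ECDSA P-256 keys, the Factory SubCA acting directly as the RVA's trust anchor (the slides show a RootCA above it), a QR payload that is just the base64url-encoded ECDSA signature over the certificate DER, and the names NewFactorySubCA, Provision, MakeQR and VerifyClaim.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl for pub with signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewFactorySubCA is the manufacturer's signing CA, self-signed here (assumption: no RootCA above it).
func NewFactorySubCA(org string) (*ecdsa.PrivateKey, *x509.Certificate) {
	k := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org + " Factory SubCA"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return k, issue(tmpl, nil, &k.PublicKey, k)
}

// Provision is the factory step: Object key pair, Factory Cert signed by the Factory SubCA, QR code derived from it.
func Provision(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, serial int64, name string) (*ecdsa.PrivateKey, *x509.Certificate, string) {
	objKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: caCert.Subject.Organization, CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert := issue(tmpl, caCert, &objKey.PublicKey, caKey)
	return objKey, cert, MakeQR(objKey, cert)
}

// MakeQR is the QR payload (format assumed): base64url(ECDSA signature over SHA-256 of the Factory Cert DER).
func MakeQR(objKey *ecdsa.PrivateKey, cert *x509.Certificate) string {
	h := sha256.Sum256(cert.Raw)
	sig, err := ecdsa.SignASN1(rand.Reader, objKey, h[:])
	check(err)
	return base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyClaim is the check behind "counterfeit objects shall be rejected": the presented Factory Cert
// must chain to the trusted Factory SubCA, and the QR code must verify under the key that cert certifies.
func VerifyClaim(trustAnchor, presented *x509.Certificate, qr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("Factory Cert does not chain to the Factory SubCA: %w", err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(qr)
	if err != nil {
		return fmt.Errorf("QR payload is not base64url: %w", err)
	}
	if presented.CheckSignature(x509.ECDSAWithSHA256, presented.Raw, sig) != nil {
		return fmt.Errorf("QR code is not the Object's signature over its Factory Cert: reject as counterfeit")
	}
	return nil
}

func main() {
	caKey, caCert := NewFactorySubCA("ACME")
	_, objCert, qr := Provision(caKey, caCert, 1001, "object-0001")
	fmt.Println("genuine Object:", VerifyClaim(caCert, objCert, qr))
	fmt.Println("cloned cert, wrong key:", VerifyClaim(caCert, objCert, MakeQR(newKey(), objCert))) // counterfeit
}
```

The chain check comes first on purpose: the signature check alone would accept a counterfeiter who mints its own CA, certificate and matching key, so the RVA must pin the Factory SubCA (or the RootCA above it) before it trusts the key inside the presented certificate.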
This new Security Framework for IoT is original, scalable and superior to SIMs
• SIM cards can be inserted in counterfeit objects, which may then attack or spy on other objects in the virtual Home (vHome) to which they get connected
• The new Security Framework for IoT is access-agnostic: each new Object must be claimed via another, pre-authenticated Object (a smartphone or tablet with a QR scanner), but it may access the ePDG via any technology (Bluetooth, Wi-Fi, etc.)
• By convention the Objects should:
- discover their ePDG or VPN gateway by submitting the manufacturer or operator name carried in their Certificate (the Subject name on this slide, the Issuer name in the flow on slide 3) to public DNS
  • format: ManufacturerOrOperator.epdg.3gppnetworks.org
- thereafter issue a CMPv2 Certificate Request as long as the Factory Certificate is being used to access the ePDG/PGW
  • the PGW should block all other traffic except CMPv2 or DNS while the Factory Certificate is in use
  • the Operator Certificate is then installed by the Registration & Validation Authority (Plug & Play)
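The CMPv2 step on this slide (a Certificate Request issued while the Factory Certificate is in use, answered by the Registration & Validation Authority after it has demanded Proof of Possession, slide 3) is illustrated below with an added Go example of the p10cr (PKCS#10) variant; it is not code from the slides or from Nokia. Assumptions: the Object submits the request over the session it authenticated with its Factory Cert via EAP-TLS, and the RVA binds the request to that session by comparing the PKCS#10 subject CN with the Factory Cert's subject CN (a design choice made here, not stated on the slides); NewP10CR, CheckP10CR and Tamper are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// NewP10CR is the Object side of a p10cr: a PKCS#10 request for the Object's public key, self-signed
// with the matching private key (the Factory key or a freshly generated one).
func NewP10CR(key *ecdsa.PrivateKey, commonName string) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

// CheckP10CR is what the RVA does before the CMS SubCA signs an Operator Cert:
//  1. parse the PKCS#10 request;
//  2. check its self-signature, i.e. Proof of Possession of the private key being certified;
//  3. bind the request to the identity the Object proved over EAP-TLS (assumed: the Factory Cert's
//     subject CN), so one authenticated Object cannot obtain an Operator Cert in another Object's name.
func CheckP10CR(csrDER []byte, authenticatedCN string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed p10cr: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != authenticatedCN {
		return nil, errors.New("p10cr subject does not match the identity authenticated via EAP-TLS")
	}
	return csr, nil
}

// Tamper flips the last byte of a DER request; that byte lies in the signature value, so PoP must fail.
func Tamper(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0xff
	return out
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	good := NewP10CR(key, "object-0001")
	_, err = CheckP10CR(good, "object-0001")
	fmt.Println("genuine p10cr:", err)
	_, err = CheckP10CR(Tamper(good), "object-0001")
	fmt.Println("tampered signature:", err)
	_, err = CheckP10CR(NewP10CR(key, "object-0002"), "object-0001")
	fmt.Println("request in another Object's name:", err)
}
```

CheckSignature is the Proof of Possession: it verifies the request's self-signature with the public key carried inside the request, so the sender must hold the matching private key. The subject comparison is the part that is easy to forget; without it any Object that passed EAP-TLS could request an Operator Cert for a different name. For the cr (CRMF) form of the request the same proof travels in the CRMF ProofOfPossession field (RFC 4211) instead of a PKCS#10 self-signature.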
The ultra-connected home
Challenges with existing residential service model
[Slide 5 shows a floor plan (bedroom, bathroom, home office, den, living room, hall) with phone, tablet, laptop, smartphone, health monitoring, gaming console, IPTV, home utility management and home security devices behind one home router (IP: 192.168.4.x).]
• Consumer viewpoint
- Exposed to increasing home network complexity
- Full visibility on home networking issues, but lacking tools and skills to troubleshoot issues
- No means to control or review device usage policies
- ✕ Paying for service but lacking the experience
• Service provider viewpoint
- Home network is "hidden" behind a single IP
- No visibility on home networking issues: poor in-home wiring or Wi-Fi reachability issues, in-home routing or device connectivity issues
- ✕ Delivering the service but lacking in support
Virtualized Residential Gateway architecture
Reducing complexity by moving selected RGW functionality into the network…
[Slide 6 is an architecture diagram: a Bridged RGW and Home Agent in the home, then Access, Aggregation and Service Edge with the vRGW, Radius and Home Device Management (TR-069, data collection), with Helpdesk, User Cloud and Analytics dashboards on top. Software noted as SROS 14R1 (Beta quality) and 14R3 (GA).]
…and extending the home network with network-centric and cloud-based service capabilities
Authentication, Authorization & Security Framework for Bridged Residential GW
[Slide 7 is the same message-flow diagram for a fixed-line home: Connected Object, Bridged Residential GW (BRG), vRGW, MNO, PGW, AAA, the Operator CMS (RootCA, SubCA, RVA) and the Object Manufacturer (Factory SubCA). The manufacturing steps (Factory generates the key pair; manual or CMPv2 cr (Subject, SubjectPublicKeyInfo) with Initial Auth Key X; cp cert response (EncCert); Factory Cert and private key preinstalled in each Object; QR code generated from each Factory Cert with the Object Cert and the Factory algorithm and stored at a Private URL; PKCS#12 RFC 7292? SafeContents {(Signed Factory Cert, QR code)}) are as on slide 3. Recoverable access steps:]
• First connection, using the Factory Cert: EAPOL on the BRG, EAP-TLS over RADIUS (Factory CertABC) validated via the FSCA Cert', DHCP Discover, Offer, Request, Ack; the Object is placed in quarantine
• The Object sends a CMPv2 cr (cert request) to any URL; the ePDG/PGW redirects any CMPv2 cr to the Operator's CMS RVA, which demands Proof of Possession of the Factory private key, then generates a Factory Cert for the Object
• Claim: the QR code scan leads to the Private URL being validated (the MNO can enrich the HTTP header with the MSISDN); a second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA, returned in a CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey) (CMPv2 using IAK, cr or p10cr (PKCS#10), signed using the CMS SubCA private key)
• Subsequent connections, using the Operator Cert: EAPOL, EAP-TLS over RADIUS (Operator CertXYZ) validated via the CMS SubCA Cert, DHCP Discover, Offer, Request, Ack; the Object is connected to the virtual Home
5G for people and things
Expanding the human possibilities of technology
[Slide 8 groups the benefits by Individual, Public, Society and Economy:]
• Give back 2hrs/day… never be in a rush
• Everyone is an innovator: easier and faster to innovate
• Towards zero road fatalities, > half a million lives saved
• Zero loss water distribution
• Healthier people with connected wearables, remote medics
• Never lost: always find an address, always on time
• Less transport costs and fuel consumption
• 50% higher industry productivity by connected cyber physical systems
• Safer in connected homes
2017 : Cloudification / Hyperscale / DevOps
Separation of virtualised control plane and virtualised or physical user planes (NPU)
[Slide 9 is an architecture diagram: on the access side Macro RAN, Small Cells, vRAN, 2G, 3G, Airscale Wi-Fi and Fixed Broadband serving 5G eMBB, 5G mMTC, 5G cMTC, LTE-M, NB LTE-M and EC-GSM; a virtualised control plane with NetAct, VNFM, SDM, AAA, SDL, cWLC, cMM, cMG, vSR, VSP and VNFs; user planes with MG-UP (AGW), SR-UP and a physical EPC, PE/IAR over IP/MPLS towards DataCenter Edge / SSG, Internet, IMS and Enterprise; a Service Capability Exposure Framework with a REST API, Analytics, and Virtualised Service Functions (video optimisation, caching, …).]
• PE/IAR : 7950 XRS Provider Edge / Internet Access Router
• SeGW : 7750 SR Security Gateway (IPSec)
• WLAN GW : 7750 SR Trusted WLAN Access GW & Proxy
• BNG : 7750 SR Broadband Network Gateway
• cFNS : cloud Flexi Network Server (MME/SGSN)
• cWLC : cloud WireLess Controller (for Wi-Fi)
• SDL : Nokia Shared Data Layer
• SDM : Subscriber Data Manager (HLR/HSS/AuC)
• vMG : virtualised Mobile Gateway (SPGW, ePDG, TDF/SFC)
• vSR : virtualised Service Router (PE, vBNG, vWLGW)
• VSP : Nuage Virtualised Services Platform (SDN)
• VNFM : Virtualised Network Function Manager
• vRAN : virtualised RAN (BBU)
• eMBB : enhanced Mobile BroadBand
• mMTC : massive Machine Type Communications
• cMTC : critical Machine Type Communications
Overview of the IoT market
The devices' perspective
Internet of Things : Communication without Human Intervention
30 Bn Objects by 2025 (Machina Research 2015)
[Slide 10 is a diagram of three attachment models against long-range and short-range access technologies, annotated "Potentially 20 Bn Objects could move in here!".]
• Directly Attached 3GPP IoT: the 3GPP UE (DCE) is controlled by the Object (DTE) through AT commands; long-range 3GPP access: NB CIoT, NB LTE-M, LTE-M, EC-GSM, 5G mMTC, 5G cMTC; 3 Bn Objects by 2025
• Indirectly Attached 3GPP IoT: a 3GPP UE (LTE, LTE-A, 5G eMBB, 802.11 Wi-Fi; 3 Bn 3GPP User Equipment by 2020) is used as routed or bridged GW or NAT by a non-3GPP Object; short-range access: Bluetooth Low Energy, 802.3 Ethernet, Zigbee, ZWave, 802.11ah HaLow, …
• Non-3GPP IoT: no 3GPP RAN at all between the Object and the PDN; Low Power Wide Area (LPWA): LoRa, Sigfox, 6LPWAN; 4 Bn Objects by 2025
Another classification of these access technologies
Licensed and Unlicensed spectrum; delay tolerance; authentication
[Slide 11 places the access technologies in four quadrants, Licensed vs Unlicensed spectrum against Delay Sensitive vs Delay Tolerant traffic, and marks the Nokia MN preference. Recoverable notes:]
• Licensed spectrum: LTE, LTE-A, 5G eMBB, 5G cMTC, LTE-M, NB LTE-M, NB-IoT, EC-GSM, 5G mMTC
- 3GPP R12/R13 eMTC Cat-0 → "Cat-1.4MHz": 1.4 MHz or shared, 6 PRB, <1 Mbps, PSM → eDRX
- 3GPP R13: 200 KHz dedicated
- 3GPP R14 eMTC LTE-M "Cat-200KHz": 200 KHz or shared, 1 PRB, <150 Kbps
- 3GPP R13 EDGE: 2.4 MHz or shared, 10 Kbps in GERAN
• Unlicensed spectrum: 802.11 b/g/n, 802.11 a/n/ac/ax, HaLow, Bluetooth Low Energy, 6LPWAN, LoRa, Sigfox
• Authentication noted on the slide: EAP/NAS? tbd, 802.1x EAP, 802.11i WPA2, DHCP
• Device states: Connected, Idle, PSM
• Supports Open Interconnect Consortium CRUDN API to oic://org/object?query
Specific types of UE to be expected…
In the four quadrants
[Slide 12 repeats the empty four-quadrant grid (Licensed / Unlicensed spectrum against Delay Tolerant / Delay Sensitive traffic) with no further text.]
A dilemma for the IoT Operator
Connect Things to IP networks (VPNs)? or make them actionable through APIs?
[Slide 13 contrasts an IP Service Provider model with an Applications Ecosystem. Labels shown: AAA, RBAC, storage of reported data (DB), Mobility Manager, SCEF/AS resource, PDN, IP VPN, UE and RAN, UE with IP@, MAC@ or host EUI64 address, Gateway UE with IP@, CS, NS.]
• AS : LoRa Application Server
• NS : LoRa Network Server
• CS : Customer Server
Authentication, Authorization & Security Framework in 5G
[Slide 14 is the same message-flow diagram for 5G: 5G UE, 5G RAN, AGC, AGW, AAA, HSS, the Operator CMS (RootCA, SubCA, RVA), PLC and the Object Manufacturer (Factory SubCA). The manufacturing steps are as on slide 3 (Factory generates the key pair; manual or CMPv2 cr (Subject, SubjectPublicKeyInfo) with Initial Auth Key X; cp cert response (certifiedKeyPair(EncCert, privateKey)); Factory Cert and private key preinstalled in each Object; PKCS#12 RFC 7292? SafeContents {(Signed Factory Cert, QR code)}), except that here the Object private key and the Factory algorithm are used to generate each QR code from each Cert, stored at a Private URL. Recoverable access steps:]
• 5G-Uu: Connection or Contention; AGW connection establishment (PDCP-HL); F1-C: EAP over NAS; F6: EAP; SWx auth towards the HSS
• EAP-TLS (Factory CertABC) validated via the FSCA Cert'; the Object connects to a bridged context (vHome) over F1-U: L2oGRE (Bridge L2)
• The Object sends a CMPv2 cr (cert request) to any URL; the AGW redirects any CMPv2 cr to the Operator's CMS RVA, which demands Proof of Possession (PoP) of the Factory private key, then generates a public-private key pair
• Claim: the QR code scan leads to the Private URL being validated; a second Cert is generated by the Operator's CMS RVA and signed by the CMS SubCA (CMPv2 using IAK, cr or p10cr (PKCS#10), signed using the CMS SubCA private key), returned in a CMPv2 cp (cert response) with certifiedKeyPair (Operator Cert, privateKey)
• Subsequent connections: ePDG discovery via the Operator Certificate's OperatorID.epdg.3gppnetworks.org, EAP-TLS auth (Operator CertXYZ) validated via the CMS SubCA Cert
Qualcomm UE <> Whispernet integration for MuLTEfire MWC'16 demo
Covers the Authentication protocol extensions (EAP)
[Diagram: Qualcomm UE, MLF eNB, EAP-AKA' LTE emulator and App Server.]
• Use case: Offload MNO traffic to a Neutral Host MuLTEfire network
• Flow: a UE with an MNO SIM attaches to the Neutral Host MuLTEfire network and is authenticated with the MNO AAA
• Protocol: LTE NAS modified to add EAP (EAP-AKA' is the version actually used)
• Evolution: Neutral Host retail scenario (e.g. Private LTE). The only difference is certificate authentication (EAP-TLS; only a configuration change for Nokia)
Press release & video: Link
Similar Example
IBM teams with TI on 'silicon tokens' to authenticate the Internet of Things
• IBM has announced a new cloud-based 'silicon token' authentication service to manage the identity of embedded devices from cradle to grave.
• IBM says it's working with Texas Instruments to create a Secure Registry Service for IoT devices: an authentication service for silicon embedded in devices and other systems.
• The service will be hosted in IBM's cloud, and will rely on a silicon token that will help securely manage the identity of devices. It will also facilitate the transmission of data from IoT sensors in the field back to its cloud.
• http://www.zdnet.com/article/ibm-teams-with-texas-instruments-to-authenticate-the-internet-of-things/
Copyright and confidentiality
The contents of this document are proprietary and confidential property of Nokia. This document is provided subject to confidentiality obligations of the applicable agreement(s).
This document is intended for use of Nokia's customers and collaborators only for the purpose for which this document is submitted by Nokia. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Feedback on the contents of this document, Nokia may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia product, technology, service, specification or other documentation.
Nokia operates a policy of ongoing development. Nokia reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice.
The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. NOKIA SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document.
This document and the product(s) it describes are protected by copyright according to the applicable laws.
Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.