Identity for IoT: An Authentication Framework for the IoT
AN AUTHENTICATION FRAMEWORK FOR THE IOT
John Bradley
Copyright © 2014 Ping Identity Corp. All rights reserved. 1
Premise
• The full promise of the Internet of Things (IoT) can only be realized if the many and varied interactions between users, things, cloud services and applications can be authenticated.
• User delegated consent will be necessary for any scenario where potentially privacy sensitive data is collected and transferred (wearables, home automation, health, etc).
• OAuth 2.0 and OpenID Connect 1.0 are two authentication and authorization standards that promise to serve as important tools for the IoT's authentication and authorization requirements.
Who are the actors
• Things/devices
• Users
• Applications
• Clouds
• Gateways
All of which need to be authenticated
Authentication & Authorization Model
• IoT Actors authenticate by presenting security tokens on their calls/messages to each other
• Tokens represent the relationship between the relevant user and the calling actor (and any consents/permissions associated with that relationship)
• Upon receiving a message, an actor validates the token to verify the request is consistent with the relationship/permissions
• If consent is removed, token is revoked, and access disabled
• OAuth 2.0 & OpenID Connect 1.0 are two authentication & authorization frameworks that enable this model
OAuth 2.0
• OAuth 2.0 is an IETF standard authentication & authorization framework for securing application access to RESTful APIs
• OAuth allows a Client (an application that desires information) to send an API query to a Resource Server (RS), the application hosting the desired information, such that the RS can authenticate that the message was indeed sent by the Client.
• The Client authenticates to the RS through the inclusion of an access token on its API call—a token previously provided to the Client by an Authorization Server (AS).
• In those scenarios that the API in question protects access to a User’s identity attributes, it may be the case that the access token will only be issued by the AS after the User has explicitly given consent to the Client accessing those attributes.
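The token model on these two slides (consent before issuance, a token that stands for a user-client relationship and its permissions, validation by the Resource Server on every call, and revocation when consent is withdrawn) can be seen end to end in the following worked example. It is added here and is not code from the slides, from Fitbit or from Ping Identity: the Authorization Server and Resource Server are constructed in-memory stand-ins, the scope name `weight:read`, the client id `trendweight`, the user `alice` and the weight records are all assumptions, and the Resource Server checks tokens by calling the AS directly rather than over the network.

```python
import secrets
from dataclasses import dataclass

# Constructed, in-memory models of an Authorization Server (AS) and a Resource Server (RS).
# Names, scopes and data are illustrative assumptions, not Fitbit's or Ping Identity's code.


@dataclass
class Grant:
    """What an opaque access token stands for: the user-client relationship and its permissions."""
    user: str
    client_id: str
    scopes: frozenset
    expires_at: int        # seconds; compared against a clock passed in by the caller
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, ttl_seconds: int = 3600):
        self._grants = {}          # opaque token string -> Grant
        self._ttl = ttl_seconds

    def issue_token(self, user: str, client_id: str, scopes, user_consented: bool, now: int) -> str:
        """Issue an access token only after the user has explicitly consented."""
        if not user_consented:
            raise PermissionError("access_denied: user did not consent")
        token = secrets.token_urlsafe(32)   # opaque, unguessable reference token
        self._grants[token] = Grant(user, client_id, frozenset(scopes), now + self._ttl)
        return token

    def introspect(self, token: str, now: int):
        """Return the Grant behind a token if it is still live, else None."""
        grant = self._grants.get(token)
        if grant is None or grant.revoked or now >= grant.expires_at:
            return None
        return grant

    def revoke_client_for_user(self, user: str, client_id: str) -> int:
        """User withdraws consent: every token for that user-client relationship is revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.user == user and grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


class ResourceServer:
    def __init__(self, auth_server: AuthorizationServer, weight_data: dict):
        self._as = auth_server
        self._data = weight_data

    def get_weight(self, authorization_header: str, now: int):
        """Handle GET /weight; returns (status, body) the way an HTTP handler would."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, "invalid_request"
        grant = self._as.introspect(token, now)
        if grant is None:
            return 401, "invalid_token"          # unknown, expired or revoked
        if "weight:read" not in grant.scopes:
            return 403, "insufficient_scope"
        return 200, self._data[grant.user]


def run_scenario():
    """Walk the model end to end; returns the outcome seen at each step."""
    auth = AuthorizationServer(ttl_seconds=600)
    rs = ResourceServer(auth, {"alice": [{"date": "2014-05-01", "kg": 70.2}]})  # constructed data
    now = 1_400_000_000

    # 1. Consent refused -> no token is issued at all.
    try:
        auth.issue_token("alice", "trendweight", {"weight:read"}, user_consented=False, now=now)
        refused = False
    except PermissionError:
        refused = True

    # 2. Consent given -> token bound to alice + trendweight + weight:read.
    token = auth.issue_token("alice", "trendweight", {"weight:read"}, user_consented=True, now=now)
    ok, _ = rs.get_weight(f"Bearer {token}", now)

    # 3. A token issued for a different scope is not enough for this API.
    narrow = auth.issue_token("alice", "trendweight", {"profile:read"}, user_consented=True, now=now)
    scope_fail, _ = rs.get_weight(f"Bearer {narrow}", now)

    # 4. The same token is rejected once its lifetime has passed.
    expired, _ = rs.get_weight(f"Bearer {token}", now + 601)

    # 5. User removes the third party's permission -> existing tokens stop working.
    revoked_count = auth.revoke_client_for_user("alice", "trendweight")
    after_revoke, _ = rs.get_weight(f"Bearer {token}", now)

    return {"refused": refused, "ok": ok, "scope_fail": scope_fail,
            "expired": expired, "revoked_count": revoked_count, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(run_scenario())
```

The token is an opaque reference that the RS resolves at the AS, so revocation takes effect immediately; a self-contained (e.g. JWT) access token would instead need a short lifetime or a revocation check to give the same guarantee.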
OpenID Connect 1.0
• OpenID Connect 1.0 is an OIDF standard that profiles and extends OAuth 2.0 to add an identity layer—creating a single framework that promises to secure APIs, mobile native applications and browser applications in a single, cohesive architecture.
• OpenID Connect adds two notable identity constructs to OAuth’s token issuance model.
– An identity token—the delivery of which, from one party to another, can enable a federated SSO user experience for a user.
– A standardized identity attribute API—at which a client can retrieve the desired identity attributes for a given user.
• If your use case requires something more than authentication and authorization of API calls, Connect’s features that go beyond OAuth become relevant.
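The identity token mentioned above is a signed JWT whose claims the receiving client must check before trusting the federated login. The following is an added example, not code from the slides or from any library: it builds and verifies an ID token using HS256 keyed with the client secret (which OpenID Connect Core permits; production deployments more commonly use RS256 with keys fetched from the provider's JWKS endpoint). The issuer URL, client id, nonce and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example of ID token creation and verification with HS256 (client_secret as key).
# Issuer, audience, nonce and secret below are constructed for illustration.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def sign_id_token(claims: dict, client_secret: str) -> str:
    """What the OpenID Provider does: serialise header.payload and MAC it."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_b64url(_hs256(signing_input, client_secret))}"


class InvalidIDToken(Exception):
    pass


def verify_id_token(token: str, client_secret: str, expected_iss: str,
                    expected_aud: str, expected_nonce: str, now=None) -> dict:
    """What the client does: signature first, then iss, aud, exp and nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIDToken("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm we expect; never let the token choose (e.g. alg=none).
    if header.get("alg") != "HS256":
        raise InvalidIDToken("unexpected alg")
    expected_sig = _hs256(f"{h64}.{p64}", client_secret)
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise InvalidIDToken("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_iss:
        raise InvalidIDToken("wrong issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in aud_list:
        raise InvalidIDToken("token not for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidIDToken("expired")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIDToken("nonce mismatch (possible replay)")
    return claims


def check(token: str, secret: str, now: int) -> str:
    """Helper returning 'ok' or the failure reason, for easy inspection."""
    try:
        verify_id_token(token, secret, "https://op.example", "scale-app", "n-123", now=now)
        return "ok"
    except InvalidIDToken as e:
        return str(e)


if __name__ == "__main__":
    secret = "constructed-client-secret"
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "scale-app",
              "iat": 1_400_000_000, "exp": 1_400_000_600, "nonce": "n-123"}
    tok = sign_id_token(claims, secret)
    print(check(tok, secret, 1_400_000_300))
```

The order matters: the signature is checked before any claim is read, so a tampered `sub` or `aud` is rejected as a bad signature rather than being parsed, and the algorithm is pinned by the verifier rather than taken from the header.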
Representative IoT architecture
• Fitbit makes the Aria smart scale
• Scale syncs through home Wi-Fi to the Fitbit cloud for display & analysis through web & native applications
• 3rd party services can access weight data to provide additional insight
Architecture requirements
• User weight data is personal and must be protected against compromise
• Additionally, weight data must only be shared by Fitbit when consistent with user policy
Architecture
(Architecture diagram; labels: FitBit Proprietary, 3rd party services, REST API, REST API)
Let's examine how OAuth & Connect can apply here
Cloud to cloud
• TrendWeight offers additional insight & analysis of weight data
• Pulls scale data from Fitbit cloud REST endpoints
• TrendWeight should use OAuth to authenticate their API calls as being on behalf of a particular user
• Because the user is involved in token issuance, this is a privacy-enabling model
Cloud to Cloud
(Flow diagram; labels: Login & consent, Weight data)
Revocation of authorization
User can remove permissions assigned to 3rd parties
Native Application
• Users can view their weight data & trends from iOS & Android native applications
• Native applications pull data from Fitbit cloud REST endpoints
• Native applications should use OAuth to authenticate their API calls as being on behalf of a particular user
Device to gateway
• Devices communicate with each other and the gateway via the local network, sharing data, sending control messages, etc.
• These local interactions may not use HTTP, but instead an application protocol more optimized to the constraints (CPU size, battery, etc.) of devices.
• Such application protocols include XMPP, MQTT and CoAP.
• Work has begun in exploring how to bind OAuth & Connect to such IoT optimized protocols, e.g. the ACE effort in the IETF
Conclusion
• Authentication & authorization of actors is fundamental to IoT security
• Mechanisms must be secure, scalable and privacy respecting
• OAuth & Connect promise to provide important pieces of authn & authz framework for IoT