IT Security Procedural Guide: Securing Mobile Devices and ...
Securing Millions of Devices
-
Upload
kai-hudalla -
Category
Software
-
view
653 -
download
0
Transcript of Securing Millions of Devices
![Page 1: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/1.jpg)
Securing Millions of Devices
Régis Piccand Verisign, Inc.Kai Hudalla Bosch Software Innovations GmbH
![Page 2: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/2.jpg)
What is the Problem?
Photon by particle.io
very little RAM
limited power supply
few MHz only
low bandwidth
must be cheap
out in the field(≠ LAN)
Industrial scale IoT solutions require cheap, small & power efficient sensors & connectivity but still require strong security (authentication, confidentiality, integrity).
Cloud/Data Center
1..[mb]illions 0..n
Securely connecting a dozen of these in your lab is easy. Connecting & managing [mb]illions of these via internet is a challenge.
![Page 3: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/3.jpg)
Lightweight M2M.. is a protocol (stack) from the Open Mobile Alliance specifically designed for managing constrained devices.
UDP SMS
DTLS
CoAP
LW-M2M
Resources
Connectionless communication suitable for low power/bandwidth environments
Datagram TLS for confidentiality and integrity (RFC 6347)
REST like web transfer protocol targeted at constrained environments with small bandwidth (10s of kbit/s) (RFC 7252)
Device management operations/interactions:bootstrap & register device, read/write/execute/observe resource(s)
Management objects (pre-defined & custom):Device, LWM2M Server, Firmware Update, Location, Connectivity Monitoring etc.
![Page 4: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/4.jpg)
Example Object & RequestThe Device object (ID: 3) provides metadata about the device and is mandatory for all LWM2M Clients to implement.
URI format: /{ObjectID}/{InstanceID}/{ResourceID}
Cloud/Data Center
LWM2M Client LWM2M Server
GET /3/0/0
“Particle”
GET /3/0/1
Manufacturer
Device
single instance only
Model Number
“Photon”
Photon by particle.io
![Page 5: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/5.jpg)
Your Solution
Leshan
Eclipse Leshan… provides libraries that help people develop their own Lightweight M2M server and client.
Californium
Pure Java implementation of Datagram TLS supporting PSK, X.509 & RawPublicKey based authentication, ECDHE based key exchange
Pure Java implementation of CoAP over UDP, easy to use API for accessing & implementing resources
Pure Java implementation of LWM2M:- set of JARs (easily embeddable)- fat JAR for running standalone (test) server- OSGi Managed Service implementation- Standard LWM2M Objects + (some) IPSO Smart Objects supported out-of-the-box- Custom Objects supported by means of API & XML files
Scandium
Projects are being developed within the context of the Eclipse IoT Working Group. For more information go to:
![Page 6: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/6.jpg)
The Provisioning Problem
● Devices must know where they should be connecting to (bootstrap server, message broker, cloud service, etc.)
● Hard-coding the configuration is limiting - not every device should connect to the same services, service endpoints can change overtime…
https://mantivities.wordpress.com
● LWM2M provides 4 bootstrapping modes○ 2 hard-coded options, either in flash or smartcard○ 2 dynamic options;
■ either client or server initiates bootstrap process■ bootstrap server writes config data to the device
● How does a device reliably and securely determine the correct endpoint?
![Page 7: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/7.jpg)
Tiaki To The Rescue
● Tiaki is a Secure Service Discovery SDK
● Tiaki allows clients to look up service details (endpoint, port, priority, weight, type) and configuration securely from DNS
● Tiaki is based on the DNS Service Discovery (DNS-SD) and DNS Security Extensions (DNSSEC) IETF Standards
● Tiaki validates signatures to authenticate the origin and integrity of data
● Tiaki is available for C, Java and as a command-line interface
![Page 8: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/8.jpg)
Service Discovery Logical Flow
_services._dns-sd._udp.example.com. PTR _mqtt._tcp.example.com_mqtt._tcp.example.com. PTR eclipse-broker._mqtt._tcp.example.comeclipse-broker._mqtt._tcp.example.com. SRV iot.eclipse.org 1883
eclipse-broker._mqtt._tcp.example.com. TXT "server=Mosquitto" "qos=2“
![Page 9: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/9.jpg)
DNS Security Extensions Logical Flow
![Page 10: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/10.jpg)
How To Use TiakiCommand line$ java -jar iot-discovery-jcli-1.0.jar -i -s mqtt -d example.com
iot.eclipse.org:1883 "server=Mosquitto" "version=1.3.1“
Java SDKDnsServicesDiscovery discoverer = new DnsServicesDiscovery();
Fqdn fullyQualifiedDomainName = new Fqdn("example.com");
CompoundLabel serviceType = new CompoundLabel("mqtt");
Set<ServiceInstance> discoveryResult = discoverer.listServiceInstances(fullyQualifiedDomainName, serviceType);
for (ServiceInstance instance : discoveryResult) {
System.out.println(instance);
}
https://projects.eclipse.org/projects/iot.tiaki
https://github.com/verisign/iot-discovery-jcli | https://github.com/verisign/iot-discovery-services
![Page 11: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/11.jpg)
What you should take away
★ LWM2M is great for managing constrained devices!★ Californium 1.0 release expected for Nov 2015★ Leshan 1.0 release to follow up shortly after★ Tiaki helps with initial provisioning of devices (e.g. LWM2M clients) thanks to
SECURE Service Discovery★ Initial Contribution being processed
Tiaki not (yet) targeted at constrained devices, your help is needed to make that happen!
![Page 13: Securing Millions of Devices](https://reader031.fdocuments.us/reader031/viewer/2022030316/5878d28f1a28ab917a8b5659/html5/thumbnails/13.jpg)