cis14: identifying things (and things identifying us)

IDENTITY IN THE IOT – THEIRS AND OURS

Paul Madsen, Office of the CTO

Agenda

1. Things – their identities 2. Things - our identities

3

Agenda


4

What does it mean for a thing to have an identity? •  Things will have attributes that distinguish it from other things •  Things will have means to prove to other things that they a) belong to

a class of things or b) are a particular thing •  Things will have means to verify that other things a) belong to a class

of things or b) are a particular thing •  Things will be provisioned with certain attributes at origin but over

time may add additional attributes •  Things have a finite lifetime, at the end of which some portions of their

identity may need to be cancelled •  In their 50s, things will have an identity crisis – divorce their spouse,

join a gym and buy a sports car. 5

6

You (mostly) can’t have security without iden7ty

7

Security

Authen7ca7on

Iden7ty

Confiden7ality Audit

Things will operate on behalf of ….

8


9

Gym Track

Beer keg

Cars

Bridge


10

Gym Track

Beer keg

Cars

Bridge

11

How do we give users meaningful control over their things and their ability to operate on their behalf? 1.  Ini7al authoriza7on 2.  Ongoing visibility 3.  Eventual revoca7on

13

How are passwords working out for us?

Password anti-pattern

Sites asks YOU for your GOOGLE password so it can access your Google stuff.

Tsk tsk! •  Client must store passwords •  Teaches users to be indiscriminate with their

passwords •  More difficult to move to multi-factor and federated

authentication •  Doesn’t support granular permissions, e.g. X can

read but not write •  Doesn’t support knowledge/differentiation of the

access granted •  Doesn’t support (easy) revocation – to be sure of

turning off access users must change password

Tokens instead of passwords


•  Rather than clients using passwords on their API messages, token authentication models have the client first exchange the password for a token and then use tokens on subsequent messages

•  Token can represent the authorized combination of client & user

•  Advantages

–  Allows for granular consent

–  Revocable

–  No need to store passwords on device/thing

•  OAuth 2.0 and OpenID Connect 1.0 key standards

1

3

4 2

3

4

5

1

3

4 2

3

4

5

OAuth/Connect

OAuth/Connect

OAuth/Connect

1

3

4 2

3

4

5

OAuth/Connect

OAuth/Connect

OAuth/Connect

OAuth/Connect?

OAuth/Connect?

State of the art?


IoT protocols Security

MQTT

CoAP

TLS/DTLS

passwords

Binding OAuth to MQTT

21

•  Paul Fremantle has been exploring using OAuth access tokens on MQTT messages as alterna7ve to passwords (as MQTT spec now supports)

•  An Arduino obtains an OAuth token from an authoriza7on server and then uses on Connect message

•  hXp://www.slideshare.net/pizak/securing-‐the-‐internet-‐of-‐things

Agenda


22

Authentication Taxonomy


Ini7a7on

Ac7ve/explicit

Passive/implicit

Once Con7nuous Sampling



Ini7a7on

Ac7ve/explicit

Passive/implicit


Password, OTP, mobile, fingerprint, voice

Somethings are changing


Know

Have

Are

Know

Have

Are

Trend

Have and have nots


RSA SecureID Wallet cards etc USB tokens



Ini7a7on

Ac7ve/explicit

Passive/implicit


IP address, geo-‐loca7on


Explicit giving way to implicit


Explicit factors

Implicit factors

Trend

Explicit factors

Implicit factors

29

The things that we more and more surround ourselves with can enable ‘con7nuous authen7ca7on’


Ini7a7on

Ac7ve/explicit

Passive/implicit



Keystroke, EKG, voice, proximity, transac7onal




Continuous authentication modes


•  Identify the gait

• Recognize the face

• Listen to the voice

• Sense how user holds phone

• Measure pushup pace ….

Demands local sensors

32

My things thank your things for their aXen7on

cis14: identifying things (and things identifying us)

Technology

things things

ping identity corp

class of things

implicit copyright

particular thing things

passwords copyright

additional attributes

identity crisis