CIS14: Identifying Things (and Things Identifying Us)

DESCRIPTION

Paul Madsen, Ping Identity. Discussing a security and identity model for things that does not make the existing password problem orders of magnitude worse (perhaps using identity protocols like OAuth & OpenID Connect), and how our things might facilitate our own interactions with applications.

IDENTITY IN THE IOT – THEIRS AND OURS

Paul Madsen, Office of the CTO

Agenda

1. Things – their identities
2. Things – our identities

What does it mean for a thing to have an identity?

•  Things will have attributes that distinguish them from other things
•  Things will have means to prove to other things that they a) belong to a class of things or b) are a particular thing
•  Things will have means to verify that other things a) belong to a class of things or b) are a particular thing
•  Things will be provisioned with certain attributes at origin but over time may add additional attributes
•  Things have a finite lifetime, at the end of which some portions of their identity may need to be cancelled
•  In their 50s, things will have an identity crisis – divorce their spouse, join a gym and buy a sports car.

You (mostly) can’t have security without identity

Slide diagram: Security, with the labels Authentication, Identity, Confidentiality and Audit.

Things will operate on behalf of ….

Slide examples: Gym Track, Beer keg, Cars, Bridge

How do we give users meaningful control over their things and their ability to operate on their behalf?

1. Initial authorization
2. Ongoing visibility
3. Eventual revocation

Copyright © 2013 Ping Identity Corp. All rights reserved.

How are passwords working out for us?

Password anti-pattern

Site asks YOU for your GOOGLE password so it can access your Google stuff.

Tsk tsk!

•  Client must store passwords
•  Teaches users to be indiscriminate with their passwords
•  More difficult to move to multi-factor and federated authentication
•  Doesn’t support granular permissions, e.g. X can read but not write
•  Doesn’t support knowledge/differentiation of the access granted
•  Doesn’t support (easy) revocation – to be sure of turning off access users must change password

Tokens instead of passwords

•  Rather than clients using passwords on their API messages, token authentication models have the client first exchange the password for a token and then use tokens on subsequent messages
•  Token can represent the authorized combination of client & user
•  Advantages
   –  Allows for granular consent
   –  Revocable
   –  No need to store passwords on device/thing
•  OAuth 2.0 and OpenID Connect 1.0 are the key standards

Slide diagrams: numbered flow steps 1–5 between the parties, with the interactions labelled "OAuth/Connect"; two later slides mark interactions "OAuth/Connect?".

State of the art?

IoT protocols: MQTT, CoAP
Security: TLS/DTLS, passwords

Binding OAuth to MQTT

•  Paul Fremantle has been exploring using OAuth access tokens on MQTT messages as an alternative to passwords (as the MQTT spec now supports)
•  An Arduino obtains an OAuth token from an authorization server and then uses it on the Connect message
•  http://www.slideshare.net/pizak/securing-the-internet-of-things
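An added example (not from the slides or from Paul Fremantle's work) of the broker side of this binding, which also shows the granular consent and revocation advantages claimed for tokens over passwords above. The token store is constructed data standing in for the authorization server's introspection endpoint; the username value 'oauth2-bearer', the 'mqtt:connect' and 'mqtt:publish:<topic>' scope names, and the use of the CONNECT client identifier as client_id are assumptions.

```python
# Added example: broker-side authorization for an MQTT CONNECT whose password
# field carries an OAuth 2.0 access token. All tokens and claims are constructed.
NOW = 1_500_000_000  # constructed "current time" (Unix seconds)

TOKEN_STORE = {  # stands in for the authorization server's introspection endpoint
    "tok-arduino-01": dict(active=True, client_id="arduino-01", sub="alice",
                           exp=1_900_000_000,
                           scope="mqtt:connect mqtt:publish:home/alice/temp"),
    "tok-expired": dict(active=True, client_id="arduino-02", sub="bob",
                        exp=1_000_000_000, scope="mqtt:connect mqtt:publish:home/bob/#"),
    "tok-revoked": dict(active=False, client_id="arduino-03", sub="carol",
                        exp=1_900_000_000, scope="mqtt:connect"),
}

def introspect(token, now=NOW):
    """Claims for an active, unexpired token; None otherwise (RFC 7662 style)."""
    c = TOKEN_STORE.get(token)
    return c if c and c["active"] and c["exp"] > now else None

def authorize_connect(client_id, username, password, now=NOW):
    """Decide a CONNECT. Assumed convention: username 'oauth2-bearer' marks
    that the password field holds an access token rather than a password."""
    if username != "oauth2-bearer":
        return False, "password authentication not accepted"
    claims = introspect(password, now)
    if claims is None:
        return False, "token inactive, revoked or expired"
    if claims["client_id"] != client_id:  # token was issued to a different thing
        return False, "token not issued to this client"
    if "mqtt:connect" not in claims["scope"].split():
        return False, "token lacks mqtt:connect scope"
    return True, "connected on behalf of " + claims["sub"]

def topic_matches(pattern, topic):
    """MQTT wildcard match: '#' covers the rest of the path, '+' one level."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or seg not in ("+", t[i]):
            return False
    return len(p) == len(t)

def authorize_publish(token, topic, now=NOW):
    """Granular consent: PUBLISH is allowed only on topics the scope names."""
    claims = introspect(token, now)
    if claims is None:
        return False
    granted = [s[13:] for s in claims["scope"].split() if s.startswith("mqtt:publish:")]
    return any(topic_matches(g, topic) for g in granted)
```

Revocation needs no password change on the device: flipping the token's active flag at the authorization server is enough for the next CONNECT or PUBLISH to be refused.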

Agenda

1. Things – their identities
2. Things – our identities

Authentication Taxonomy

Copyright © 2014 Ping Identity Corp. All rights reserved.

Initiation: Active/explicit or Passive/implicit
Sampling: Once or Continuous

Active/explicit, sampled once: password, OTP, mobile, fingerprint, voice

Somethings are changing

Slide diagram: the factors Know, Have and Are, with a trend arrow.

Have and have nots

RSA SecurID, wallet cards etc., USB tokens

Authentication Taxonomy (continued)

Passive/implicit, sampled once: IP address, geo-location

Explicit giving way to implicit

Slide diagram: explicit factors and implicit factors, with a trend arrow from explicit toward implicit.

The things that we more and more surround ourselves with can enable ‘continuous authentication’

Authentication Taxonomy (continued)

Passive/implicit, continuous sampling: keystroke, EKG, voice, proximity, transactional

Continuous authentication modes

•  Identify the gait
•  Recognize the face
•  Listen to the voice
•  Sense how the user holds the phone
•  Measure pushup pace ….

Demands local sensors

My things thank your things for their attention