
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything we’ve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.


IDENTITY

SECURITY BEGINS WITH IDENTITY

- User name and password
- Smartcard
- Biometrics
- Certificate
- API key (e.g. AE5021 B3209A FEA409)

IDENTITY - TRUST

IDENTITY - APPLYING THESE MECHANISMS TO IOT AND M2M

IDENTITY - PROGRAMMATIC vs. PHYSICAL

CERTIFICATES - PUBLIC KEY INFRASTRUCTURE (PKI)

- Trusted and well established technology
- Allows for mutual authentication
- Can be used for message signing

CERTIFICATES - COST

$$$$$ $$$$$ $$$$$

CERTIFICATES - SECURITY

CERTIFICATES SECURITY - Revocation

- Certificate Revocation List
- Online Certificate Status Protocol
- Certificate Authority

CERTIFICATES SECURITY - TRUST

Certificate Authorities (figure: device123.example.com with Certificate Authority A and Certificate Authority B)

CERTIFICATES - MANAGEMENT

CERTIFICATES - INTEROPERABILITY

FOO.COM CERTIFICATE AUTHORITY and BAR.COM CERTIFICATE AUTHORITY

CHALLENGES

How do we deploy PKI at Internet of Things scale?

- Keep cost low
- Be interoperable
- Deploy at scale
- Improve security

DANE

DNS-BASED AUTHENTICATION OF NAMED ENTITIES

DNSSEC

Provides a secure global registry

- Highly scalable
- Globally distributed
- Resilient
- Standards based
- Ubiquitous
- Secure
  - Cryptographically signed
  - Supports delegation

Chain of trust (figure): . root key -> .com key -> .example.com key -> zone.example.com

DANE

RFC 6698 establishes new record types for DNS

- Allows publishing of certificate data in DNS
- Data integrity validated by cryptographic signature
- Effectively replaces the local CA store as the means of validating certificates
- Allows records to be queried in real time
- Allows records to be cached for a specific amount of time
- Removes the need for CRLs and OCSP
- Can work with CA issued certificates or self signed certificates

DEVICE PROVISIONING AND VALIDATION FLOW

[Figure: Sensor holding its keys; DNS Registry listing device1.example.com through device5.example.com and deviceX.example.com; Recursive DNS Server; IoT Platform]

1. Device provisioning: the device creates a public/private keypair and the public key is published in DNS.
2. A DNS "TLSA" record maps the device name to the public key. The device only needs a name; it does not need a published IP address.
3. Sensor initiates a TLS connection to the IoT Platform.
4. The TLS handshake includes the device name and public key.
5. IoT Platform queries secure DNS (via the Recursive DNS Server) for the public key for the device.
6. IoT Platform retrieves the public key from the secure DNS server.
7. IoT Platform compares the device's published key with the key used during negotiation (= ?).
8. The keys match, so the client certificate is validated.
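The key-comparison step above, as an added Python example that is not part of the original deck: it assumes the DANE-EE certificate usage and the selector/matching-type codes from RFC 6698, a TLSA owner name of the form _443._tcp.<device name> (the port and protocol are assumptions), and constructed stand-in certificate bytes; it also shows the check a platform must make before trusting the record, namely that the recursive resolver DNSSEC-validated the answer.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field codes from RFC 6698 (the RFC the deck cites).
USAGE_DANE_EE = 3                          # trust the end-entity key itself, no CA chain needed
SELECTOR_CERT, SELECTOR_SPKI = 0, 1        # match the full certificate or only its public key
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes              # certificate association data as published in DNS
    dnssec_validated: bool   # AD bit reported by the validating recursive resolver


def tlsa_owner_name(device_name: str, port: int = 443, proto: str = "tcp") -> str:
    """RFC 6698 owner-name form; the port/protocol are assumptions for this example."""
    return f"_{port}._{proto}.{device_name}."


def association_data(der_cert: bytes, spki: bytes, selector: int, matching_type: int) -> bytes:
    """Derive the bytes a TLSA record carries for the certificate presented in the handshake."""
    subject = der_cert if selector == SELECTOR_CERT else spki
    if matching_type == MATCH_FULL:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def dane_ee_match(record: TlsaRecord, der_cert: bytes, spki: bytes) -> bool:
    """Platform-side check: does the published key equal the key used during negotiation?"""
    if not record.dnssec_validated:       # RFC 6698 only trusts DNSSEC-validated TLSA data
        return False
    if record.usage != USAGE_DANE_EE:     # this example covers only the DANE-EE (self-signed) case
        return False
    expected = association_data(der_cert, spki, record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.data)


# Constructed sample input: stand-ins for the device's DER certificate and SPKI, not real keys.
DEVICE_SPKI = b"\x30\x59\x30\x13" + bytes(range(87))
DEVICE_CERT = b"\x30\x82\x01\x2a" + DEVICE_SPKI + b"\x00" * 40
PUBLISHED = TlsaRecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                       hashlib.sha256(DEVICE_SPKI).digest(), dnssec_validated=True)
```

A record that the resolver could not validate, or a handshake key whose digest differs from the published one, both fail the check, which is how the deck's "instant revocation" works in practice: remove or change the TLSA record and the old key stops matching.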

DANE - ADVANTAGES OF DANE

- Highly scalable
- Economically viable
- Highly secure
- Limited scope of trust
- Instant revocation
- Transparency

WHAT NOW ?


COMMUNITY ENGAGEMENT Working with the community on DANE enablement across the stack including crypto libraries and common runtime frameworks.

FEEDBACK We'd love to talk! Email us at iot@verisign.com