CIS2016 - MCPTT Connect

Page 1

MCPTT Connect
Page 2

OPENID CONNECT: MISSION CRITICAL
Adam Lewis – Motorola Solutions – Chief Technology Office

Page 3

Who We Are

Page 4

Page 5

COUNTRIES AROUND THE WORLD CONVERGED ON LTE AS THE TECHNOLOGY TO SUPPORT PUBLIC SAFETY BROADBAND

Page 6

THERE IS A NEED FOR STANDARDIZATION OF THE PUBLIC SAFETY APPLICATION LAYER

Page 7

PUBLIC SAFETY COMMUNITY DECIDED THAT 3GPP WAS ONE-STOP SHOPPING
COUNTRIES JOINED RANKS & LOBBIED 3GPP TO CREATE A PUBLIC SAFETY WG

Page 8

EACH OF THESE APPLICATIONS IS GOING TO NEED TO KNOW WHO THE RESPONDER IS
AND WHAT THEY ARE AUTHORIZED TO DO

Page 9

First things First: Who’s on First?

Access Network Identity?
IMS Identity?
Human User Identity!

Page 10

SA6 Requirements

Interoperable: across vendors, across security domains
Flexible: support for public deployments and private deployments
Pluggable authentication methods: passwords, FIDO, GBA, SIP digest …
Scalable: from tens of users to hundreds of thousands of users
Extensible: a common framework for MCPTT (… and beyond)

Page 11

Authentication

Lifelines in the call flows on this and the following pages: UA / client, SIP core, OIDC server (IdMS), KMS, MCPTT server, config mgmt, group mgmt.

User authentication is an OpenID Connect authorization-code flow with PKCE between the client and the OIDC server:

1. Client → OIDC server (authorization request; the user then authenticates with the method requested in acr_values):
GET /as/authorization.oauth2?response_type=code&client_id=mcptt_client&code_challenge=0x123456789abcdef&code_challenge_method=S256&scope=openid%203gpp:mcptt_server&redirect_uri=http://3gpp.mcptt/cb&state=abc123&acr_values=3gpp:acr:password

2. OIDC server → client (authorization response: a redirect to the registered redirect_uri carrying the code and the client's state):
HTTP/1.1 302 Found
Location: http://3gpp.mcptt/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123

3. Client → OIDC server (token request):
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&client_id=mcptt_client&code_verifier=0x123456789abcdef&redirect_uri=http%3A%2F%2F3gpp.mcptt%2Fcb

4. OIDC server → client (token response):
"access_token":"eyJhb...XQA","refresh_token":"Y7NSzUJuS0Jp7G4SKpBKSOJVHIZxFbxqsqCIZhOEk9","id_token":"eyJhb...wCfPZo","token_type":"Bearer",

The code_challenge and code_verifier values shown are placeholders: with code_challenge_method=S256 the challenge is BASE64URL(SHA-256(code_verifier)), so the two are never equal in a real exchange, and the server recomputes that hash at the token endpoint before releasing tokens. The state value must be checked by the client on return, and the code is single-use.
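The exchange above as a runnable example, added here and not taken from the presentation or from any 3GPP or vendor code: both sides of the PKCE authorization-code flow in Go, with the checks a practitioner expects at each step (registered redirect_uri, S256 only, client-side state check, single-use code, code bound to client and redirect_uri, verifier hashed and compared in constant time). The AuthServer type, its in-memory code store, the hard-coded client registration and the error strings are assumptions of this example; the IdMS on the slides is a separate product, not this code.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewVerifier returns a fresh code_verifier: 32 random bytes, unpadded base64url (43 chars).
func NewVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Challenge derives the S256 code_challenge: BASE64URL(SHA-256(code_verifier)).
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

type pendingCode struct{ clientID, redirectURI, scope, challenge string }

// AuthServer is a minimal in-memory OIDC authorization server (hypothetical, not the IdMS on the slides).
type AuthServer struct {
	registeredRedirect map[string]string // client_id -> redirect_uri registered out of band
	codes              map[string]pendingCode
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		registeredRedirect: map[string]string{"mcptt_client": "http://3gpp.mcptt/cb"},
		codes:              map[string]pendingCode{},
	}
}

// Authorize handles /as/authorization.oauth2 once the user has authenticated and returns the 302 Location.
func (s *AuthServer) Authorize(clientID, redirectURI, scope, challenge, method, state string) (string, error) {
	if s.registeredRedirect[clientID] != redirectURI {
		return "", errors.New("redirect_uri does not match the registered value")
	}
	if method != "S256" || len(challenge) != 43 {
		return "", errors.New("only S256 code challenges are accepted")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	s.codes[code] = pendingCode{clientID, redirectURI, scope, challenge}
	q := url.Values{"code": {code}, "state": {state}}
	return redirectURI + "?" + q.Encode(), nil
}

// CheckCallback is the client side of the redirect: a callback whose state is not the one this
// client sent is refused (CSRF / login-injection protection); otherwise the code is extracted.
func CheckCallback(location, expectedState string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if q.Get("state") != expectedState {
		return "", errors.New("state mismatch: callback was not triggered by our request")
	}
	return q.Get("code"), nil
}

// Token handles the token request: the code is consumed on first use, must be bound to this
// client and redirect_uri, and SHA-256(code_verifier) must equal the stored code_challenge.
func (s *AuthServer) Token(clientID, redirectURI, code, verifier string) (string, error) {
	pc, ok := s.codes[code]
	if !ok {
		return "", errors.New("unknown or already redeemed code")
	}
	delete(s.codes, code) // single use, even when a check below fails
	if pc.clientID != clientID || pc.redirectURI != redirectURI {
		return "", errors.New("code was issued to a different client or redirect_uri")
	}
	if subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(pc.challenge)) != 1 {
		return "", errors.New("code_verifier does not match code_challenge")
	}
	return pc.scope, nil // granted scope; a real server now mints id_token and access_token
}

func main() {
	as := NewAuthServer()
	v, _ := NewVerifier()
	loc, _ := as.Authorize("mcptt_client", "http://3gpp.mcptt/cb", "openid 3gpp:mcptt_server", Challenge(v), "S256", "abc123")
	code, _ := CheckCallback(loc, "abc123")
	fmt.Println(as.Token("mcptt_client", "http://3gpp.mcptt/cb", code, v))
}
```

Deleting the code before the verifier check, rather than after, is deliberate: a code whose verifier failed once is burned, so an attacker who intercepted the redirect cannot keep guessing against it.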

Page 12

Token Profiles (JWT, minimal claim set)

id_token:
{ "alg": "RS256" }.{
  "sub": "1234567890",
  "aud": "mcptt-client",
  "iss": "IdMS.server.com:9031",
  "iat": 1453498158,
  "exp": 1453498458,
  "mcptt_id": "[email protected]"
}.[signature]

access_token:
{ "alg": "RS256" }.{
  "mcptt_id": "[email protected]",
  "exp": 1453506121,
  "scope": [
    "openid",
    "3gpp:mcptt:ptt_server",
    "3gpp:mcptt:kms_server",
    "3gpp:mcptt:group-mgmt_server",
    "3gpp:mcptt:config-mgmt_server"
  ],
  "client_id": "mcptt-client"
}.[signature]
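What the profiles above imply for the relying parties, as an added Go example that is not from the presentation: because the access_token is a signed JWT, each backend named in the scope list (the KMS, group-management, configuration-management and PTT servers) can validate it locally with the IdMS public key instead of calling the IdMS, and then require its own scope string before trusting mcptt_id. The example pins the algorithm to RS256 (a header claiming none or HS256 is rejected before any cryptography runs), checks exp, and checks scope. The AccessClaims type, the freshly generated RSA key standing in for the IdMS signing key, the placeholder MCPTT ID responder@example.org and the function names are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// AccessClaims mirrors the minimal access_token claim set on the slide.
type AccessClaims struct {
	MCPTTID  string   `json:"mcptt_id"`
	Exp      int64    `json:"exp"`
	Scope    []string `json:"scope"`
	ClientID string   `json:"client_id"`
}

// NewIdMSKey stands in for the IdMS signing key (fresh 2048-bit RSA, demo only).
func NewIdMSKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRS256 is the IdMS side: compact JWS, RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload".
func SignRS256(priv *rsa.PrivateKey, claims AccessClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// AlgNoneToken forges the classic {"alg":"none"} token with an empty signature; nothing on the
// slides issues one, it exists here only to show the verifier rejecting it.
func AlgNoneToken(claims AccessClaims) string {
	payload, _ := json.Marshal(claims)
	return b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64.EncodeToString(payload) + "."
}

// VerifyRS256 checks the signature with the IdMS public key and returns the claims. The algorithm
// is pinned: a header naming anything but RS256 is rejected before any crypto runs.
func VerifyRS256(pub *rsa.PublicKey, token string) (AccessClaims, error) {
	var claims AccessClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed JWT")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return claims, errors.New("segment is not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return claims, errors.New("unexpected alg: only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims, errors.New("bad signature")
	}
	err := json.Unmarshal(payload, &claims)
	return claims, err
}

// AuthorizeForService is what each backend (KMS, group mgmt, config mgmt, PTT server) does with a
// presented token: verify it, check exp against now (Unix seconds), then require its own scope
// string before trusting mcptt_id. It returns the authenticated MCPTT ID.
func AuthorizeForService(pub *rsa.PublicKey, token, requiredScope string, now int64) (string, error) {
	claims, err := VerifyRS256(pub, token)
	if err != nil {
		return "", err
	}
	if now >= claims.Exp {
		return "", errors.New("token expired")
	}
	for _, s := range claims.Scope {
		if s == requiredScope {
			return claims.MCPTTID, nil
		}
	}
	return "", errors.New("token carries no scope for this service")
}

func main() {
	priv, _ := NewIdMSKey()
	// responder@example.org is a placeholder MCPTT ID; the slide's value is not reproduced here.
	tok, _ := SignRS256(priv, AccessClaims{MCPTTID: "responder@example.org", Exp: 1453506121,
		Scope: []string{"openid", "3gpp:mcptt:kms_server"}, ClientID: "mcptt-client"})
	fmt.Println(AuthorizeForService(&priv.PublicKey, tok, "3gpp:mcptt:kms_server", 1453506000))
}
```

In a deployment the public key comes from the IdMS's published key set rather than a freshly generated pair, and a production verifier would also check iss and aud on the id_token; the scope check is the part specific to this profile, since one token is accepted by several backends and each must only honour its own entry.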

Page 13

Identity Based Encryption (IBE)

Client → KMS: GET IBE keys for the backend resource servers (request authorized with the access_token)
KMS → client: public IBE keys, used to derive encryption/integrity keys for the backend services, plus the client's own private keys

Page 14

Register for MCPTT service

Client: generate symmetric key K
Client → SIP core: SIP REGISTER(IMPI, RES, {access-token}K, {K}IBE_mcptt)
SIP core → MCPTT server: SIP REGISTER(IMPU, {access-token}K, {K}IBE_mcptt)
MCPTT server: token verification, then identity binding between the signalling-layer identities and the MCPTT user identities.

The SIP core authenticates the IMS private identity (IMPI) from the RES it receives and asserts the IMS public identity (IMPU) onward. The access token travels sealed under K, and K is sealed to the MCPTT server's identity, so the SIP core forwards the token without being able to read it; the MCPTT server unwraps K, verifies the token and binds the mcptt_id it carries to the asserted IMPU.

Page 15

Retrieve the First Responder profile

Client: generate symmetric key K
Client → SIP core: SIP SUBSCRIBE({access-token}K, {K}IBE_config-mgmt)
SIP core → config mgmt: SIP SUBSCRIBE({access-token}K, {K}IBE_config-mgmt)
Config mgmt: decrypt K with IBE, then decrypt the access-token with K
Request (authorized with the access_token): GET user profile for first responder
Response: user profile for first responder (incl. TGs)

Page 16

Fetch the Crypto Keys

Client: generate symmetric key K
Client → SIP core: SIP SUBSCRIBE({access-token}K, {K}IBE_group-mgmt)
SIP core → group mgmt: SIP SUBSCRIBE({access-token}K, {K}IBE_group-mgmt)
Group mgmt: decrypt K with IBE, then decrypt the access-token with K
Request (authorized with the access_token): GET crypto keys for encryption
Response: crypto keys for secure group communications
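The token transport shared by pages 14 to 16, as an added Go example that is not part of the presentation: the client seals the access token under a fresh symmetric key K and seals K to the identity of the one service that should read it, and the service reverses both steps before running token verification (the previous example's job). The slides seal K with identity-based encryption using keys from the KMS (page 13); Go's standard library has no IBE, so this example substitutes RSA-OAEP to a per-service RSA key pair and uses the service identity as both the OAEP label and the AES-GCM associated data. The Envelope type, NewServiceKey, the placeholder token string and the error strings are this example's assumptions, and the RSA stand-in is the example's substitution, not the scheme the slides describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the pair ({access-token}K, {K}IBE_service) the slides carry in SIP REGISTER /
// SUBSCRIBE. Here K is wrapped with RSA-OAEP to a per-service key pair, a stand-in for the
// identity-based encryption the slides use; the envelope layout is the point, not the wrap.
type Envelope struct {
	Recipient   string // service identity the token is addressed to, e.g. "config-mgmt"
	WrappedKey  []byte // {K} sealed to the recipient; OAEP label = recipient identity
	Nonce       []byte // AES-GCM nonce for the token ciphertext
	TokenCipher []byte // {access-token}K, AES-256-GCM with AAD = recipient identity
}

// NewServiceKey stands in for the per-identity private key a service obtains from the KMS.
func NewServiceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapToken is the client side ("Generate symmetric key K"): a fresh 256-bit K for every
// message, the token sealed under K, and K sealed to the recipient service identity.
func WrapToken(accessToken, recipient string, recipientPub *rsa.PublicKey) (*Envelope, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	aead, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, k, []byte(recipient))
	if err != nil {
		return nil, err
	}
	return &Envelope{
		Recipient:   recipient,
		WrappedKey:  wrapped,
		Nonce:       nonce,
		TokenCipher: aead.Seal(nil, nonce, []byte(accessToken), []byte(recipient)),
	}, nil
}

// UnwrapToken is the service side ("Decrypt K with IBE; decrypt access-token with K"). The
// service identity is bound twice (OAEP label and GCM AAD), so an envelope addressed to
// config-mgmt cannot be re-addressed and replayed to group-mgmt, and the SIP core in the
// middle forwards it without being able to read the token.
func UnwrapToken(env *Envelope, me string, myPriv *rsa.PrivateKey) (string, error) {
	if env.Recipient != me {
		return "", errors.New("envelope is addressed to another service")
	}
	k, err := rsa.DecryptOAEP(sha256.New(), nil, myPriv, env.WrappedKey, []byte(me))
	if err != nil {
		return "", errors.New("cannot unwrap K: wrong private key or identity")
	}
	aead, err := gcmFor(k)
	if err != nil {
		return "", err
	}
	token, err := aead.Open(nil, env.Nonce, env.TokenCipher, []byte(me))
	if err != nil {
		return "", errors.New("token ciphertext rejected (tampered or wrong key)")
	}
	return string(token), nil
}

func main() {
	key, _ := NewServiceKey()
	env, _ := WrapToken("eyJhb...XQA", "config-mgmt", &key.PublicKey) // placeholder token string
	fmt.Println(UnwrapToken(env, "config-mgmt", key))
}
```

The recovered string is still only a bearer token: the service must now verify its signature, expiry and scope before acting on the mcptt_id inside, exactly as on page 12; the envelope protects confidentiality in transit through the SIP core, not the token's validity.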

Page 17

Next …

Inter-connect: Federating OAuth
Proof-of-Possession
Mission Critical Video, Data

Page 18

And in Closing …

• Questions?
• Comments?
• Scrutiny?
• Thank you! :-)

[email protected]