
Identity for IoT: An Authentication Framework for the IoT


Page 1: Identity for IoT: An Authentication Framework for the IoT

AN AUTHENTICATION FRAMEWORK FOR THE IOT

John Bradley

Copyright © 2014 Ping Identity Corp. All rights reserved. 1

Page 2

Premise

•  The full promise of the Internet of Things (IoT) can only be realized if the many and varied interactions between users, things, cloud services and applications can be authenticated.

•  User-delegated consent will be necessary for any scenario where potentially privacy-sensitive data is collected and transferred (wearables, home automation, health, etc.).

•  OAuth 2.0 (an authorization framework) and OpenID Connect 1.0 (an authentication layer built on top of it) are two standards that promise to serve as important tools for the IoT's authentication and authorization requirements.

Page 4

Who are the actors

• Things/devices

• Users

• Applications

• Clouds

• Gateways

All of which need to be authenticated

Page 5

Authentication & Authorization Model

•  IoT actors authenticate by presenting security tokens on the calls/messages they send to each other.

•  A token represents the relationship between the relevant user and the calling actor (and any consents/permissions associated with that relationship).

•  Upon receiving a message, an actor validates the token and verifies that the request is consistent with that relationship and its permissions.

•  If consent is removed, the token is revoked and access is disabled. Revocation only takes effect immediately if the receiving actor checks the token's status with the issuer on each call (or the token is an opaque reference looked up server-side); a self-contained signed token that is never re-checked stays valid until it expires, so token lifetimes must be kept short.

•  OAuth 2.0 (authorization) and OpenID Connect 1.0 (authentication layered on OAuth) are the two frameworks that enable this model.

Page 6

OAuth 2.0

•  OAuth 2.0 (RFC 6749) is an IETF standard authorization framework for securing application access to RESTful APIs. It delegates access; it does not by itself authenticate users, which is what OpenID Connect adds.

•  OAuth allows a Client (an application that desires information) to send an API query to a Resource Server (RS), the application hosting the desired information, such that the RS can verify that the request carries a valid grant of access.

•  The Client presents that grant by including an access token on its API call, a token previously provided to the Client by an Authorization Server (AS). With the common bearer token form (RFC 6750) the RS checks that the token was issued by a trusted AS for this API and carries the needed scope; the token does not itself prove which client sent it, so it must only travel over TLS and be handled as a bearer credential (whoever holds it can use it).

•  In those scenarios where the API in question protects access to a User's identity attributes, it may be the case that the access token will only be issued by the AS after the User has explicitly given consent to the Client accessing those attributes.

Page 7

OpenID Connect 1.0

•  OpenID Connect 1.0 is an OpenID Foundation (OIDF) standard that profiles and extends OAuth 2.0 to add an identity layer, creating a single framework that promises to secure APIs, mobile native applications and browser applications in one cohesive architecture.

•  OpenID Connect adds two notable identity constructs to OAuth's token issuance model.

–  An ID Token: a signed JWT in which the identity provider asserts that a user authenticated, carrying issuer, audience (the client it was issued to), issuance and expiry times and an optional nonce. Delivering it from the provider to a client enables a federated SSO user experience for the user; the client must check signature, issuer, audience, expiry and nonce before trusting it.

–  A standardized identity attribute API (the UserInfo endpoint), at which a client presents the access token to retrieve the desired identity attributes (claims) for a given user.

•  If your use case requires something more than authentication and authorization of API calls, Connect's features that go beyond OAuth become relevant.
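The token model of pages 5 to 7 in working code, as an added example that is not part of the deck and not Ping Identity's code: an authorization server issues an access token and an ID Token after login and consent, the resource server validates the access token on an API call, and the client validates the ID Token. Tokens are HS256-signed in JWT layout using only Python's standard library (a real AS would sign with asymmetric JWS keys and publish them); the issuer, audience, client id, key and every claim value are assumptions. The last two results of demo() show the revocation caveat from page 5: once the user withdraws consent, a self-contained token still verifies until it expires unless the RS asks the AS.

```python
# Added example (not from the Ping Identity deck): the token model of the slides
# above with one AS, one RS and one client, in JWT layout (HS256) using only the
# standard library; names, key and claim values are assumptions, not real values.
import base64
import hashlib
import hmac
import json

AS_ISSUER = "https://as.example"        # assumed issuer identifier
AS_KEY = b"demo-hmac-key-do-not-reuse"  # assumed signing key, illustration only
API_AUDIENCE = "https://api.example"    # assumed identifier of the RS
CLIENT_ID = "trendweight-client"        # assumed OAuth client id
REVOKED = set()                         # AS-side list of revoked token ids (jti)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """AS: serialise claims as header.payload.signature (JWT layout, HS256)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify(token: str, now: int) -> dict:
    """Check alg, signature and expiry (ValueError on failure). Knows nothing about
    revocation: a self-contained token stays valid until exp unless the AS is asked."""
    header, payload, sig = token.split(".")          # ValueError if malformed
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # refuses alg=none / key confusion
    expected = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def as_issue_tokens(user: str, scopes: set, nonce: str, now: int, ttl: int = 600) -> dict:
    """AS: after login and consent to `scopes`, issue an access token for the RS
    and an ID Token for the client. Note the different audiences."""
    base = {"iss": AS_ISSUER, "sub": user, "iat": now, "exp": now + ttl}
    access = dict(base, aud=API_AUDIENCE, jti=f"at-{user}-{now}", scope=" ".join(sorted(scopes)))
    id_token = dict(base, aud=CLIENT_ID, nonce=nonce)
    return {"token_type": "Bearer", "access_token": sign(access), "id_token": sign(id_token)}

def as_introspect(token: str, now: int) -> bool:
    """AS: status check in the style of RFC 7662; this one does see revocations."""
    try:
        return verify(token, now)["jti"] not in REVOKED
    except (ValueError, KeyError):
        return False

def rs_authorize(access_token: str, required_scope: str, now: int, introspect: bool = False) -> str:
    """RS: validate the bearer token on an API call; return the user it acts for."""
    claims = verify(access_token, now)
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != API_AUDIENCE:
        raise PermissionError("not issued for this API")   # e.g. an ID Token replayed here
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"scope {required_scope!r} was not consented to")
    if introspect and not as_introspect(access_token, now):
        raise PermissionError("token revoked")
    return claims["sub"]

def client_validate_id_token(id_token: str, expected_nonce: str, now: int) -> str:
    """Client: issuer, audience (this client) and the nonce it sent must all match."""
    claims = verify(id_token, now)
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID Token not meant for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed from another session")
    return claims["sub"]

def _denied(fn, *args, **kw) -> bool:
    try:
        fn(*args, **kw)
        return False
    except (PermissionError, ValueError):
        return True

def demo() -> dict:
    now = 1_700_000_000
    tokens = as_issue_tokens("alice", {"weight:read"}, nonce="n-42", now=now)
    at, idt = tokens["access_token"], tokens["id_token"]
    tampered = at.rsplit(".", 1)[0] + ".AAAA"     # claims kept, signature replaced
    out = {"sso_user": client_validate_id_token(idt, "n-42", now),
           "api_user": rs_authorize(at, "weight:read", now),
           "unconsented_scope_denied": _denied(rs_authorize, at, "weight:write", now),
           "id_token_as_access_token_denied": _denied(rs_authorize, idt, "weight:read", now),
           "wrong_nonce_denied": _denied(client_validate_id_token, idt, "other", now),
           "expired_denied": _denied(rs_authorize, at, "weight:read", now + 601),
           "tampered_denied": _denied(rs_authorize, tampered, "weight:read", now)}
    REVOKED.add(verify(at, now)["jti"])          # the user withdraws consent at the AS
    out["revoked_still_accepted_without_introspection"] = rs_authorize(at, "weight:read", now) == "alice"
    out["revoked_denied_with_introspection"] = _denied(rs_authorize, at, "weight:read", now, introspect=True)
    return out
```

The audience check is what keeps the two token types apart: the ID Token is signed by the same key, so without it an ID Token handed to the RS would be accepted as an access token. The nonce check on the client side is the Connect-specific defence against an ID Token captured in one session being replayed into another.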

Page 8

Representative IoT architecture

• Fitbit makes the Aria smart scale

• The scale syncs through home Wi-Fi to the Fitbit cloud for display & analysis through web & native applications

• 3rd party services can access the weight data to provide additional insight

Page 9

Architecture requirements

• User weight data is personal and must be protected against compromise

• Additionally, weight data must only be shared by Fitbit when consistent with user policy

Page 11

Architecture

Architecture diagram (labels only): the scale talks to the Fitbit cloud over a FitBit proprietary protocol; the Fitbit cloud exposes a REST API to Fitbit's own web & native applications and a REST API to 3rd party services.

Let's examine how OAuth & Connect can apply here.

Page 12

Cloud to cloud

•  TrendWeight offers additional insight & analysis of weight data.

•  It pulls scale data from the Fitbit cloud REST endpoints.

•  TrendWeight should use OAuth to authenticate its API calls as being made on behalf of a particular user (authorization code grant: the user logs in and consents at Fitbit, TrendWeight exchanges the returned code for an access token using its client credentials, and presents that token on each API call).

•  Because the user is involved in token issuance, this is a privacy-enabling model: Fitbit shares only what this user agreed to, with this client.

Page 13

Cloud to Cloud

Sequence diagram (labels only): Login & consent (the user authenticates at Fitbit and consents to TrendWeight's access); Weight data (TrendWeight retrieves it from the Fitbit cloud with the issued token).

Page 14

Revocation of authorization

The user can remove permissions previously assigned to 3rd parties; Fitbit then revokes the tokens it issued to that party, and its subsequent API calls are rejected.
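The cloud-to-cloud flow of pages 12 to 14 as a runnable simulation, added here and not taken from the deck or from Fitbit's or TrendWeight's real implementations: the OAuth 2.0 authorization code grant (RFC 6749 section 4.1) between a Fitbit authorization server, a Fitbit resource server and a TrendWeight client, followed by the user revoking the grant. Client id, client secret, URLs, scope names and weight readings are constructed. Access tokens here are opaque strings looked up at the AS (introspection), which is why the revocation takes effect on the very next API call.

```python
# Added example, not part of the Ping Identity deck: the cloud-to-cloud flow of
# the slides above as a simulation of the OAuth 2.0 authorization code grant
# (RFC 6749 section 4.1), followed by the user revoking TrendWeight's access.
# Client id, secret, URLs, scope names and the weight readings are constructed.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FitbitAuthorizationServer:
    def __init__(self, clients: dict):
        # client_id -> (sha256(secret), registered redirect_uri); the secret itself is not stored
        self.clients = {cid: (hashlib.sha256(sec.encode()).digest(), uri) for cid, (sec, uri) in clients.items()}
        self.codes, self.tokens = {}, {}    # one-time code -> grant; opaque access token -> grant

    def authorize(self, auth_url: str, user: str, consented: set) -> str:
        """Login & consent page: `user` authenticated and ticked `consented`; redirect back with a code."""
        q = _query(auth_url)
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code" or q.get("redirect_uri") != registered_uri:
            raise ValueError("redirect_uri must match the registration exactly")   # no open redirects
        granted = set(q.get("scope", "").split()) & consented      # the user may grant less than asked
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "user": user, "scope": granted, "redirect_uri": registered_uri}
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Token endpoint: authenticate the confidential client, then redeem the code exactly once."""
        secret_hash, _ = self.clients.get(client_id, (b"", ""))
        if not hmac.compare_digest(secret_hash, hashlib.sha256(client_secret.encode()).digest()):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)                             # pop: a code is single use
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid, reused or misdirected code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(grant["scope"]))}

    def introspect(self, access_token: str):
        return self.tokens.get(access_token)                           # None once revoked

    def revoke_user_grants(self, user: str, client_id: str) -> int:
        doomed = [t for t, g in self.tokens.items() if (g["user"], g["client_id"]) == (user, client_id)]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

class FitbitResourceServer:
    def __init__(self, auth_server, weights: dict):
        self.auth_server, self.weights = auth_server, weights

    def get_weights(self, bearer_token: str) -> list:
        grant = self.auth_server.introspect(bearer_token)
        if grant is None or "weight" not in grant["scope"]:
            raise PermissionError("unknown, revoked or under-scoped token")
        return self.weights[grant["user"]]

class TrendWeightClient:
    CLIENT_ID, SECRET, REDIRECT_URI = "trendweight", "s3cret-example", "https://trendweight.example/cb"

    def __init__(self, auth_server, resource_server):
        self.auth_server, self.resource_server = auth_server, resource_server
        self.state = self.access_token = None

    def start_login(self) -> str:
        self.state = secrets.token_urlsafe(16)       # ties the callback to this browser session
        return "https://www.fitbit.example/oauth2/authorize?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
            "scope": "weight profile", "state": self.state})

    def finish_login(self, callback_url: str) -> None:
        q = _query(callback_url)
        if not hmac.compare_digest(q.get("state", ""), self.state or ""):
            raise PermissionError("state mismatch: this callback was not started here (CSRF)")
        self.access_token = self.auth_server.token(self.CLIENT_ID, self.SECRET, q["code"], self.REDIRECT_URI)["access_token"]

    def fetch_weights(self) -> list:
        return self.resource_server.get_weights(self.access_token)

def _denied(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    auth = FitbitAuthorizationServer({TrendWeightClient.CLIENT_ID: (TrendWeightClient.SECRET, TrendWeightClient.REDIRECT_URI)})
    rs = FitbitResourceServer(auth, {"alice": [80.2, 79.9, 79.5]})     # constructed readings in kg
    tw = TrendWeightClient(auth, rs)
    callback = auth.authorize(tw.start_login(), user="alice", consented={"weight"})   # 'profile' refused
    out = {"forged_state_denied": _denied(tw.finish_login, callback.split("&state=")[0] + "&state=x")}
    tw.finish_login(callback)
    out["weights"] = tw.fetch_weights()
    out["code_reuse_denied"] = _denied(auth.token, tw.CLIENT_ID, tw.SECRET, _query(callback)["code"], tw.REDIRECT_URI)
    out["denied_after_revocation"] = auth.revoke_user_grants("alice", tw.CLIENT_ID) == 1 and _denied(tw.fetch_weights)
    return out
```

Three checks in this flow are the ones most often skipped in real deployments: the exact-match redirect_uri comparison at the authorization endpoint, the single-use code (pop, not get) at the token endpoint, and the client-side state comparison on the callback. With self-contained signed tokens instead of the opaque ones used here, revoke_user_grants would have to be paired with introspection or short lifetimes, as noted on page 5.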

Page 15

Native Application

•  Users can view their weight data & trends from iOS & Android native applications.

•  Native applications pull data from the Fitbit cloud REST endpoints.

•  Native applications should use OAuth to authenticate their API calls as being made on behalf of a particular user. Unlike a cloud service, a native app is a public client: anything compiled into it (a client secret, an embedded key) can be extracted from the device, so the app must obtain its token through the user's own login and consent rather than by presenting an app-wide secret, and should keep the token in platform-protected storage.
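An added example that goes beyond the deck: because a native app has no secret to authenticate with, an authorization code observed on the device (another app registered for the same URL scheme, a log, a debugging proxy) could be exchanged by whoever captured it. PKCE (RFC 7636, published in 2015, after this deck) binds the code to the app instance that started the flow. The AS class, client id and flow below are illustrative assumptions, not Fitbit's implementation.

```python
# Added example, not from the deck, and going beyond it: a native app is a public
# client with no secret, so an authorization code seen on the device could be
# exchanged by an attacker. PKCE (RFC 7636, 2015, after this deck) binds the code
# to the app instance that started the flow. AS class and client id are assumptions.
import base64
import hashlib
import hmac
import secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """43-character high-entropy string (RFC 7636 section 4.1 allows 43 to 128)."""
    return _b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class PkceAuthorizationServer:
    """Stores the challenge with the code; checks the verifier at the token endpoint."""

    def __init__(self):
        self.codes = {}     # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":            # 'plain' would let anyone who saw the challenge replay it
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self.codes.pop(code, None)          # single use, consumed even on failure
        if entry is None or entry[0] != client_id or not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), entry[1])

def demo() -> dict:
    auth = PkceAuthorizationServer()
    verifier = make_code_verifier()                               # lives only in the app's memory
    code = auth.authorize("aria-mobile-app", code_challenge_s256(verifier))
    out = {"legit_exchange": auth.token("aria-mobile-app", code, verifier)}
    out["replayed_code"] = auth.token("aria-mobile-app", code, verifier)             # already consumed
    stolen = auth.authorize("aria-mobile-app", code_challenge_s256(make_code_verifier()))
    out["stolen_code_without_verifier"] = auth.token("aria-mobile-app", stolen, make_code_verifier())
    return out
```

The verifier never leaves the app until the token request, and only its hash travels in the authorization request, so a party that sees the code (and even the challenge) still cannot redeem it. The AS also refuses the "plain" method, where the challenge is the verifier itself and offers no such protection.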

Page 16

Device to gateway

•  Devices communicate with each other and with the gateway via the local network, sharing data, sending control messages, etc.

•  These local interactions may not use HTTP, but instead an application protocol more optimized for the constraints (CPU, memory, battery, etc.) of devices.

•  Such application protocols include XMPP, MQTT and CoAP.

•  Work has begun on exploring how to bind OAuth & Connect to such IoT-optimized protocols, e.g. the ACE (Authentication and Authorization for Constrained Environments) effort in the IETF. The assumptions that bearer tokens over HTTPS rely on do not carry over automatically: the token has to fit in small messages, and the receiver needs some way to check that the sender is the party the token was issued to when the channel does not provide that.

Page 17

Conclusion

• Authentication & authorization of actors is fundamental to IoT security

• Mechanisms must be secure, scalable and privacy respecting

• OAuth & Connect promise to provide important pieces of an authn & authz framework for the IoT