Eat-out, put-together or cook

Gain a comprehensive understanding of web security standards and the unique security requirements of the IoT landscape. Compare and contrast security concerns across these two worlds and explore Layer 7 protocols, with a focus on Layers 6 and 5. Dive into SASL, MQTT, and AMQP, examining their benefits, security considerations, brokers, and workarounds.


Presentation Transcript


  1. Eat-out, put-together or cook
  • Web standards for IoT Security
  • Bhuvana Ramkumar
  • Staff Software Engineer, Application Security Team, Predix, GE Digital

  2. Intent
  • Take a look at web security standards
  • Take a look at the IoT land
  • Compare and contrast security concerns across these two worlds
  • Reinvent ?
  • Reengineer ?
  • Recombine ?

  3. What to expect from the session ?
  • Gain an overall perspective of security protocols
  • Explore unique security requirements of the IoT landscape
  • Focus on Layer 7 protocols, with details of Layers 6 and 5
    • i.e. the Application, Presentation and Session layers

  4. Focus
  • SASL
  • MQTT
  • AMQP
  For each of them :
  • Brief overview
  • Security considerations
  • Brokers
  • Workarounds
  • Benefits

  5. What is SASL ?
  • Authentication mechanism/framework
  • Independent of application protocols
  • Inbuilt support for integrity (message digest)
  • Inbuilt support for confidentiality (SCRAM, hashing, encryption)
  • Support for proxy authorization
    • Users can assume authentication credentials
  • Can complement TLS

  6. Benefits of SASL
  • Abstracts away security implementation details
  • Inbuilt support for network encryption
  • No hard requirement on the choice of protocols
  • Simple handshake mechanism between parties
  • Support for a range of options during connection establishment
  • Negotiated challenge-response based protection
  • OAUTHBEARER support : SASL profile combined with an OAuth token
    • Supported by AMQP
    • Not supported by MQTT
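
The handshake and proxy-authorization points above, as an added example that is not part of the presentation: it builds and parses the client initial responses of two SASL mechanisms, PLAIN (RFC 4616) and OAUTHBEARER (RFC 7628), and shows the server-side check that decides whether the authenticated identity (authcid) may assume the requested authorization identity (authzid). All identities, the password, the host and the token are constructed sample values, and `SAMPLE_PROXY_TABLE` is a hypothetical stand-in for whatever directory a real server consults.

```python
# Added example (not from the slides): SASL PLAIN and OAUTHBEARER initial responses,
# plus the proxy-authorization check a server must make when authzid != authcid.
# Every identity, password, host and token below is a constructed sample value.

SAMPLE_AUTHCID = "sensor-0042"      # identity the client proves it owns
SAMPLE_AUTHZID = "fieldtech"        # identity the client asks to act as
SAMPLE_PASSWORD = "s3cret"
SAMPLE_TOKEN = "constructed.opaque.token"

# Constructed (hypothetical) proxy-authorization table:
# authenticated identity -> identities it is allowed to assume.
SAMPLE_PROXY_TABLE = {"sensor-0042": {"fieldtech"}}


def plain_initial_response(authcid, password, authzid=""):
    """SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL password.
    An empty authzid tells the server to use the authenticated identity."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")


def parse_plain(message):
    """Server side: split the three NUL-separated fields; resolve an empty authzid."""
    parts = message.decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly two NUL separators")
    authzid, authcid, password = parts
    return {"authzid": authzid or authcid, "authcid": authcid, "password": password}


def oauthbearer_initial_response(token, host, port, authzid=""):
    """OAUTHBEARER client response (RFC 7628): GS2 header ('n,a=<authzid>,' or 'n,,'),
    then key=value pairs each terminated by ^A (0x01), then one extra ^A."""
    gs2_header = f"n,a={authzid}," if authzid else "n,,"
    pairs = f"host={host}\x01port={port}\x01auth=Bearer {token}\x01"
    return (gs2_header + "\x01" + pairs + "\x01").encode("utf-8")


def parse_oauthbearer(message):
    """Server side: recover authzid, the bearer token and the host/port fields."""
    text = message.decode("utf-8")
    gs2_header, _, rest = text.partition("\x01")
    if not rest.endswith("\x01\x01"):
        raise ValueError("OAUTHBEARER response must end with ^A^A")
    fields = {}
    for pair in rest[:-2].split("\x01"):
        key, _, value = pair.partition("=")
        fields[key] = value
    gs2_parts = gs2_header.split(",")
    if len(gs2_parts) != 3 or gs2_parts[0] != "n":
        raise ValueError("unexpected GS2 header")
    authzid = gs2_parts[1][2:] if gs2_parts[1].startswith("a=") else ""
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    return {"authzid": authzid, "token": auth[len("Bearer "):],
            "host": fields.get("host"), "port": fields.get("port")}


def authorize_proxy(authcid, authzid, proxy_table):
    """The server must refuse an authzid the authenticated identity was not granted;
    otherwise any client could 'assume' a more privileged identity."""
    return authzid == authcid or authzid in proxy_table.get(authcid, set())


if __name__ == "__main__":
    msg = plain_initial_response(SAMPLE_AUTHCID, SAMPLE_PASSWORD, SAMPLE_AUTHZID)
    fields = parse_plain(msg)
    print(fields, authorize_proxy(fields["authcid"], fields["authzid"], SAMPLE_PROXY_TABLE))
    msg = oauthbearer_initial_response(SAMPLE_TOKEN, "broker.example", 5671, SAMPLE_AUTHZID)
    print(parse_oauthbearer(msg))
```

PLAIN carries the password in clear, which is why the slide pairs SASL with TLS; OAUTHBEARER carries only the token, so the server validates it with the OAuth authorization server instead of holding any password. In both cases the authzid is a request, not a grant, and `authorize_proxy` is the step that turns it into one.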

  7. MQTT : Brief Overview
  Source : MQTT, A practical protocol for the Internet of Things, Bryan Boyd, IBM

  8. AMQP : Brief Overview
  Source : AMQP and RabbitMQ, Intro and Messaging patterns, Javier Arias Losada, Telefonica

  9. Authentication, Authorization and Access Control : AMQP
  • Authentication in AMQP :
    • OAuth plugins
    • SASL certificates
  • Authorization in AMQP :
    • vhost level
    • Broker level support, for example, RabbitMQ supports :
      • Per operation (read, write, configure)
      • Per resource (queue, exchange)
      • rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"
    • ACLs cached on a per-connection or per-channel basis
    • Reconnect needed for operational changes to take effect
    • Operations on resources restricted by ACLs
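
To make the RabbitMQ line above concrete, here is an added example (not RabbitMQ's own code) that parses the `rabbitmqctl set_permissions` command from the slide into a per-vhost table of (configure, write, read) regular expressions, checks an operation on a resource name against that table, and models the caching point: a connection snapshots its permissions when it opens, so a later `set_permissions` takes effect only after a reconnect. The `sensor-gw` user and all resource names are constructed; only the argument order shown on the slide is handled by the parser.

```python
# Added example (not RabbitMQ's code): per-vhost, per-operation, per-resource permission
# checks in the shape the slide describes, and the per-connection ACL snapshot.
import re
import shlex

OPERATIONS = ("configure", "write", "read")

# Constructed permission table: vhost -> user -> (configure, write, read) regexes.
SAMPLE_PERMISSIONS = {
    "/myvhost": {
        # constructed: a gateway that may only publish to the 'telemetry' exchange
        "sensor-gw": ("^$", "^telemetry$", "^$"),
    }
}


def apply_set_permissions(permissions, command_line):
    """Parse the slide's form 'rabbitmqctl set_permissions -p VHOST USER CONF WRITE READ'
    into the table. Only this argument order is handled (a simplification)."""
    argv = shlex.split(command_line)
    if len(argv) != 8 or argv[:3] != ["rabbitmqctl", "set_permissions", "-p"]:
        raise ValueError("expected: rabbitmqctl set_permissions -p VHOST USER CONFIGURE WRITE READ")
    vhost, user, configure, write, read = argv[3:]
    permissions.setdefault(vhost, {})[user] = (configure, write, read)
    return permissions


def _matches(patterns, operation, resource_name):
    """The regex for the requested operation is matched against the queue/exchange name."""
    return re.search(patterns[OPERATIONS.index(operation)], resource_name) is not None


def is_permitted(permissions, vhost, user, operation, resource_name):
    """Deny by default: a user with no entry on the vhost gets nothing."""
    try:
        patterns = permissions[vhost][user]
    except KeyError:
        return False
    return _matches(patterns, operation, resource_name)


class Connection:
    """Models the slide's caching point: the user's patterns are copied when the
    connection opens, so a later set_permissions does not affect it until reconnect."""

    def __init__(self, permissions, vhost, user):
        self._patterns = permissions.get(vhost, {}).get(user)   # tuple snapshot or None

    def check(self, operation, resource_name):
        if self._patterns is None:
            return False
        return _matches(self._patterns, operation, resource_name)


def reconnect_demo():
    """Returns (old connection before the change, old connection after it, fresh connection after it)."""
    perms = apply_set_permissions({}, 'rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"')
    old_conn = Connection(perms, "/myvhost", "tonyg")
    before = old_conn.check("write", "orders")
    # Operator revokes everything; the open connection keeps its snapshot.
    apply_set_permissions(perms, 'rabbitmqctl set_permissions -p /myvhost tonyg "^$" "^$" "^$"')
    return before, old_conn.check("write", "orders"), Connection(perms, "/myvhost", "tonyg").check("write", "orders")


if __name__ == "__main__":
    perms = apply_set_permissions(dict(SAMPLE_PERMISSIONS),
                                  'rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"')
    print(is_permitted(perms, "/myvhost", "tonyg", "configure", "tonyg-orders"))  # True
    print(is_permitted(perms, "/myvhost", "tonyg", "configure", "orders"))        # False
    print(reconnect_demo())                                                       # (True, True, False)
```

The `(True, True, False)` result from `reconnect_demo` is the operational consequence of the slide's last bullets: revoking a user's permissions does not cut off a connection that is already open, so an incident-response runbook that revokes access must also force the affected connections to close.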

  10. Authentication, Authorization and Access Control : MQTT
  • Authentication in MQTT :
    • Username and Password fields in the CONNECT message
    • Client Identifier
    • X.509 certificate
  • Authorization in MQTT :
    • Broker level support, for example, HiveMQ supports :
      • Topic permissions
        • Allowed topic
        • Allowed operation
        • Allowed QoS tunability
    • Open source plugin support : OnAuth callback
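
An added example, not HiveMQ's or any broker's own code, of the topic-permission model listed above: each entry names an allowed topic filter, an allowed operation and a maximum QoS, and the check is deny-by-default. It implements the MQTT wildcard rules (`+` for exactly one level, `#` for the remainder, no wildcard match on `$`-prefixed topics) so a practitioner can see exactly which concrete topics a granted filter covers. Client ids, topics and the ACL entries are constructed.

```python
# Added example (not a broker's code): MQTT topic permissions with wildcard matching,
# an allowed operation and a maximum QoS per entry. All values are constructed.

SAMPLE_ACL = {
    "sensor-0042": [
        {"topic": "devices/sensor-0042/+", "operation": "publish", "max_qos": 1},
        {"topic": "commands/sensor-0042/#", "operation": "subscribe", "max_qos": 2},
    ],
    "dashboard": [
        {"topic": "devices/#", "operation": "subscribe", "max_qos": 0},
    ],
}


def topic_matches(topic_filter, topic):
    """MQTT wildcard rules: '+' matches exactly one level, '#' matches all remaining
    levels (including none) and must be the last level. A filter starting with a
    wildcard never matches '$'-prefixed topics such as $SYS/..."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    filter_levels = topic_filter.split("/")
    topic_levels = topic.split("/")
    for i, level in enumerate(filter_levels):
        if level == "#":
            return i == len(filter_levels) - 1
        if i >= len(topic_levels):
            return False
        if level != "+" and level != topic_levels[i]:
            return False
    return len(filter_levels) == len(topic_levels)


def is_allowed(acl, client_id, operation, topic, qos):
    """Deny by default: allow only if an entry for this client grants the operation on
    a matching filter at or above the requested QoS."""
    for entry in acl.get(client_id, []):
        if entry["operation"] != operation or qos > entry["max_qos"]:
            continue
        if "+" in topic or "#" in topic:
            # A wildcard subscription request: conservative rule, allow only if the
            # requested filter is exactly one the client was granted.
            if topic == entry["topic"]:
                return True
        elif topic_matches(entry["topic"], topic):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed(SAMPLE_ACL, "sensor-0042", "publish", "devices/sensor-0042/temp", 1))   # True
    print(is_allowed(SAMPLE_ACL, "sensor-0042", "publish", "devices/other/temp", 0))         # False
    print(is_allowed(SAMPLE_ACL, "dashboard", "subscribe", "devices/sensor-0042/temp", 1))   # False (QoS cap)
```

The per-client filter `devices/sensor-0042/+` is what keeps one compromised device from publishing as another; the QoS cap is the "allowed QoS tunability" bullet, useful when a broker wants to bound the state it keeps per client. A production broker also has to decide whether a requested wildcard subscription is covered by a broader grant (for example `devices/sensor-0042/#` under `devices/#`); the example takes the conservative route and allows only exact matches of granted filters.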

  11. BasicAuth (MQTT) vs OAuth (AMQP)
  • BasicAuth :
    • Username and password, standard HTTP headers, Base64 encoding
    • No encryption, no hashing
    • Single point of failure if the server gets compromised; replay attacks
    • No cached session or cookies, no token management
    • Password or key rotation helps
      • Scheduling, configuring and management of key rotation
      • Rotation over a deployment of 1K-1M devices

  12. BasicAuth vs OAuth : Continued
  • OAuth :
    • Private key never leaves the host
    • No single point of failure
    • Attack surface is significantly minimized
    • Access token as bearer in the Authorization header
    • Token management with TTL, grant types
    • Configurable scopes
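
The contrast drawn on these two slides, as an added example that is not the presenter's code: Basic credentials are only Base64-encoded, so the server (and anyone who observes the header) recovers the password itself, whereas a bearer token issued by the server carries a TTL and scopes and is verified with a key that stays on the host. The token format is a constructed HMAC-SHA256 design for illustration, not a standard JWT or an OAuth library; the signing key, subject, scopes and timestamps are constructed sample values.

```python
# Added example (not the presenter's code): Basic credentials decode back to the password,
# while a server-issued bearer token is checked for signature, TTL and scope.
import base64
import hashlib
import hmac
import json

# Constructed server-side key; in the slide's terms, the key never leaves the host.
SAMPLE_SIGNING_KEY = b"constructed-server-side-signing-key"


def encode_basic(user, password):
    """What a client sends: 'Basic base64(user:password)'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(header_value):
    """Base64 is reversible, so whoever sees the header holds the password, not a derivative."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now, key=SAMPLE_SIGNING_KEY):
    """Constructed token format (not a standard JWT): base64url(claims) '.' base64url(HMAC-SHA256)."""
    claims = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url_encode(sig)


def verify_bearer(header_value, required_scope, now, key=SAMPLE_SIGNING_KEY):
    """Returns the subject if the bearer token is authentic, unexpired and carries the scope; else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None   # signature mismatch: tampered, or signed under a different key
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return None       # undecodable base64 or JSON
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None       # TTL enforced server-side: a leaked token dies on its own
    if required_scope not in claims.get("scope", []):
        return None       # scope bounds what even a valid token may do
    return claims.get("sub")


if __name__ == "__main__":
    print(decode_basic(encode_basic("sensor-0042", "s3cret")))           # ('sensor-0042', 's3cret')
    tok = issue_token("sensor-0042", {"telemetry:write"}, 300, now=1_700_000_000)
    print(verify_bearer("Bearer " + tok, "telemetry:write", now=1_700_000_100))   # sensor-0042
    print(verify_bearer("Bearer " + tok, "telemetry:write", now=1_700_000_400))   # None (expired)
```

The two TTL and scope checks are the concrete form of the slide's "token management with TTL" and "configurable scopes" bullets: rotating a Basic password across 1K-1M devices is a fleet-wide operation, whereas a short-lived scoped token limits what a captured credential is worth without touching the devices. Note that a bearer token is still replayable until it expires, so TLS remains necessary on the wire.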

  13. Connected Cars & OAuth
  • Dynamic scope configuration
  • Run time access control
  • Privilege management
  Source : UIEvolution & Wikipedia

  14. OAuth : Limitations
  • OAuth is a big step in IoT
  • Lack of anonymity : single sign-on across devices
  • Limited spread of OAuth client support
  • Grant bearer token : abstract concept
    • Web, enterprise and IoT worlds
  • OAuth itself is not sufficient (for fine-grained ACLs ?)
    • OAuth + ACS ?
    • https://github.com/predix/acs

  15. MQTT vs AMQP
  • MQTT is still very popular
  • Low footprint : simple pub-sub model
  • Low power draw
  • Light on network bandwidth
  • Ideal for embedded devices and hence for IoT
  • 3 QoS levels :
    • Fire and forget
    • At least once
    • Exactly once

  16. Fine-grained access control
  • Application level support for finer control
  • Desired degree of configurability ?
    • Role based access control
    • Policy based access control
    • Operational requirements based access control
    • Inheritance of access privileges
    • Proxy and sharing of access control
  • Example : Predix ACS
    • https://github.com/predix/acs

  17. Security considerations :
  • Pluggable backend for authorization and authentication
  • Cost of a redirect loop to such backend systems
  • Elliptic curve crypto support
  • PKI support
  • Interoperability of plugins
  • Order of evaluation
  • Ease of deployment and management
  • Ease of run time changes to settings

  18. Web vs IoT Security
  • Web security standard :
    • HTTPS + OAuth + OpenID Connect + Application (ACS)
  • IoT security :
    • SASL + OAuth + ?

  19. Questions ?
