using the delegated coap authentication and authorization
play

Using The Delegated CoAP Authentication and Authorization Framework - PowerPoint PPT Presentation

Oct 10, 2023 •311 likes •502 views

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

  1. Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 18

  2. Motivation ◮ draft-gerdes-ace-dcaf-authorize ◮ Secure exchange of authorization information. ◮ Establish DTLS channel between constrained nodes. ◮ Support of class-1 devices (RFC 7228). ◮ Support cross-domain, multi-owner scenarios. ◮ draft-bergmann-ace-dcaf-cose ◮ Re-use light-weight DCAF messaging ◮ Support for application-level security using COSE objects ◮ Enable piggybacked protected content use-case 2 / 18

  3. Observation: DCAF Messages are not tied to DTLS Access Request CAM SAM Access Ticket C S 3 / 18

  4. Nor is the Ticket Data Access Request CAM SAM Face: Access Ticket [server authorization info] nonce [lifetime] Client Information: C S veri fi er (session key) [client authorization info, nonce] [lifetime] 4 / 18

  5. DCAF-Messages can be protected with COSE Example: Access Request POST /client-authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: AES-CCM-16-64-128 # unprotected nonce: h'd6150b90e6f0eb5be42164062c', # nonce }, h'{encrypted payload w/ tag}', # encrypted DCAF payload # recipients: [ [ h'', # protected (absent for AE algorithm) { alg: A128KW, # unprotected kid: h'383261622e6161733432' # context identifier: "82ab.aas42" }, h'52ff9ed52d...' # encrypted session key ] ] ] 5 / 18

  6. DCAF-Messages can be protected with COSE Example: Access Request POST /client-authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: AES-CCM-16-64-128 # unprotected nonce: h'd6150b90e6f0eb5be42164062c', # nonce }, h'{encrypted payload w/ tag}', # encrypted DCAF payload # recipients: [ [ h'', # protected (absent for AE algorithm) { alg: A128KW, # unprotected kid: h'383261622e6161733432' # context identifier: "82ab.aas42" }, h'52ff9ed52d...' # encrypted session key ] ] ] 6 / 18

  7. Key Derivation CAM SAM Security Association transfer Ticket Face during setup C S derive session key use session key from Ticket Face and from Veri fi er (direct K S,SAM or derived) 7 / 18

  8. Convey Ticket Face from C to S POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 8 / 18

  9. Convey Ticket Face from C to S POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 9 / 18

  10. Creation of Security Context POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 2.01 Created Content-Format: application/cose+cbor Location-Path: 238dsa29 Authorization: [ h'a1031862', # protected { alg: HMAC 256/256 }, # unprotected h'', # empty payload h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 10 / 18

  11. Creation of Security Context POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] used as security context identifier 2.01 Created Content-Format: application/cose+cbor derived from Location-Path: 238dsa29 Ticket Face and Authorization: [ h'a1031862', # protected K S,SAM { alg: HMAC 256/256 }, # unprotected h'', # empty payload new option h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 11 / 18

  12. Usage of Security Context without payload GET /r Authorization: [ h'', # protected (empty) { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 12 / 18

  13. Usage of Security Context without payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 13 / 18

  14. Usage of Security Context with payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] PUT /r Content-Format: application/cose+cbor [ h'a10300', # protected { content_type: text/plain } { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, h'48656c6c6f20576f726c6421', # payload: "Hello World!\n" h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 14 / 18

  15. Usage of Security Context with payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] PUT /r Content-Format: application/cose+cbor [ h'a10300', # protected { content_type: text/plain } { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, h'48656c6c6f20576f726c6421', # payload: "Hello World!\n" h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 15 / 18

  16. Open Issues ◮ protection of changeable CoAP options (- > CoRE WG) ◮ describe how to apply key derivation methods from draft-ietf-cose-msg 16 / 18

  17. Summary ◮ DCAF-COSE supports application-level security using COSE objects ◮ use plain COSE as described in draft-ietf-cose-msg ◮ two new CoAP options: ◮ Authorization : convery authorization information ◮ Authorization-Format : allow for future extensions 17 / 18

  18. DCAF-COSE vs. OSCOAP DCAF-COSE OSCOAP invent "Secure Message format" Changes use COSE as is (-06) (COSE-profile in Appendix A) to COSE no changes required invent "COSE Optimizations" that are not COSE- compatible (new message types, remove unprot- ected header, alg ...) use parameter kid (identifies invent new parameter cid (identifies cipher suite, Security keys, alg-specific parameters, different for client auth info and session key) Context and server: "typically identifies the sending party") invent new parameter seq (-> sequence number, use parameter nonce Replay no freshness information) (-> local time) protection Server sends SAM Re-key "out of scope" (Section 7.1) Information Message Signaling use existing payload types implicit, new payload type two new options (not critical due to usual content-format new critical option handling) Handling COSE extension parameter not supported of unknown to signal required options options RFC 7252, 7641 options needs more work in CoRE WG block-wise 18 / 18

Recommend

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann , Carsten Bormann { gerdes | bergmann | cabo } @tzi.org Universit at Bremen NPSec14, 2014-10-21 Motivation Smart objects small

466 views • 27 slides
Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia

Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia

Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia http://electronicdesign.com/iot/mqtt-and-coap-underlying-protocols-iot 03 03-coap coap UDP- reliable (confirmable), SMS supported CoRE Link-format (GET /.well known/core

1.09k views • 42 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

750 views • 27 slides
When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy Web Traffic Needs Security! Goals = CIA triad Confidentiality

192 views • 18 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

467 views • 35 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof. Tom Austin San Jos State University Authentication vs Authorization Authentication Are you who you say you are? Restrictions on who

1.14k views • 79 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted C. Cheng, Howard Chu, Matthew Hardin Symas Corporation Outline Evolution of Related Technologies Unified AAA Architecture Provisioning AAA

396 views • 27 slides
Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and Reliability PhD Candidate Vandana Rohokale (vmr@es.aau.dk) Supervisor Prof. Ramjee Prasad CTIF, Aalborg, Denmark Co-supervisors Assoc. Prof. Horia

372 views • 13 slides
Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis Final talk Karthik Mathiazhagan

735 views • 18 slides
Authentication in Drupal DrupalCamp Spain 2014 About me, @juampy72 Drupal 7 and 8 module

Authentication in Drupal DrupalCamp Spain 2014 About me, @juampy72 Drupal 7 and 8 module

Juampy Novillo Requena Authentication in Drupal DrupalCamp Spain 2014 About me, @juampy72 Drupal 7 and 8 module Developer at Lullabot maintainer and core developer Let's start by defining Authentication and Authorization Authentication

909 views • 32 slides
CoAP usages for Device Management Jaime Jimnez jaime.jimenez@ericsson.com Managing Networks

CoAP usages for Device Management Jaime Jimnez jaime.jimenez@ericsson.com Managing Networks

CoAP usages for Device Management Jaime Jimnez jaime.jimenez@ericsson.com Managing Networks of Things workshop draft-jimenez-t2trg-coap-functionality-lwm2m @jaim - jaimejim.github.io Constrained Application Protocol (CoAP) It is a

375 views • 16 slides
Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas

Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas

Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas Hildmann hildmann@prz.tu-berlin.de Berlin University of Technology (TUB) Content Motivation Advantages of pseudonymous A+A

733 views • 14 slides
Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala (vyas@vt.edu) CS 6204, Spring 2005 1 Background Not a standard. Establishes requirements for Authentication, Authorization & Accounting(AAA)

617 views • 19 slides
NDN, CoAP, and MQTT: A Comparative Measurement Study in the IoT ACM ICN 2018, Boston Cenk

NDN, CoAP, and MQTT: A Comparative Measurement Study in the IoT ACM ICN 2018, Boston Cenk

NDN, CoAP, and MQTT: A Comparative Measurement Study in the IoT ACM ICN 2018, Boston Cenk Gndoan 1 Peter Kietzmann 1 Martine Lenders 2 Hauke Petersen 2 Thomas C. Schmidt 1 Matthias Whlisch 2 1 HAW Hamburg 2 Freie Universitt Berlin CoAP

1.12k views • 56 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides

More recommend