Consideration Security Issues on Registration Group Name: WG4 (SEC) Source: Shingo Fujimoto, FUJITSU, Meeting Date: 2014-01-15.

Presentation transcript:

Consideration Security Issues on Registration
Group Name: WG4 (SEC)
Source: Shingo Fujimoto, FUJITSU
Meeting Date:
Agenda Item: Security TS
© 2013 oneM2M Partners - SEC Issues_on_Registration

Introduction
The security procedure on Registration is introduced here because the SEC contributor felt the need to share some thoughts on the security issues behind that procedure.

Registration - General Concept
The Registration (REG) CSF is responsible for handling an Application or another CSE registering with a CSE, in order to allow the registered entities to use the services offered by the registered-with CSE. The REG CSF also handles registration of a Device, so as to allow the Device's properties/attributes to be registered with the CSE.

Who can use the 'service'?
- Subscriber who owns the resource (management purpose)
- Application owned by the Subscriber (= Device?)
- Application used by the Subscriber
- Application authorized to access the resource which is owned by the Subscriber
Note: ownership can be given by the M2M service provider with limited scope.

Issues regarding Registration
- Trust in a non-infrastructure node is limited.
- Sharing a master credential between non-infrastructure nodes may cause secret leakage.
- API calls should be session-less to enable scale out (= parallel processing with multiple servers).

Possible Solution (using token)
1. The Application requests the Infrastructure node to issue a token for API calls (e.g. for uploading measured data to be stored on the hosting CSE).
2. The Infrastructure node returns the token information to both the hosting CSE and the Application.
3. The Application provides the issued token along with the request message for the API call.

Registration Before/After
[Diagram: Application Node and Infrastructure Node, before and after Registration. Before: M2M App, Trust, Shared credentials, Access Policy, Provides resource. After: Trust, Routing Information, Shared credential, Provides resource, UPDATE / NOTIFY.]
CSEs are registered to communicate with each other.
Applications are registered to use service on a specific CSE (= hosting CSE).

Token delivery patterns
1. Receiving as a response to the authorization request
2. Receiving as a redirected request (OAuth 2.x method)
3. Delivered from the Service Provider (provisioning)
4. Delivered from the Subscriber (enabling service)

Potential Requirements
- Issuing a token associated with a Role (single point of management at the infrastructure node)
- Accepting token information as local access policy
- Handling expiration of a token, and triggering update of an invalidated token
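As an added illustration (not code from this contribution or from any oneM2M specification) of the token-based solution on slide 6 and the requirements on slide 9: the infrastructure node mints a token bound to a Role, a hosting CSE and an expiry, and the hosting CSE checks it session-less using only the token information the infrastructure node shared with it. The HMAC construction, the shared key, the claim names and the ROLE_POLICY table are all assumptions made for the example.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed demo key: stands in for the token information the infrastructure
# node shares with the hosting CSE (step 2 of the slide). Assumption, not oneM2M.
SHARED_KEY = b"constructed-demo-key-infra-to-hosting-cse"

# Assumed local access policy: which Role may perform which operation.
ROLE_POLICY = {
    "uploader": {"CREATE"},
    "reader": {"RETRIEVE"},
    "admin": {"CREATE", "RETRIEVE", "UPDATE", "DELETE"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(app_id, role, hosting_cse, ttl_s, key=SHARED_KEY, now=None):
    """Infrastructure node: mint a token binding app_id to a Role, a hosting CSE and an expiry."""
    now = time.time() if now is None else now
    claims = {"app": app_id, "role": role, "cse": hosting_cse, "exp": int(now + ttl_s)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def check_request(token, operation, this_cse, key=SHARED_KEY, now=None):
    """Hosting CSE: verify the token presented with an API call, then apply ROLE_POLICY.
    Session-less: only the shared key and the clock are needed, so any replica can answer.
    Returns (allowed, reason_or_app_id)."""
    now = time.time() if now is None else now
    try:
        b64body, b64mac = token.split(".")
        body, mac = _unb64(b64body), _unb64(b64mac)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad-signature"
    claims = json.loads(body)
    if claims.get("cse") != this_cse:
        return False, "wrong-audience"   # token was issued for another hosting CSE
    if now >= claims["exp"]:
        return False, "expired"   # caller should trigger refresh of the invalidated token
    if operation not in ROLE_POLICY.get(claims["role"], set()):
        return False, "role-denied"
    return True, claims["app"]
```

Because the hosting CSE keeps no per-application session, the expiry in the token is the only thing that bounds its lifetime, which is why slide 9 pairs Role-bound issuance with explicit expiration handling.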