End-to-End Security for Primitives

Slides:



Advertisements
Similar presentations
Access Control Mechanism Discussion
Advertisements

Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,
Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: Agenda Item: TBD.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date:
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.
Supporting long polling Group Name: ARC WG Source: SeungMyeong, LG Electronics, Meeting Date: x-xx Agenda Item: TBD.
Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
Customized Resource Types MAS Group Name: MAS + ARC + PRO WGs Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date:
Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.
Status Report on Access TP8 Group Name: WG2 Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Primitive End-to-End Security Requirements Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting.
Certificate Enrolment STEs Group Name: SEC#18 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
Introducing XLink and XPointer ©NIITeXtensible Markup Language/Lesson 10/Slide 1 of 23 Objectives In this lesson, you will learn to: * Identify the types.
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.2,
1. How to handle Request-ID? oneM2M joint WG2 & WG3 discussion PRO Josef Blanz July 2 nd, 2014.
E2EKey Resource Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.3, Agenda Item: End-to-End Security.
ARC R02 Modelling operations – problem statement and proposal Group Name: ARC#19.3 Source: Joerg Swetina, NEC,
PRO/ARC and TST/PRO joint sessions at TP20 Group Name: oneM2M TP20 Source: Peter Niblett, IBM Meeting Date:
App and Management End- to-End Security Requirements Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm,
OIC INTERWORKING Resource mapping
Security API discussion Group Name: SEC Source: Shingo Fujimoto, FUJITSU Meeting Date: Agenda Item: Security API.
Protocol Issues related to Plugtest Group Name: TST Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date: Agenda.
App End-to-End Security Requirements Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date:
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
End-to-End Primitive Security: Challenges and Suggestions Group Name: SEC WG Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow, Josef Blanz Meeting.
Clarification of Access Control Mechanism on Rel-1 & Rel-2 Group Name: SEC ( ARC & PRO for information) Source: FUJITSU Meeting Date: Agenda.
Group Name: oneM2M WG1 Requirements Source: Phil Hawkes, Rapporteur “Benefits of oneM2M technology” TR,
Adding Non-blocking Requests Contribution: oneM2M-ARC-0441R01R01 Source: Josef Blanz, Qualcomm UK, Meeting Date: ARC 7.0,
Authorization Architecture Discussion Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 28 MAY, 2014 Agenda.
Subscription and Notification Issue Group Name: WG2 Source: Qi Yu, Mitch Tseng- Huawei Technologies, Co. LTD. Meeting Date: ~23 Agenda Item:
Consideration Security Issues on Registration Group Name: WG4 (SEC) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
DM Execute Group Name: WG2/WG5 Source: Jiaxin Yin, Huawei Technologies Co., Ltd., Meeting Date: Agenda Item: TBD.
On-Boarding and Enrolment Group Name: SEC WG Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow, Josef Blanz Meeting Date: SEC#22, Agenda.
Discussion about Interoperability (&versioning) Group Name: PRO & ARC Source: FUJITSU Meeting Date: Agenda Item: TS-0004.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
Specifying the Address of Management Client of Managed Entity Group Name: ARC Source: Hongbeom Ahn, SK Telecom, Meeting Date: TP#21 Agenda.
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,
[authenticationProfile] <mgmtObj> specialization
oneM2M interop 3 issues and optimizations
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
Service Enabled AE (SAE)
Group multicast fanOut Procedure
2nd Interoperability testing issues
Issues of <locationPolicy> Discussion
draft-ietf-simple-message-sessions-00 Ben Campbell
NIDD Discussion Points
Proposed design principles for modelling interworked devices
oneM2M Service Layer Protocol Version Handling
MAF&MEF Interface Specification discussion of the next steps
Proximal IoT Interworking solution discussion
Discussion to clarify online/offline behavior
3GPP Interworking Abstraction
oneM2M Versioning Next Steps
Overview of E2E Security CRs
Summary of Access Control Rules Processing
CMDH Refinement Contribution: oneM2M-ARC-0397R01
Discussion on XSD open issues
Service Layer Dynamic Authorization [SLDA]
3GPP Interworking and use of <schedule> resource
Summary of the MAF and MEF Interface Specification TS-0032
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
The devil is in the details
Presentation transcript:

End-to-End Security for Primitives Group Name: ARCWG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: ARC20.4 (joint with SEC), 2016-01-06 Agenda Item: End-to-End Security and Group Authentication

Introduction This presentation is a based on SEC-2015-0678-E2E_Primitive_Security, Tailored for an ARC audience Some changes in details based on Qualcomm internal discussions SEC-2015-0678 has not been treated by SEC yet. Purpose of End-to End Security for Primitives Securing oneM2M primitives (e.g. Originator-to-Hosting CSE) High Level View/Requirements End-to-End Encryption and Integrity protection of entire Primitive Similar options as for hop-by-hop security association establishment PSK, MAF, certificate Reuse Remote Security Provisioning Framework specified for hop-by-hop

High Level View: Request Originator Hosting CSE 1. Form inner request primitive JSON/XML serialization 2. Apply JWE/XML-ENC processing to inner request primitive, resulting in JWE/XML-ENC object 3. Form outer request primitive To: <e2ESecurityExchange>, Op =to be determined, Content = JWE/XML-ENC object, etc. 4. Send outer request primitive <e2ESecurityExchange> 5. Extract Content = JWE/XML-ENC object. 6. Apply JWE/XML-ENC processing to JWE/XML-ENC object, resulting in JSON/XML serialization of inner request primitive 7. Process inner request primitive NOTE: Blocking mode shown.

High Level View: Response Originator Hosting CSE 8. Form inner response primitive JSON/XML serialization 9. Apply JWE/XML-ENC processing to inner response primitive, resulting in JWE/XML-ENC object 10. Form outer response primitive Content = JWE/XML-ENC object, etc. 11. Send outer response primitive 12. Extract Content = JWE/XML-ENC object. 13. Apply JWE/XML-ENC processing to JWE/XML-ENC object, resulting in JSON/XML serialization of inner response primitive 14. Process inner response primitive NOTE: Blocking mode shown. In non-blocking mode, step 11 looks a little different

Aspect Solution ARC Impact Transport Content param of primitive acting on <e2ESecuredExchange> High Primitive protection Encryption + integrity protection using XML Enecryption or JSON Web Encryption (JWE) with symmetric key1 Low Freshness See slides 11-14 in SEC-2015-0678. Requires adding optional latestE2ERand attribute to <remoteCSE> def’n for including latest random value provided by corresponding HCSE. 1 Med <e2EKey> resource Enables two end-points (CSE+CSE, AE+AE, CSE+AE) to establish symmetric key using certificates (see ARC-2016-0003-e2EKey_resource). Efficiency advantages.1 Rules for E2E primitive security Orig or HCSE can insist on E2E Primitive security Once initiated, both must use E2E primitive security e2ePrimitivePolicy: “all” or list of specific end-points 1. Not discussed further in this presentation

Transport <e2ESecuredExchange> resource: Purpose: receiving for secured requests and returning secured responses <e2ESecuredExchange> request Content contains the secured request To: resource-ID of the default <e2ESecuredExchange> resource on HCSE All other usual parameters. RequestId seems to serve no purpose in the outer primitive, since the requestId in the inner primitive will be correlated. One suggestion is to use a reserved requestId – to increase the difficulty of correlating requests and responses. <e2ESecuredExchange> response Content contains the secured response All usual parameters

<e2ESecuredExchange> Options Resource “nature” Virtual (no defined attributes): Recommended Non-Virtual (defined attributes) Multiplicity Single <e2ESecuredExchange> resource on HCSE. All Originators address this single resource. Only allow one of CREATE or UPDATE This option recommended since no need for multiple A new <e2ESecuredExchange> resource is created for each secured request. Use <CSEBase> as parent? Only allow CREATE only Single option recommended since no need for reference to the exchange instance outside the request/response exchange.

(ARC Impact) Rules for E2E primitive security Originators and HCSE need to know whether (in a multi-hop communication) E2E Primitive security to be applied. For Release 2, keep things as simple as possible Principles Either Originator or HCSE can initiate E2E primitive security Once E2E primitive security initiated, both ends must apply E2E primitive security until “session” expires – that is, unsecured primitives in either direction will be rejected. CSEs configured with [e2ePrimitiveSecurityPolicy], specialization of <mgmtObj>, that says when CSE must insist on E2E primitive security [e2ePrimitiveSecurityPolicy] contains either “all”: indicating, for all other entities, the entity (Originator/HCSE) must insist on e2e primitive security for multi-hop communication A list of CSE-IDs, AE-IDs or links to <group> resources for which the entity (Originator/HCSE) must insist on e2e primitive security for multi-hop communication Impact on TS-0001: Defining [e2EPrimitiveSecurityPolicy] resource Suggested Authors: Qualcomm introduce TS-0001 text, and later corresponding TS-0004 text

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.