Eat-out, put-together or cook

Presentation transcript:

Eat-out, put-together or cook: Web standards for IoT Security
Bhuvana Ramkumar, Staff Software Engineer, Application Security Team, Predix, GE Digital

Intent
- Take a look at web security standards
- Take a look at the IoT land
- Compare and contrast security concerns across these two worlds
- Reinvent? Reengineer? Recombine?

What to expect from the session?
- Gain an overall perspective of security protocols
- Explore the unique security requirements of the IoT landscape
- Focus on Layer 7 protocols, with details of Layers 6 and 5, i.e. the Application, Presentation and Session layers

Focus
For each of SASL, MQTT and AMQP:
- Brief overview
- Security considerations
- Brokers
- Workarounds
- Benefits

What is SASL?
- Authentication mechanism/framework
- Independent of application protocols
- Inbuilt support for integrity (message digest)
- Inbuilt support for confidentiality (SCRAM, hashing, encryption)
- Support for proxy authorization
- Users can assume authentication credentials
- Can work complementary to TLS

Benefits of SASL
- Abstracts away security implementation details
- Inbuilt support for network encryption
- No hard requirement on the choice of protocols
- Simple handshake mechanism between parties
- Support for a range of options during connection establishment
- Negotiated challenge-response based protection
- OAUTHBEARER support: SASL profile combined with an OAuth token
  - Supported by AMQP
  - Not supported by MQTT

MQTT: Brief Overview (diagram)
Source: MQTT, A practical protocol for the Internet of Things, Bryan Boyd, IBM

AMQP: Brief Overview (diagram)
Source: AMQP and RabbitMQ, Intro and Messaging patterns, Javier Arias Losada, Telefonica

Authentication, Authorization and Access Control: AMQP
Authentication in AMQP:
- OAuth plugins
- SASL
- Certificates
Authorization in AMQP:
- vhost level
- Broker level support; for example, RabbitMQ supports permissions per operation (read, write, configure) and per resource (queue, exchange):
    rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"
  (the three regular expressions are the configure, write and read permissions, in that order)
- ACLs are cached on a per-connection or per-channel basis, so a reconnect is needed for operational changes to take effect
- Operations on resources are restricted by ACLs

Authentication, Authorization and Access Control: MQTT
Authentication in MQTT:
- Username and Password fields in the CONNECT message
- Client Identifier
- X.509 certificate
Authorization in MQTT:
- Broker level support; for example, HiveMQ supports topic permissions: allowed topic, allowed operation, allowed QoS tunability
- Open-source plugin support: OnAuth callback
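To make the slide above concrete, here is an added example (not from the deck or from any broker's code) that builds and parses an MQTT 3.1.1 CONNECT packet, showing where the Client Identifier, Username and Password fields sit, and then runs the kind of credential check a broker plugin would perform on the parsed result. The client id, credentials and salt are constructed; the CONNACK return codes are the ones defined by the MQTT 3.1.1 specification. Note that the password travels in the packet as plain bytes, which is why MQTT authentication needs TLS underneath it.

```python
"""Build and parse an MQTT 3.1.1 CONNECT packet, then run a broker-side credential
check on the result. Added example; ids, credentials and salts are constructed."""
import hashlib
import hmac
import secrets
import struct

CONNACK_ACCEPTED = 0x00
CONNACK_BAD_CREDENTIALS = 0x04  # MQTT 3.1.1: "bad user name or password"
PBKDF2_ITERATIONS = 100_000


def _field(data):
    # length-prefixed field: 2-byte big-endian length, then the bytes
    return struct.pack("!H", len(data)) + data


def _remaining_length(n):
    out = bytearray()  # MQTT variable-length integer, 7 bits per byte, MSB = continuation
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60, clean_session=True):
    flags = 0x02 if clean_session else 0x00
    payload = _field(client_id.encode())
    if username is not None:
        flags |= 0x80
        payload += _field(username.encode())
    if password is not None:
        if username is None:
            raise ValueError("MQTT 3.1.1: password flag requires the username flag")
        flags |= 0x40
        payload += _field(password)  # password is opaque binary data
    var_header = _field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def _read_field(buf, pos):
    (n,) = struct.unpack_from("!H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end


def parse_connect(pkt):
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    pos, mult, remaining = 1, 1, 0
    while True:
        b, pos = pkt[pos], pos + 1
        remaining += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")
    if len(pkt) - pos != remaining:
        raise ValueError("remaining length does not match packet")
    name, pos = _read_field(pkt, pos)
    if name != b"MQTT" or pkt[pos] != 4 or pkt[pos + 1] & 0x01:
        raise ValueError("unsupported protocol, or reserved connect flag set")
    flags = pkt[pos + 1]
    (keepalive,) = struct.unpack_from("!H", pkt, pos + 2)
    pos += 4
    client_id, pos = _read_field(pkt, pos)
    will = None
    if flags & 0x04:  # Will Flag: will topic and message precede username/password
        topic, pos = _read_field(pkt, pos)
        message, pos = _read_field(pkt, pos)
        will = {"topic": topic.decode(), "message": message, "qos": (flags >> 3) & 0x03, "retain": bool(flags & 0x20)}
    username = password = None
    if flags & 0x80:
        raw, pos = _read_field(pkt, pos)
        username = raw.decode()
    if flags & 0x40:
        if username is None:
            raise ValueError("password without username")
        password, pos = _read_field(pkt, pos)
    if pos != len(pkt):
        raise ValueError("trailing bytes after payload")
    return {"client_id": client_id.decode(), "clean_session": bool(flags & 0x02),
            "keepalive": keepalive, "will": will, "username": username, "password": password}


def make_record(password, salt=None):
    """What the broker should store per user: salt plus PBKDF2 digest, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def authenticate(conn, store):
    """Return the CONNACK return code a broker would send for a parsed CONNECT."""
    record = store.get(conn["username"])
    if record is None or conn["password"] is None:
        return CONNACK_BAD_CREDENTIALS
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", conn["password"], salt, PBKDF2_ITERATIONS)
    return CONNACK_ACCEPTED if hmac.compare_digest(candidate, digest) else CONNACK_BAD_CREDENTIALS
```

The parser rejects the malformed cases the specification calls out (bad remaining length, reserved flag set, password without username, trailing bytes), which is where a lenient broker plugin tends to go wrong; the authentication step uses a salted PBKDF2 verifier rather than comparing stored plaintext.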

BasicAuth (MQTT) vs OAuth (AMQP)
- Username and password, standard HTTP headers, Base64 encoding
- No encryption, no hashing
- Single point of failure if the server gets compromised; replay attacks
- No cached session or cookies, no token management
- Password or key rotation helps
- Scheduling, configuring and managing key rotation
- Rotation over a deployment of 1K-1M devices
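The "no encryption, no hashing" point above, and the "negotiated challenge-response based protection" the earlier SASL slides credit to the framework, are easiest to see side by side. The following is an added example, not from the deck: a SASL SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both the client and the server side, next to a decoder for an HTTP Basic header. Usernames, passwords and nonces are constructed. The server stores only the salted verifier and the password never appears in any of the four messages, whereas the Basic header decodes straight back to the password.

```python
"""SASL SCRAM-SHA-256 run end to end, client and server side, next to an HTTP
Basic header. Added example; usernames, passwords and nonces are constructed."""
import base64
import hashlib
import hmac
import secrets

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
def _h(data):
    return hashlib.sha256(data).digest()
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _b64(data):
    return base64.b64encode(data).decode()
def _nonce():
    return _b64(secrets.token_bytes(18))  # printable and comma-free, as RFC 5802 requires
def _attrs(msg):
    return dict(part.split("=", 1) for part in msg.split(","))  # "k=v,k=v" -> dict

class ScramServer:
    """Holds only the salted verifier (StoredKey, ServerKey), never the password."""
    def __init__(self, username, password, iterations=4096):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)
        self.stored_key = _h(_hmac(salted, b"Client Key"))
        self.server_key = _hmac(salted, b"Server Key")
    def first(self, client_first):
        # client-first-message = gs2-header "," client-first-message-bare
        self._bare = client_first.split(",", 2)[2]
        attrs = _attrs(self._bare)
        if attrs["n"] != self.username:
            raise ValueError("unknown user")
        self._nonce = attrs["r"] + _nonce()  # server appends its own nonce
        self._server_first = "r=%s,s=%s,i=%d" % (self._nonce, _b64(self.salt), self.iterations)
        return self._server_first
    def final(self, client_final):
        without_proof, proof = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self._nonce:
            raise ValueError("nonce mismatch")
        auth_message = ",".join([self._bare, self._server_first, without_proof]).encode()
        # ClientProof = ClientKey XOR ClientSignature; recover ClientKey, check H(ClientKey) == StoredKey
        client_key = _xor(base64.b64decode(proof), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            raise ValueError("authentication failed")
        return "v=" + _b64(_hmac(self.server_key, auth_message))

class ScramClient:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.nonce = _nonce()
    def first(self):
        self._bare = "n=%s,r=%s" % (self.username, self.nonce)
        return "n,," + self._bare  # gs2-header: no channel binding, no authzid
    def final(self, server_first):
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server did not echo our nonce")
        salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(), salt, iterations)
        client_key = _hmac(salted, b"Client Key")
        without_proof = "c=%s,r=%s" % (_b64(b"n,,"), attrs["r"])
        self._auth_message = ",".join([self._bare, server_first, without_proof]).encode()
        proof = _xor(client_key, _hmac(_h(client_key), self._auth_message))
        self._server_key = _hmac(salted, b"Server Key")
        return without_proof + ",p=" + _b64(proof)
    def verify(self, server_final):
        # mutual authentication: the server proves it knew ServerKey
        expected = _hmac(self._server_key, self._auth_message)
        return hmac.compare_digest(base64.b64decode(server_final[2:]), expected)

def scram_exchange(username, password, server):
    """Run the four-message exchange; returns (authenticated, messages seen on the wire)."""
    client = ScramClient(username, password)
    wire = [client.first()]
    wire.append(server.first(wire[-1]))
    wire.append(client.final(wire[-1]))
    try:
        wire.append(server.final(wire[-1]))
    except ValueError:
        return False, wire
    return client.verify(wire[-1]), wire

def basic_credentials(header):
    """HTTP Basic is Base64 framing, not encryption: whoever sees the header has the password."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password
```

Running `scram_exchange("device-0042", "pencil", ScramServer("device-0042", "pencil"))` returns `True` together with the four messages, none of which contains the password; a wrong password makes the server raise and the exchange return `False`. SCRAM still needs TLS for confidentiality of the payload that follows, which is why the deck pairs SASL with TLS rather than treating them as alternatives.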

BasicAuth vs OAuth: Continued
- Private key never leaves the host
- No single point of failure
- Attack surface is significantly minimized
- Access token as bearer in the Authorization header
- Token management with TTL, grant types
- Configurable scopes

Connected Cars & OAuth
- Dynamic scope configuration
- Run-time access control
- Privilege management
Source: UIEvolution & Wikipedia

OAuth: Limitations
- OAuth is a big step in IoT
- Lack of anonymity: single sign-on across devices
- Limited spread of OAuth client support
- Grant bearer token: an abstract concept across the web, enterprise and IoT worlds
- OAuth itself is not sufficient (for fine-grained ACLs?)
- OAuth + ACS? https://github.com/predix/acs

MQTT vs AMQP
- MQTT is still very popular
- Low footprint: simple pub-sub model
- Low power draw
- Light on network bandwidth
- Ideal for embedded devices and hence for IoT
- 3 QoS levels: fire and forget, at least once, exactly once

Fine-grained access control
- Application level support for finer control
- Desired degree of configurability?
- Role based access control
- Policy based access control
- Operational requirements based access control
- Inheritance of access privileges
- Proxy and sharing of access control
- Example: Predix ACS, https://github.com/predix/acs

Security considerations
- Pluggable backend for authorization and authentication
- Cost of a redirect loop to such backend systems
- Elliptic-curve crypto support
- PKI support
- Interoperability of plugins
- Order of evaluation
- Ease of deployment and management
- Ease of run-time changes to settings

Web vs IoT Security
- Web security standard: HTTPS + OAuth + OpenID Connect + Application (ACS)
- IoT security: SASL + OAuth + ?

Questions?