Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent,

Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent, Meeting Date: Agenda Item: RBAC

ALU Comments- Scheme
The framework using OAuth looks OK. It relieves Application Server owners of the burden of maintaining subscription accounts with different roles/service eligibility. 'Principals' wanting to access the resources get the credentials (Tokens) by offline means. The Access Request is made to the Application Server using these Tokens. The Application Server looks at the Token and its access rights and makes a permission decision based on the Token. The Application Server keeps the Token for its assigned validity; if the Token is for one-time use, it becomes invalid after that single use. Roles/Access Rights are based on the Token. © 2013 oneM2M Partners 2

ALU Comments- Security issues 1
The App Server allocates the Tokens to the App User (identified by the App User ID, AUID) according to the subscription to an Application. The Tokens are distributed in bulk over an alternate distribution medium, e.g. OMA DM. The User Device's M2M ID is opaque to the App Server. Each Token is mapped to the AUID.

ALU Comments- Security issues 2
Once the Tokens are distributed, the User App picks an available Token from the unused pool and sends it via the M2M Server to the App Server.
– The M2M Server authenticates the User Device using its M2M ID and credentials.
– The AUID and Token are opaque to the M2M Server.

ALU Comments- Security issues 3
– Once the M2M credentials are authenticated, the AUID and Token are forwarded to the App Server for Authorization.
– The App Server checks that the Token is not yet used and is associated with the AUID. If so, it authorizes the use of the Resource.

ALU Comments- Security threats
1. Security Threat: An Attacker may block or disturb the communications between oneM2M and the App Server when the Victim requests the Resource, then masquerade as the Victim's AUID and present the intercepted Token. The Resource will be authorized for the Attacker instead of the Victim.
2. Security Threat: An Attacker may masquerade as a Victim and present Tokens that have been intercepted, trying to obtain authorization for the Resource.

ALU Comments- Security threats
3. Security Threat: An Attacker may present used-up or invalid Tokens for a Victim's AUID, overloading the App Server and causing distribution of new Tokens to the Victim. This loads the Token Distribution system (i.e. OMA DM), makes the Victim's current Tokens invalid, and thus keeps the Victim unable to use the Resource.

Security Requirements
The App Server needs to maintain a mapping of the User's AUID to the M2M ID of the User's Device, so that when an AUID with a Token is presented to the App Server, it is presented together with the AUTHENTICATED oneM2M ID of the Device that made the Access. The Token Distribution must be secure, protected from eavesdropping and manipulation, i.e. Confidentiality and Integrity protected. If IP/TCP/HTTP is used, HTTPS is the right security tool for this distribution. If IP/UDP is used, DTLS is the right security tool.
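The following is an added illustration, not code from the contribution or from oneM2M: a small model of the App Server's authorization check as the "Security issues" slides describe it (AUID + Token only) next to a version hardened along the lines of the Security Requirements slide (Token honoured only together with the authenticated M2M ID bound to the AUID, one-time use, and no automatic re-distribution when invalid Tokens are presented). The demo walks threats 1/2 and 3 against both. Class names, the request shape, the pool size and all identifiers such as "auid-victim" and "dev-attacker" are constructed for the example.

```python
"""Model of the token-based authorization flow from the slides (constructed
example, not oneM2M code).  NaiveAppServer checks (AUID, Token) only; the
HardenedAppServer also requires the authenticated M2M ID of the device."""
from dataclasses import dataclass
import secrets


@dataclass
class AccessRequest:
    """What reaches the App Server via the M2M Server (constructed shape)."""
    auid: str      # App User ID asserted by the User App (opaque to M2M Server)
    token: str     # Token picked from the pool distributed over OMA DM
    m2m_id: str    # device identity as authenticated by the M2M Server


class NaiveAppServer:
    """Authorizes on (AUID, Token) alone, as in the 'Security issues 3' slide."""

    def __init__(self):
        self.pool = {}              # token -> AUID, tokens not yet used
        self.redistributions = 0    # how often new tokens had to be pushed

    def issue_tokens(self, auid, n):
        """Bulk-allocate n fresh one-time tokens to an AUID; old ones are revoked."""
        self.pool = {t: a for t, a in self.pool.items() if a != auid}
        tokens = [secrets.token_urlsafe(16) for _ in range(n)]
        self.pool.update({t: auid for t in tokens})
        return tokens

    def tokens_left(self, auid):
        return sum(1 for a in self.pool.values() if a == auid)

    def authorize(self, req):
        if self.pool.get(req.token) == req.auid:
            del self.pool[req.token]     # one-time use
            return True
        # Threat 3: an unknown token for this AUID is treated as a
        # desynchronised pool and triggers re-distribution, which also
        # invalidates every token the legitimate user still holds.
        self.issue_tokens(req.auid, 5)
        self.redistributions += 1
        return False


class HardenedAppServer(NaiveAppServer):
    """Adds the AUID <-> authenticated M2M ID binding the requirements ask for."""

    def __init__(self):
        super().__init__()
        self.device_of = {}         # AUID -> M2M ID registered at subscription
        self.failures = {}          # M2M ID -> count of rejected requests

    def bind(self, auid, m2m_id):
        self.device_of[auid] = m2m_id

    def _reject(self, req):
        self.failures[req.m2m_id] = self.failures.get(req.m2m_id, 0) + 1
        return False

    def authorize(self, req):
        # A token is only honoured from the device its AUID is bound to, so an
        # intercepted token presented from another device buys nothing.
        if self.device_of.get(req.auid) != req.m2m_id:
            return self._reject(req)
        if self.pool.get(req.token) == req.auid:
            del self.pool[req.token]
            return True
        # Invalid token from the legitimate device: reject and count it, but
        # leave the rest of its pool intact; re-distribution is a separate,
        # rate-limited decision rather than a side effect of one bad request.
        return self._reject(req)


def demo():
    """Run the threats from the slides against both servers (constructed data)."""
    victim, attacker = "auid-victim", "dev-attacker"
    results = {}

    naive = NaiveAppServer()
    tok = naive.issue_tokens(victim, 3)
    # Threats 1/2: an intercepted token replayed from the attacker's device.
    results["naive_masquerade"] = naive.authorize(AccessRequest(victim, tok[0], attacker))
    # Threat 3: a bogus token for the victim's AUID forces re-distribution.
    naive.authorize(AccessRequest(victim, "bogus", attacker))
    results["naive_redistributions"] = naive.redistributions
    results["naive_victim_token_still_valid"] = naive.pool.get(tok[1]) == victim

    hard = HardenedAppServer()
    hard.bind(victim, "dev-victim")
    tok = hard.issue_tokens(victim, 3)
    results["hard_masquerade"] = hard.authorize(AccessRequest(victim, tok[0], attacker))
    results["hard_legit"] = hard.authorize(AccessRequest(victim, tok[0], "dev-victim"))
    results["hard_replay"] = hard.authorize(AccessRequest(victim, tok[0], "dev-victim"))
    for _ in range(20):
        hard.authorize(AccessRequest(victim, "bogus", attacker))
    results["hard_redistributions"] = hard.redistributions
    results["hard_tokens_left"] = hard.tokens_left(victim)
    results["hard_attacker_failures"] = hard.failures[attacker]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The binding check is the point of the requirement slide: the App Server never sees the device directly, so the M2M ID it compares against must be the one the M2M Server authenticated and forwarded, not a value the User App asserts. The hardened server also shows why the re-distribution policy matters for threat 3: counting failures per presenting device keeps an Attacker's junk Tokens from invalidating the Victim's pool.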