Consideration of Security Issues on Registration
Group Name: WG4 (SEC)
Source: Shingo Fujimoto, FUJITSU, shingo_fujimoto@jp.fujitsu.com
Meeting Date: 2014-01-15
Agenda Item: Security TS
© 2013 oneM2M Partners - SEC-2014-0012-Issues_on_Registration
Introduction
The security procedure for Registration was introduced in SEC-2014-0009. The contributor felt the need to share some thoughts on the security issues behind that procedure.
Registration
General Concept: the Registration (REG) CSF is responsible for handling an Application or another CSE registering with a CSE, in order to allow the registered entities to use the services offered by the registered-with CSE. The REG CSF also handles registration of a Device, so as to allow registration of the Device's properties/attributes with the CSE.
Who can use the 'service'?
- Subscriber who owns the resource (management purpose)
- Application owned by the Subscriber (= Device?)
- Application used by the Subscriber
- Application authorized to access a resource owned by the Subscriber
Note: ownership can be granted by the M2M service provider with limited scope.
Issues regarding Registration
- Trust in a non-infrastructure node is limited.
- Sharing a master credential between non-infrastructure nodes may cause leakage of the secret.
- API calls should be session-less to enable scale-out (= parallel processing with multiple servers).
Possible Solution (using a token)
1. The Application requests the Infrastructure Node to issue a token for API calls (e.g. for uploading measured data to be stored on the hosting CSE).
2. The Infrastructure Node returns the token information to both the hosting CSE and the Application.
3. The Application presents the issued token along with the request message of each API call.
Registration Before/After
Figure (diagram labels only): M2M App, Application Node, Infrastructure Node; Trust, Routing Information, Shared credentials, Access Policy, Provides resource; messages: Registration, UPDATE, NOTIFY; panels: Before, After.
- CSEs are registered to communicate with each other.
- Applications are registered to use the service on a specific CSE (= hosting CSE).
Token delivery patterns
1. Received as the response to the authorization request
2. Received as a redirected request (OAuth 2.x method)
3. Delivered from the Service Provider (provisioning)
4. Delivered from the Subscriber (enabling the service)
Potential Requirements
- Issuing a token associated with a Role (single point of management at the Infrastructure Node)
- Accepting token information as local access policy
- Handling expiration of a token, and triggering an update of an invalidated token
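The token scheme sketched in the "Possible Solution", "Token delivery patterns" and "Potential Requirements" slides can be made concrete. The Python below is an added example written for this page; it is not code from this oneM2M contribution or from any oneM2M specification. It assumes, beyond what the slides say, that the Infrastructure Node holds a master secret and derives a separate key per hosting CSE (so no non-infrastructure node ever receives the master credential), that the token is a base64url JSON payload with an HMAC-SHA256 tag, and a hypothetical role-to-operation table ROLE_POLICY. The names issue_token, verify_token, authorize and needs_refresh, the CSE and application identifiers, and the timestamps are illustrative.

```python
"""Session-less API token for an M2M hosting CSE (added example, not oneM2M code).

Assumptions (not taken from the slides): the Infrastructure Node holds a master
secret and derives one key per hosting CSE, so the CSE never receives the master
credential; the token is a base64url JSON payload plus an HMAC-SHA256 tag, which
the hosting CSE verifies without keeping any per-request session state."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical role-to-operation policy managed at the Infrastructure Node and
# mirrored at the hosting CSE (oneM2M operation names).
ROLE_POLICY = {
    "sensor-writer": {"CREATE", "RETRIEVE"},
    "operator": {"CREATE", "RETRIEVE", "UPDATE", "DELETE"},
}


class TokenError(Exception):
    """Raised when a token is malformed, forged, mis-addressed or expired."""


def derive_cse_key(master_secret: bytes, cse_id: str) -> bytes:
    """Per-hosting-CSE key: the CSE is provisioned with this, never with the master."""
    return hmac.new(master_secret, cse_id.encode(), hashlib.sha256).digest()


def _mac(key: bytes, payload_b64: str) -> str:
    return hmac.new(key, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_token(master_secret, cse_id, app_id, role, scope, ttl, now=None):
    """Infrastructure Node step: bind app, role, target CSE, scope and expiry."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}")
    now = int(time.time()) if now is None else now
    payload = {"aud": cse_id, "sub": app_id, "role": role,
               "scope": scope, "iat": now, "exp": now + ttl}
    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = _mac(derive_cse_key(master_secret, cse_id), payload_b64)
    return f"{payload_b64}.{tag}"


def verify_token(cse_key, cse_id, token, now=None):
    """Hosting CSE step: check tag, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag = token.split(".", 1)
    except ValueError:
        raise TokenError("malformed")
    # Tag check first, in constant time, before trusting any claim.
    if not hmac.compare_digest(_mac(cse_key, payload_b64), tag):
        raise TokenError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if payload.get("aud") != cse_id:
        raise TokenError("wrong hosting CSE")
    if now >= payload["exp"]:
        raise TokenError("expired")
    return payload


def _in_scope(scope, resource):
    # Exact match or a child path; a bare prefix test would let /a/b cover /a/bc.
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


def authorize(cse_key, cse_id, token, operation, resource, now=None):
    """Use the token's role and scope as the CSE's local access policy."""
    try:
        claims = verify_token(cse_key, cse_id, token, now)
    except TokenError:
        return False
    allowed = ROLE_POLICY.get(claims["role"], set())
    return operation in allowed and _in_scope(claims["scope"], resource)


def needs_refresh(claims, now=None, margin=30):
    """Tell the Application to re-request a token before it expires."""
    now = int(time.time()) if now is None else now
    return claims["exp"] - now <= margin


if __name__ == "__main__":
    master = b"demo-master-secret"  # constructed value for the demo only
    key = derive_cse_key(master, "cse-01")  # what the hosting CSE is provisioned with
    tok = issue_token(master, "cse-01", "app-42", "sensor-writer",
                      "/cse-01/telemetry", ttl=60, now=1000)
    print(authorize(key, "cse-01", tok, "CREATE", "/cse-01/telemetry/r1", now=1030))
    print(authorize(key, "cse-01", tok, "DELETE", "/cse-01/telemetry/r1", now=1030))
```

Because the hosting CSE holds the same symmetric key that produced the tag, a compromised hosting CSE can mint tokens for itself (though not for other CSEs, whose keys differ). If that is unacceptable, replace the HMAC with a signature so the CSE holds only a verification key; the claim layout and the stateless checks stay the same.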