Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure and sMARrter ciTIes Data ManagEment

Published byElfrieda Evans Modified over 7 years ago

Similar presentations

Presentation on theme: "Secure and sMARrter ciTIes Data ManagEment"— Presentation transcript:

1 Secure and sMARrter ciTIes Data ManagEment
A secure IoT integrating platform for data dissemination will benefit all stakeholders and citizens of Smart Cities Secure and sMARrter ciTIes Data ManagEment A European Project

2 Outline Introduction to SMARTIE SMARTIE authorization perspective
Conclusions

3 IoT for Smarter Cities Future technology ecosystem Challenging
Big scale Security Interoperability

4 SMARTIE Project’s perspective
Privacy Trust and Security User-centric privacy & security for keeping citizens‘ trust on the IoT Security poorly applied Lack of interoperability

5 SMARTIE Project’s perspective
For the incoming era of Fog/Edge computing, interoperability and (interoperable) security is one of the key enablers From “Edge-centric computing: Vision and Challanges”, ACM SIGCOMM Computer Communication Review, Oct. 2015 18/11/2015

6 SMARTIE Project’s perspective
Prototype, integrating platform for efficient and secure dissemination of city data Lightweight security ECC, PANA Decentralized authorization models User-centric policies Secure data storage Architecture generated under the guidelines of the IoT Arquitecture Reference Model (IoT-ARM) SMARTIE Promote interoperation between IoT services because in fact it servers as a integrating platform where application-levels can be plug in.

7 SMARTIE Consortium World-wide telco (64%, 19% and 17% of PT Innovaçao market set in Europe, Southamerica and Africa, respectively), based in Lisbon World-wide research center (Europe, North America and Asia). In Heidelberg (Germany), more than 100 employees, focus on security and IoT Research center based in Frankfurt (Oder) Startup for ITS solutions, funded in 1998, based in Frankfurt (Oder) Startup establish in Serbia (Novi Sad) in 2006, around 40 employees, focused on research on IoT Public University in the Region of Murcia, founded in 1272 Governmental institution for the development of Region of Murcia

8 Outline Introduction to SMARTIE SMARTIE authorization perspective
Conclusions

9 IoT Access Control Typical IoT communication relies on cloud services and application-level GWs Lack of standardization and research on decentralized access control IoT providers generally rely on Access Control Lists Flexible solutions are necessary for device-to-device interoperation RFC 7452: Architectural Considerations in Smart Object Networking

10 IoT Access Control Massive scale of smart cities require decentralized access control Scalability, constrained devices Standardization will promote interoperation Separation between the application logic (done by less-constrained servers) and access control (done by more-constrained devices) Assurance of security If an attacker makes belive the rS that is has been legitimaly authuorized, it does not matter if you apply dtls SMARTIE aims at deeply analyzing the impact of access control Implementation of token-based decentralized access for CoAP Encryption-based access control

11 IoT Delegated Authorization
Device-to-device access control with security… Client authentication is essential for the IoT Bearer tokens must be avoided It relies on the confidentiality of cryptographic material between clients, RSs, and ASs. Application-level authentication is gaining ground

12 IoT Delegated authorization
Cryptograhpic identities pre-configured at the RS AS-to-All model Clients sign the request to the RS Public or symmetric key Client identities are not known in advance AS-to-client model Client’s symmetric key derived from the AS-RS shared secret Decryption-based authorization RS does not verify authorization Group communciation

13 IoT Delegated Authorization
IETF proposal for Authentication and Authorization for Constrained devices (ACE) Based on Proof-of-Possession (PoP) tokens Improve client authentication in OAuth (bearer tokens) by adding proof-of-possession OAuth: Delegated Authorization for the Web Extensively used as authentication protocol for Web Single Sign On (SSO) Still, a generic delegated authorization protocol Access token for resource retrieval Bearer token approach  only possession of the access token is enough to grant the holder access Authorization pass Authorization pass

14 IoT Delegated Authorization
IETF proposals: Self-contained authorization pass consumed by the RS With the client’s symmetric key Encrypted with the AS-RS secret key With the client’s public key Signed by the AS’s public key Client proves possesion of the token’s key DTLS Object security Introspection method when the RS is not able to evaluate the token

15 Client Authentication in IoT access control
Relevant security features should be considered Authorization scope limitation AS should be able to limit the scope of authorization grants The RS should be able to verify the grant scope Access revocation AS should be able to revoke a client’s authorization grant Secure access when the AS is offline may be a requirement (offline AS-RS and offline AS-client) Scope limitation Authoriz. Revocation Offline AS-RS Offline AS- client Authorization pass OK After pass’ lifetime During pass’ lifetime AS-to-client Client request X Content decryption Key scope Group key update AS-to-All (ACL) OK if no auth. changes Introspection During token lifetime

16 Server Authentication in IoT access control
Server authentication is mainly done by proof-of-possession of a private key Public key Decryption-based Key-possession

17 SMARTIE authorization & authentication
Pass-based delegated authorization With fine-grained rules, validity period. Implicit authorization for highly-efficient data dissemination CP-ABE encryption for notifying (delay intolerant) data consumers Data is encrypted with specific attributes that have been associated to the consumers Only consumers holding the correct attributes can decrypt the data Sub/pub through the IoT broker Decryption keys are delivered to subscribers when they ask for authorization (i.e., they get a capability token) IoT broker and AS synchronize encryption attributes IoT broker receives data from sensors and encrypts it with the appropriate attributes before notifying consumers Very efficient for data distribution to groups No need for individual authorization, the IoT broker does not consume capability tokens IoT broker releases sensors from the dury of encrypting information. Sensors send the information to the broker through dtls and the broker will disseminate the data to all subscribers (after encypting the data with the attributes of each one) This subscription model is a combination of pass-based authorization and decryption-based authorization. The former for the client to subscribe to the broker, and the second for the client to be able to decrypt the broker’s notifications.

18 Outline Introduction to SMARTIE SMARTIE authorization perspective
Conclusions

19 Conclusions SMARTIE is an integrating platform for secure data dissemination Developed under the guidelines of the IoT-ARM Scalable decentralized authorization models The best delegated access control method depends on the system’s needs Further analysis of the methods’ overhead on IoT devices is needed The next step will be to analyze inter-domain authorization

20 13/06/2016

Download ppt "Secure and sMARrter ciTIes Data ManagEment"

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
SCSC 455 Computer Security

SCSC 455 Computer Security
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security Management.

Security Management.
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
1 Emergency Alerts as RSS Feeds with Interdomain Authorization Filippo Gioachin 1, Ravinder Shankesi 1, Michael J. May 1,2, Carl A. Gunter 1, Wook Shin.

1 Emergency Alerts as RSS Feeds with Interdomain Authorization Filippo Gioachin 1, Ravinder Shankesi 1, Michael J. May 1,2, Carl A. Gunter 1, Wook Shin.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Presence Networking: XMPP and Jabber Joe Hildebrand Chief Architect Jabber, Inc. Networld+Interop 1 May 2003.

Presence Networking: XMPP and Jabber Joe Hildebrand Chief Architect Jabber, Inc. Networld+Interop 1 May 2003.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

Similar presentations

Ads by Google