Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Principles of IoT Security A Hands-on Course

Published byBruce Green Modified over 6 years ago

Similar presentations

Presentation on theme: "The Principles of IoT Security A Hands-on Course"— Presentation transcript:

1 The Principles of IoT Security A Hands-on Course
Class 4 : Network Security February 2, 2017 Charles J. Lord, PE President, Consultant, Trainer Blue Ridge Advanced Design and Automation

2 This Week’s Agenda 1/30 Intro to IoT Security 1/31 Hardware Security Challenges 2/1 Data Security 2/2 Network Security 2/3 Other Security Issues in the IoT

3 This Week’s Agenda 1/30 Intro to IoT Security 1/31 Hardware Security Challenges 2/1 Data Security 2/2 Network Security 2/3 Other Security Issues in the IoT

4 HTTP, FTP, SMTP, SSH, TELNET 6. Presentation HTML, CSS, GIF 5. Session
ISO / OSI Model Layer Data unit Examples Host layers 7. Application Data HTTP, FTP, SMTP, SSH, TELNET 6. Presentation HTML, CSS, GIF 5. Session RPC, PAP, SSL, SQL 4. Transport Segments TCP, UDP, NETBEUI Media layers 3. Network Packet IPv4, IPv6, IPsec, AppleTalk, ICMP 2. Data link Bit/Frame PPP, IEEE 802.2, L2TP, MAC, DHCP, LLDP 1. Physical Bit Ethernet physical layer, DSL, USB, ISDN, DOCSIS

5 IoT Network Security Commissioning and decommissioning
Device Authentication Network Authentication Channel Security IPsec SSL, SSH WEP / WPA Others

6 Commissioning Depending on the protocol used, commissioning can be one of the ‘big challenges’ of IoT nodes Many approaches Manual configuration Hardwired NFC or BT commissioning Wired (typically USB)

7 Manual configuration Network ID set by dip switches or pin jumpers
X-10 Garage Door Openers Expensive to make Failure prone Mechanical failure / contamination User failure Question 1 - Other devices that used dip switches for configuration?

8 Hardwired Cheapest to make – device has a hardwired ID
Typically based on the MAC address Gateway or local network controller must be programmed to accept this new ID in network Easy to clone, particularly in x WIFI access point example

9 NFC or BT commissioning
“ease of use” There’s an app for that Great way to sell NFC hardware BT has to be distance sensitive Can be easy to clone, depending on security of commissioning app

10 Wired Plugs into PC (or tablet with correct cable)
Can use sophisticated authentication (or not) Requires USB port Drivers can be an issue A lot of PC / MAC / Linux / iOS / Android to maintain USB ports are notorious dirt magnets

11 Decommissioning Network alarms on device disappearance
In mesh networks – what if device was a router? How does the absence affect the network? Alarm sensor Temp sensor for thermostat Medical sensor How to remove network memory from device

12 Device Authentication
ACL (access control list) – ‘login’ Network ID Known to network? Multi-level authentication ACL plus a challenge key Fixed vs dynamic network configuration Must guard against cloning or spoofing Question 2 – Other ways a device may authenticate?

13 Network Authentication
“Am I in the right place?” Anti-spoofing or anti-phishing PKI certificate authority RSA Reverse ACL

14 Channel Security How do we protect our data packets? IPsec SSL SSH TLS
DTLS Tunneling / Encapsulation

15 IPsec Internet Protocol Security Operates at the Network layer (#3)
Authenticates and encrypts each IP packet Establishes mutual authentication between agents at the beginning of the session Negotiates cryptographic keys to be used during the session.

16 Authentication Header

17 Encapsulating Security Payload

18 More on IPsec Crypto includes: Typically works in “Transport Mode”
Hashing, including SHA-1 and SHA-2 AES-CBC AES-GCM 3DES Typically works in “Transport Mode” Payload is encrypted Routing is not encrypted, but Authentication Header keeps from being mis-routed (e.g. port change)

19 SSL Secure Sockets Layer Works at the Session Layer (#5)
Establishes a secure link between two points in a network Public Key Certificates Incorporated in and replaced by TLS

20 SSH Secure Shell Works at the Application Layer Origin in BSD Unix
Encrypts application – level data throughout all layers from point to point Often used for login to remote systems Typically uses TCP port 22

21 TLS Replacement of SSL Covers both transport and session layers
Current version 1.2 (RFC 5246) Supports many public key standards from basic AES through 3DES and many ellipticals Supports both block cipher and stream cipher Works with TCP

22 DTLS Datagram Transport Level Security
Can cover from transport to application levels Derived from TLS streaming mode Supports UDP packets Less overhead than TLS while providing protection for the payload (datagram) Popular in IoT with CoAP Question 3 – CoAP stands for? And does what?

23 Tunneling / Encapsulation
Can be part of IPsec Both payload and routing headers are encrypted and are the new payload Can support one protocol over another (IPv6 over IPv4, IPv6 over PAN, etc) Basic mechanism for VPNs

24 What to Use? Tomorrow – we sum it all up!
Again, the security level will dictate, as well as the topology and exposure to attack or eavesdropping Does the discovery of who is talking to whom matter? How secure does the data have to be? What algorithms are Available as either software or hardwired Within the processor’s abilities? Tomorrow – we sum it all up!

25 This Week’s Agenda 1/30 Intro to IoT Security 1/31 Hardware Security Challenges 2/1 Data Security 2/2 Network Security 2/3 Other Security Issues in the IoT

26 Please stick around as I answer your questions!
Please give me a moment to scroll back through the chat window to find your questions I will stay on chat as long as it takes to answer! I am available to answer simple questions or to consult (or offer in-house training for your company)

Download ppt "The Principles of IoT Security A Hands-on Course"

Similar presentations

Network Security.

Network Security.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.

October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
7.3 Network Security Controls 1Network Security / G.Steffen.

7.3 Network Security Controls 1Network Security / G.Steffen.
OSI Reference Model An overview. Standards and the internet International Organization for Standardization ISO 70’s.

OSI Reference Model An overview. Standards and the internet International Organization for Standardization ISO 70’s.
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology.

VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
1/28/2010 Network Plus Security Review Identify and Describe Security Risks People –Phishing –Passwords Transmissions –Man in middle –Packet sniffing.

1/28/2010 Network Plus Security Review Identify and Describe Security Risks People –Phishing –Passwords Transmissions –Man in middle –Packet sniffing.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.

CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.
12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.

12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.
Network Admin Course Plan Accede Institute Of Science & Technology.

Network Admin Course Plan Accede Institute Of Science & Technology.
11 SECURING COMMUNICATIONS Chapter 7. Chapter 7: SECURING COMMUNICATIONS2 CHAPTER OBJECTIVES  Explain how to secure remote connections.  Describe how.

11 SECURING COMMUNICATIONS Chapter 7. Chapter 7: SECURING COMMUNICATIONS2 CHAPTER OBJECTIVES  Explain how to secure remote connections.  Describe how.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

Similar presentations

Ads by Google