Presentation is loading. Please wait.

Presentation is loading. Please wait.

[authenticationProfile] <mgmtObj> specialization

Published byClara Rich Modified over 6 years ago

Similar presentations

Presentation on theme: "[authenticationProfile] <mgmtObj> specialization"— Presentation transcript:

1 [authenticationProfile] <mgmtObj> specialization
Group Name: SEC WG Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow Meeting Date: SEC#25.1/MAS, Agenda Item: Device Configuration

2 Device Configuration and Security
TS-0022 Device configuration defines the [registration] <mgmtObj> specialization Initial proposal was to include the security credentials in [registration] SEC participants objected, since TS-0003 defines (or is in the process of defining) other procedures for provisioning credentials, … …and are reluctant to use device management servers for this purpose without further investigation.

3 Current [registration]
Attribute Name Request Optionality Data Type Default Value and Constraints Create Update Universal attributes, and following <mgmtObj> attributes not shown: mgmtDefinition, objectID, objectPaths, description originatorID O m2m:ID AE-ID or CSE-ID to be used on registration request. If the setting is for CSE, then this attribute shall be present. poA M Xs:anyURI The URI for point of acess address of registrar CSE. Protocol binding is determined from the protol in this URI. resourcePath The path of <CSEBase> resource to create <AE> or <remoteCSE> resource.

4 Proposed [registration]
Attribute Name Request Optionality Data Type Default Value and Constraints Create Update Universal attributes, and following <mgmtObj> attributes not shown: mgmtDefinition, objectID, objectPaths, description originatorID O m2m:ID AE-ID or CSE-ID to be used on registration request. If the setting is for CSE, then this attribute shall be present. poA M xs:anyURI The URI for point of acess address of registrar CSE. Protocol binding is determined from the protol in this URI. resourcePath The path of <CSEBase> resource to create <AE> or <remoteCSE> resource. authProfileRef m2m:mgmtLinkRef Link to the [authenticationProfile] to be used for mutual authentication for this registration

5 Proposed [authenticationProfile]
Attribute Name Request Optionality Data Type Notes Create Update Universal attributes, and following <mgmtObj> attributes not shown: mgmtDefinition, objectID, objectPaths, description symmKeyID O sec:credentialID Present when-Provisioned Symmetric Key SAEF is to be used with pre-provisioning mef sec:tefKeyRegCfg Present when Provisioned Symmetric Key SAEF is to be used with remote provisioning maf Used when MAF-based SAEF is to be used cert sec:certAuthnProfile (To be defined, see next slide) Present when Certificate-based SAEF is to be used Add attributes for domain/scope/usage. NOTE 1: Exactly one of the symmKeyID, mef, maf or cert elements shall be present Note: Can be extended to end-to-end security of primitives (ESPrim) with change to description

6 sec:certAuthnProfile
Element Path Element Data Type Multiplicity Note deviceCertHash or deviceCertCredID xs:base64binary or sec:credentialID 0..1 SHA-256 hash of a DER-encoded certificate of the management target. Used when there is more than one certificate on the device. peerCertHash xs:base64binary SHA-256 hash of the DER-encoded certificate of the intended peer See Note. trustAnchor (anonymous) 0..n Present when a CA-issued certificate is used by peer. See Note. trustAnchor/hash 1 SHA-256 hash of the CA Certificate trustAnchor/uri URI URI from which the certificate can be retrieved by the management target NOTE: Either exactly one peerCertHash element is present, or at least one trustAnchor element is present. In the former case, the peer must present a certificate which hashes to the peerCertHash. In the latter case, the peer must present a certificate chain to one of the identified trust anchors Note: designed to be used for hop-by-hop security and end-to-end security of primitives (ESPrim)

7 Device credentials not included
The [AuthenticationProfile] does not provision credentials authenticating the device. symmKeyID identifies a symmetric key, BUT assumes that symmetric key is already provisioned. mef (sec:tefKeyRegCfg) Details for requesting remote security provisioning by a MEF, BUT details for mutual authentication with MEF are expected to be configured separately. maf (sec:tefKeyRegCfg) Details for requesting MAF facilitates authentication BUT details for mutual authentication with MAF are expected to be configured separately. cert (sec:certAuthnProfile) Identifies a certificate of the Registree – but assumes it is already provisioned. Configures details for validating certificate of the Registrar (peer) We will continue working on the “other details”

8 Next Steps Configuring Credentials to Field Domain using Device Management Symmetric key Device/Node/AE/CSE Certificate Roots of trust for certificates? Agreement Security parameters in a separate MO, with link to that MO MAS would like to finalize TS-0022 at next F2F

Download ppt "[authenticationProfile] <mgmtObj> specialization"

Similar presentations

CMDH Refinement Contribution: oneM2M-ARC-0397

CMDH Refinement Contribution: oneM2M-ARC-0397
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: 2014-05-07 Discussion  Source: OBERTHUR Technologies Information  Contact:

SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Is a Node or not Node? ARC-2014-1194-Node_resolution Group Name: ARC Source: Barbara Pareglio, NEC, Meeting Date: ARC#9.1 Agenda.

Is a Node or not Node? ARC Node_resolution Group Name: ARC Source: Barbara Pareglio, NEC, Meeting Date: ARC#9.1 Agenda.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Facing the Challenges of M2M Security and Privacy

Facing the Challenges of M2M Security and Privacy
Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2014-12-18.

Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,

On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,
Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-08.

Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
Announcement Resources ARC-2014-1255-Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: 2014-04-07 Agenda Item: Input Contribution.

Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date: 2015-05-18.

End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date:
PRO-2014-0516R01-URI_mapping_discussion Discussion on URI mapping in protocol context Group Name: PRO and ARC Source: Shingo Fujimoto, FUJITSU,

PRO R01-URI_mapping_discussion Discussion on URI mapping in protocol context Group Name: PRO and ARC Source: Shingo Fujimoto, FUJITSU,
CP-a060003 Emergency call stage 2 requirements - A presentation of the requirements from 3GPP TS 23.167 Keith Drage.

CP-a Emergency call stage 2 requirements - A presentation of the requirements from 3GPP TS Keith Drage.
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: 2014-07-15 Agenda Item: SEC#11.4.

Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: 2014-04-07 Agenda Item: Management.

Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: 2014-06-07 Agenda Item: ARC11/PRO11.

TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: Agenda Item: ARC11/PRO11.
Usage Scenarios for CSE Group Name: WG2(ARC-WG) Source: Shingo Meeting Date: 2013-09-19 Agenda Item: Message.

Usage Scenarios for CSE Group Name: WG2(ARC-WG) Source: Shingo Meeting Date: Agenda Item: Message.
SEC-2014-0417-Identity_of_registrar_CSE Identity of Registrar CSE Group Name: SEC, ARC and PRO Source:FUJITSU Meeting Date: 2014-09-18 Agenda Item: Authentication.

SEC Identity_of_registrar_CSE Identity of Registrar CSE Group Name: SEC, ARC and PRO Source:FUJITSU Meeting Date: Agenda Item: Authentication.
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-15.

Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

Similar presentations

Ads by Google