Slide 1: Web standards for IoT Security
Eat-out, put-together or cook
Bhuvana Ramkumar, Staff Software Engineer, Application Security Team, Predix, GE Digital
Slide 3: Intent
- Take a look at web security standards
- Take a look at the IoT landscape
- Compare and contrast security concerns across these two worlds
- Reinvent? Reengineer? Recombine?
Slide 5: What to expect from the session?
- Gain an overall perspective of security protocols
- Explore the unique security requirements of the IoT landscape
- Focus on Layer 7 protocols, with details of Layers 6 and 5, i.e. the Application, Presentation and Session layers
Slide 6: Focus
- SASL, MQTT, AMQP: brief overview and security considerations
- Brokers, workarounds, benefits
Slide 7: What is SASL?
- Authentication mechanism/framework (RFC 4422): the application protocol carries the exchange, the chosen mechanism defines it
- Independent of application protocols
- Some mechanisms can negotiate a security layer on top of authentication: integrity protection (a message digest over the stream) and confidentiality (encryption of the stream)
- SCRAM is a salted challenge-response mechanism: the password itself never crosses the wire, but SCRAM provides no confidentiality of its own
- Support for proxy authorization: an authenticated user (authcid) can ask to act as another identity (authzid)
- Complements TLS: TLS protects the channel, SASL authenticates the parties over it
Slide 8: Benefits of SASL
- Abstracts security implementation details away from the application protocol
- Optional security layer for integrity or encryption, negotiated by the mechanism (in practice most deployments leave encryption to TLS)
- No hard requirement on one credential type: the mechanism is chosen during connection establishment
- Simple handshake mechanism between the parties
- Support for a range of options during connection establishment
- Negotiated challenge-response based protection
- OAUTHBEARER support (RFC 7628): a SASL mechanism that carries an OAuth 2.0 bearer token
- Supported by AMQP, which uses SASL natively
- Not supported by MQTT 3.1.1, which has only the username and password fields of the CONNECT packet (MQTT 5.0 later added an AUTH packet for challenge-response authentication)
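An added example of the negotiated challenge-response protection this slide refers to (example code written for this page, not from the presentation or from any SASL library): a complete SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both the client and the server side in Python. The user name "device-42", the password "pencil", the salts and the nonces are constructed for the demo. The server stores only the derived StoredKey and ServerKey; the password never appears on the wire, and the final v= value lets the client authenticate the server as well.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha256"


def _h(data):
    return hashlib.new(HASH, data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, HASH).digest()


def _b64(raw):
    return base64.b64encode(raw).decode()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg):
    # SCRAM messages are comma-separated "k=v" attributes; values may contain '='.
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramServer:
    """Stores StoredKey and ServerKey per user, never the password itself.
    (Real deployments also SASLprep the password and escape ',' and '=' in
    user names; both are omitted here.)"""

    def __init__(self, users, iterations=4096):
        self.iterations, self.db = iterations, {}
        for user, password in users.items():
            salt = os.urandom(16)
            salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
            self.db[user] = (salt, _h(_hmac(salted, b"Client Key")), _hmac(salted, b"Server Key"))

    def first(self, client_first):
        # client-first-message = gs2-header ("n,,") + client-first-message-bare
        self.client_first_bare = client_first.split(",", 2)[2]
        a = _attrs(self.client_first_bare)
        if a["n"] not in self.db:
            raise ValueError("unknown user")
        self.user = a["n"]
        self.nonce = a["r"] + _b64(os.urandom(18))  # server appends its own nonce
        self.server_first = f"r={self.nonce},s={_b64(self.db[self.user][0])},i={self.iterations}"
        return self.server_first

    def final(self, client_final):
        a = _attrs(client_final)
        if a["r"] != self.nonce:
            raise ValueError("nonce mismatch (replay?)")
        _, stored_key, server_key = self.db[self.user]
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage): recover ClientKey, check H(ClientKey)
        client_key = _xor(base64.b64decode(a["p"]), _hmac(stored_key, auth_message))
        if not hmac.compare_digest(_h(client_key), stored_key):
            raise ValueError("bad proof")
        return "v=" + _b64(_hmac(server_key, auth_message))  # server proves knowledge too


class ScramClient:
    def __init__(self, user, password):
        self.user, self.password, self.nonce = user, password, _b64(os.urandom(18))

    def first(self):
        self.first_bare = f"n={self.user},r={self.nonce}"
        return "n,," + self.first_bare  # "n" = no channel binding

    def final(self, server_first):
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise ValueError("server did not echo our nonce")
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(), base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(b'n,,')},r={a['r']}"
        self.auth_message = f"{self.first_bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(_h(client_key), self.auth_message))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final):
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(_attrs(server_final)["v"]), expected)


def run_exchange(user, password, server):
    """Drive one exchange; returns (authenticated, wire transcript)."""
    client, transcript = ScramClient(user, password), []
    try:
        transcript.append(client.first())
        transcript.append(server.first(transcript[-1]))
        transcript.append(client.final(transcript[-1]))
        transcript.append(server.final(transcript[-1]))
    except ValueError as err:
        return False, transcript + [f"error: {err}"]
    return client.verify_server(transcript[-1]), transcript


if __name__ == "__main__":
    srv = ScramServer({"device-42": "pencil"})  # constructed demo credential
    ok, msgs = run_exchange("device-42", "pencil", srv)
    print("\n".join(msgs), "\nauthenticated:", ok)
```

The four strings in the transcript are what the application protocol carries (in AMQP 1.0, inside sasl-init, sasl-challenge and sasl-response frames). Because both nonces change on every connection, a recorded proof cannot be replayed; the exchange still belongs under TLS, since a captured proof together with the salt and iteration count allows an offline guessing attack on weak passwords.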
Slide 9: MQTT: Brief Overview
(diagram) Source: MQTT, A Practical Protocol for the Internet of Things, Bryan Boyd, IBM
Slide 10: AMQP: Brief Overview
(diagram) Source: AMQP and RabbitMQ, Intro and Messaging Patterns, Javier Arias Losada, Telefonica
Slide 11: Authentication, Authorization and Access Control: AMQP
Authentication in AMQP:
- SASL (AMQP 1.0 runs the SASL exchange before the protocol handshake)
- X.509 client certificates (SASL EXTERNAL over TLS)
- OAuth plugins (broker-specific)
Authorization in AMQP:
- vhost level
- Broker level support; for example, RabbitMQ grants permissions per operation (configure, write, read) per resource (exchange, queue) using regular expressions:
  rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"
  (the three patterns are configure, write and read, in that order)
- ACLs are cached on a per-connection or per-channel basis, so a permission change takes effect only on new connections/channels; a reconnect is needed for it to apply
- Operations on resources are restricted by these ACLs
Slide 12: Authentication, Authorization and Access Control: MQTT
Authentication in MQTT:
- Username and Password fields in the CONNECT message (sent as-is; only TLS protects them)
- Client Identifier
- X.509 client certificate (presented in the TLS handshake)
Authorization in MQTT:
- Broker level support; for example, HiveMQ supports topic permissions:
  allowed topic (a topic filter, wildcards included), allowed operation (publish/subscribe), allowed QoS (tunable)
- Open-source plugin support: OnAuth callback
Slide 13: BasicAuth (MQTT) vs OAuth (AMQP)
- Username and password sent on every connection: HTTP Basic puts them Base64-encoded in a standard header, MQTT puts them as raw fields in CONNECT
- No encryption, no hashing: Base64 is reversible, so without TLS the credentials are readable on the wire
- The server holds the credentials of every device, so a compromised server is a single point of failure; captured credentials can be replayed
- No cached session or cookies, no token management: the same long-lived secret is presented every time
- Password or key rotation helps, but scheduling, configuring and managing the rotation is the hard part
- Rotation over a deployment of 1K to 1M devices
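To make the "no encryption, no hashing" point concrete, here is an added example (not from the slides) that builds and parses an MQTT 3.1.1 CONNECT packet in Python following the packet layout of the MQTT 3.1.1 specification: fixed header, variable header (protocol name, level, connect flags, keep-alive) and payload (client identifier, optional Will, user name, password). The client identifier "sensor-17" and the password are constructed for the demo. parse_connect returns the password byte-for-byte as sent, which is exactly what an on-path observer sees when the connection is not wrapped in TLS.

```python
import struct

CONNECT = 0x10  # packet type 1 in the high nibble, flags 0 in the low nibble


def _encode_length(n):
    """MQTT variable-length 'remaining length': 7 bits per byte, continuation bit 0x80."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _decode_length(data, pos):
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _field(raw):
    """Length-prefixed field: 2-byte big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_field(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("field runs past end of packet")
    return data[pos + 2:end], end


def build_connect(client_id, username=None, password=None, keep_alive=60, clean_session=True):
    """Minimal MQTT 3.1.1 CONNECT without a Will message."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 forbids a password without a user name")
    flags = (0x80 if username is not None else 0) | (0x40 if password is not None else 0)
    flags |= 0x02 if clean_session else 0
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive) + _field(client_id.encode())
    if username is not None:
        body += _field(username.encode())
    if password is not None:
        body += _field(password)  # password is binary data, sent exactly as given
    return bytes([CONNECT]) + _encode_length(len(body)) + body


def parse_connect(packet):
    """Parse a CONNECT packet as a broker would; the credentials come back verbatim."""
    if packet[0] != CONNECT:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    if proto != b"MQTT" or level != 4:
        raise ValueError("unsupported protocol name/level")
    if flags & 0x01:
        raise ValueError("reserved connect flag set")
    client_id, pos = _read_field(packet, pos)
    fields = {"client_id": client_id.decode(), "keep_alive": keep_alive,
              "clean_session": bool(flags & 0x02), "username": None, "password": None}
    if flags & 0x04:  # Will flag: topic and message precede the credentials
        fields["will_topic"], pos = _read_field(packet, pos)
        fields["will_message"], pos = _read_field(packet, pos)
    if flags & 0x80:
        username, pos = _read_field(packet, pos)
        fields["username"] = username.decode()
    if flags & 0x40:
        if not flags & 0x80:
            raise ValueError("password flag without user name flag")
        fields["password"], pos = _read_field(packet, pos)
    if pos != len(packet):
        raise ValueError("trailing bytes after payload")
    return fields


if __name__ == "__main__":
    pkt = build_connect("sensor-17", "sensor-17", b"s3cret")  # constructed demo credential
    print(pkt.hex())
    print(parse_connect(pkt))
```

The hex dump printed by the demo shows the user name and password as plain length-prefixed bytes after the client identifier; a broker that wants a token instead of a password (the OAuth alternative on the next slide) usually receives it in this same password field, which is why TLS is required in both cases.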
Slide 14: BasicAuth vs OAuth: Continued
- The private key (or client secret) never leaves the host: only short-lived access tokens travel
- No single point of failure in the broker: a compromised broker yields expiring tokens, not reusable device credentials (the authorization server still has to be protected)
- Attack surface is significantly reduced
- Access token presented as a bearer token in the Authorization header
- Token management with TTL and grant types
- Configurable scopes
Slide 15: Connected Cars & OAuth
- Dynamic scope configuration
- Run-time access control
- Privilege management
Source: UIEvolution & Wikipedia
Slide 16: OAuth: Limitations
OAuth is a big step for IoT, but:
- Lack of anonymity: single sign-on across devices ties all of them to one identity
- Limited spread of OAuth client support on constrained devices
- Grant and bearer token are abstract concepts that map differently across the web, enterprise and IoT worlds
- OAuth itself is not sufficient (for fine-grained ACLs?)
- OAuth + ACS?
Slide 17: MQTT vs AMQP
MQTT is still very popular:
- Low footprint: simple pub/sub model
- Low power draw
- Light on network bandwidth
- Ideal for embedded devices and hence for IoT
- 3 QoS levels: 0 (fire and forget, at most once), 1 (at least once), 2 (exactly once)
Slide 18: Fine-grained access control
- Application level support for finer control
- Desired degree of configurability?
- Role based access control
- Policy based access control
- Operational requirements based access control
- Inheritance of access privileges
- Proxy and sharing (delegation) of access control
- Example: Predix ACS
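An added example (written for this page, not Predix ACS or any broker's code) that ties the token properties of slide 14 (TTL, scopes, bearer presentation) to the topic permissions of slide 12 and the fine-grained access control of this slide: the broker validates an HS256-signed JWT, then evaluates scopes of the hypothetical form pub:<topic filter> / sub:<topic filter> against the requested MQTT topic using the specification's '+' and '#' wildcard rules. The scope syntax, the signing key and the car-7 fleet topics are assumptions made for the demo; a real broker would obtain its verification key from the authorization server and would receive the token in the CONNECT password field or via SASL OAUTHBEARER.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, scopes, exp):
    """HS256 JWT whose scopes use the constructed pub:<filter> / sub:<filter> convention."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "scope": " ".join(scopes), "exp": exp}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret, now=None):
    """Return the claims, or None if the token is malformed, unsigned, tampered with or expired."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuses alg=none and key confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if now >= float(claims["exp"]):  # TTL: an old token stops working without a revocation list
            return None
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None


def topic_matches(filt, topic):
    """MQTT topic-filter match: '+' is one level, '#' the remainder (last level only);
    wildcards never match a top level starting with '$' (e.g. $SYS)."""
    if topic.startswith("$") and filt[:1] in ("+", "#"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def authorize(token, secret, action, topic, now=None):
    """Broker-side check: may the bearer 'pub' to topic, or 'sub' to topic (a filter)?"""
    claims = verify_token(token, secret, now)
    if claims is None:
        return False
    wildcard = "+" in topic or "#" in topic
    if action == "pub" and wildcard:
        return False  # publish topics must be concrete
    for scope in claims.get("scope", "").split():
        kind, _, granted = scope.partition(":")
        if kind != action:
            continue
        # A wildcard subscription is allowed only if it equals a granted filter exactly
        # (conservative: never widen what the scope grants).
        allowed = granted == topic if wildcard else topic_matches(granted, topic)
        if allowed:
            return True
    return False


if __name__ == "__main__":
    KEY = b"demo-signing-key"  # constructed; a real broker fetches keys from the authorization server
    tok = issue_token(KEY, "car-7", ["pub:fleet/car-7/telemetry", "sub:fleet/+/alerts"], exp=2_000_000_000)
    for act, top in [("pub", "fleet/car-7/telemetry"), ("pub", "fleet/car-8/telemetry"), ("sub", "fleet/car-8/alerts")]:
        print(act, top, authorize(tok, KEY, act, top, now=1_900_000_000))
```

Two design points matter for the "OAuth + ACS" question on slide 16: the expiry check is what makes rotation across a large fleet tractable (nothing has to be revoked, the token simply stops working), and the scope-to-topic mapping is the part OAuth leaves undefined, which is why an application-level policy service such as an ACS ends up owning it.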
Slide 19: Security considerations
- Pluggable backend for authorization and authentication
- Cost of the round trip (redirect) to such backend systems on every check
- Elliptic-curve cryptography support
- PKI support
- Interoperability of plugins
- Order of evaluation (which rule wins when several apply)
- Ease of deployment and management
- Ease of run-time changes to settings
Slide 20: Web vs IoT Security
- Web security standard: HTTPS + OAuth + OpenID Connect + Application (ACS)
- IoT security: SASL + OAuth + ?
Slide 21: Questions?