Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,

Published byRuby McDaniel Modified over 9 years ago

Similar presentations

Presentation on theme: "On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,"— Presentation transcript:

1 On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), phawkes@qti.qualcomm.comphawkes@qti.qualcomm.com Francois Ennesser, Gemalto NV, Francois.Ennesser@gemalto.comFrancois.Ennesser@gemalto.com Meeting Date: 2014-09-10 Agenda Item: TBD

2 Overview Background: What information matters when an AE/CSE asks “which AE will receive this data” or “which AE sent this data”? Problem: CSE-relative AE-ID might change even though (from perspective of other AEs/CSEs) this is still “the same AE” Proposal: – Persistent AE Identifiers, – Mapping from AE-ID to persistent AE Identifiers stored in m2mServiceSubscription. – Credential Ids are a special type of persistent AE Identifier 2

3 Interactions with an AE Interaction Mechanisms (aside from Registration) – AE initiates CRUD Ops on resources on various CSE – CSEs send notifications to AE Other AEs and CSEs use these mechanisms to exchange data with an AE An AE/CSE may need to know – Which AE will receive data sent by the AE/CSE – Which AE provided the data received by the AE/CSE A CSE also needs to know which AE originated a CRUD request - for accessControlPolicy processing 3

4 What information matters? When an AE/CSE asks “Which AE will receive this data”, what information does it really care about? Alternatively, if – At time T1, the AE receiving the data fits description A – At time T2, the AE receiving the data fits description B what changes between descriptions A and B are important to the AE/CSE asking the question? The answer probably changes from one deployment to another!!! – Even worse – two AE/CSEs in a single deployment might care about different information about the AE!!!!! Note: same for “Which AE provided data…?” 4

5 Examples of information that matters Topological description: e.g. who is Registrar CSE? MN? AE Implementation/execution description – Machine within which AE SW is executing (real, virtual, cloud) – SW implementing the AE functionality – AE-specific state context where single SW instance is used for multiple AEs Deployment-specific description e.g. purpose, room location GPS coordinates of device hosting AE or Registrar CSE Other? Combinations of above! Note: Description could mean an ID and/or human-readable description and/or machine readable description 5

6 Currently Defined AE-IDs AE registers with Registrar CSE to obtain an CSE-relative-AE- ID that lasts for multiple primitive exchanges. Registrations expire if not renewed – SP-relative AE-ID is concatenation of CSE-relative-AE-ID and CSE- IDs on path SP-relative AE-ID might change even though (from perspective of other AEs/CSEs) this is still “the same AE”. – CSE-relative-AE-ID may change Registration may expire, new CSE-relative AE-ID assigned on new- registration. Registrar CSE may be replaced. AE is replaced. – CSE-ID of Registrar CSE may change Existing Registrar may have its CSE-ID changed. Registrar CSE may be replaced. – Combinations of above 6

7 Inconvenience when AE-ID changes but this is “the same AE” Following resources require updating with new AE-ID if they included old AE-ID: – – (for notifications) – (e.g. for fan-out) – The Registrar CSE’s security “database” needs to be updated so that credential associated with old AE-ID is associated with new AE-ID – This would be required anyway when replacing AE. But this is an inconvenience if registration had simply expired. 7

8 Persistent AE Identifiers Suppose AE could be assigned one or more persistent identifier unique within scope of M2M SP Mapping persistent identifiers  current AE-ID of AEs could be provided in resource – Interaction with registration resource is updated with current AE-ID following registration of AE Subscriber may be contacted to verify which persistent identifiers should be associated with the AE-ID. Persistent identifier may have been pre-assigned or generated as needed. Managed by M2M SP. Registrar CSE is provided with appropriate service subscription info (e.g. persistent AE identifiers and roles) – Authorized CSEs/AEs can query resource to find this mapping 8

9 How would persistent AE Identifiers be used? Where primitives (e.g. to/fr) and common resource attributes of resources currently use AE-ID, they can continue to use AE-ID – AE/CSE can query to determine mapping between AE-ID and persistent AE identifiers In addition to,the following resources can use persistent identifiers – – (for notifications) – (e.g. for fan-out) More details in back-up slides 9

10 Aside: Does AE have to authenticate? Eventually, we need to choose one of the following positions 1. “AE shall have credentials. AEs that do not have credentials will be granted no access to a oneM2M system” 2.“It is acceptable for AE to not have credentials. It is up to deployments to decide what access is granted to un-authenticated AE”. It is probably OK to defer that discussion to another meeting. Following discussion considers only those AEs with credentials. 10

11 Authentication & Identification When Registrar CSE establishes an authenticated TLS session with an AE using a credential and issues an AE-ID,… …then Registrar CSE needs to update the AE-ID in the appropriate at IN- CSE – Challenge: How does Registrar CSE tell IN-CSE which and which AE in that should be associated with this AE-ID? Authentication mechanisms include credential IDs which are a special kind of persistent AE Identifier 11

12 Authentication and Credential IDs Provisioned Key (Kpsa): – Registrar provisioned with Kpsa and KpsaID = xyz. – During auth’n, AE  Registrar: KpsaID = xyz MAF-based – During auth’n, MAF  Registrar: key, KmID = xyz. GBA-based – During auth’n, BSF  Registrar: key, HLR/HSS =abc, persistent id =xyz (previously configured to HLR/HSS by 3GPP/3GPP2 subscriber RawPublicKey certificate – During auth’n AE  Registrar: RawPublicKey Other Certificate: – Certificate contains somw identifier = xyz, and chains to trust anchor = abc. More discussion here in backup slides.here Presume M2M Service Subscriber knows which AE has these credential identifiers More discussion on credential identifiers here in backup slideshere 12

13 Proposal Allow persistent AE Identifiers – resource and processing needs updating – Process for other CSE & AE to obtain mapping between AE- ID and persistent AE Identifiers –,, updated to allow persistent AEs. Allow credential IDs – resource and processing needs updating There are probably open issues – but this seems a good step forward! 13

14 BACKUP SLIDES 14

15 Using AE-ID & Persistent AE-ID (1) Update AE-ID in at IN-CSE – Registrar CSE updates IN-CSE with AE-ID Identification of AE in AE-originated CRUD requests, so other entities know who generated data. – CRUD Requests use AE-ID – Registrar verifies AE-ID before forwarding/processing CRUD Requests – Other entities synch w/ IN-CSE for mapping AE-ID  persistent IDs Identification of AE in CRUD responses, so other entities know that their data was sent to the correct AE – CRUD Responses use AE-ID – Other entities synch w/ IN-CSE for mapping persistent IDs  AE-ID – All entities deliver according to AE-ID, Delivery fails if AE-ID expired 15

16 Using AE-ID & Persistent AE-ID (2) With (for notification) and resources for (fan-out and fan-in). – and can include persistent IDs and/or AE-IDs – Host CSE synch w/ IN-CSE for mapping persistent IDs  AE-ID – CRUD(N) Requests/responses use AE-ID. – All entities deliver according to AE-ID. Delivery fails if AE-ID expired (ACP) processing – ACP resource may use a persistent ID and/or AE-ID – ACP host CSE receives CRUDN Requests using AE-ID – ACP host CSE synch w/ IN-CSE for mapping AE-ID  persistent IDs, – ACP host CSE apply processing using AE- ID and persistent IDs 16

17 Certificate Chain Examples Device Certificate: – Certificate contains hardware instance identifier = xyz, and chains to trust anchor = abc. Whether used for single AE or multiple AE is for another discussion. – Registrar may provide the entire certificate chain or just summary Presume Subscriber knows which device has hardware instance identifier = xyz (FFS) Persistent AE Identifier Certificate (issued by M2M SP) – Certificate contains persistent AE identifier = xyz and chains to trust anchor = M2M SP Presume Subscriber knows which AE has persistent AE identifier = xyz – Note: currently defined AE-ID Certificate with non-persistent AE-ID won’t work 17

18 Credential Identifiers A credential identifiers in last two slides are persistent AE ID associated with execution context that knows credential secret: e.g – a machine or – a combination of machine + AE SW or – a combination of machine, AE SW and AE-specific state context. Other Persistent IDs associated with a specific machine etc. would typically have a permanent “binding” to the credential ID. Some other Persistent IDs might be associated with more temporary aspects of the AE (e.g. “the AE in a device closest to my car”). – These persistent IDs will have a temporary “bindings” to a sequence of credential IDs (assuming those AEs have credentials) Other information associated with the AE (e.g. see information that matters ) are obtained through other channelsinformation that matters – Some info might be configured by the Subscriber – Some info (e.g. location) might be provided via Mcn – Some info might be synchronized with remote entity management 18

19 Pre- and Post- authorization Registrar CSE might know credential identifier and associated service subscription information before authentication – E.g. credentials were pre-provisioned to Registrar CSE or configured manually or configured using remote entity management – Registrar allows registration and passes credential ID and assigned CSE- relative AE-ID to IN-CSE. – AE has rights associated with service subscription info (e.g. rights associated with persistent AE IDs and roles) Also OK for Registrar to obtain credential identifier during authentication and service subscription info after authentication – Registrar receives credential identifier during authentication (e.g. using GBA, MAF or a certificate) – Registrar allows registration and passes credential ID and assigned CSE- relative AE-ID to IN-CSE. – AE has only minimal rights until IN-CSE responds with service Subscription Information for that credential ID. – When service subscription info is received by Registrar, then AE receives associated rights (see above) 19

Download ppt "On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,"

Similar presentations

CMDH Refinement Contribution: oneM2M-ARC-0397

CMDH Refinement Contribution: oneM2M-ARC-0397
SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: 2014-05-07 Discussion  Source: OBERTHUR Technologies Information  Contact:

SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Is a Node or not Node? ARC-2014-1194-Node_resolution Group Name: ARC Source: Barbara Pareglio, NEC, Meeting Date: ARC#9.1 Agenda.

Is a Node or not Node? ARC Node_resolution Group Name: ARC Source: Barbara Pareglio, NEC, Meeting Date: ARC#9.1 Agenda.
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.

Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
Service Layer Session Management Group Name: WG2-ARC Source: IDCC, LGE, ZTE Meeting Date: TP16 Agenda Item:

Service Layer Session Management Group Name: WG2-ARC Source: IDCC, LGE, ZTE Meeting Date: TP16 Agenda Item:
Facing the Challenges of M2M Security and Privacy

Facing the Challenges of M2M Security and Privacy
Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2014-12-18.

Credential Identifiers Group Name: SEC#14.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
App-ID Ad-Hoc Technical Issues TP AppID-2014-0003R02 Group Name: App-ID Ad-Hoc Group Source: Darold Hemphill, iconectiv,

App-ID Ad-Hoc Technical Issues TP AppID R02 Group Name: App-ID Ad-Hoc Group Source: Darold Hemphill, iconectiv,
Proposed High Level Solution for Device Binding 3GPP2 TSG-SX WG4 SX40-20130501-001 Source: Qualcomm Incorporated and Alcatel-Lucent Contact(s): Anand Palanigounder,

Proposed High Level Solution for Device Binding 3GPP2 TSG-SX WG4 SX Source: Qualcomm Incorporated and Alcatel-Lucent Contact(s): Anand Palanigounder,
2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.
App-ID Use Cases, Syntax and Attributes SEC-2015-0508-App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,

App-ID Use Cases, Syntax and Attributes SEC App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,
Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.

Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.
Revised Solution for Device Binding Revised from S40-20121003-001 3GPP2 TSG-SX WG4 SX40-20130321-002 Source: Qualcomm Incorporated Contact(s): Anand Palanigounder,

Revised Solution for Device Binding Revised from S GPP2 TSG-SX WG4 SX Source: Qualcomm Incorporated Contact(s): Anand Palanigounder,
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-19 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-08.

Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
Secure Credential Manager Claes Nilsson - Sony Ericsson 2009-12-15.

Secure Credential Manager Claes Nilsson - Sony Ericsson
End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date: 2015-05-18.

End-to-End security definition Group Name: SEC WG4 Source: Phil Hawkes, Qualcomm, Meeting Date:
Authorization for IoT Group Name: oneM2M SEC WG Source: Francois Ennesser, Gemalto NV Meeting Date: 2014-09-03 Agenda Item:

Authorization for IoT Group Name: oneM2M SEC WG Source: Francois Ennesser, Gemalto NV Meeting Date: Agenda Item:
CP-a060003 Emergency call stage 2 requirements - A presentation of the requirements from 3GPP TS 23.167 Keith Drage.

CP-a Emergency call stage 2 requirements - A presentation of the requirements from 3GPP TS Keith Drage.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-26 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:

Similar presentations

Ads by Google