DPWSec: The Devices Profile for Web Services Security

1 DPWSec: The Devices Profile for Web Services Security
Sebastian Unger, Dirk Timmermann; University of Rostock, Germany; MuSAMA DFG Graduate Programme
Speaker notes: Name: Sebastian Unger. I work as a doctoral researcher in the MuSAMA graduate programme at the Institute for Applied Microelectronics and Computer Engineering under Prof. Dirk Timmermann. Part of the WS4D working group, which deals with spontaneous ad-hoc networking of devices. My own work there is on how devices can communicate with each other securely (e.g. encrypted and authenticated).

2 Agenda
Motivation; Basic Principles & Related Work; Requirements; Methodology; Features of DPWSec; Conclusion & Outlook
Speaker notes: What is this about? -- What is happening around us? -- We will see that our -- What does this mean for the everyday work of a clinic, of a physician
© UNIVERSITÄT ROSTOCK | S.Unger: „DPWSec: Devices Profile for Web Services Security“

4 Motivation: What it is about
AI, AAL, IoT
Speaker notes: Motivation: many small devices → IoT, AAL, WoO, … → security

5 Motivation: Real-Life Threats I
Speaker notes: wireless interface of a pacemaker.
Source:

6 Motivation: Real-Life Threats II
Attackers love the IoT. Once eradicated security flaws come back → botnet from fridges.
Speaker notes: botnet.

7 Motivation: The Challenge
Internet of Things; Ambient Assisted Living; Pervasive Computing; Web of Things; Ambient Intelligence
Speaker notes: Motivation: many small devices → IoT, AAL, WoO, … → security

8 Motivation: The Goal
DPWS: Device Profile for Web Services. This work: security scheme for DPWS based on the Web Services Security Specification Suite → Devices Profile for WS Security (DPWSec). Requirements + Methodology → DPWSec.
This presentation: requirements analysis; developed methodology; DPWSec’s functionality.
Speaker notes: I am part of WS4D, an interest group that, among other things, promotes the use of DPWS. So we take DPWS as the starting point. On the basis of the WS-Security specification suite, a security profile for DPWS is to be developed.

10 Basic Principles & Related Work
DPWS: the Devices Profile for Web Services. DPWS is a communication standard for distributed embedded devices. DPWS = Web Services for resource-constrained devices + Dynamic Discovery (bootstrap w/o central instance) + Eventing (asynchronous messaging). Originally designed for integration of e.g. printers into enterprise networks.
Found use in: WSN; medical devices; automotive; building automation; industrial domain; Internet of Things.
Speaker notes: Basics: DPWS. What is it? What does it do? Used for medical and WSN, not only printers. Possibly a reference to Guido's work.

11 Basic Principles & Related Work
Security in DPWS: Profile Mechanism. Security in DPWS is covered by a flexible profile mechanism. A profile is a set of rules and assumptions that two devices agree on before communicating for the first time. Free choice of security profiles.

12 Basic Principles & Related Work
Security in DPWS: Default Profile. The DPWS specification provides an optional default profile. Authentication: X.509 certificates. Secure channels: SSL/TLS. Secure UDP traffic: Compact XML-Signature format. Optional “secure interoperability guideline”.
X.509 & TLS not ideal for embedded devices. No designated way to exchange or authenticate certificates. Authorization requires username and password.

13 Basic Principles & Related Work
Security in DPWS: Related Work.
Muller et al. [1]: vulnerable against MITM attack.
Hernández et al. [2]: vulnerable against replay attack.
Martínez et al. [3]: large office spaces; X.509 certificates, PKI; does not consider resource-constrained devices.
Unger et al. [4]: automotive, few devices; X.509 certificates; does not consider resource-constrained devices.
Speaker notes: known profiles.

14 Basic Principles & Related Work
Web Service Security Specification Suite: WS-Security, WS-Policy, WS-Trust, WS-SecureConversation, WS-Federation. Diagram labels: trust brokering; authorization brokering; centralized authentication. WS-Security ∈ WS Security Suite.
Speaker notes: known profiles.

16 Three-tiered Requirements Analysis
Diagram: attacker models; requirements from literature; scenario requirements (Scenario 1: Smart Home / AAL; Scenario 2: Smart Office; Scenario n); requirements list.
Speaker notes: attacker models; abstractly formulated requirements from the literature; scenarios consolidated and requirements derived.

17 Three-tiered Requirements List
Requirements list: basic security requirements; special requirements for intelligent environments; requirements on interoperability.
Speaker notes: general security requirements; special characteristics of intelligent environments; AND: interoperability.

18 Requirements: Basic security-related Requirements
Dolev-Yao attacker model; secure external communication; flexible support for different authorization concepts; avoid single points of failures; possibility to form organizational groups; different levels of security; secure continuous deployment; scalable; ease of use w/o impact on security; support of secure data persistence.
Speaker notes: highlight the most interesting ones.

20 Requirements: Special Requirements for intelligent Environments
Protect remaining network when member is lost / stolen; focus on devices, not users; consider heterogeneity of resources; coordinated sign-out; consider heterogeneity of user interfaces; consider maintenance by experts and end users; disburden constrained devices; delegation of access rights.
Speaker notes: highlight the most interesting ones.

22 Requirements: Special Requirements on Interoperability
Use a widely-deployed, well-accepted technology; secure protocol interoperability; secure manufacturer interoperability; interoperable end-2-end-security.
Speaker notes: highlight the most interesting ones.

25 Methodology: Two Major Design Goals
Offload resource-intensive tasks. Restrict generality.
Speaker notes: offloading effort; restricting the specifications.

26 Methodology: Offloading Efforts
Tasks to be offloaded mostly concern secure connection establishment: retrieving target’s metadata; parsing policies and matching connection parameters (authentication methods, encryption algorithms); support in direct authentication; offer brokered authentication; offer (semi)centralized authorization.
Speaker notes: offloading effort; restricting the specifications.

27 Methodology: Eliminating Specification Parts
Original specifications are very flexible and offer lots of design choices → after all: designed for desktop PCs and server machines.
Elimination of “unnecessary” or “unsuitable” parts: some parts are simply not necessary (according to requirements); other restrictions follow patterns: trade statelessness for simplicity; respect communication model of DPWS; respect architecture of DPWS; no extended multihop security.
Speaker notes: offloading effort; restricting the specifications.

29 Features of DPWSec: Compact Message Security Scheme
Securing single messages using a compact security scheme on message level proposed earlier [5]. Encrypt SOAP payload only, sign complete envelope. Performs similar to Record Protocol of TLS (no severe performance drawback).
Speaker notes: procedure for two small devices, direct authentication.
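The "encrypt SOAP payload only, sign complete envelope" rule from slide 29, as an added sketch that is not taken from the slides, from [5], or from the DPWSec prototype. It shows that headers stay readable for addressing while any change to header or body is rejected. Assumptions: two pre-shared symmetric keys, HMAC-SHA256 standing in for the signature, a standard-library keystream standing in for a real cipher, a tag carried in front of the envelope rather than in a security header, and a constructed sample message.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
# Constructed sample message; the action URI and Setpoint element are made up.
SAMPLE_ENVELOPE = (
    f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
    '<a:Action xmlns:a="http://www.w3.org/2005/08/addressing">'
    'urn:example:thermostat:set</a:Action></s:Header>'
    '<s:Body><t:Setpoint xmlns:t="urn:example:thermostat">21.5</t:Setpoint>'
    '</s:Body></s:Envelope>')

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode); use a vetted cipher in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def protect(envelope_xml: str, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt only the Body children, then authenticate the complete envelope."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    plaintext = b"".join(ET.tostring(child) for child in body)
    for child in list(body):
        body.remove(child)
    nonce = os.urandom(12)  # fresh per message, never reused with the same key
    body.text = (nonce + keystream_xor(enc_key, nonce, plaintext)).hex()
    wire = ET.tostring(env)  # headers stay readable, body is ciphertext
    tag = hmac.new(mac_key, wire, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + wire

def unprotect(message: bytes, enc_key: bytes, mac_key: bytes) -> str:
    """Verify the tag over the exact received bytes before parsing or decrypting."""
    tag, wire = message.split(b"\n", 1)
    expected = hmac.new(mac_key, wire, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope authentication failed")
    blob = bytes.fromhex(ET.fromstring(wire).find(f"{{{SOAP}}}Body").text)
    return keystream_xor(enc_key, blob[:12], blob[12:]).decode()

if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    msg = protect(SAMPLE_ENVELOPE, k_enc, k_mac)
    print(msg.decode())
    print(unprotect(msg, k_enc, k_mac))
```

Authenticating the bytes as received, before any XML parsing, keeps the receiver from acting on a header that was altered in transit.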

30 Features of DPWSec: Authentication
Two authentication approaches.
Direct authentication: based on OOB PIN exchange; conduct authenticated Elliptic-Curve Diffie-Hellman; optionally employ MM-devices to translate OOB channels [6].
Brokered authentication between devices: optionally offered by “strong” participants; heavily disburdens “weak” participants, as it relies on trust chains and does not require cryptographic handshakes.
Speaker notes: procedure for two small devices, direct authentication.

31 Features of DPWSec: Authorization
Authorization is special, as it requires no cryptography. Instead, it is about making decisions and communicating them. DPWSec focuses on the infrastructural part only: how to ask for permission and how to deliver the decision.
Proposed a complementary authorization concept: strong participants offer themselves as synchronous authorizers. If they can’t make a decision, they ask the user asynchronously using e.g. their smartphones.
Speaker notes: procedure for two small devices, direct authentication.

33 Conclusion: Evaluation
It works. Prototype implementation available open source [7].
Requirements: Dolev-Yao attacker model; secure external communication; flexible support for different authorization concepts; avoid single points of failures; possibility to form organizational groups; different levels of security; secure continuous deployment; scalable; ease of use w/o impact on security; support of secure data persistence; consider heterogeneity of resources; focus on devices, not users; protect remaining network when member is lost / stolen; disburden constrained devices; coordinated sign-out; consider maintenance by experts and end users; consider heterogeneity of user interfaces; delegation of access rights; use a widely-deployed, well-accepted technology; secure protocol interoperability; secure manufacturer interoperability; interoperable end-2-end-security.
Almost every requirement met. Every requirement met.
Speaker notes: Implementation as proof of concept (downloadable). Requirements analysis: check marks everywhere. Everywhere? Not quite.

34 Outlook: Towards an Infrastructure for intelligent Environments
Security infrastructure for distributed embedded devices. Incarnations: DPWSec, Tech2Sec, TechnSec. Base technologies: DPWS, Technology 2, Technology n. Adapter 1, Adapter 2, Adapter 3. Intelligent environment. Secure protocol interoperability incl. interoperable E2E security.
Speaker notes: Candidate of choice: WS Security and DPWS -> requirements analysis -> methodology → DPWSec.

35 Future Work: Adapt to second Base Technology
Near future: second technology next to DPWS; isolate requirements; actually port DPWSec.
Far future: research secure protocol interoperability; employ adapter / translator concept; research emerging issues esp. regarding interoperable E2E security.
Speaker notes: The idea is to create a security infrastructure for different service-oriented base technologies in order to enable secure translation.

36 Bibliography
[1] A. Muller et al., “An assisted device registration and service access system for future home networks,” in Wireless Days (WD), ndIFIP, December 2009, p. 5.
[2] V. Hernández et al., “Security Framework for DPWS Compliant Devices,” Third International Conference on Emerging Security Information, Systems and Technologies, 2009.
[3] J.-F. Martínez et al., “A security architectural approach for DPWS-based devices,” CollECTeR Iberoamérica, 2008.
[4] S. Unger et al., “Extending the devices profile for web services for secure mobile device communication,” in Internet of Things Conference - TIoPTS Workshop, 2010.
[5] S. Unger, S. Pfeiffer, and D. Timmermann, “Dethroning transport layer security in the embedded world,” in 5th International Conference on New Technologies, Mobility and Security (NTMS), 2012.
[6] S. Unger and D. Timmermann, “Bridging the gap for authentication in smart environments,” in Computers and Communications (IEEE ISCC 2014), 19th IEEE Symposium on, Funchal,
[7]

37 Any questions? Thank you very much for your attention! Thank you!
Sebastian Unger, Institute for Applied Microelectronics and Computer Engineering, University of Rostock, Germany

