Presentation is loading. Please wait.

Presentation is loading. Please wait.

Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent,

Published byAron Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent,"— Presentation transcript:

1 Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent, suresh.p.nair@alcatel-lucent.com Meeting Date: 2013-11-26 Agenda Item: RBAC

2 ALU Comments- Scheme Frame work using OAuth looks OK. It releases the burden of Application Server owners having to maintain subscription accounts with different roles/service eligibility. ‘Principals’ wanting to access the resources gets the credentials (Tokens) by offline means. Access Request is made using these Tokens to the Application Server. Application Server, looks at the Token+Access rights and makes a permission based on the Token. Application Server keeps the token for their assigned validity, if for one time use, Token becomes invalid after the one time usage. Roles/Access Rights are based on the token. © 2013 oneM2M Partners 2

3 ALU Comments- Security issues 1 App Server allocates the Tokens to the App User (based on App User ID – AUID) according to a subscription to an Application. The Tokens are distributed in bulk over an alternate distribution media, e.g. OMA DM. The User Device M2M ID is opaque to the App Server. The Token is mapped to the AUID.

4 ALU Comments- Security issues 2 Once the Tokens are distributed, the User App picks an available Token from the unused pool, and sends it via M2M Server to the App Server. – The M2M Server authenticates the User Device using M2M ID and credentials. – The AUID and Token are Opaque to the M2M Server.

5 ALU Comments- Security issues 3 – Once the M2M credentials are authenticated, the AUID and Token are sent to the App Server for Authorization. – The App Server checks if the Token is not yet used, and is associated with the AUID. If so, it authorized the use of Resource.

6 ALU Comments- Security threats 1.Security Threat: An Attacker may block or disturb the communications between OneM2M and App Server when victim requests the Resource, and then masquerade as a victim AUID and present an intercepted Token. The resource will be authorized for an Attacker instead of Victim. 2.Security Threat: An Attacker may masquerade as a Victim and present Tokens that has been intercepted, trying to get authorization for Resource.

7 ALU Comments- Security threats 3. Security Threat: An Attacker may present used-up or invalid Tokens for a Victim’s AUID, overloading the App Server, causing distribution of new Tokens to the Victim, loading the Token Distribution system i.e. OMA DM, making current Victim’s Tokens invalid, and thus keeping the Victim unable to use the Resource.

8 Security Requirements The App Server needs to maintain mapping of the AUID of the User with the M2M ID of the User’s Device, so when AUID with Token is presented to the App Server, it has to be presented with the AUTHENTICATED OneM2M ID of the Device that made an Access. The Token Distribution must be secure, protected from eavesdropping and manipulation, i.e. Confidentiality and Integrity protected. If IP/TCP/HTTP is used, the HTTPS is the right security tool for this distribution. If IP/UDP is used, DTLS is the right security tool.

Download ppt "Comments on Procedures for RBAC (doc#0056) Group Name: WG4(SEC), WG2(ARC) and WG5(MAS) Source: Suresh Nair, Alcatel-Lucent,"

Similar presentations

© 2013 Marcin Nagy & N. Asokan & Jörg Ott 1 PeerShare: A System for Secure Distribution of Sensitive Data among Social Contacts Marcin Nagy, N. Asokan,

© 2013 Marcin Nagy & N. Asokan & Jörg Ott 1 PeerShare: A System for Secure Distribution of Sensitive Data among Social Contacts Marcin Nagy, N. Asokan,
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber Identity Proofing and Credentialing Part 2 of a 3 Part Series Chuck Klein, Ph.D.

Confidential 1 Electronic Prescribing of Controlled Substances: Prescriber Identity Proofing and Credentialing Part 2 of a 3 Part Series Chuck Klein, Ph.D.
Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
1 Kyung Hee University Prof. Choong Seon HONG Network Control.

1 Kyung Hee University Prof. Choong Seon HONG Network Control.
OneM2M-ARC-2013-0365-Service_examples_and_evolution Service examples and evolution Group Name: WG2 Source: Philip Jacobs, Cisco Systems,

OneM2M-ARC Service_examples_and_evolution Service examples and evolution Group Name: WG2 Source: Philip Jacobs, Cisco Systems,
Proposal for App Id and Service Provider Id registration Group Name: Shelby Kiewel Source: Shelby Kiewel, iconectiv / Ericsson,

Proposal for App Id and Service Provider Id registration Group Name: Shelby Kiewel Source: Shelby Kiewel, iconectiv / Ericsson,
RoA and SoA Integration for Message Brokers Group Name: WG2-ARC Source: ALU Meeting Date: 2013-10-21 Agenda Item:

RoA and SoA Integration for Message Brokers Group Name: WG2-ARC Source: ALU Meeting Date: Agenda Item:
W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.

W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.

1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Similar presentations

Ads by Google