Understanding IoT Security Standards and Protocols
Explore IoT security through the eyes of Bhuvana Ramkumar, a Staff Software Engineer at GE Digital. Gain a perspective on web security standards, compare the security concerns of the web and IoT worlds, and dive into Layer 7 protocols. Learn how the SASL authentication framework and the MQTT and AMQP messaging protocols handle authentication and authorization, and what each offers for securing an IoT landscape.
Presentation Transcript
Slide 1 (9:20 AM): Eat-out, put-together or cook? Web standards for IoT security
Bhuvana Ramkumar, Staff Software Engineer, Application Security Team, Predix, GE Digital
Slide 2: IoT_Community_Grand_Slam_16 (event title slide)
Slide 3: Intent
- Take a look at web security standards
- Take a look at the IoT landscape
- Compare and contrast the security concerns across these two worlds
- Reinvent? Reengineer? Recombine?
Slide 5: What to expect from the session?
- Gain an overall perspective of security protocols
- Explore the unique security requirements of the IoT landscape
- Focus on Layer 7 protocols, with details of Layers 6 and 5 (Application, Presentation and Session layers)
Slide 6: Focus
For each of SASL, MQTT and AMQP: brief overview, security considerations, brokers, workarounds, benefits
Slide 7: What is SASL?
- An authentication framework (RFC 4422), not a single mechanism: the application protocol carries an opaque exchange of challenges and responses, and the mechanism itself (PLAIN, SCRAM, GSSAPI, ...) is negotiated per connection
- Independent of the application protocol: the same mechanisms serve IMAP, LDAP, XMPP, AMQP and others
- Inbuilt support for integrity: some mechanisms can negotiate a security layer that integrity-protects the session with message digests
- Inbuilt support for confidentiality: that security layer can also encrypt, and with SCRAM (RFC 5802) the password itself is never transmitted, only a salted, iterated hash-based proof of it
- Support for proxy authorization: a client authenticates as one identity and may request to act under another (the authorization identity)
- Works complementary to TLS, which in practice supplies server authentication and confidentiality while SASL supplies client authentication
Slide 8: Benefits of SASL
- Abstracts security implementation details away from the application protocol
- Inbuilt support for network encryption through a mechanism-negotiated security layer (in practice TLS underneath is the usual choice)
- No hard requirement on a particular mechanism: the server advertises what it supports and the client picks
- Simple handshake mechanism between the parties
- Support for a range of options negotiated during connection establishment
- Negotiated challenge-response protection, so the password does not have to cross the wire in clear
- OAUTHBEARER support (RFC 7628): a SASL mechanism that carries an OAuth 2.0 bearer token
  - Supported by AMQP 1.0, which uses SASL as its authentication layer
  - Not supported by MQTT 3.1.1, whose CONNECT packet offers only Username and Password fields (MQTT 5.0 later added an enhanced-authentication exchange that can carry such mechanisms)
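To make the negotiated challenge-response protection concrete, here is an added example (not part of the deck, and not the speaker's code) of a complete SCRAM-SHA-256 exchange, RFC 5802 and RFC 7677, with both client and server in one file. The user name, password and nonces are constructed test values. The server stores only the salt, iteration count, StoredKey and ServerKey, so the password never crosses the wire and is not held in clear on the server; the final message lets the client verify the server too. Channel binding is not used (the "n,," GS2 header) and the escaping of "," and "=" inside user names is omitted.

```python
import base64
import hashlib
import hmac
import os


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _nonce() -> str:
    # 18 random bytes -> 24 base64 chars with no '=' padding, so the nonce
    # cannot collide with the ',' and '=' separators of SCRAM attributes.
    return base64.b64encode(os.urandom(18)).decode()


def _attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=value" attributes.
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramServer:
    """Verifier side. Keeps salt, iteration count, StoredKey and ServerKey;
    the clear-text password is discarded after enrolment and never sent."""

    def __init__(self, username: str, password: str, iterations: int = 4096):
        self.username = username
        self.salt = os.urandom(16)
        self.iterations = iterations
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)
        self.stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")
        self._nonce = self._auth_prefix = None

    def first(self, client_first: str) -> str:
        _gs2, bare = client_first.split(",,", 1)      # "n,," = no channel binding
        if _attrs(bare)["n"] != self.username:
            raise ValueError("unknown user")
        self._nonce = _attrs(bare)["r"] + _nonce()    # server extends the client nonce
        server_first = "r=%s,s=%s,i=%d" % (
            self._nonce, base64.b64encode(self.salt).decode(), self.iterations)
        self._auth_prefix = bare + "," + server_first
        return server_first

    def final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self._nonce:
            raise ValueError("nonce mismatch")
        auth_message = (self._auth_prefix + "," + without_proof).encode()
        client_sig = _hmac(self.stored_key, auth_message)
        # ClientProof = ClientKey XOR ClientSignature, so recover ClientKey and
        # check H(ClientKey) == StoredKey: only a client that derived
        # SaltedPassword from the real password can produce a matching proof.
        client_key = _xor(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            raise ValueError("authentication failed")
        return "v=" + base64.b64encode(_hmac(self.server_key, auth_message)).decode()


class ScramClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self._cnonce = _nonce()
        self._bare = self._server_sig = None

    def first(self) -> str:
        self._bare = "n=%s,r=%s" % (self.username, self._cnonce)
        return "n,," + self._bare

    def final(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self._cnonce):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = "c=biws,r=" + a["r"]           # biws = base64("n,,")
        auth_message = (self._bare + "," + server_first + "," + without_proof).encode()
        proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_message))
        self._server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return without_proof + ",p=" + base64.b64encode(proof).decode()

    def verify(self, server_final: str) -> bool:
        # Mutual authentication: the server proves it holds ServerKey.
        return hmac.compare_digest(base64.b64decode(_attrs(server_final)["v"]), self._server_sig)


def authenticate(server: ScramServer, client: ScramClient) -> bool:
    """Run the four-message exchange; False on any verification failure."""
    try:
        server_first = server.first(client.first())
        server_final = server.final(client.final(server_first))
    except ValueError:
        return False
    return client.verify(server_final)


if __name__ == "__main__":
    srv = ScramServer("device-42", "correct horse battery")   # constructed credentials
    print(authenticate(srv, ScramClient("device-42", "correct horse battery")))
    print(authenticate(srv, ScramClient("device-42", "wrong password")))
```

Note what a passive observer of this exchange learns: the user name, two nonces, the salt and the iteration count, and one proof that is bound to this session's nonces and therefore cannot be replayed. That is the property the slide calls negotiated challenge-response protection, and it holds even without TLS; TLS is still needed to hide the traffic itself.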
Slide 9: MQTT: brief overview (diagram)
Source: "MQTT, A practical protocol for the Internet of Things", Bryan Boyd, IBM
Slide 10: AMQP: brief overview (diagram)
Source: "AMQP and RabbitMQ, Intro and Messaging patterns", Javier Arias Losada, Telefonica
Slide 11: Authentication, authorization and access control: AMQP
Authentication in AMQP:
- SASL mechanisms (AMQP 1.0 delegates authentication to a SASL layer)
- OAuth plugins (a broker plugin that validates bearer tokens)
- Client certificates (X.509, presented in the TLS handshake)
Authorization in AMQP:
- At the vhost level
- Broker-level support; RabbitMQ, for example, grants permissions per operation (configure, write, read) per resource (exchange, queue) using one regular expression per operation, in that order:
  rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"
  This lets user tonyg configure only resources whose names start with "tonyg-", but write to and read from any resource in /myvhost.
- Permission checks are cached per connection or per channel, so a changed ACL takes effect only when the client reconnects
- Every operation on a resource is checked against these ACLs
Slide 12: Authentication, authorization and access control: MQTT
Authentication in MQTT:
- Username and Password fields in the CONNECT packet (sent as-is; without TLS they cross the network in clear)
- Client Identifier
- X.509 client certificate, presented in the TLS handshake
Authorization in MQTT:
- Broker-level support; HiveMQ, for example, supports topic permissions:
  - allowed topic (a topic filter, possibly with + and # wildcards)
  - allowed operation (publish, subscribe)
  - allowed QoS, tunable per permission
- Open-source plugin support: an OnAuthCallback hook for custom authentication logic
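The topic-permission model above hinges on one piece of logic that brokers get right and home-grown plugins often get wrong: deciding whether a topic, or a requested subscription filter, is covered by an allowed filter. Here is an added example of my own (not HiveMQ's code or configuration format) implementing that check per the MQTT 3.1.1 matching rules, including the case where a client asks for a broader wildcard subscription than its ACL allows and the rule that wildcard filters never match $SYS topics. The "{clientid}" placeholder and the ACL table are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TopicPermission:
    topic_filter: str       # MQTT filter; may use '+' and '#'. "{clientid}" is a placeholder
                            # of this example (assumption), replaced with the client id.
    operations: frozenset   # subset of {"publish", "subscribe"}
    max_qos: int = 2


def filter_covers(acl_filter: str, subject: str) -> bool:
    """True when every topic matched by `subject` is also matched by `acl_filter`.

    `subject` is a plain topic for publish, or the requested filter for
    subscribe. Follows MQTT 3.1.1 section 4.7: '+' matches exactly one level,
    '#' matches all remaining levels and must be last, and a filter that
    begins with a wildcard never matches a topic beginning with '$'."""
    if not acl_filter or not subject:
        return False
    if subject.startswith("$") and acl_filter[0] in "+#":
        return False
    acl_levels, sub_levels = acl_filter.split("/"), subject.split("/")
    for i, level in enumerate(acl_levels):
        if level == "#":
            return i == len(acl_levels) - 1
        if i >= len(sub_levels):
            return False
        requested = sub_levels[i]
        if requested == "#" or (requested == "+" and level != "+"):
            return False            # the request is broader than the ACL allows
        if level != "+" and level != requested:
            return False
    return len(acl_levels) == len(sub_levels)


def is_authorized(acl: dict, client_id: str, operation: str, topic: str, qos: int) -> bool:
    """Default deny. `acl` maps a client id to its list of TopicPermission."""
    if operation == "publish" and ("+" in topic or "#" in topic):
        return False                # PUBLISH topics must not contain wildcards
    for perm in acl.get(client_id, ()):
        if operation not in perm.operations or qos > perm.max_qos:
            continue
        if filter_covers(perm.topic_filter.replace("{clientid}", client_id), topic):
            return True
    return False


# Constructed ACL: a sensor may only publish its own telemetry at QoS <= 1 and
# subscribe to its own command topics; a dashboard may only read telemetry.
ACL = {
    "sensor-17": [
        TopicPermission("devices/{clientid}/telemetry", frozenset({"publish"}), max_qos=1),
        TopicPermission("devices/{clientid}/commands/#", frozenset({"subscribe"})),
    ],
    "dashboard": [
        TopicPermission("devices/+/telemetry", frozenset({"subscribe"})),
    ],
}

if __name__ == "__main__":
    checks = [
        ("sensor-17", "publish", "devices/sensor-17/telemetry", 1),   # own topic, allowed
        ("sensor-17", "publish", "devices/sensor-17/telemetry", 2),   # QoS above the cap
        ("sensor-17", "publish", "devices/sensor-18/telemetry", 0),   # another device's topic
        ("sensor-17", "subscribe", "devices/#", 0),                    # broader than its ACL
        ("dashboard", "subscribe", "devices/+/telemetry", 0),         # allowed
        ("dashboard", "subscribe", "$SYS/#", 0),                       # broker internals
    ]
    for check in checks:
        print(check, is_authorized(ACL, *check))
```

The subscribe case is the one to test carefully: a permission for "devices/+/telemetry" must reject a request for "devices/#", because that filter would also deliver every device's command traffic.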
Slide 13: Basic auth (MQTT) vs OAuth (AMQP)
Basic auth:
- Username and password in standard HTTP headers, Base64-encoded
- Base64 is reversible: no encryption, no hashing
- The server holds every credential, so a compromised server is a single point of failure; and because the same credential is sent on every request, a captured one can be replayed
- No cached session or cookies, no token management
- Password or key rotation limits the damage, but someone has to schedule, configure and manage it, and rotating across a deployment of 1K to 1M devices is a hard operational problem
Slide 14: Basic auth vs OAuth, continued
OAuth:
- The private key never leaves the host that owns it; the resource server sees only a short-lived token, never the long-term credential
- No single point of failure
- Attack surface significantly reduced
- Access token sent as a bearer credential in the Authorization header
- Token management with a time to live (TTL) and grant types
- Configurable scopes
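The two slides above contrast a credential that is merely encoded with one that is signed, expires and carries scopes. The following added example (mine, not the speaker's) shows both sides: decoding a Basic header to make the "no encryption, no hashing" point, and minting and verifying a JWT access token with a TTL and a scope claim. It uses HS256 with a shared secret so that it runs self-contained; in production the authorization server signs with an asymmetric key (RS256 or ES256) and resource servers hold only the public key, which is the property the slide refers to when it says the private key never leaves its host. The secret, subject, scopes and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def decode_basic(authorization: str) -> tuple:
    """HTTP Basic: Base64 is an encoding, not protection. Anyone who can read
    the header (no TLS, a logging proxy, a compromised server) has the password."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: list, ttl: int, now: int = None) -> str:
    """Mint an HS256 JWT access token with a TTL and a space-separated scope claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, required_scope: str, now: int = None):
    """Return the claims if signature, expiry and scope all check out, else None.
    The verifier pins the algorithm instead of trusting the token header, so an
    'alg: none' or key-confusion token is rejected before any crypto runs."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (head_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                 # expired, or no TTL at all: refuse it
    if required_scope not in claims.get("scope", "").split():
        return None                 # signed and fresh, but not for this operation
    return claims


if __name__ == "__main__":
    print(decode_basic("Basic ZGV2OnB3"))            # the "secret" is right there
    secret = b"constructed-shared-secret"
    tok = issue_token(secret, "device-42", ["telemetry:write"], ttl=300, now=1_000_000)
    print(verify_token(secret, tok, "telemetry:write", now=1_000_100))   # claims
    print(verify_token(secret, tok, "telemetry:write", now=1_000_300))   # None: expired
    print(verify_token(secret, tok, "commands:write", now=1_000_100))    # None: wrong scope
```

Compare the failure modes: a leaked Basic credential is good until someone rotates it on every device, while a leaked token is good for at most `ttl` seconds and only for the scopes it names.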
Slide 15: Connected cars & OAuth
- Dynamic scope configuration
- Run-time access control
- Privilege management
Source: UIEvolution & Wikipedia
Slide 16: OAuth: limitations
- OAuth is a big step for IoT, but:
- Lack of anonymity: single sign-on across devices ties them all to one identity
- Limited spread of OAuth client support on constrained devices
- The bearer-token grant is an abstract concept that means different things in the web, enterprise and IoT worlds
- OAuth by itself is not sufficient for fine-grained ACLs
- OAuth + ACS? https://github.com/predix/acs
Slide 17: MQTT vs AMQP
- MQTT is still very popular
- Low footprint: simple publish-subscribe model
- Low power draw
- Light on network bandwidth
- Ideal for embedded devices, and hence for IoT
- Three QoS levels: 0 fire and forget (at most once), 1 at least once, 2 exactly once
Slide 18: Fine-grained access control
- Application-level support for finer control than the broker offers
- What degree of configurability is desired?
- Role-based access control
- Policy-based access control
- Access control driven by operational requirements
- Inheritance of access privileges
- Proxying and sharing of access control
- Example: Predix ACS, https://github.com/predix/acs
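Slides 16 and 18 argue that a token's scopes are too coarse and that the application needs role-based and policy-based control with inherited privileges. The following added example (my own, not Predix ACS, whose policy language is different) is a minimal policy decision point showing those three ideas together: roles that inherit transitively, a policy with an attribute condition (an operator may only command devices at their own site), and deny-overrides combining with default deny. The role hierarchy, device registry, policies and subjects are all constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable


@dataclass(frozen=True)
class Subject:
    id: str
    roles: frozenset
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                     # "PERMIT" or "DENY"
    roles: frozenset                # roles the policy applies to; empty = everyone
    actions: frozenset
    resource_pattern: str           # fnmatch pattern over the resource path
    condition: Callable[[Subject, str], bool] = lambda subject, resource: True


# Constructed role hierarchy: fleet-admin inherits operator, operator inherits viewer.
ROLE_PARENTS = {"fleet-admin": {"operator"}, "operator": {"viewer"}}

# Constructed device registry consulted by the attribute condition below.
DEVICE_SITE = {"dev-1": "plant-a", "dev-2": "plant-b"}


def effective_roles(roles) -> frozenset:
    """Expand inherited roles transitively (inheritance of access privileges)."""
    seen, stack = set(roles), list(roles)
    while stack:
        for parent in ROLE_PARENTS.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return frozenset(seen)


def same_site(subject: Subject, resource: str) -> bool:
    # Resources look like /devices/<id>/...; operators may only command their own site.
    device_id = resource.split("/")[2] if resource.count("/") >= 2 else ""
    return DEVICE_SITE.get(device_id) == subject.attributes.get("site")


POLICIES = [
    Policy("viewer-read", "PERMIT", frozenset({"viewer"}), frozenset({"read"}), "/devices/*"),
    Policy("operator-command", "PERMIT", frozenset({"operator"}), frozenset({"write"}),
           "/devices/*/commands", condition=same_site),
    # An operational freeze: nobody, whatever their role, may change dev-2 right now.
    Policy("dev-2-change-freeze", "DENY", frozenset(), frozenset({"write"}), "/devices/dev-2/*"),
]


def evaluate(policies, subject: Subject, action: str, resource: str):
    """Deny-overrides combining with default deny. Returns (decision, matched policy names)."""
    roles = effective_roles(subject.roles)
    permits, denies = [], []
    for p in policies:
        if p.roles and not (p.roles & roles):
            continue
        if action not in p.actions or not fnmatchcase(resource, p.resource_pattern):
            continue
        if not p.condition(subject, resource):
            continue
        (denies if p.effect == "DENY" else permits).append(p.name)
    if denies:
        return "DENY", denies
    if permits:
        return "PERMIT", permits
    return "DENY", []


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"operator"}), {"site": "plant-a"})
    carol = Subject("carol", frozenset({"fleet-admin"}), {"site": "plant-b"})
    print(evaluate(POLICIES, alice, "write", "/devices/dev-1/commands"))   # PERMIT
    print(evaluate(POLICIES, alice, "read", "/devices/dev-2"))             # PERMIT via viewer
    print(evaluate(POLICIES, carol, "write", "/devices/dev-2/commands"))   # DENY: freeze wins
```

Two design choices matter for the slide's "order of evaluation" and "ease of run-time changes" points: every applicable policy is evaluated, so policy order cannot change the outcome, and the decision is recomputed per request from data that can be changed at run time without a reconnect.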
Slide 19: Security considerations
- Pluggable back ends for authorization and authentication
- Cost of redirecting each check to such a back-end system
- Elliptic-curve cryptography support
- PKI support
- Interoperability of plugins
- Order of evaluation
- Ease of deployment and management
- Ease of run-time changes to settings
Slide 20: Web vs IoT security
- Web security standard: HTTPS + OAuth + OpenID Connect + application-level access control (ACS)
- IoT security: SASL + OAuth + ?
Slide 21: Questions?