using the delegated coap authentication and authorization
play

Using The Delegated CoAP Authentication and Authorization Framework - PowerPoint PPT Presentation

Oct 10, 2023 •311 likes •502 views

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

  1. Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 18

  2. Motivation ◮ draft-gerdes-ace-dcaf-authorize ◮ Secure exchange of authorization information. ◮ Establish DTLS channel between constrained nodes. ◮ Support of class-1 devices (RFC 7228). ◮ Support cross-domain, multi-owner scenarios. ◮ draft-bergmann-ace-dcaf-cose ◮ Re-use light-weight DCAF messaging ◮ Support for application-level security using COSE objects ◮ Enable piggybacked protected content use-case 2 / 18

  3. Observation: DCAF Messages are not tied to DTLS Access Request CAM SAM Access Ticket C S 3 / 18

  4. Nor is the Ticket Data Access Request CAM SAM Face: Access Ticket [server authorization info] nonce [lifetime] Client Information: C S veri fi er (session key) [client authorization info, nonce] [lifetime] 4 / 18

  5. DCAF-Messages can be protected with COSE Example: Access Request POST /client-authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: AES-CCM-16-64-128 # unprotected nonce: h'd6150b90e6f0eb5be42164062c', # nonce }, h'{encrypted payload w/ tag}', # encrypted DCAF payload # recipients: [ [ h'', # protected (absent for AE algorithm) { alg: A128KW, # unprotected kid: h'383261622e6161733432' # context identifier: "82ab.aas42" }, h'52ff9ed52d...' # encrypted session key ] ] ] 5 / 18

  6. DCAF-Messages can be protected with COSE Example: Access Request POST /client-authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: AES-CCM-16-64-128 # unprotected nonce: h'd6150b90e6f0eb5be42164062c', # nonce }, h'{encrypted payload w/ tag}', # encrypted DCAF payload # recipients: [ [ h'', # protected (absent for AE algorithm) { alg: A128KW, # unprotected kid: h'383261622e6161733432' # context identifier: "82ab.aas42" }, h'52ff9ed52d...' # encrypted session key ] ] ] 6 / 18

  7. Key Derivation CAM SAM Security Association transfer Ticket Face during setup C S derive session key use session key from Ticket Face and from Veri fi er (direct K S,SAM or derived) 7 / 18

  8. Convey Ticket Face from C to S POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 8 / 18

  9. Convey Ticket Face from C to S POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 9 / 18

  10. Creation of Security Context POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 2.01 Created Content-Format: application/cose+cbor Location-Path: 238dsa29 Authorization: [ h'a1031862', # protected { alg: HMAC 256/256 }, # unprotected h'', # empty payload h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 10 / 18

  11. Creation of Security Context POST /authorize Content-Format: application/cose+cbor [ h'a1031862', # protected { content_type: application/dcaf+cbor } { alg: HMAC 256/256 }, # unprotected h'{ SAI: [ "/s/tempC" ... }', # DCAF payload wrapped in CBOR binary h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] used as security context identifier 2.01 Created Content-Format: application/cose+cbor derived from Location-Path: 238dsa29 Ticket Face and Authorization: [ h'a1031862', # protected K S,SAM { alg: HMAC 256/256 }, # unprotected h'', # empty payload new option h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 11 / 18

  12. Usage of Security Context without payload GET /r Authorization: [ h'', # protected (empty) { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 12 / 18

  13. Usage of Security Context without payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] 13 / 18

  14. Usage of Security Context with payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] PUT /r Content-Format: application/cose+cbor [ h'a10300', # protected { content_type: text/plain } { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, h'48656c6c6f20576f726c6421', # payload: "Hello World!\n" h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 14 / 18

  15. Usage of Security Context with payload GET /r as returned in Authorization: [ h'', # protected (empty) Location-Path { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, nil, # payload (empty) h'....', # tag: HMAC(options+protected, secret) [ [ h'', {}, h'' ] ] # recipients ] PUT /r Content-Format: application/cose+cbor [ h'a10300', # protected { content_type: text/plain } { alg: HMAC 256/256, # unprotected kid: h'3233386473613239' # context identifier: "238dsa29" }, h'48656c6c6f20576f726c6421', # payload: "Hello World!\n" h'....', # tag: HMAC(options+protected+payload, secret) [ [ h'', {}, h'' ] ] # recipients ] 15 / 18

  16. Open Issues ◮ protection of changeable CoAP options (- > CoRE WG) ◮ describe how to apply key derivation methods from draft-ietf-cose-msg 16 / 18

  17. Summary ◮ DCAF-COSE supports application-level security using COSE objects ◮ use plain COSE as described in draft-ietf-cose-msg ◮ two new CoAP options: ◮ Authorization : convery authorization information ◮ Authorization-Format : allow for future extensions 17 / 18

  18. DCAF-COSE vs. OSCOAP DCAF-COSE OSCOAP invent "Secure Message format" Changes use COSE as is (-06) (COSE-profile in Appendix A) to COSE no changes required invent "COSE Optimizations" that are not COSE- compatible (new message types, remove unprot- ected header, alg ...) use parameter kid (identifies invent new parameter cid (identifies cipher suite, Security keys, alg-specific parameters, different for client auth info and session key) Context and server: "typically identifies the sending party") invent new parameter seq (-> sequence number, use parameter nonce Replay no freshness information) (-> local time) protection Server sends SAM Re-key "out of scope" (Section 7.1) Information Message Signaling use existing payload types implicit, new payload type two new options (not critical due to usual content-format new critical option handling) Handling COSE extension parameter not supported of unknown to signal required options options RFC 7252, 7641 options needs more work in CoRE WG block-wise 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann , Carsten Bormann { gerdes | bergmann | cabo } @tzi.org Universit at Bremen NPSec14, 2014-10-21 Motivation Smart objects small

466 views • 27 slides
Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia

Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia

Co CoAP an and d MQTT TT Antonio Lin Colina, Zolertia http://electronicdesign.com/iot/mqtt-and-coap-underlying-protocols-iot 03 03-coap coap UDP- reliable (confirmable), SMS supported CoRE Link-format (GET /.well known/core

1.09k views • 42 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

750 views • 27 slides
When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy Web Traffic Needs Security! Goals = CIA triad Confidentiality

192 views • 18 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

467 views • 35 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof. Tom Austin San Jos State University Authentication vs Authorization Authentication Are you who you say you are? Restrictions on who

1.14k views • 79 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted C. Cheng, Howard Chu, Matthew Hardin Symas Corporation Outline Evolution of Related Technologies Unified AAA Architecture Provisioning AAA

396 views • 27 slides
In Defense of a Morphous Morphology Eullia Bonet Universitat Autnoma de Barcelona (Centre de

In Defense of a Morphous Morphology Eullia Bonet Universitat Autnoma de Barcelona (Centre de

Network Core Mechanisms of Exponence Universitt Leipzig, January 11-12, 2008 In Defense of a Morphous Morphology Eullia Bonet Universitat Autnoma de Barcelona (Centre de Lingstica Terica) 1. Preliminaries (1) If we accept the

283 views • 9 slides
The OpencomRTOS HUB Result of formal modeling Events, semaphores, FIFOs, Ports,

The OpencomRTOS HUB Result of formal modeling Events, semaphores, FIFOs, Ports,

"Multicore programming" No m ore com m unication in your program , the key to m ulti-core and distributed program m ing. Eric.Verhulst@OpenLicenseSociety.org Com m ercialised by: w w w .OpenLicenseSociety.org 1 2 6 / 0 5 / 2 0 0 8

412 views • 16 slides
TREC Deep Learning Track Nick Craswell (Microsoft), Bhaskar Mitra (Microsoft and UCL), Emine Yilmaz

TREC Deep Learning Track Nick Craswell (Microsoft), Bhaskar Mitra (Microsoft and UCL), Emine Yilmaz

TREC Deep Learning Track Nick Craswell (Microsoft), Bhaskar Mitra (Microsoft and UCL), Emine Yilmaz (UCL), Daniel Campos (Microsoft and UW) Deep Learning Track Deep models learn an intricate representation of a large-scale dataset Here:

443 views • 12 slides
W.A.L. to write a newspaper report Today we are going to write the first half our newspaper report

W.A.L. to write a newspaper report Today we are going to write the first half our newspaper report

Tues write a newspaper report.notebook October 19, 2020 W.A.L. to write a newspaper report Today we are going to write the first half our newspaper report about the incident which happened to Auggie at the Nature Reserve. Words you may need

247 views • 3 slides
Python Cam Allen cam@cs.duke.edu Based on slides by Zhenyu Zhou, Richard Guo What is Python?

Python Cam Allen cam@cs.duke.edu Based on slides by Zhenyu Zhou, Richard Guo What is Python?

Python Cam Allen cam@cs.duke.edu Based on slides by Zhenyu Zhou, Richard Guo What is Python? Language Principles Beautiful is better than ugly Explicit is better than implicit Simple is better than complex Complex is better than

631 views • 23 slides
6: Uncertainty and Human Agreement Machine Learning and Real-world Data Simone Teufel and Ann

6: Uncertainty and Human Agreement Machine Learning and Real-world Data Simone Teufel and Ann

6: Uncertainty and Human Agreement Machine Learning and Real-world Data Simone Teufel and Ann Copestake Computer Laboratory University of Cambridge Lent 2017 Last session: Overtraining and cross-validation Your system is now quite

472 views • 22 slides
OLPC System Architecture Mark J. Foster VP Engineering/Chief Architect One Laptop Per Child

OLPC System Architecture Mark J. Foster VP Engineering/Chief Architect One Laptop Per Child

OLPC System Architecture Mark J. Foster VP Engineering/Chief Architect One Laptop Per Child October 4, 2006 ONE LAPTOP PER CHILD Agenda Introduction Core Architecture Mechanical Design Power System Design ASIC Architecture

366 views • 22 slides
CS 220: Discrete Structures and their Applications Counting: the bijection rule zybooks 7.3

CS 220: Discrete Structures and their Applications Counting: the bijection rule zybooks 7.3

CS 220: Discrete Structures and their Applications Counting: the bijection rule zybooks 7.3 http://www.xkcd.com/936/ counting subsets Show that the number of different subsets of a finite set X is 2 |X| counting subsets Show that the number

148 views • 10 slides

More recommend