w3c web of things
play

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT - PowerPoint PPT Presentation

Dec 05, 2022 •9 likes •109 views

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018 Outline Who tried what Intel, Panasonic, Smart Things, Siemens, EURECOM, others? HTTPS (direct and via proxy), Auth

  1. W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018

  2. Outline • Who tried what • Intel, Panasonic, Smart Things, Siemens, EURECOM, others? • HTTPS (direct and via proxy), Auth (basic, digest, bearer tokens, psk) • Issues Arising • Security Metadata Structure • Definitions, multiple levels (2? 3?) • Security Metadata Content • Schemes, scheme parameters, vocabulary • Interactions with Architecture • Proxies • TO DO • Online and plugfest • Security testing and validation

  3. • Secured services Intel • Thing Directories (cloud and gateway) • Auth • Thing Playground (cloud) • OCF-WoT metadata bridge (gateway) • HTTP Basic • CoAP/HTTP bridge (gateway) • HTTP Digest • OCF devices (via CoAP/HTTP bridge) • Encryption • Simple-webcam (native web service) • HTTPS Proxy endpoint, Let's Encrypt certs • Other notes • Running in cloud service • Two cloud servers • Transparent proxy (endpoint wrapper) • Two separate local networks behind NATs • Both cloud and reverse tunneled HTTP services • Direct HTTPS with Let's Encrypt certs • TDs with multiple forms (different endpoints) with different security for the • Running on local device; reverse tunneled out same physical device and exposed on cloud endpoint • Challenges with port 22 being blocked… • Certificate valid for cloud endpoint; but TLS managed by device (end-to-end security) • Direct HTTPS with self-signed certs • For local devices • Client must accept self-signed cert

  4. Siemens • Auth • HTTP basic • JWT bearer tokens • Encryption • HTTPS • Other • HTTP proxy support: • Both forward proxies and reverse proxies (things only reachable through proxies) • Used with Oracle instance • Bearer tokens with Fujitsu beacon light

  5. Panasonic: Implementation 1 • Bearer authentication using "bearer" security In forms for interactions that did not use security, used this: scheme "forms": [ • Indicated authorization Url … {"href": "operationStatus", • But actually formed a bearer token manually "mediaType": "application/json"}, • Specified security in TD by default {"href ": "https://…/operationStatus", • Indicated no authentication is required using "security": [] override. "mediaType": "application/json", At top level, used this: "subProtocol": "LongPoll", "security": [{ "rel": "observeProperty", "scheme": "bearer", "security": [] "format": "jwt", }, "alg": "ES256", {"href": "wss ://…./ operationStatus", "authorizationUrl": "…" "mediaType": "application/json", }], "rel": "observeProperty", "security": [] } ]

  6. Panasonic: Implementation 2 • Online WoT Server Simulator requires the following HTTP header upon request X-PWOT-TOKEN: <access token> However, the TD is not correct at this moment. Currently we have: "security": [{ "cat": "token:jwt", "alg": "ES256", "as": "https://plugfest.thingweb.io:8443" }], • It should updated to the new TD specs. • It should use "scheme": "apikey". ==> plan to update the TD of Online WoT Server Simulator by the next PlugFest.

  7. Smart Things • Example TDs for CoAP devices using PSK • Raising need for CoAP-specific security metadata • MQTT metadata can probably reuse existing vocabulary, eg "basic" • An assumption that needs to be tested

  8. Eurecom • Auth: • Bearer tokens • Encryption • HTTPS for both Things and TD service • TDs encrypted and decrypted after download using pre-shared key

  9. Issues Arising • NAT Traversal • Can't depend on port 22 being open… • Pre-shared keys • Is "scheme": "psk" needed? • Self-signed certificates • Need to validate certificate: Onboarding service? Validation service? • Is "scheme": "cert" needed? • Security definitions vs activated security configurations • Multilevel security configurations • Right now can be given at three levels; top, interaction, form • Configurations at lower overrides higher • All three needed? • "Add-on" security configurations • Would be nice to have way to add configs, not just overrides

  10. Next • Implementations/use cases for all existing schemes • New schemes • Local TLS/DTLS • MQTT, CoAP, OCF • Basic auth over HTTPS, Digest over (local) HTTP • Demonstration of at least one scheme using external vocabulary • And maybe move some existing schemes out to external vocabulary…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the things which will take place after this. Revelation 4:1 After these things I looked, and behold, a door standing open in heaven. And the

438 views • 30 slides
Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT) Incompatible standards, platforms, technologies World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and

273 views • 15 slides
Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of better things concerning you, yes, things that accompany salvation, though we speak in this manner. Hebrews 6:10, For God is not unjust to forget

739 views • 41 slides
9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception

9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception

9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception is an object describing unusual or erroneous situation Division by 0 in computing expression (ArithmeticException) Array index out of bounds

371 views • 8 slides
Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview

Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview

Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview Introduction The Problem: Why Things Are on your Mind The Idea: Outsource your Brain Methodologies Tools Getting started Chaos

451 views • 23 slides
Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things?

Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things?

Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things? The vision Domains of the Internet of Things The challenges The Proto Web of Things The Raspberry Pi as a WoT platform The challenge of the

1.21k views • 63 slides
6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be combined in the same learning situation without risking divergence? (circle three) (a) eligibility traces (b) bootstrapping (c) sample backups (d)

146 views • 14 slides
What are IoTs? 2 More Than The Sum Of Its Things SEC 20 What are IoT Middlewares? 3 More

What are IoTs? 2 More Than The Sum Of Its Things SEC 20 What are IoT Middlewares? 3 More

More Than The Sum Of Its Things SEC 20 What are IoTs? 2 More Than The Sum Of Its Things SEC 20 What are IoT Middlewares? 3 More Than The Sum Of Its Things SEC 20 IoT Middleware M Abdur Razzaque, M Milojevic-Jevric, A. Palade and

602 views • 32 slides
WWW.TOTW.ORG By Kenneth M Hoeck Finally, brethren, whatsoever things are true, whatsoever things

WWW.TOTW.ORG By Kenneth M Hoeck Finally, brethren, whatsoever things are true, whatsoever things

WWW.TOTW.ORG By Kenneth M Hoeck Finally, brethren, whatsoever things are true, whatsoever things are honest, whatsoever things are just, whatsoever things are pure, whatsoever things are lovely, whatsoever things are of good report; if there be

1.16k views • 55 slides
Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before

Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before

Pathway of Responsibility Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before they spring forth I proclaim them to you . God has never changed but if we engage Him intimately He will reveal

1.04k views • 81 slides
Isa 42:9 Behold, the former things have come to pass, Now I declare new things; We are

Isa 42:9 Behold, the former things have come to pass, Now I declare new things; We are

New Versus Old Isa 42:9 Behold, the former things have come to pass, Now I declare new things; We are experiencing God, who never changes, in new ways and our minds are being deconstructed and renewed by our encounters with Him New

672 views • 50 slides
Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before

Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before

Pathway of Responsibility Isa 42:9 Behold, the former things have come to pass, Now I declare new things; Before they spring forth I proclaim them to you . God has never changed but if we engage Him intimately how we know Him will

996 views • 67 slides
The Internet of Things Niels Olof Bouvin 1 Overview What is the Internet of Things? The vision

The Internet of Things Niels Olof Bouvin 1 Overview What is the Internet of Things? The vision

The Internet of Things Niels Olof Bouvin 1 Overview What is the Internet of Things? The vision Domains of the Internet of Things The challenges RFID 2 What is the Internet of Things? (CERP-IoT 2009): Internet of Things (IoT) is an

813 views • 33 slides
Architecture A discussion, not a deck IoT architectures Mesh-of-things--things talk to other

Architecture A discussion, not a deck IoT architectures Mesh-of-things--things talk to other

Architecture A discussion, not a deck IoT architectures Mesh-of-things--things talk to other things, without intermediaries. Thing-hub-cloud --things talk to a hub, which talks back to them and to the cloud. Theres a spectrum of emphasis on

480 views • 6 slides
The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The

The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The

The Internet of Things Afloat by Digital Yacht What is the Internet of Things ? The Internet of Things (IoT ). A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send

575 views • 24 slides
These things says the Son of God, who has eyes like a flame of fire, and His feet like fine

These things says the Son of God, who has eyes like a flame of fire, and His feet like fine

These things says the Son of God, who has eyes like a flame of fire, and His feet like fine brass: Outline of Revelation the things which you have seen Rev. 1 the things FUTURE which are. . . PAST Rev. 422 the things which will

626 views • 50 slides
Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Proposition 64 Public Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions Overview of the BSCC and the Executive Steering Committee (ESC) Grant Summary &amp; Instructions Applicant

934 views • 45 slides
Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew

Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew

1 of 24 slides Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng; 2007 Department of Computer Science Cornell University Ivan Hristov

450 views • 28 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote Mobile Lightweight Quick Fully-Featured Text Editor Possible Features SCM Integration Sharing ... Kellen Donohue (kellend@{cs,uw}) , Zach

380 views • 3 slides
USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro

USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro

REFERENCE THIS: SANDBOX EVASION USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro Graduate of Israeli Army s elite 28 years old from Tel-Aviv. 8200 intelligence unit. BSC in

1.05k views • 45 slides
Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

IMPECS WWW Presentation- April 24, 2008 Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot Carleton University, Canada M. Mannan April 24, 2008 1 IMPECS The need for sharing is real People

422 views • 19 slides
Ronny Krashinsky and Hari Balakrishnan MIT Laboratory for Computer Science {ronny,

Ronny Krashinsky and Hari Balakrishnan MIT Laboratory for Computer Science {ronny,

Ronny Krashinsky and Hari Balakrishnan MIT Laboratory

357 views • 20 slides
A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation !

A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation !

A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation ! Ubicomp features real-world electronic services, often without user interface Privacy Awareness System ! Automated data transfer facilitates

593 views • 10 slides

More recommend