We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything we’ve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.
- User name and password
- Smartcard
- Biometrics
- Certificate
- API key (e.g. AE5021 B3209A FEA409)
TRUST

APPLYING THESE MECHANISMS TO IOT AND M2M
[Figure: API key AE5021 B3209A FEA409; programmatic vs. physical]
PUBLIC KEY INFRASTRUCTURE (PKI)
- Trusted and well established technology
- Allows for mutual authentication
- Can be used for message signing

COST
$$$$$ $$$$$ $$$$$
SECURITY
- Certificate Revocation List
- Online Certificate Status Protocol

CERTIFICATE AUTHORITIES
[Figure: device123.example.com with Certificate Authority A and Certificate Authority B]

MANAGEMENT

INTEROPERABILITY
[Figure: FOO.COM CERTIFICATE AUTHORITY vs. BAR.COM CERTIFICATE AUTHORITY]
How do we deploy PKI at Internet of Things scale?
- Keep cost low
- Be interoperable
- Deploy at scale
- Improve security

DNS provides a secure global registry:
- Highly scalable
- Globally distributed
- Resilient
- Standards based
- Ubiquitous
- Secure
  - Cryptographically signed
  - Supports delegation: root key -> .com key -> .example.com key
[Figure: records in zone.example.com]

RFC 6698 establishes new record types for DNS:
- Allows publishing of certificate data in DNS
- Data integrity validated by cryptographic signature
- Effectively replaces the local CA store as the means of validating certificates
- Allows records to be queried in real time
- Allows records to be cached for a specific amount of time
- Removes the need for CRLs and OCSP
- Can work with CA issued certificates or self signed certificates

[Figure, repeated across the following slides: Sensor, Keys, DNS Registry listing device1.example.com through deviceX.example.com, IoT Platform, Recursive DNS Server]

Device provisioning
- Device creates public/private keypair
- Public key is published in DNS
- DNS "TLSA" record maps device name to public key
- Device only needs a name; it does not need a published IP address

1. Sensor initiates TLS connection to IoT Platform
2. TLS handshake includes device name and public key
3. IoT Platform queries secure DNS (via a Recursive DNS Server) for the public key for the device
4. IoT Platform retrieves the public key from the secure DNS server
5. IoT Platform compares the device's published key with the key used during negotiation (= ?)
6. The keys match, so the client certificate is validated
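As an added example that is not part of the deck, the TLSA record and comparison step described above, in Python using only the standard library: it builds the RFC 6698 RDATA (usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256) for a device, renders the zone-file line, and performs the platform's check of the key presented in the handshake against the published record. The certificate and SPKI bytes and the `_443._tcp.device1.example.com.` owner name are constructed placeholders, not real DER data; the usage, selector and matching-type values are the ones RFC 6698 assigns.

```python
"""RFC 6698 TLSA record: build, parse, and match against the key a device presents."""
import hashlib
import hmac
import struct

USAGE_DANE_EE = 3                    # usage 3: pin the end-entity key itself, no CA chain needed
SEL_FULL_CERT, SEL_SPKI = 0, 1       # selector: whole certificate or its SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching type: raw data or a digest of it
_DIGEST = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}

def association_data(selector, mtype, cert_der, spki_der):
    """Certificate Association Data computed from the device's certificate/SPKI."""
    if selector not in (SEL_FULL_CERT, SEL_SPKI) or mtype not in (MATCH_EXACT, *_DIGEST):
        raise ValueError("unsupported selector or matching type")
    selected = spki_der if selector == SEL_SPKI else cert_der
    return selected if mtype == MATCH_EXACT else _DIGEST[mtype](selected).digest()

def build_tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Wire-format RDATA: usage, selector, matching type (one byte each) + association data."""
    return struct.pack("!BBB", usage, selector, mtype) + association_data(selector, mtype, cert_der, spki_der)

def parse_tlsa_rdata(rdata):
    """Split wire-format RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return (*struct.unpack("!BBB", rdata[:3]), rdata[3:])

def presentation_format(owner, rdata):
    """Zone-file line, e.g. '_443._tcp.device1.example.com. IN TLSA 3 1 1 <hex>'."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(rdata, cert_der, spki_der):
    """The platform's check: does the key used in the handshake match the published record?"""
    usage, selector, mtype, published = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE:
        return False                 # this example only handles DANE-EE pins
    try:
        expected = association_data(selector, mtype, cert_der, spki_der)
    except ValueError:
        return False                 # unusable record: fail closed
    return hmac.compare_digest(expected, published)

# Constructed placeholders standing in for the DER-encoded certificate and SPKI of device1
DEVICE1_CERT = b"constructed-der-cert-for-device1.example.com"
DEVICE1_SPKI = b"constructed-spki-for-device1.example.com"
UNPUBLISHED_CERT = b"constructed-der-cert-never-published-in-dns"
UNPUBLISHED_SPKI = b"constructed-spki-never-published-in-dns"
# Provisioning step: the record published for the device (DANE-EE, SPKI selector, SHA-256)
DEVICE1_TLSA = build_tlsa_rdata(USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256, DEVICE1_CERT, DEVICE1_SPKI)
```

Removing the record from the zone is the "instant revocation" the deck refers to: with nothing published, `tlsa_matches` has no record to compare against and the platform rejects the connection.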
Advantages of DANE
- Highly scalable
- Economically viable
- Highly secure
- Limited scope of trust
- Instant revocation
- Transparency

WHAT NOW?
COMMUNITY ENGAGEMENT
Working with the community on DANE enablement across the stack including crypto libraries and common runtime frameworks.
FEEDBACK
We'd love to talk! email us at iot@verisign.com