
Insights from the Smart Object Security Workshop - March 2012, Paris

The Smart Object Security Workshop held on March 23, 2012, in Paris, gathered influential figures in the field, including Hannes Tschofenig, Jari Arkko, and others. The workshop aimed to address security issues for smart object networks, gathering experiences from implementations and exploring the unique challenges and requirements in varying application domains. Discussions encompassed credential provisioning, authorization policies, and practical implementation strategies using existing cryptographic protocols. As the field evolves, the workshop emphasized the need for ongoing research and standardized solutions in smart object security.


Presentation Transcript


  1. Report from the “Smart Object Security Workshop, 23rd March 2012, Paris” • Presenter: Hannes Tschofenig

  2. Workshop Organizers • Hannes Tschofenig • Jari Arkko • Carsten Bormann • Peter Friess • Cullen Jennings • Antonio Skarmeta • Zach Shelby • Thomas Heide Clausen (Host)

  3. Workshop Info • Webpage: http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/ • Papers and slides will be copied to this website after the meeting. Currently, they are temporarily here: • Position papers: http://www.tschofenig.priv.at/sos-papers/PositionPapers.htm • Agenda & slides: http://www.tschofenig.priv.at/wp/?p=874

  4. Workshop Goals • We had a gut feeling that we might have problems with securing smart object networks. • Had received input already in the March 2011 Prague IAB Smart Object workshop. • Bring together implementation experience, application requirements, and researchers and protocol designers • What deployment experience is there? • What credential types are most common? • What implementation techniques make it possible to use Internet security technology in these devices? • What are the challenges?

  5. Requirements & Economics • Requirements for each application domain differ • also driven by the business models and number of devices that need to be provisioned • Understanding of threats differs between the different communities: • Attacks are not just from neighbor's kids • Also, e.g., taking-the-grid-down attacks • Installation by regular people

  6. Implementation Experiences • We think we can use the existing crypto algorithms • We probably can use the existing protocols (delta a few minor extensions). • Lots of implementation work being done by the participants (e.g., TLS, DTLS, PANA, EAP, HIP) but still more investigations needed. • Important aspect: Focus on the system! • Look at the code size of the entire system (including provisioning, authorization, config) • Focus on what to optimize for varies among the different deployments • Energy consumption, code size, main memory size, over-the-wire bandwidth

  7. Authorization Discussion • Many questions were raised, for example: • Which device is authorized to talk to which other device? • What is the role of the human? • Where is the policy decision point and the policy enforcement point in the network? • What is the granularity of the authorization decision? • What needs to be standardized? • Seems to be the most challenging aspect. • Not clear whether there is any IETF standards work needed?

  8. Imprinting Discussion • There is a limited set of solutions • Based on the hardware support of devices: buttons vs. labels vs. LEDs, multicast discovery, online network availability, ... • Again, the threat assumptions matter and who is supposed to do the credential provisioning. • A fun area to design protocols in • Detailed discussion about a specific proposal from Cullen Jennings. http://www.tschofenig.priv.at/sos-papers/CullenJennings.pdf

  9. Next Steps • Document the implementation experience in the LWIG group. • A few already ongoing security standards activities (e.g., TLS raw public keys, JOSE on JSON encryption and signing). • Maybe discussions around imprinting protocols in the IETF in the future. • There is no single security architecture for smart objects (not even a small number of them).
