--- 1/draft-ietf-ace-usecases-01.txt 2015-02-05 02:14:58.665586877 -0800 +++ 2/draft-ietf-ace-usecases-02.txt 2015-02-05 02:14:58.721588271 -0800 @@ -1,25 +1,25 @@ ACE Working Group L. Seitz, Ed. Internet-Draft SICS Swedish ICT AB Intended status: Informational S. Gerdes, Ed. -Expires: July 17, 2015 Universitaet Bremen TZI +Expires: August 9, 2015 Universitaet Bremen TZI G. Selander Ericsson M. Mani Itron S. Kumar Philips Research - January 13, 2015 + February 05, 2015 ACE use cases - draft-ietf-ace-usecases-01 + draft-ietf-ace-usecases-02 Abstract Constrained devices are nodes with limited processing power, storage space and transmission capacities. These devices in many cases do not provide user interfaces and are often intended to interact without human intervention. This document comprises a collection of representative use cases for the application of authentication and authorization in constrained @@ -41,21 +41,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 17, 2015. + This Internet-Draft will expire on August 9, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -71,35 +71,35 @@ 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Container monitoring . . . . . . . . . . . . . . . . . . 4 2.1.1. Bananas for Munich . . . . . . . . . . . . . . . . . 5 2.1.2. Authorization Problems Summary . . . . . . . . . . . 6 2.2. Home Automation . . . . . . . . . . . . . . . . . . . . . 6 2.2.1. Controlling the Smart Home Infrastructure . . . . . . 7 2.2.2. Seamless Authorization . . . . . . . . . . . . . . . 7 2.2.3. Remotely letting in a visitor . . . . . . . . . . . . 7 2.2.4. Authorization Problems Summary . . . . . . . . . . . 8 - 2.3. Personal Health Monitoring . . . . . . . . . . . . . . . 8 + 2.3. Personal Health Monitoring . . . . . . . . . . . . . . . 9 2.3.1. John and the heart rate monitor . . . . . . . . . . . 9 2.3.2. Authorization Problems Summary . . . . . . . . . . . 10 2.4. Building Automation . . . . . . . . . . . . . . . . . . . 11 2.4.1. Device Lifecycle . . . . . . . . . . . . . . . . . . 11 2.4.2. Authorization Problems Summary . . . . . . . . . . . 13 2.5. Smart Metering . . . . . . . . . . . . . . . . . . . . . 14 2.5.1. Drive-by metering . . . . . . . . . . . . . . . . . . 14 2.5.2. Meshed Topology . . . . . . . . . . . . . . . . . . . 15 2.5.3. Advanced Metering Infrastructure . . . . . . . . . . 15 2.5.4. Authorization Problems Summary . . . . . . . . . . . 16 2.6. Sports and Entertainment . . . . . . . . . . . . . . . . 16 2.6.1. Dynamically Connecting Smart Sports Equipment . . . . 17 2.6.2. Authorization Problems Summary . . . . . . . . . . . 17 - 2.7. Industrial Control Systems . . . . . . . . . . . . . . . 17 + 2.7. Industrial Control Systems . . . . . . . . . . . . . . . 18 2.7.1. Oil Platform Control . . . . . . . . . . . . . . . . 18 2.7.2. Authorization Problems Summary . . . . . . . . . . . 18 3. Security Considerations . . . . . . . . . . . . . . . . . . . 19 3.1. Attacks . . . . . . . . . . . . . . . . . . . . . 
. . . . 19 3.2. Configuration of Access Permissions . . . . . . . . . . . 20 3.3. Design Considerations for Authorization Solutions . . . . 21 3.4. Proxies . . . . . . . . . . . . . . . . . . . . . . . . . 22 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 22 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 
@@ -141,49 +141,50 @@ generic. 1.1. Terminology Readers are required to be familiar with the terms defined in [RFC7228]. In addition, this document uses the following terminology: Resource: An item of interest. - Resource Server: The device which hosts resources the Client wants to - access. Resource Servers might be constrained devices. + Resource Server: The endpoint which hosts resources the Client wants + to access. Resource Servers might be located on constrained + devices. - Client: A device which wants to access a resource on the Resource - Server. This could also be a constrained device. + Client: An endpoint which wants to access a resource on the Resource + Server. This could also be located on a constrained device. - Resource Owner: The subject who owns the resource and controls its - access permissions. + Resource Owner: The subject who controls the access permissions of a + resource. - Device Owner: The subject who owns a certain device and controls its - access permissions. + Client Owner: The subject who controls the access permissions of a + client. - Principal: A subject who is either a resource owner or a device owner - or both. + Principal: A subject who is either a resource owner or a client + owner or both. 2. Use Cases This section lists use cases involving constrained devices with certain authorization problems to be solved. Each use case first presents a general description of the application area, then one or more specific use cases, and finally a summary of the authorization- related problems principals need to be solved. There are various reasons for assigning a function (client or server) to a device, e.g. which device initiates the conversation, how do devices find each other, etc. The definition of the function of a device in a certain use case is not in scope of this document. 
Readers should be aware that there might be reasons for each setting - and that devices might even have different functions at different + and that endpoints might even have different functions at different times. 2.1. Container monitoring The ability of sensors to communicate environmental data wirelessly opens up new application areas. The use of such sensor systems makes it possible to continuously track and transmit specific characteristics such as temperature, humidity and gas content during the transportation and storage of goods. @@ -195,22 +196,22 @@ During the shipment to their destination the goods often pass stops where they are transloaded to other means of transportation, e.g. from ship transport to road transport. The transportation and storage of perishable goods is especially challenging since they have to be stored at a constant temperature and with proper ventilation. Additionally, it is very important for the vendors to be informed about irregularities in the temperature and ventilation of fruits to avoid the delivery of decomposed fruits to their customers. The need for a constant monitoring of perishable - goods has led to projects such as The Intelligent Container (http:// - www.intelligentcontainer.com). + goods has led to projects such as The Intelligent Container + (http://www.intelligentcontainer.com). 2.1.1. Bananas for Munich A fruit vendor grows bananas in Costa Rica for the German market. It instructs a transport company to deliver the goods via ship to Rotterdam where they are picked up by trucks and transported to a ripening facility. A Munich supermarket chain buys ripened bananas from the fruit vendor and transports them from the ripening facility to the individual markets with their own company trucks. 
@@ -246,25 +247,26 @@ system and to monitor the degree of ripeness of the bananas. Ripe bananas need to be identified and sold before they spoil. The supermarket chain gains ownership of the banana boxes when the bananas have ripened and are ready to leave the ripening facility. 2.1.2. Authorization Problems Summary o U1.1 Principals such as the fruit vendor, the transloading personnel or the container owners want to grant different access - rights for their resource to different parties and want to control - which devices are allowed to present data to their devices. + rights for their resources to different parties and want to + control which resource servers are allowed to present data to + their clients. o U1.2 Principals want to grant different access rights for - different resources on a device. + different resources on an endpoint. o U1.3 The principals require the integrity of sensor data. o U1.4 The principals require the confidentiality of sensor data. o U1.5 The principals are not always present at the time of access and cannot manually intervene in the authorization process. o U1.6 The principals want to grant temporary access permissions to a party. 
@@ -292,25 +294,25 @@ use), the configuration must use secure default settings, and the interface must be well adapted to novice users. 2.2.1. Controlling the Smart Home Infrastructure Alice and her husband Bob own a flat which is equipped with home automation devices such as HVAC and shutter control, and they have a motion sensor in the corridor which controls the light bulbs there. Alice and Bob can control the shutters and the temperature in each - room using either wall-mounted touch panels or with an internet - connected device (e.g. a smartphone). Since Alice and Bob both have - a full-time job, they want to be able to change settings remotely, - e.g. turn up the heating on a cold day if they will be home earlier - than expected. + room using either wall-mounted touch panels or an internet connected + device (e.g. a smartphone). Since Alice and Bob both have a full- + time job, they want to be able to change settings remotely, e.g. turn + up the heating on a cold day if they will be home earlier than + expected. The couple does not want people in radio range of their devices, e.g. their neighbors, to be able to control them without authorization. Moreover, they don't want burglars to be able to deduce behavioral patterns from eavesdropping on the network. 2.2.2. Seamless Authorization Alice buys a new light bulb for the corridor and integrates it into the home network, i.e. makes resources known to other devices in the 
@@ -321,23 +323,23 @@ the need for additional administration effort. She provides the necessary configurations for that. 2.2.3. Remotely letting in a visitor Alice and Bob have equipped their home with automated connected door- locks and an alarm system at the door and the windows. The couple can control this system remotely. Alice and Bob have invited Alice's parents over for dinner, but are - stuck in traffic and can not arrive in time, while Alice's parents - who use the subway will arrive punctually. Alice calls her parents - and offers to let them in remotely, so they can make themselves + stuck in traffic and cannot arrive in time, while Alice's parents who + use the subway will arrive punctually. Alice calls her parents and + offers to let them in remotely, so they can make themselves comfortable while waiting. Then Alice sets temporary permissions that allow them to open the door, and shut down the alarm. She wants these permissions to be only valid for the evening since she does not like it if her parents are able to enter the house as they see fit. When Alice's parents arrive at Alice's and Bob's home, they use their smartphone to communicate with the door-lock and alarm system. 2.2.4. Authorization Problems Summary 
@@ -423,25 +426,25 @@ stores data on John's heart rate, which can later be accessed by a physician to assess the condition of John's heart. However John is a privacy conscious person, and is worried that Jill might use HeartGuard to monitor his location while there is no emergency. Furthermore he doesn't want his health insurance to get access to the HeartGuard data, or even to the fact that he is wearing a HeartGuard, since they might refuse to renew his insurance if they decided he was too big a risk for them. - Finally John, while being comfortable with modern technology and able - to operate it reasonably well, is not trained in computer security. - He therefore need an interface for the configuration of the - HeartGuard security that is easy to understand and use. If John does - not understand the meaning of some setting, he tends to leave it + Finally John, while being comfortable with modern technology, and + able to operate it reasonably well, is not trained in computer + security. He therefore needs an interface for the configuration of + the HeartGuard security that is easy to understand and use. If John + does not understand the meaning of a setting, he tends to leave it alone, assuming that the manufacturer has initialized the device to secure settings. NOTE: Monitoring of some state parameter (e.g. an alarm button) and the position of a person also fits well into an elderly care service. This is particularly useful for people suffering from dementia, where the relatives or caregivers need to be notified of the whereabouts of the person under certain conditions. In this case it is not the patient that decides about access. 
@@ -543,27 +546,27 @@ shares some of the common spaces with company A. On a really hot day James who works for company A turns on the air condition in his office. Lucy who works for company B wants to make tea using an electric kettle. After she turned it on she goes outside to talk to a colleague until the water is boiling. Unfortunately, her kettle has a malfunction which causes overheating and results in a smoldering fire of the kettle's plastic case. Due to the smoke coming from the kettle the fire alarm is triggered. Alarm sirens throughout the building are switched on simultaneously - (using a broadcast or multicast) to alert the staff of both - companies. Additionally, the ventilation system of the whole - building is closed off to prevent the smoke from spreading and to - withdraw oxygen from the fire. The smoke cannot get into James' - office although he turned on his air condition because the fire alarm - overrides the manual setting by sending commands (broadcast or - multicast) to switch off all the air conditioning. + (using a broadcastor multicast) to alert the staff of both companies. + Additionally, the ventilation system of the whole building is closed + off to prevent the smoke from spreading and to withdraw oxygen from + the fire. The smoke cannot get into James' office although he turned + on his air condition because the fire alarm overrides the manual + setting by sending commands (broadcast or multicast) to switch off + all the air conditioning. The fire department is notified of the fire automatically and arrives within a short time. After inspecting the damage and extinguishing the smoldering fire a fire fighter resets the fire alarm because only the fire department is authorized to do that. 2.4.1.3. Maintenance Company A's staff are annoyed that the lights switch off too often in their rooms if they work silently in front of their computer. 
@@ -599,37 +602,37 @@ o U4.2 Principals want to be able to integrate a device that formerly belonged to a different administrative domain to their own administrative domain (handover). o U4.3 Principal want to be able to remove a device from their administrative domain (decomissioning). o U4.4 Principals want to be able to delegate selected administration tasks for their devices to others. - o U4.5 The device owner wants to be able to define context-based + o U4.5 The principal wants to be able to define context-based Authorization rules. - o U4.6 The device owner wants to be able to revoke granted - permissions and delegations. + o U4.6 The principal wants to be able to revoke granted permissions + and delegations. - o U4.7 The device owner wants to allow only authorized access to - device resources (default deny). + o U4.7 The principal wants to allow authorized entities to send data + to their endpoints (default deny). - o U4.8 The device owner wants to be able to authorize a device to + o U4.8 The principal wants to be able to authorize a device to control several devices at the same time using a multicast protocol. o U4.9 Principals want to be able to interconnect their own subsystems with those from a different operational domain while keeping the control over the authorizations (e.g. granting and - revoking permissions) for their devices. + revoking permissions) for their endpoints and devices. 2.5. Smart Metering Automated measuring of customer consumption is an established technology for electricity, water, and gas providers. Increasingly these systems also feature networking capability to allow for remote management. Such systems are in use for commercial, industrial and residential customers and require a certain level of security, in order to avoid economic loss to the providers, vulnerability of the distribution system, as well as disruption of services for the 
@@ -712,37 +715,37 @@ during the last 72 hours". 2.5.4. Authorization Problems Summary o U5.1 Devices are installed in hostile environments where they are physically accessible by attackers. Principals want to make sure that an attacker cannot use a captured device to attack other parts of their infrastructure. o U5.2 Principals want to restrict which entities are allowed to - write data to the devices and thus ensure the integrity of the - data on their devices. + send data to their resources and endpoints and thus ensure the + integrity of the data on their endpoints. o U5.3 The principal wants to control which entities are allowed to - read data on the devices and protect such data in transfer. + read data on their resources and protect such data in transfer. o U5.4 The devices may have intermittent Internet connectivity. o U5.5 The principal is not always present at the time of access and cannot manually intervene in the authorization process. o U5.6 When authorization policies are updated it is impossible, or - at least very inefficient to contact all affected devices + at least very inefficient to contact all affected endpoints directly. - o U5.7 Messages between a client and the device may need to be - stored and forwarded over multiple nodes. + o U5.7 Messages between a client and a resource server may need to + be stored and forwarded over multiple nodes. 2.6. Sports and Entertainment In the area of leisure time activities, applications can benefit from the small size and weight of constrained devices. Sensors and actuators with various functionalities can be integrated into fitness equipment, games and even clothes. Principals can carry their devices around with them at all times. Usability is especially important in this area since principals will 
@@ -784,22 +787,22 @@ 2.6.2. Authorization Problems Summary o U6.1 The principal wants to be able to grant access rights dynamically when needed. o U6.2 The principle wants the configuration of access rights to work with very little effort. o U6.3 The principal wants to be able to preconfigure access - policies that grant certain access permissions to devices with - certain attributes (e.g. devices of a certain user) without + policies that grant certain access permissions to endpoints with + certain attributes (e.g. endpoints of a certain user) without additional configuration effort at the time of access. o U6.4 Principals wants to protect the confidentiality of their data for privacy reasons. o U6.5 Devices might not have an Internet connection at the time of access. 2.7. Industrial Control Systems 
@@ -813,22 +816,22 @@ general public how vulnerable this kind of systems are, especially when connected to the Internet. The severity of these vulnerabilities are exacerbated by the fact that many ICS are used to control critical public infrastructure, such as power, water treatment of traffic control. Nevertheless the economical advantages of connecting such systems to the Internet can be significant if appropriate security measures are put in place. 2.7.1. Oil Platform Control - An oil platform uses an industrial control system to monitor data and - control equipment. The purpose of this system is to gather and + An oil platform uses an industrical control system to monitor data + and control equipment. The purpose of this system is to gather and process data from a large number of sensors, and control actuators such as valves and switches to steer the oil extraction process on the platform. Raw data, alarms, reports and other information are also available to the operators, who can intervene with manual commands. Many of the sensors are connected to the controlling units by direct wire, but the operator is slowly replacing these units by wireless ones, since this makes maintenance easier. The controlling units are connected to the Internet, to allow for remote administration, since it is expensive and inconvenient to fly 
@@ -846,40 +849,39 @@ 2.7.2. Authorization Problems Summary o U7.1 The principal wants to ensure that only authorized clients can read data from sensors and sent commands to actuators. o U7.2 The principal wants to ensure that data coming from sensors and commands sent to actuators are authentic. o U7.3 Some devices do not have direct Internet connection. - o U7.4 Some devices have wired connection while other use wireless. + o U7.4 Some devices have wired connection while others use wireless. o U7.5 The execution of unauthorized commands in an ICS can lead to significant financial damage, and threaten the availability of critical infrastructure services. Accordingly, the principal wants a security solution that provides a very high level of security. 3. Security Considerations As the use cases listed in this document demonstrate, constrained devices are used in various application areas. The appeal of these devices is that they are small and inexpensive. That makes it easy to integrate them into many aspects of everyday life. Therefore, the devices will be entrusted with vast amounts of valuable data or even control functions, that need to be protected from unauthorized - access. - Moreover, the aggregation of data must be considered: attackers might - not only collect data from a single device but from many devices, - thus increasing the potential damage. + access. Moreover, the aggregation of data must be considered: + attackers might not only collect data from a single device but from + many devices, thus increasing the potential damage. Not only the data on the constrained devices themselves is threatened, the devices might also be abused as an intrusion point to infiltrate a network. Once an attacker gained control over the device, it can be used to attack other devices as well. Due to their limited capabilities, constrained devices appear as the weakest link in the network and hence pose an attractive target for attackers. 
This section summarizes the security problems highlighted by the use cases above and provides guidelines for the design of protocols for @@ -925,23 +927,24 @@ o Size of code required to run the protocol o Size of RAM memory and stack required to run the protocol Another category of attacks that needs to be considered by solution developers is session interception and hijacking. 3.2. Configuration of Access Permissions o The access control policies of the principals need to be enforced - (all use cases): The access control policies set by the Principals - need to be provisioned to the device that enforces the - authorization and applied to every incoming request. + (all use cases): The information that is needed to implement the + access control policies of the Principals need to be provided to + the device that enforces the authorization and applied to every + incoming request. o A single resource might have different access rights for different requesting entities (all use cases). Rationale: In some cases different types of users need different access rights, as opposed to a binary approach where the same access permissions are granted to all authenticated users. o A device might host several resources where each resource has its own access control policy (all use cases). 
@@ -958,56 +961,57 @@ o Devices need to be enabled to enforce the principal's authorization policies without the principal's intervention at the time of the access request (see e.g. Section 2.1, Section 2.2, Section 2.4, Section 2.5). o Authorization solutions need to consider that constrained devices might not have internet access at the time of the access request (see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6). o It should be possible to update access control policies without - manually re-provisioning individual devices (see e.g. Section 2.2, - Section 2.3, Section 2.5, Section 2.6). + manually re-provisioning individual devices (see e.g. + Section 2.2, Section 2.3, Section 2.5, Section 2.6). Rationale: Peers can change rapidly which makes manual re- provisioning unreasonably expensive. o Principals might define authorization policies for a large number of devices that might only have intermittent connectivity. Distributing policy updates to every device for every update might - not be a feasible solution. + not be a feasible solution (see e.g. Section 2.5). o It must be possible to dynamically revoke authorizations (see e.g. Section 2.4). o The authentication and access control protocol can put undue - burden on the constrained resources of a device participating in - the protocol. An authorization solutions must take the - limitations of the constrained devices into account (see also - Section 3.1). + burden on the constrained system resources of a device + participating in the protocol. An authorization solutions must + take the limitations of the constrained devices into account (all + use cases, see also Section 3.1). o Secure default settings are needed for the initial state of the authentication and authorization protocols (all use cases). Rationale: Many attacks exploit insecure default settings, and experience shows that default settings are frequently left unchanged by the end users. 
o Access to resources on other devices should only be permitted if a - rule exists that explicitly allows this access (default deny). + rule exists that explicitly allows this access (default deny) (see + e.g. Section 2.4). o Usability is important for all use cases. The configuration of authorization policies as well as the gaining access to devices must be simple for the users of the devices. Special care needs to be taken for home scenarios where access control policies have to be configured by users that are typically not trained in - security (see Section 2.2, Section 2.6). + security (see Section 2.2, Section 2.3, Section 2.6). 3.4. Proxies In some cases, the traffic between Client and Resource Server might go through intermediary nodes (e.g. proxies, gateways). This might affect the function or the security model of authentication and access control protocols e.g. end-to-end security between Client and Resource Server with DTLS might not be possible (see Section 2.5). 4. Privacy Considerations
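Review bot: The terminology hunk (@@ -141,49 +141,50 @@) renames "Device Owner" to "Client Owner" and switches the Resource Server and Client definitions from "device" to "endpoint", but the unchanged context sentence just below it, "a summary of the authorization- related problems principals need to be solved", is ungrammatical; since the hunk already touches this region, suggest "a summary of the authorization-related problems that principals need to have solved". The "Principal" definition should also be checked against the rest of the draft for any remaining "device owner" wording that this rename leaves behind.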
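Review bot: The rewrap in hunk @@ -543,27 +546,27 @@ introduces a typo: "(using a broadcastor multicast)" has lost the space that the removed line "(using a broadcast or multicast)" had. Suggest restoring "broadcast or multicast".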
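Review bot: Hunk @@ -813,22 +816,22 @@ replaces the correct "industrial control system" with "industrical control system"; the rewrap should keep "industrial".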
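Review bot: In hunk @@ -599,37 +602,37 @@, the rewording of U4.7 drops the word "only": "wants to allow authorized entities to send data to their endpoints (default deny)" no longer expresses the default-deny rule the parenthetical names, because allowing authorized entities does not by itself exclude unauthorized ones. Suggest "wants to allow only authorized entities to send data to their endpoints (default deny)". The context lines "U4.3 Principal want" and "(decomissioning)" could be fixed in the same pass ("Principals want", "decommissioning").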
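Review bot: Hunk @@ -784,22 +787,22 @@ leaves the context line "U6.2 The principle wants" untouched, but "principle" should be "principal" (the defined term used in U6.1 and U6.3), and "U6.4 Principals wants" should read "Principals want". Both are within the region this hunk rewrites.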
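Review bot: Hunk @@ -846,40 +849,39 @@ fixes "other use wireless" in U7.4 but leaves "can read data from sensors and sent commands to actuators" in U7.1 two items above; suggest "send commands".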
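Review bot: The new wording in hunk @@ -925,23 +927,24 @@ has a subject-verb mismatch: "The information that is needed to implement the access control policies of the Principals need to be provided" should read "needs to be provided". The capitalized "Principals" is also inconsistent with the lower-case "principals" in the same bullet's opening line.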
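Review bot: Hunk @@ -958,56 +961,57 @@ rewraps "An authorization solutions must take the limitations of the constrained devices into account" without fixing the number agreement; suggest "An authorization solution must take". The added "(all use cases, see also Section 3.1)" and "(see e.g. Section 2.5)" cross-references are consistent with the use-case summaries above.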
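Review bot: Minor style point in hunk @@ -292,25 +294,25 @@: the rewrapped line "or an internet connected device (e.g. a smartphone)" would read better hyphenated as "internet-connected device", matching the compound-modifier style used elsewhere (e.g. "wall-mounted touch panels" in the same sentence).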