draft-ietf-ace-usecases-03.txt   draft-ietf-ace-usecases-04.txt 
ACE Working Group                                             L. Seitz, Ed.
Internet-Draft                                          SICS Swedish ICT AB
Intended status: Informational                               S. Gerdes, Ed.
Expires: December 6, 2015                            Universitaet Bremen TZI
                                                                G. Selander
                                                                   Ericsson
                                                                    M. Mani
                                                                      Itron
                                                                   S. Kumar
                                                           Philips Research
                                                              June 04, 2015

                              ACE use cases
                        draft-ietf-ace-usecases-04

   (The text below is that of draft-04.  The previous revision, draft-03,
   was dated March 09, 2015 and expired September 10, 2015.)
Abstract

   Constrained devices are nodes with limited processing power, storage
   space and transmission capacities.  These devices in many cases do
   not provide user interfaces and are often intended to interact
   without human intervention.

   This document comprises a collection of representative use cases for
   the application of authentication and authorization in constrained

   [...]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 6, 2015.
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [...]
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Container monitoring  . . . . . . . . . . . . . . . . . .   4
       2.1.1.  Bananas for Munich  . . . . . . . . . . . . . . . . .   5
       2.1.2.  Authorization Problems Summary  . . . . . . . . . . .   6
     2.2.  Home Automation . . . . . . . . . . . . . . . . . . . . .   6
       2.2.1.  Controlling the Smart Home Infrastructure . . . . . .   7
       2.2.2.  Seamless Authorization  . . . . . . . . . . . . . . .   7
       2.2.3.  Remotely letting in a visitor . . . . . . . . . . . .   7
       2.2.4.  Selling the house . . . . . . . . . . . . . . . . . .   8
       2.2.5.  Authorization Problems Summary  . . . . . . . . . . .   8
     2.3.  Personal Health Monitoring  . . . . . . . . . . . . . . .   9
       2.3.1.  John and the heart rate monitor . . . . . . . . . . .  10
       2.3.2.  Authorization Problems Summary  . . . . . . . . . . .  11
     2.4.  Building Automation . . . . . . . . . . . . . . . . . . .  11
       2.4.1.  Device Lifecycle  . . . . . . . . . . . . . . . . . .  12
       2.4.2.  Authorization Problems Summary  . . . . . . . . . . .  14
     2.5.  Smart Metering  . . . . . . . . . . . . . . . . . . . . .  15
       2.5.1.  Drive-by metering . . . . . . . . . . . . . . . . . .  15
       2.5.2.  Meshed Topology . . . . . . . . . . . . . . . . . . .  16
       2.5.3.  Advanced Metering Infrastructure  . . . . . . . . . .  16
       2.5.4.  Authorization Problems Summary  . . . . . . . . . . .  16
     2.6.  Sports and Entertainment  . . . . . . . . . . . . . . . .  17
       2.6.1.  Dynamically Connecting Smart Sports Equipment . . . .  17
       2.6.2.  Authorization Problems Summary  . . . . . . . . . . .  18
     2.7.  Industrial Control Systems  . . . . . . . . . . . . . . .  18
       2.7.1.  Oil Platform Control  . . . . . . . . . . . . . . . .  19
       2.7.2.  Authorization Problems Summary  . . . . . . . . . . .  19
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .  19
     3.1.  Attacks . . . . . . . . . . . . . . . . . . . . . . . . .  20
     3.2.  Configuration of Access Permissions . . . . . . . . . . .  21
     3.3.  Design Considerations for Authorization Solutions . . . .  22
     3.4.  Proxies . . . . . . . . . . . . . . . . . . . . . . . . .  23
   4.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  23
   5.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  23
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
   7.  Informative References  . . . . . . . . . . . . . . . . . . .  24
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24
1.  Introduction

   Constrained devices [RFC7228] are nodes with limited processing
   power, storage space and transmission capacities.  These devices are
   often battery-powered and in many cases do not provide user
   interfaces.

   Constrained devices benefit from being interconnected using Internet
   protocols.  However, due to the devices' limitations, commonly used

   [...]
   During the shipment to their destination the goods often pass stops
   where they are transloaded to other means of transportation, e.g.
   from ship transport to road transport.

   The transportation and storage of perishable goods is especially
   challenging since they have to be stored at a constant temperature
   and with proper ventilation.  Additionally, it is very important for
   the vendors to be informed about irregularities in the temperature
   and ventilation of fruits to avoid the delivery of decomposed fruits
   to their customers.  The need for constant monitoring of perishable
   goods has led to projects such as The Intelligent Container
   (http://www.intelligentcontainer.com).
2.1.1.  Bananas for Munich

   A fruit vendor grows bananas in Costa Rica for the German market.  It
   instructs a transport company to deliver the goods via ship to
   Rotterdam where they are picked up by trucks and transported to a
   ripening facility.  A Munich supermarket chain buys ripened bananas
   from the fruit vendor and transports them from the ripening facility
   to the individual markets with their own company trucks.

   The fruit vendor's quality management wants to assure the quality of
   their products and thus equips the banana boxes with sensors.  The
   state of the goods is monitored consistently during shipment and
   ripening and abnormal sensor values are recorded (U1.2).
   Additionally, the sensor values are used to control the climate
   within the cargo containers (U1.1, U1.5, U1.7).  The sensors
   therefore need to communicate with the climate control system.  Since
   a wrong sensor value leads to a wrong temperature and thus to spoiled
   goods, the integrity of the sensor data must be assured (U1.2, U1.3).
   The banana boxes within a container will in most cases belong to the
   same owner.  Adjacent containers might contain goods and sensors of
   different owners (U1.1).

   The personnel that transloads the goods must be able to locate the
   goods meant for a specific customer (U1.1, U1.6, U1.7).  However the
   fruit vendor does not want to disclose sensor information pertaining
   to the condition of the goods to other companies and therefore wants
   to assure the confidentiality of this data (U1.4).  Thus, the
   transloading personnel is only allowed to access logistic information
   (U1.1).  Moreover, the transloading personnel is only allowed to
   access the data for the time of the transloading (U1.8).

   Due to the high water content of the fruits, the propagation of radio
   waves is hindered, thus often inhibiting direct communication between
   nodes [Jedermann14].  Instead, messages are forwarded over multiple
   hops (U1.9).  The sensors in the banana boxes cannot always reach the
   Internet during the journey (U1.10).

   In the ripening facility bananas are stored until they are ready for
   selling.  The banana box sensors are used to control the ventilation
   system and to monitor the degree of ripeness of the bananas.  Ripe
   bananas need to be identified and sold before they spoil (U1.2,
   U1.8).

   The supermarket chain gains ownership of the banana boxes when the
   bananas have ripened and are ready to leave the ripening facility.
2.1.2.  Authorization Problems Summary

   o  U1.1 Fruit vendors, transloading personnel and container owners
      want to grant different authorizations for their resources and/or
      endpoints to different parties.

   o  U1.2 The fruit vendor requires the integrity of the sensor data
      that pertains to the state of the goods, for climate control and to
      ensure the quality of the monitored recordings.

   o  U1.3 The container owner requires the integrity of the sensor data
      that is used for climate control.

   o  U1.4 The fruit vendor requires the confidentiality of the sensor
      data that pertains to the state of the goods and the
      confidentiality of location data, e.g., to protect them from
      targeted attacks from competitors.

   o  U1.5 The fruit vendor may have several types of data that may be
      controlled by the same endpoint, e.g., sensor data and the data
      used for logistics.

   o  U1.6 The fruit vendor and the transloading personnel require the
      integrity of the data that is used to locate the goods, in order
      to ensure that the goods are correctly treated and delivered.

   o  U1.7 The container owner and the fruit vendor may not be present
      at the time of access and cannot manually intervene in the
      authorization process.

   o  U1.8 The fruit vendor, container owner and transloading company
      want to grant temporary access permissions to a party, in order to
      avoid giving permanent access to parties that are no longer
      involved in processing the bananas.

   o  U1.9 Messages between client and resource server might need to be
      forwarded over multiple hops.

   o  U1.10 The constrained devices might not always be able to reach
      the Internet.
2.2.  Home Automation

   Automation of the home has the potential to become a big future
   market for the Internet of Things.  One function of a home automation
   system can be to connect devices in a house to the Internet and thus
   make them accessible and manageable remotely.  Such devices might
   control for example heating, ventilation, lighting, home
   entertainment or home security.

   Such a system needs to accommodate a number of regular users
   (inhabitants, close friends, cleaning personnel) as well as a
   heterogeneous group of dynamically varying users (visitors,
   repairmen, delivery men).

   As the users are not typically trained in security (or even computer
   use), the configuration must use secure default settings, and the
   interface must be well adapted to novice users.
2.2.1.  Controlling the Smart Home Infrastructure

   Alice and her husband Bob own a flat which is equipped with home
   automation devices such as HVAC and shutter control, and they have a
   motion sensor in the corridor which controls the light bulbs there
   (U2.5).

   Alice and Bob can control the shutters and the temperature in each
   room using either wall-mounted touch panels or an internet connected
   device (e.g. a smartphone).  Since Alice and Bob both have a full-
   time job, they want to be able to change settings remotely, e.g. turn
   up the heating on a cold day if they will be home earlier than
   expected (U2.5).

   The couple does not want people in radio range of their devices, e.g.
   their neighbors, to be able to control them without authorization.
   Moreover, they don't want burglars to be able to deduce behavioral
   patterns from eavesdropping on the network (U2.8).
2.2.2.  Seamless Authorization

   Alice buys a new light bulb for the corridor and integrates it into
   the home network, i.e. makes resources known to other devices in the
   network.  Alice makes sure that the new light bulb and her other
   devices in the network get to know the authorization policies for the
   new device.  Bob is not at home, but Alice wants him to be able to
   control the new device with his devices (e.g. his smartphone) without
   the need for additional administration effort (U2.7).  She provides
   the necessary configurations for that (U2.9, U2.10).
2.2.3.  Remotely letting in a visitor

   Alice and Bob have equipped their home with automated connected door-
   locks and an alarm system at the door and the windows.  The couple
   can control this system remotely.

   Alice and Bob have invited Alice's parents over for dinner, but are
   stuck in traffic and cannot arrive in time, while Alice's parents who
   use the subway will arrive punctually.  Alice calls her parents and
   offers to let them in remotely, so they can make themselves
   comfortable while waiting (U2.1, U2.6).  Then Alice sets temporary
   permissions that allow them to open the door, and shut down the alarm
   (U2.2).  She wants these permissions to be only valid for the evening
   since she does not like it if her parents are able to enter the house
   as they see fit (U2.3, U2.4).

   When Alice's parents arrive at Alice's and Bob's home, they use their
   smartphone to communicate with the door-lock and alarm system (U2.5,
   U2.9).
2.2.4.  Selling the house

   Alice and Bob have to move because Alice is starting a new job.  They
   therefore decide to sell the house, and transfer control of all
   automated services to the new owners (U2.11).  Before doing that they
   want to erase privacy relevant data from the logs of the automated
   systems, while the new owner is interested in keeping some historic
   data, e.g. pertaining to the behavior of the heating system (U2.12).

2.2.5.  Authorization Problems Summary
   o  U2.1 A home owner (Alice and Bob in the example above) wants to
      spontaneously provision authorization means to visitors.

   o  U2.2 A home owner wants to spontaneously change the home's access
      control policies.

   o  U2.3 A home owner wants to apply different access rights for
      different users.

   [...]
   o  U2.9 Usability is particularly important in this scenario since
      the necessary authorization related tasks in the lifecycle of the
      device (commissioning, operation, maintenance and decommissioning)
      likely need to be performed by the home owners who in most cases
      have little knowledge of security.

   o  U2.10 Home Owners want their devices to seamlessly (and in some
      cases even unnoticeably) fulfill their purpose.  The
      administration effort needs to be kept at a minimum.

   o  U2.11 Home Owners want to be able to transfer ownership of their
      automated systems when they sell the house.

   o  U2.12 Home Owners want to be able to sanitize the logs of the
      automated systems, when transferring ownership, without deleting
      important operational data.
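   As an added illustration that is not part of the draft: the
   temporary, narrowly scoped permissions of Section 2.1.1 (transloading
   personnel may read logistics data only, and only while transloading;
   U1.1, U1.4, U1.8, U1.10) and of Section 2.2.3 (the parents may open
   the door and disarm the alarm for one evening only; U2.1 to U2.4) can
   both be served by a token that an authorization server issues for one
   device, one set of resources and methods, and one validity window,
   and that the device checks on its own without contacting anyone.  The
   Python below is example code written for this page; the token format
   (JSON claims with an HMAC-SHA256 tag under a key the device shares
   with the authorization server), the claim names, the resource paths
   and the device names are assumptions chosen for illustration, not
   anything the draft specifies.

```python
# Added example for this page (not draft text): offline-verifiable,
# time-bounded, scope-limited access tokens for a constrained resource
# server (RS).  Token format, claim names and keys are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(as_rs_key: bytes, audience: str, scope: dict, nbf: int, exp: int) -> str:
    """Issued by the (assumed) authorization server, which shares as_rs_key with
    exactly one RS.  scope maps a resource path to the methods the bearer may use;
    nbf/exp bound the validity window in seconds."""
    claims = {"aud": audience, "scope": scope, "nbf": nbf, "exp": exp,
              "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(as_rs_key, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(tag)


class ResourceServer:
    """A constrained device that checks tokens locally: no network round trip
    and no owner present at access time (U1.7, U1.10)."""

    def __init__(self, name: str, as_rs_key: bytes):
        self.name = name
        self.key = as_rs_key  # provisioned at commissioning (assumption)

    def verify(self, token: str, now: int):
        """Return the claims if the token is genuine, meant for this RS and
        currently valid; otherwise None.  The MAC is checked before parsing."""
        try:
            body_s, tag_s = token.split(".")
            body, tag = _b64u_decode(body_s), _b64u_decode(tag_s)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # forged or modified in transit
            return None
        claims = json.loads(body)
        if claims.get("aud") != self.name:              # issued for another device
            return None
        if not claims["nbf"] <= now < claims["exp"]:    # outside the granted window
            return None
        return claims

    def authorize(self, token: str, now: int, resource: str, method: str) -> bool:
        claims = self.verify(token, now)
        return claims is not None and method in claims["scope"].get(resource, [])


def demo_evening_visitor():
    """Section 2.2.3: the parents may open the door and silence the alarm this
    evening only, and nothing else (U2.1 to U2.4).  Times: seconds since midnight."""
    key = secrets.token_bytes(32)
    lock = ResourceServer("doorlock", key)
    evening = issue_token(key, "doorlock", {"/lock": ["PUT"], "/alarm": ["PUT"]},
                          nbf=18 * 3600, exp=23 * 3600)
    return [
        lock.authorize(evening, 19 * 3600, "/lock", "PUT"),       # True: dinner time
        lock.authorize(evening, 19 * 3600, "/lock", "DELETE"),    # False: method not granted
        lock.authorize(evening, 19 * 3600, "/settings", "PUT"),   # False: resource not granted
        lock.authorize(evening, 23 * 3600 + 60, "/lock", "PUT"),  # False: expired
    ]


def demo_transloading():
    """Section 2.1.1: transloading staff read logistics data only, only during the
    transloading window, and only from the box the token names (U1.1, U1.4, U1.8)."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    box_a, box_b = ResourceServer("box-a", key_a), ResourceServer("box-b", key_b)
    handover = issue_token(key_a, "box-a", {"/logistics": ["GET"]}, nbf=1000, exp=2000)
    # A forwarding node on the multi-hop path (U1.9) tries to stretch the window.
    body_s, tag_s = handover.split(".")
    claims = json.loads(_b64u_decode(body_s))
    claims["exp"] = 9999
    stretched = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    forged = stretched + "." + tag_s
    return [
        box_a.authorize(handover, 1500, "/logistics", "GET"),     # True
        box_a.authorize(handover, 1500, "/sensors/temp", "GET"),  # False: confidential (U1.4)
        box_a.authorize(handover, 2500, "/logistics", "GET"),     # False: transloading over (U1.8)
        box_b.authorize(handover, 1500, "/logistics", "GET"),     # False: other box, other key
        box_a.authorize(forged, 2500, "/logistics", "GET"),       # False: MAC no longer matches
    ]


if __name__ == "__main__":
    print(demo_evening_visitor(), demo_transloading())
```

   Two caveats a practitioner would want here.  First, the device must
   know the current time to enforce the window, which an intermittently
   connected, battery-powered node (U1.10) cannot always guarantee; a
   device without a trustworthy clock has to fall back to a freshness
   mechanism it can check locally.  Second, a symmetric key shared with
   the authorization server lets a compromised device mint tokens for
   itself, so the example gives every device its own key and limits the
   damage of one compromised box to that box.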
2.3.  Personal Health Monitoring

   The use of wearable health monitoring technology is expected to grow
   strongly, as a multitude of novel devices are developed and marketed.
   The need for open industry standards to ensure interoperability
   between products has led to initiatives such as Continua Alliance
   (continuaalliance.org) and Personal Connected Health Alliance
   (pchalliance.org).  Personal health devices are typically battery
   driven, and located physically on the user.  They monitor some bodily
   function, such as e.g. temperature, blood pressure, or pulse.  They

   [...]
   Since the users are not typically trained in security (or even
   computer use), the configuration must use secure default settings,
   and the interface must be well adapted to novice users.  Parts of the
   system must operate with minimal maintenance.  Especially frequent
   changes of battery are unacceptable.
2.3.1.  John and the heart rate monitor

   John has a heart condition that can result in sudden cardiac
   arrests.  He therefore uses a device called HeartGuard that monitors
   his heart rate and his position (U3.7).  In case of a cardiac arrest
   it automatically sends an alarm to an emergency service, transmitting
   John's current location (U3.1).  This requires the device to be close
   to a wireless access point, in order to be able to get an Internet
   connection (e.g. John's smartphone).  To ensure John's safety, the
   device is expected to be in constant operation (U3.3, U3.6).

   The device includes some authentication mechanism, in order to
   prevent other persons who get physical access to it from acting as
   the owner and messing up the access control and security settings
   (U3.8).

   John can configure additional persons that get notified in an
   emergency, for example his daughter Jill.  Furthermore the device
   stores data on John's heart rate, which can later be accessed by a
   physician to assess the condition of John's heart (U3.2).

   However John is a privacy conscious person, and is worried that Jill
   might use HeartGuard to monitor his location while there is no
   emergency.  Furthermore he doesn't want his health insurance to get
   access to the HeartGuard data, or even to the fact that he is wearing
   a HeartGuard, since they might refuse to renew his insurance if they
   decided he was too big a risk for them (U3.8).

   Finally John, while being comfortable with modern technology and able
   to operate it reasonably well, is not trained in computer security.
   He therefore needs an interface for the configuration of the
   HeartGuard security that is easy to understand and use (U3.5).  If
   John does not understand the meaning of a setting, he tends to leave
   it alone, assuming that the manufacturer has initialized the device
   to secure settings (U3.4).

   NOTE: Monitoring of some state parameter (e.g. an alarm button) and
   the position of a person also fits well into an elderly care service.
   This is particularly useful for people suffering from dementia, where
   the relatives or caregivers need to be notified of the whereabouts of
   the person under certain conditions.  In this case it is not the
   patient that decides about access.
2.3.2. Authorization Problems Summary 2.3.2. Authorization Problems Summary
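Review bot: the NOTE paragraph at the end of 2.3.1 (elderly care, "it is not the patient that decides about access") is the only paragraph in this hunk that the revision leaves without a U3.x cross-reference, yet it introduces a distinct requirement: someone other than the device wearer configures and holds the access rights. Either tag it with the summary item that covers delegated administration or add one. The same applies to the sentence about Jill monitoring John's location "while there is no emergency", which describes access that must be conditional on the emergency state and currently carries no tag either.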
skipping to change at page 10, line 50 skipping to change at page 11, line 26
o U3.4 Devices are often used with default access control settings. o U3.4 Devices are often used with default access control settings.
o U3.5 Wearers of eHealth devices are often not trained in computer o U3.5 Wearers of eHealth devices are often not trained in computer
use, and especially computer security. use, and especially computer security.
o U3.6 Security mechanisms themselves could provide opportunities o U3.6 Security mechanisms themselves could provide opportunities
for denial of service attacks on the device. for denial of service attacks on the device.
o U3.7 The device provides a service that can be fatal for the o U3.7 The device provides a service that can be fatal for the
wearer if it fails. Accordingly, the wearer wants a security wearer if it fails. Accordingly, the wearer wants the device to
mechanism to provide a high level of security. have a high degree of resistance against attacks that may cause
the device to fail to operate partially or completely.
o U3.8 The wearer of an eHealth device requires the integrity and
confidentiality of the data measured by the device.
2.4. Building Automation 2.4. Building Automation
Buildings for commercial use such as shopping malls or office Buildings for commercial use such as shopping malls or office
buildings nowadays are equipped increasingly with semi-automatic buildings nowadays are equipped increasingly with semi-automatic
components to enhance the overall living quality and to save energy components to enhance the overall living quality and to save energy
where possible. This includes for example heating, ventilation and where possible. This includes for example heating, ventilation and
air condition (HVAC) as well as illumination and security systems air condition (HVAC) as well as illumination and security systems
such as fire alarms. such as fire alarms.
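Review bot: the new U3.8 ("integrity and confidentiality of the data measured by the device") is narrower than the narrative it is attached to: the paragraph tagged (U3.8) also says John does not want his insurer to learn "even ... the fact that he is wearing a HeartGuard", which is not data measured by the device. Suggest widening the item, e.g. "... of the data measured by the device, and of the fact that the device is in use at all." Also, the reworded U3.7 now overlaps U3.6 (both concern attacks that stop the device from operating); saying explicitly that U3.6 is about the security mechanism itself being turned into the attack vector would keep the two items distinct.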
skipping to change at page 11, line 41 skipping to change at page 12, line 22
spread out across the building. It also has automated HVAC, lighting spread out across the building. It also has automated HVAC, lighting
and physical access control systems. and physical access control systems.
A vacant area of the building has been recently leased to company A. A vacant area of the building has been recently leased to company A.
Before moving into its new office, Company A wishes to replace the Before moving into its new office, Company A wishes to replace the
lighting with a more energy efficient and a better light quality lighting with a more energy efficient and a better light quality
luminaries. They hire an installation and commissioning company C to luminaries. They hire an installation and commissioning company C to
redo the illumination. Company C is instructed to integrate the new redo the illumination. Company C is instructed to integrate the new
lighting devices, which may be from multiple manufacturers, into the lighting devices, which may be from multiple manufacturers, into the
existing lighting infrastructure of the building which includes existing lighting infrastructure of the building which includes
presence sensors, switches, controllers etc. presence sensors, switches, controllers etc (U4.1).
Company C gets the necessary authorization from the service company Company C gets the necessary authorization from the service company
to interact with the existing Building and Lighting Management System to interact with the existing Building and Lighting Management System
(BLMS). To prevent disturbance to other occupants of the building, (BLMS) (U4.4). To prevent disturbance to other occupants of the
Company C is provided authorization to perform the commissioning only building, Company C is provided authorization to perform the
during non-office hours and only to modify configuration on devices commissioning only during non-office hours and only to modify
belonging to the domain of Company A's space. After installation configuration on devices belonging to the domain of Company A's space
(wiring) of the new lighting devices, the commissioner adds the (U4.5). After installation (wiring) of the new lighting devices, the
devices into the company A's lighting domain. commissioner adds the devices into the company A's lighting domain.
Once the devices are in the correct domain, the commissioner Once the devices are in the correct domain, the commissioner
authorizes the interaction rules between the new lighting devices and authorizes the interaction rules between the new lighting devices and
existing devices like presence sensors. For this, the commissioner existing devices like presence sensors (U4.7). For this, the
creates the authorization rules on the BLMS which define which lights commissioner creates the authorization rules on the BLMS which define
form a group and which sensors/switches/controllers are allowed to which lights form a group and which sensors/switches/controllers are
control which groups. These authorization rules may be context based allowed to control which groups (U4.8). These authorization rules
like time of the day (office or non-office hours) or location of the may be context based like time of the day (office or non-office
handheld lighting controller etc. hours) or location of the handheld lighting controller etc (U4.5).
2.4.1.2. Operational 2.4.1.2. Operational
Company A's staff move into the newly furnished office space. Most Company A's staff move into the newly furnished office space. Most
lighting is controlled by presence sensors which control the lighting lighting is controlled by presence sensors which control the lighting
of specific group of lights based on the authorization rules in the of specific group of lights based on the authorization rules in the
BLMS. Additionally employees are allowed to manually override the BLMS. Additionally employees are allowed to manually override the
lighting brightness and color in their office by using the switches lighting brightness and color in their office by using the switches
or handheld controllers. Such changes are allowed only if the or handheld controllers. Such changes are allowed only if the
authorization rules exist in the BLMS. For example lighting in the authorization rules exist in the BLMS. For example lighting in the
corridors may not be manually adjustable. corridors may not be manually adjustable.
At the end of the day, lighting is dimmed down or switched off if no At the end of the day, lighting is dimmed down or switched off if no
occupancy is detected even if manually overridden during the day. occupancy is detected even if manually overridden during the day.
On a later date company B also moves into the same building, and On a later date company B also moves into the same building, and
shares some of the common spaces with company A. On a really hot day shares some of the common spaces with company A (U4.2, U4.9). On a
James who works for company A turns on the air condition in his really hot day James who works for company A turns on the air
office. Lucy who works for company B wants to make tea using an condition in his office. Lucy who works for company B wants to make
electric kettle. After she turned it on she goes outside to talk to tea using an electric kettle. After she turned it on she goes
a colleague until the water is boiling. Unfortunately, her kettle outside to talk to a colleague until the water is boiling.
has a malfunction which causes overheating and results in a Unfortunately, her kettle has a malfunction which causes overheating
smoldering fire of the kettle's plastic case. and results in a smoldering fire of the kettle's plastic case.
Due to the smoke coming from the kettle the fire alarm is triggered. Due to the smoke coming from the kettle the fire alarm is triggered.
Alarm sirens throughout the building are switched on simultaneously Alarm sirens throughout the building are switched on simultaneously
(using a broadcast or multicast) to alert the staff of both (using a broadcast or multicast) to alert the staff of both companies
companies. Additionally, the ventilation system of the whole (U4.8). Additionally, the ventilation system of the whole building
building is closed off to prevent the smoke from spreading and to is closed off to prevent the smoke from spreading and to withdraw
withdraw oxygen from the fire. The smoke cannot get into James' oxygen from the fire. The smoke cannot get into James' office
office although he turned on his air condition because the fire alarm although he turned on his air condition because the fire alarm
overrides the manual setting by sending commands (broadcast or overrides the manual setting by sending commands (broadcast or
multicast) to switch off all the air conditioning. multicast) to switch off all the air conditioning.
The fire department is notified of the fire automatically and arrives The fire department is notified of the fire automatically and arrives
within a short time. After inspecting the damage and extinguishing within a short time. After inspecting the damage and extinguishing
the smoldering fire a fire fighter resets the fire alarm because only the smoldering fire a fire fighter resets the fire alarm because only
the fire department is authorized to do that. the fire department is authorized to do that (U4.4, U4.5).
2.4.1.3. Maintenance 2.4.1.3. Maintenance
Company A's staff are annoyed that the lights switch off too often in Company A's staff are annoyed that the lights switch off too often in
their rooms if they work silently in front of their computer. their rooms if they work silently in front of their computer.
Company A notifies the commissioning Company C about the issue and Company A notifies the commissioning Company C about the issue and
asks them to increase the delay before lights switch off. asks them to increase the delay before lights switch off (U4.4).
Company C again gets the necessary authorization from the service Company C again gets the necessary authorization from the service
company to interact with the BLMS. The commissioner's tool gets the company to interact with the BLMS. The commissioner's tool gets the
necessary authorization from BMLS to send a configuration change to necessary authorization from BMLS to send a configuration change to
all lighting devices in Company A's offices to increase their delay all lighting devices in Company A's offices to increase their delay
before they switch off. before they switch off.
2.4.1.4. Decommissioning At some point the service company wants to update the firmware of
lighting devices in order to eliminate software bugs. Before
accepting the new firmware, each device checks the authorization of
the service company to perform this update.
2.4.1.4. Decommissioning
Company A has noticed that the handheld controllers are often Company A has noticed that the handheld controllers are often
misplaced and hard to find when needed. So most of the time staff misplaced and hard to find when needed. So most of the time staff
use the existing wall switches for manual control. Company A decides use the existing wall switches for manual control. Company A decides
it would be better to completely remove handheld controllers and asks it would be better to completely remove handheld controllers and asks
Company C to decommission them from the lighting system. Company C to decommission them from the lighting system (U4.4).
Company C again gets the necessary authorization from the service Company C again gets the necessary authorization from the service
company to interact with the BLMS. The commissioner now deletes any company to interact with the BLMS. The commissioner now deletes any
rules that allowed handheld controllers authorization to control the rules that allowed handheld controllers authorization to control the
lighting. Additionally the commissioner instructs the BLMS to push lighting (U4.3, U4.6). Additionally the commissioner instructs the
these new rules to prevent cached rules at the end devices from being BLMS to push these new rules to prevent cached rules at the end
used. devices from being used.
2.4.2. Authorization Problems Summary 2.4.2. Authorization Problems Summary
o U4.1 The building owner and the companies want to be able to add o U4.1 The building owner and the companies want to be able to add
new devices to their administrative domain (commissioning). new devices to their administrative domain (commissioning).
o U4.2 The building owner and the companies want to be able to o U4.2 The building owner and the companies want to be able to
integrate a device that formerly belonged to a different integrate a device that formerly belonged to a different
administrative domain to their own administrative domain administrative domain to their own administrative domain
(handover). (handover).
o U4.3 The building owner and the companies want to be able to o U4.3 The building owner and the companies want to be able to
remove a device from their administrative domain (decomissioning). remove a device from their administrative domain
(decommissioning).
o U4.4 The building owner and the companies want to be able to o U4.4 The building owner and the companies want to be able to
delegate selected administration tasks for their devices to delegate selected administration tasks for their devices to
others. others.
o U4.5 The building owner and the companies want to be able to o U4.5 The building owner and the companies want to be able to
define context-based authorization rules. define context-based authorization rules.
o U4.6 The building owner and the companies want to be able to o U4.6 The building owner and the companies want to be able to
revoke granted permissions and delegations. revoke granted permissions and delegations.
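Review bot: the new firmware-update paragraph in 2.4.1.3 ("each device checks the authorization of the service company to perform this update") is the only new scenario text without a U4.x reference, and none of the visible summary items (U4.1 to U4.6) states that a constrained device must itself verify the authorization of the party pushing configuration or firmware to it; add an item or tag the paragraph explicitly. Two smaller points: "necessary authorization from BMLS" in 2.4.1.3 is a typo for BLMS in both columns, and the decommissioning text about pushing new rules "to prevent cached rules at the end devices from being used" describes a revocation-propagation requirement that U4.6 ("revoke granted permissions and delegations") does not make explicit; U5.7 in the metering section spells out the equivalent problem and could be mirrored here.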
skipping to change at page 14, line 51 skipping to change at page 15, line 36
information. Drive-By metering is one of the most current solutions information. Drive-By metering is one of the most current solutions
deployed for collection of gas and water meters. deployed for collection of gas and water meters.
2.5.1. Drive-by metering 2.5.1. Drive-by metering
A service operator offers smart metering infrastructures and related A service operator offers smart metering infrastructures and related
services to various utility companies. Among these is a water services to various utility companies. Among these is a water
provider, who in turn supplies several residential complexes in a provider, who in turn supplies several residential complexes in a
city. The smart meters are installed in the end customer's homes to city. The smart meters are installed in the end customer's homes to
measure water consumption and thus generate billing data for the measure water consumption and thus generate billing data for the
utility company. The meters do so by sending data to a base station. utility company, they can also be used to shut off the water if the
Several base stations are installed around the city to collect the bills are not paid (U5.1, U5.3). The meters do so by sending and
metering data. However in the denser urban areas, the base stations receiving data to and from a base station (U5.2). Several base
would have to be installed very close to the meters. This would stations are installed around the city to collect the metering data.
require a high number of base stations and expose this more expensive However in the denser urban areas, the base stations would have to be
equipment to manipulation or sabotage. The service operator has installed very close to the meters. This would require a high number
therefore chosen another approach, which is to drive around with a of base stations and expose this more expensive equipment to
mobile base-station and let the meters connect to that in regular manipulation or sabotage. The service operator has therefore chosen
intervals in order to gather metering data. another approach, which is to drive around with a mobile base-station
and let the meters connect to that in regular intervals in order to
gather metering data (U5.4, U5.5, U5.7).
2.5.2. Meshed Topology 2.5.2. Meshed Topology
In another deployment, the water meters are installed in a building In another deployment, the water meters are installed in a building
that already has power meters installed, the latter are mains that already has power meters installed, the latter are mains
powered, and are therefore not subject to the same power saving powered, and are therefore not subject to the same power saving
restrictions. The water meters can therefore use the power meters as restrictions. The water meters can therefore use the power meters as
proxies, in order to achieve better connectivity. This requires the proxies, in order to achieve better connectivity. This requires the
security measures on the water meters to work through intermediaries. security measures on the water meters to work through intermediaries
(U5.8).
2.5.3. Advanced Metering Infrastructure 2.5.3. Advanced Metering Infrastructure
A utility company is updating its old utility distribution network A utility company is updating its old utility distribution network
with advanced meters and new communication systems, known as an with advanced meters and new communication systems, known as an
Advanced Metering Infrastructure (AMI). AMI refers to a system that Advanced Metering Infrastructure (AMI). AMI refers to a system that
measures, collects and analyzes usage, and interacts with metering measures, collects and analyzes usage, and interacts with metering
devices such as electricity meters, gas meters, heat meters, and devices such as electricity meters, gas meters, heat meters, and
water meters, through various communication media either on request water meters, through various communication media either on request
(on-demand) or on pre-defined schedules. Based on this technology, (on-demand) or on pre-defined schedules. Based on this technology,
new services make it possible for consumers to control their utility new services make it possible for consumers to control their utility
consumption and reduce costs by supporting new tariff models from consumption (U5.2, U5.6) and reduce costs by supporting new tariff
utility companies, and more accurate and timely billing. models from utility companies, and more accurate and timely billing.
The technical solution is based on levels of data aggregation between The technical solution is based on levels of data aggregation between
smart meters located at the consumer premises and the Meter Data smart meters located at the consumer premises and the Meter Data
Management (MDM) system located at the utility company. Two possible Management (MDM) system located at the utility company (U5.8). For
intermediate levels are: reasons of efficiency and cost, end-to-end connectivity is not always
feasible, so metering data is stored and aggregated in various
o Head-End System (HES) which is hardware and software that receives intermediate devices before being forwarded to the utility company,
the stream of meter data and exposes an interface to the MDM. and in turn accessed by the MDM. The intermediate devices may be
operated by a third party service operator on behalf of the utility
o Data Collection (DC) units located in a local network company (U5.6). One responsibility of the service operator is to
communicating with a number of smart meters and with a backhaul make sure that meter readings are performed and delivered in a
interface communicating with the HES, e.g. using cellular regular, timely manner. An example of a Service Level Agreement
communication. between the service operator and the utility company is e.g. "at
least 95 % of the meters have readings recorded during the last 72
For reasons of efficiency and cost end-to-end connectivity is not hours".
always feasible, so metering data is stored in batches in DC for some
time before being forwarded to the HES, and in turn accessed by the
MDM. The HES and the DC units may be operated by a third party
service operator on behalf of the utility company. One
responsibility of the service operator is to make sure that meter
readings are performed and delivered to the HES. An example of a
Service Level Agreement between the service operator and the utility
company is e.g. "at least 95 % of the meters have readings recorded
during the last 72 hours".
2.5.4. Authorization Problems Summary 2.5.4. Authorization Problems Summary
o U5.1 Devices are installed in hostile environments where they are o U5.1 Devices are installed in hostile environments where they are
physically accessible by attackers. The service operator and the physically accessible by attackers (including dishonest
utility company want to make sure that an attacker cannot use a customers). The service operator and the utility company want to
captured device to attack other parts of their infrastructure. make sure that an attacker cannot use data from a captured device
to attack other parts of their infrastructure.
o U5.2 The utility company wants to restrict which entities are o U5.2 The utility company wants to control which entities are
allowed to send data to their endpoints and to ensure the allowed to send data to, and read data from their endpoints.
integrity of the data on their endpoints.
o U5.3 The utility company wants to control which entities are o U5.3 The utility company wants to ensure the integrity of the data
allowed to read data on their endpoints and protect such data in stored on their endpoints.
transfer.
o U5.4 The devices may have intermittent Internet connectivity. o U5.4 The utility company wants to protect such data transfers to
and from their endpoints.
o U5.5 Neither the service operator nor the utility company are o U5.5 The devices may have intermittent Internet connectivity.
o U5.6 Neither the service operator nor the utility company are
always present at the time of access and cannot manually intervene always present at the time of access and cannot manually intervene
in the authorization process. in the authorization process.
o U5.6 When authorization policies are updated it is impossible, or o U5.7 When authorization policies are updated it is impossible, or
at least very inefficient to contact all affected endpoints at least very inefficient to contact all affected endpoints
directly. directly.
o U5.7 Messages between endpoints may need to be stored and o U5.8 Messages between endpoints may need to be stored and
forwarded over multiple nodes. forwarded over multiple nodes.
2.6. Sports and Entertainment 2.6. Sports and Entertainment
In the area of leisure time activities, applications can benefit from In the area of leisure time activities, applications can benefit from
the small size and weight of constrained devices. Sensors and the small size and weight of constrained devices. Sensors and
actuators with various functionalities can be integrated into fitness actuators with various functions can be integrated into fitness
equipment, games and even clothes. Users can carry their devices equipment, games and even clothes. Users can carry their devices
around with them at all times. around with them at all times.
Usability is especially important in this area since users will often Usability is especially important in this area since users will often
want to spontaneously interconnect their devices with others. want to spontaneously interconnect their devices with others.
Therefore the configuration of access permissions must be simple and Therefore the configuration of access permissions must be simple and
fast and not require much effort at the time of access (preferably fast and not require much effort at the time of access (preferably
none at all). none at all).
The required level of security will in most cases be low since The required level of security will in most cases be low since
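Review bot: the rewording of U5.1 from "cannot use a captured device to attack other parts of their infrastructure" to "cannot use data from a captured device" narrows the requirement: a captured meter can be used as-is, with its own credentials, to inject forged readings or commands, which is exactly what the narrative ("expose this more expensive equipment to manipulation or sabotage") is worried about; suggest "cannot use a captured device, or data extracted from it, to attack ...". Separately, the new remote shut-off capability in 2.5.1 ("shut off the water if the bills are not paid") is tagged (U5.1, U5.3), but it is a command arriving at the meter, so the governing requirement is the new U5.2 (which entities may send data to the endpoints); retagging it, or adding an explicit item on authorizing commands sent to meters, would keep the cross-references consistent with the renumbered list (old U5.4 to U5.7 are now U5.5 to U5.8).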
skipping to change at page 17, line 27 skipping to change at page 18, line 11
running style. On a sunny afternoon, she goes to the Finnbahn track running style. On a sunny afternoon, she goes to the Finnbahn track
near her home to work out. She meets her friend Lynn who shows her near her home to work out. She meets her friend Lynn who shows her
the smart fitness watch she bought a few days ago. The watch can the smart fitness watch she bought a few days ago. The watch can
measure the wearer's pulse, show speed and distance, and keep track measure the wearer's pulse, show speed and distance, and keep track
of the configured training program. The girls detect that the watch of the configured training program. The girls detect that the watch
can be connected with Jody's shoes and then can additionally display can be connected with Jody's shoes and then can additionally display
the information the shoes provide. the information the shoes provide.
Jody asks Lynn to let her try the watch and lend it to her for the Jody asks Lynn to let her try the watch and lend it to her for the
afternoon. Lynn agrees but doesn't want Jody to access her training afternoon. Lynn agrees but doesn't want Jody to access her training
plan. She configures the access policies for the watch so that plan (U6.4). She configures the access policies for the watch so
Jody's shoes are allowed to access the display and measuring features that Jody's shoes are allowed to access the display and measuring
but cannot read or add training data. Jody's shoes connect to Lynn's features but cannot read or add training data (U6.1, U6.2). Jody's
watch after only a press of a button because Jody already configured shoes connect to Lynn's watch after only a press of a button because
access rights for devices that belong to Lynn a while ago. Jody already configured access rights for devices that belong to Lynn
a while ago (U6.3). Jody wants the device to report the data back to
her fitness account while she borrows it, so she allows it to access
her account temporarily.
After an hour, Jody gives the watch back and both girls terminate the After an hour, Jody gives the watch back and both girls terminate the
connection between their devices. connection between their devices.
2.6.2. Authorization Problems Summary 2.6.2. Authorization Problems Summary
o U6.1 Sports equipment owners want to be able to grant access o U6.1 Sports equipment owners want to be able to grant access
rights dynamically when needed. rights dynamically when needed.
o U6.2 Sports equipment owners want the configuration of access o U6.2 Sports equipment owners want the configuration of access
rights to work with very little effort. rights to work with very little effort.
o U6.3 Sports equipment owners want to be able to preconfigure o U6.3 Sports equipment owners want to be able to pre-configure
access policies that grant certain access permissions to endpoints access policies that grant certain access permissions to endpoints
with certain attributes (e.g. endpoints of a certain user) without with certain attributes (e.g. endpoints of a certain user) without
additional configuration effort at the time of access. additional configuration effort at the time of access.
o U6.4 Sports equipment owners to protect the confidentiality of o U6.4 Sports equipment owners to protect the confidentiality of
their data for privacy reasons. their data for privacy reasons.
o U6.5 Devices might not have an Internet connection at the time of
access.
2.7. Industrial Control Systems 2.7. Industrial Control Systems
Industrial control systems (ICS) and especially supervisory control Industrial control systems (ICS) and especially supervisory control
and data acquisition systems (SCADA) use a multitude of sensors and and data acquisition systems (SCADA) use a multitude of sensors and
actuators in order to monitor and control industrial processes in the actuators in order to monitor and control industrial processes in the
physical world. Example processes include manufacturing, power physical world. Example processes include manufacturing, power
generation, and refining of raw materials. generation, and refining of raw materials.
Since the advent of the Stuxnet worm it has become obvious to the Since the advent of the Stuxnet worm it has become obvious to the
general public how vulnerable this kind of systems are, especially general public how vulnerable this kind of systems are, especially
when connected to the Internet. The severity of these when connected to the Internet. The severity of these
vulnerabilities are exacerbated by the fact that many ICS are used to vulnerabilities are exacerbated by the fact that many ICS are used to
control critical public infrastructure, such as power, water control critical public infrastructure, such as power, water
treatment of traffic control. Nevertheless the economical advantages treatment of traffic control. Nevertheless the economical advantages
of connecting such systems to the Internet can be significant if of connecting such systems to the Internet can be significant if
appropriate security measures are put in place. appropriate security measures are put in place (U7.5).
2.7.1. Oil Platform Control 2.7.1. Oil Platform Control
An oil platform uses an industrial control system to monitor data and An oil platform uses an industrial control system to monitor data and
control equipment. The purpose of this system is to gather and control equipment. The purpose of this system is to gather and
process data from a large number of sensors, and control actuators process data from a large number of sensors, and control actuators
such as valves and switches to steer the oil extraction process on such as valves and switches to steer the oil extraction process on
the platform. Raw data, alarms, reports and other information are the platform. Raw data, alarms, reports and other information are
also available to the operators, who can intervene with manual also available to the operators, who can intervene with manual
commands. Many of the sensors are connected to the controlling units commands. Many of the sensors are connected to the controlling units
by direct wire, but the operator is slowly replacing these units by by direct wire, but the operator is slowly replacing these units by
wireless ones, since this makes maintenance easier. wireless ones, since this makes maintenance easier (U7.4).
The controlling units are connected to the Internet, to allow for Some of the controlling units are connected to the Internet, to allow
remote administration, since it is expensive and inconvenient to fly for remote administration, since it is expensive and inconvenient to
in a technician to the platform. fly in a technician to the platform (U7.3).
The main interest of the operator is to ensure the integrity of The main interest of the operator is to ensure the integrity of
control messages and sensor readings. Access in some cases needs to control messages and sensor readings (U7.1). Access in some cases
be restricted, e.g. the operator wants wireless actuators only to needs to be restricted, e.g. the operator wants wireless actuators
accept commands by authorized control units. only to accept commands by authorized control units (U7.2).
The owner of the platform also wants to collect auditing information
for liability reasons (U7.1).
2.7.2. Authorization Problems Summary
o  U7.1 The operator of the platform wants to ensure the integrity
   and confidentiality of sensor and actuator data.

o  U7.2 The operator wants to ensure that data coming from sensors
   and commands sent to actuators are authentic.

o  U7.3 Some devices do not have direct Internet connection.

o  U7.4 Some devices have wired connection while others use wireless.

o  U7.5 The execution of unauthorized commands in an ICS can lead to
   significant financial damage, and threaten the availability of
   critical infrastructure services. Accordingly, the operator wants
   a security solution that provides a very high level of security.
3. Security Considerations
As the use cases listed in this document demonstrate, constrained
devices are used in various application areas. The appeal of these
devices is that they are small and inexpensive. That makes it easy
to integrate them into many aspects of everyday life. Therefore, such
devices will see vast amounts of valuable data passing through and
might even be in control of important functions. These assets need
to be protected from unauthorized access. Even seemingly innocuous
data and functions should be protected due to possible effects of
aggregation: by collecting data or functions from several sources,
attackers might be able to gain insights or a level of control not
immediately obvious from each of these sources on its own.
Not only is the data on the constrained devices themselves
threatened; the devices might also be abused as an intrusion point to
infiltrate a network. Once an attacker has gained control over a
device, it can be used to attack other devices as well. Due to their
limited capabilities, constrained devices appear as the weakest link
in the network and hence pose an attractive target for attackers.
This section summarizes the security problems highlighted by the use
cases above and provides guidelines for the design of protocols for

[...]

[RFC7258] attacks.
As some of the use cases indicate, constrained devices may be
installed in hostile environments where they are physically
accessible (see Section 2.5). Protection from physical attacks is
not in the scope of ACE, but should be kept in mind by developers of
authorization solutions.
Denial of service (DoS) attacks threaten the availability of services
a device provides. For example, an attacker can induce a device to
perform steps of a heavyweight security protocol (e.g. Datagram
Transport Layer Security (DTLS) [RFC6347]) before authentication and
authorization can be verified, thus exhausting the device's system
resources. This leads to a temporary or, if for instance the
batteries are drained, permanent failure of the service. For some
services of constrained devices, availability is especially important
(see Section 2.3). Because of their limitations, constrained devices
are especially vulnerable to denial of service attacks. Solution
designers must be particularly careful to consider these limitations
in every part of the protocol. This includes:

[...]
   Rationale: In some cases different types of users need different
   access rights, as opposed to a binary approach where the same
   access permissions are granted to all authenticated users.

o  A device might host several resources where each resource has its
   own access control policy (all use cases).
o  The device that makes the policy decisions should be able to
   evaluate context-based permissions such as location or time of
   access (see e.g. Section 2.2, Section 2.3, Section 2.4). Access
   may also depend on local conditions, e.g. access to health data in
   an emergency, and the device that makes the policy decisions
   should be able to take such conditions into account.
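The denial-of-service concern raised in Section 3.1, that a peer can
make a device run expensive handshake steps before anything about the
peer has been verified, has a standard mitigation in DTLS: the
stateless cookie exchange of RFC 6347, Section 4.2.1. The Python
below is an added example written for this edit, not code from the
draft or from any DTLS implementation. It models only the cookie
gate (the class and function names, the message encoding, the
timestamp-free cookie and the addresses are illustrative
assumptions) and shows that a flood of ClientHellos from spoofed
addresses allocates no server state, while a client that can
actually receive at its address completes the exchange.

```python
import hashlib
import hmac
import secrets

# Constructed example: a stateless cookie gate modelled on the DTLS
# HelloVerifyRequest exchange (RFC 6347, Section 4.2.1). The server
# answers the first ClientHello with a cookie derived from the client's
# claimed address and commits no memory or expensive crypto until the
# cookie comes back. Message names follow DTLS; the encoding, the class
# and function names and the addresses are assumptions for illustration,
# not a DTLS implementation.


class CookieGate:
    def __init__(self, secret=None):
        # A real server rotates the cookie secret periodically; a fixed
        # secret is accepted here so the example stays deterministic.
        self._secret = secret if secret is not None else secrets.token_bytes(32)
        self.sessions = {}          # per-peer handshake state, allocated late
        self.rejected_cookies = 0   # cookies that did not verify

    def _cookie(self, addr, client_hello):
        # Bind the cookie to the claimed source address and to the
        # ClientHello so it cannot be replayed from elsewhere.
        host, port = addr
        msg = host.encode() + port.to_bytes(2, "big") + client_hello
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def on_client_hello(self, addr, client_hello, cookie=b""):
        """Return (message type, cookie or None) for one inbound ClientHello."""
        expected = self._cookie(addr, client_hello)
        if not cookie:
            # First flight: reply statelessly, so a spoofed source costs the
            # server only one HMAC and one datagram, and no stored state.
            return "HelloVerifyRequest", expected
        if not hmac.compare_digest(cookie, expected):
            self.rejected_cookies += 1
            return "HelloVerifyRequest", expected
        # The peer has proven it can receive at addr; only now spend memory
        # (and, in a real stack, the key exchange) on it.
        self.sessions[addr] = {"client_hello": client_hello}
        return "ServerHello", None


def spoofed_flood(gate, count):
    """Attacker sends ClientHellos from addresses it cannot receive at.
    Returns how many handshake states the server allocated (expected: 0)."""
    for i in range(count):
        addr = ("203.0.113.%d" % (i % 254 + 1), 40000 + i)   # constructed
        gate.on_client_hello(addr, b"ClientHello-%d" % i)
    return len(gate.sessions)


def legitimate_handshake(gate, addr=("192.0.2.10", 5684)):
    """A real client echoes the cookie it was sent and gets a ServerHello."""
    hello = b"ClientHello-legit"
    msg, cookie = gate.on_client_hello(addr, hello)
    assert msg == "HelloVerifyRequest"
    msg, _ = gate.on_client_hello(addr, hello, cookie)
    return msg


if __name__ == "__main__":
    gate = CookieGate()
    print("states after spoofed flood:", spoofed_flood(gate, 1000))
    print("legitimate client gets:", legitimate_handshake(gate))
```

The gate only forces a peer to prove reachability at the address it
claims. An attacker sending from its own address can still drive the
device into the expensive part of the handshake, which is why the
design considerations in Section 3.3 ask that the authorization
solution itself respect the device's limits (cheap checks and rate
limiting before any key exchange), and why the cookie secret should
be rotated rather than fixed as in this illustration.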
3.3. Design Considerations for Authorization Solutions
o  Devices need to be enabled to enforce authorization policies
   without human intervention at the time of the access request (see
   e.g. Section 2.1, Section 2.2, Section 2.4, Section 2.5).

o  Authorization solutions need to consider that constrained devices
   might not have Internet access at the time of the access request
   (see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6).

o  It should be possible to update access control policies without
   manually re-provisioning individual devices (see e.g. Section 2.2,
   Section 2.3, Section 2.5, Section 2.6).

   Rationale: Peers can change rapidly, which makes manual re-
   provisioning unreasonably expensive.

o  Authorization policies may be defined to apply to a large number
   of devices that might only have intermittent connectivity.
   Distributing policy updates to every device for every update might
   not be a feasible solution (see e.g. Section 2.5).

o  It must be possible to dynamically revoke authorizations (see e.g.
   Section 2.4).

o  The authentication and access control protocol can put undue
   burden on the constrained system resources of a device
   participating in the protocol. An authorization solution must
   take the limitations of the constrained devices into account (all
   use cases, see also Section 3.1).

o  Secure default settings are needed for the initial state of the
   authentication and authorization protocols (all use cases).

   Rationale: Many attacks exploit insecure default settings, and
   experience shows that default settings are frequently left
   unchanged by the end users.

o  Access to resources on other devices should only be permitted if a
   rule exists that explicitly allows this access (default deny) (see
   e.g. Section 2.4).

o  Usability is important for all use cases. The configuration of
   authorization policies as well as gaining access to devices must
   be simple for the users of the devices. Special care needs to be
   taken for home scenarios where access control policies have to be
   configured by users who are typically not trained in security
   (see Section 2.2, Section 2.3, Section 2.6).
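Several of the considerations in Section 3.2 and Section 3.3
(per-resource policies, context-dependent permissions such as time of
access or an emergency condition, enforcement without human
intervention or Internet access at request time, dynamic revocation,
and default deny) can be exercised together in a small policy
enforcement point. The Python below is an added example written for
this edit, not code from the draft or from the ACE framework. It
assumes a token issued by an authorization server that shares a
symmetric key with the device; the JSON body, the HMAC-SHA256 tag and
the claim names (jti, nbf, exp, scope) are chosen for illustration.
With such a token the device decides offline, and the authorization
server changes policy by issuing new tokens rather than by
re-provisioning the device.

```python
import hashlib
import hmac
import json
import time

# Constructed example: a policy enforcement point on a constrained
# resource server. Access is granted only on the basis of a token issued
# by an authorization server (AS) that shares a key with the device, so
# the device can decide offline and without human intervention. The token
# encoding (JSON claims plus an HMAC-SHA256 tag) and the claim names
# "jti", "nbf", "exp", "scope" are assumptions for illustration, not the
# ACE framework's own format.

NOW = 1_699_956_000  # constructed timestamp: 10:00:00 UTC on some day


def issue_token(as_key, claims):
    """Stand-in for the AS: serialise the claims and tag them with the key."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(as_key, body, hashlib.sha256).digest()
    return body, tag


class PolicyEnforcer:
    def __init__(self, as_key, resources):
        self._as_key = as_key
        self._resources = frozenset(resources)  # resources hosted on this device
        self._revoked = set()                   # token ids revoked out of band
        self.emergency = False                  # local context, e.g. a patient alarm

    def revoke(self, token_id):
        self._revoked.add(token_id)

    def decide(self, body, tag, resource, method, now):
        """Return (allowed, reason). Anything not explicitly allowed is denied."""
        expected = hmac.new(self._as_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "token tag invalid"
        try:
            claims = json.loads(body)
            nbf, exp, jti = claims["nbf"], claims["exp"], claims["jti"]
        except (ValueError, KeyError, TypeError):
            return False, "token malformed"
        if not (isinstance(nbf, int) and isinstance(exp, int)):
            return False, "token malformed"
        if jti in self._revoked:
            return False, "token revoked"
        if not nbf <= now < exp:
            return False, "token outside validity window"
        if resource not in self._resources:
            return False, "unknown resource"
        for rule in claims.get("scope", []):
            if rule.get("res") != resource or method not in rule.get("methods", []):
                continue
            if self._conditions_hold(rule.get("if", {}), now):
                return True, "allowed by scope rule"
        return False, "no matching rule (default deny)"

    def _conditions_hold(self, cond, now):
        # Context evaluated on the device itself, using local state and time.
        if cond.get("emergency") and not self.emergency:
            return False
        if "hours" in cond:
            start, end = cond["hours"]
            if not start <= time.gmtime(now).tm_hour < end:
                return False
        return True


def demo():
    """Run a set of requests against one token; returns name -> allowed."""
    as_key = b"\x01" * 32  # constructed key shared between AS and device
    rs = PolicyEnforcer(as_key, {"/temperature", "/valve", "/health"})
    body, tag = issue_token(as_key, {
        "jti": "t1", "nbf": NOW - 60, "exp": NOW + 86400,
        "scope": [
            {"res": "/temperature", "methods": ["GET"]},
            {"res": "/valve", "methods": ["PUT"], "if": {"hours": [8, 18]}},
            {"res": "/health", "methods": ["GET"], "if": {"emergency": True}},
        ],
    })
    results = {
        "read temp": rs.decide(body, tag, "/temperature", "GET", NOW)[0],
        "write temp": rs.decide(body, tag, "/temperature", "PUT", NOW)[0],
        "valve in hours": rs.decide(body, tag, "/valve", "PUT", NOW)[0],
        "valve at night": rs.decide(body, tag, "/valve", "PUT", NOW + 12 * 3600)[0],
        "health normal": rs.decide(body, tag, "/health", "GET", NOW)[0],
    }
    rs.emergency = True
    results["health emergency"] = rs.decide(body, tag, "/health", "GET", NOW)[0]
    rs.revoke("t1")
    results["after revoke"] = rs.decide(body, tag, "/health", "GET", NOW)[0]
    tampered = body.replace(b'"GET"', b'"PUT"', 1)
    results["tampered"] = rs.decide(tampered, tag, "/temperature", "PUT", NOW)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'allow' if allowed else 'deny'}")
```

Every branch of decide returns a reason, so an audit log can record
why a request was refused without recording the token itself, and the
revocation set is the one piece of state the device must receive
online; everything else it needs arrives with the request.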
3.4. Proxies

[...]

will learn the content of potentially sensitive messages sent between
endpoints and thereby threaten the privacy of the individual that may
be the subject of this data.
In some cases, even the possession of a certain type of device can be
confidential, e.g. individuals might not want others to know that
they are wearing a certain medical device (see Section 2.3).
The personal health monitoring use case (see Section 2.3) indicates
the need for secure audit logs which impose specific requirements on
a solution.

Auditing is not in the scope of ACE. However, if an authorization
solution provides means for audit logs, it must consider the impact
of logged data for the privacy of all parties involved. Suitable
measures for protecting and purging the logs must be taken during
operation, maintenance and decommissioning of the device.
5. Acknowledgments
The authors would like to thank Olaf Bergmann, Sumit Singhal, John
Mattson, Mohit Sethi, Carsten Bormann, Martin Murillo, Corinna
Schmitt, Hannes Tschofenig, Erik Wahlstroem, Andreas Baeckman, Samuel
Erdtman, Steve Moore, and Thomas Hardjono for reviewing and/or
contributing to the document. Also, thanks to Markus Becker, Thomas
Poetsch and Koojana Kuladinithi for their input on the container
monitoring use case.
Ludwig Seitz and Goeran Selander worked on this document as part of
EIT-ICT Labs activity PST-14056.
6. IANA Considerations

This document has no IANA actions.
7. Informative References