Diff: draft-ietf-ace-usecases-06.txt vs. draft-ietf-ace-usecases-07.txt
(Paragraphs that differ between the two revisions are shown as [-06] and [-07]; unchanged text appears once.)

ACE Working Group
Internet-Draft
Intended status: Informational
Expires: March 26, 2016 (-06) / April 4, 2016 (-07)

L. Seitz, Ed., SICS Swedish ICT AB
S. Gerdes, Ed., Universitaet Bremen TZI
G. Selander, Ericsson
M. Mani, Itron
S. Kumar, Philips Research

September 23, 2015 (-06) / October 02, 2015 (-07)

ACE use cases
draft-ietf-ace-usecases-06 / draft-ietf-ace-usecases-07
Abstract

   Constrained devices are nodes with limited processing power, storage
   space and transmission capacities.  These devices in many cases do
   not provide user interfaces and are often intended to interact
   without human intervention.

   [-06] This document comprises a collection of representative use
   cases for the application of authentication and authorization in
   constrained environments.  These use cases aim at identifying
   authorization problems that arise during the lifecycle of a
   constrained device and are intended to provide a guideline for
   developing a comprehensive authentication and authorization solution
   for this class of scenarios.

   [-07] This document includes a collection of representative use cases
   for authentication and authorization in constrained environments.
   These use cases aim at identifying authorization problems that arise
   during the lifecycle of a constrained device and are intended to
   provide a guideline for developing a comprehensive authentication and
   authorization solution for this class of scenarios.

   Where specific details are relevant, it is assumed that the devices
   use the Constrained Application Protocol (CoAP) as communication
   protocol, however most conclusions apply generally.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   [-06] This Internet-Draft will expire on March 26, 2016.

   [-07] This Internet-Draft will expire on April 4, 2016.
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
       1.1.  Terminology
   2.  Use Cases
       2.1.  Container monitoring
             2.1.1.  Bananas for Munich
             2.1.2.  Authorization Problems Summary
       2.2.  Home Automation
             2.2.1.  Controlling the Smart Home Infrastructure
             2.2.2.  Seamless Authorization
             2.2.3.  Remotely letting in a visitor
             2.2.4.  Selling the house
             2.2.5.  Authorization Problems Summary
       2.3.  Personal Health Monitoring
             2.3.1.  John and the heart rate monitor
             2.3.2.  Authorization Problems Summary
       2.4.  Building Automation
             2.4.1.  Device Lifecycle
             2.4.2.  Public Safety
             2.4.3.  Authorization Problems Summary
       2.5.  Smart Metering
             2.5.1.  Drive-by metering
             2.5.2.  Meshed Topology
             2.5.3.  Advanced Metering Infrastructure
             2.5.4.  Authorization Problems Summary
       2.6.  Sports and Entertainment
             2.6.1.  Dynamically Connecting Smart Sports Equipment
             2.6.2.  Authorization Problems Summary
       2.7.  Industrial Control Systems
             2.7.1.  Oil Platform Control
             2.7.2.  Authorization Problems Summary
   3.  Security Considerations
       3.1.  Attacks
       3.2.  Configuration of Access Permissions
       3.3.  Authorization Considerations
       3.4.  Proxies
   4.  Privacy Considerations
   5.  Acknowledgments
   6.  IANA Considerations
   7.  Informative References
   Authors' Addresses
1.  Introduction

   Constrained devices [RFC7228] are nodes with limited processing
   power, storage space and transmission capacities.  These devices are
   often battery-powered and in many cases do not provide user
   interfaces.

   [-06] Constrained devices benefit from being interconnected using
   Internet protocols.  However, due to the devices' limitations,
   commonly used security protocols are not always easily applicable.
   As the devices are expected to be integrated in all aspects of
   everyday life, the application of adequate security mechanisms is
   required to prevent attackers from gaining control over data or
   functions important to our lives.

   [-07] Constrained devices benefit from being interconnected using
   Internet protocols.  However, deploying common security protocols can
   sometimes be difficult because of device or network limitations.
   Regardless, adequate security mechanisms are required to protect
   these constrained devices, which are expected to be integrated in all
   aspects of everyday life, from attackers wishing to gain control over
   the device's data or functions.

   This document comprises a collection of representative use cases for
   the application of authentication and authorization in constrained
   environments.  These use cases aim at identifying authorization
   problems that arise during the lifecycle of a constrained device.
   Note that this document does not aim at collecting all possible use
   cases.

   [-06] We assume that the communication between the devices is based
   on the Representational State Transfer (REST) architectural style,
   i.e. a device acts as a server that offers resources such as sensor
   data and actuators.  The resources can be accessed by clients,
   sometimes without human intervention (M2M).  In some situations the
   communication will happen through intermediaries (e.g. gateways,
   proxies).

   [-07] We assume a scenario where one device acts as a server that
   offers resources such as sensor data and actuator settings.  The
   resources can be accessed by clients, sometimes without human
   intervention, i.e. machine-to-machine (M2M).  In some situations the
   communication will happen through intermediaries (e.g. gateways,
   proxies).

   Where specific detail is necessary it is assumed that the devices
   communicate using CoAP [RFC7252], although most conclusions are
   generic.

1.1.  Terminology

   [-06] Readers are required to be familiar with the terms defined in
   [RFC7228].  In addition, this document uses the following
   terminology:

   [-07] Readers are required to be familiar with the terms defined in
   [RFC7228].
2.  Use Cases

   [-06] This section lists use cases involving constrained devices with
   certain authorization problems to be solved.  Each use case first
   presents a general description of the application area, then one or
   more specific use cases, and finally a summary of the authorization-
   related problems users need to be solved.

   [-07] This section includes the use cases; each use case first
   presents a general description of the application environment, then
   one or more specific use cases, and finally a summary of the
   authorization-related problems to be solved.

   There are various reasons for assigning a function (client or server)
   to a device, e.g. which device initiates the conversation, how do
   devices find each other, etc.  The definition of the function of a
   device in a certain use case is not in scope of this document.
   Readers should be aware that there might be reasons for each setting
   and that endpoints might even have different functions at different
   times.
2.1.  Container monitoring

   [-06] The ability of sensors to communicate environmental data
   wirelessly opens up new application areas.  The use of such sensor
   systems makes it possible to continuously track and transmit specific
   characteristics such as temperature, humidity and gas content during
   the transportation and storage of goods.

   [-07] The ability of sensors to communicate environmental data
   wirelessly opens up new application areas.  Sensor systems make it
   possible to continuously track and transmit characteristics such as
   temperature, humidity and gas content while goods are transported and
   stored.

   [-06] The proper handling of the sensors in this scenario is not easy
   to accomplish.  They have to be associated to the appropriate pallet
   of the respective container.  Moreover, the goods and the
   corresponding sensors belong to specific customers.

   [-07] Sensors in this scenario have to be associated to the
   appropriate pallet of the respective container.  Sensors as well as
   the goods belong to specific customers.

   [-06] During the shipment to their destination the goods often pass
   stops where they are transloaded to other means of transportation,
   e.g. from ship transport to road transport.

   [-07] While in transit goods often pass stops where they are
   transloaded to other means of transportation, e.g. from ship
   transport to road transport.

   [-06] The transportation and storage of perishable goods is
   especially challenging since they have to be stored at a constant
   temperature and with proper ventilation.  Additionally, it is very
   important for the vendors to be informed about irregularities in the
   temperature and ventilation of fruits to avoid the delivery of
   decomposed fruits to their customers.  Real-time information on the
   state of the goods is needed for the transporter in order to
   prioritize goods that will expire soon.  Furthermore the vendor also
   wants this type of information in real-time, in order to be able to
   react when goods are spoiled and to be able to still fulfill delivery
   obligations.

   [-07] Perishable goods need to be stored at constant temperature and
   with proper ventilation.  Real-time information on the state of the
   goods is needed by both the transporter and the vendor.  Transporters
   want to prioritize goods that will expire soon.  Vendors want to
   react when goods are spoiled to continue to fulfill delivery
   obligations.

   [-06] The need for a constant monitoring of perishable goods has led
   to projects such as The Intelligent Container
   (http://www.intelligentcontainer.com).

   [-07] The Intelligent Container (http://www.intelligentcontainer.com)
   is an example project that explores solutions to continuously monitor
   perishable goods.
2.1.1.  Bananas for Munich

   A fruit vendor grows bananas in Costa Rica for the German market.  It
   instructs a transport company to deliver the goods via ship to
   Rotterdam where they are picked up by trucks and transported to a
   ripening facility.  A Munich supermarket chain buys ripened bananas
   from the fruit vendor and transports them from the ripening facility
   to the individual markets with their own company trucks.

   [skipping to change at page 6, line 5 (-06) / page 5, line 44 (-07)]

   ... access the data for the time of the transloading (U1.8).

   Due to the high water content of the fruits, the propagation of radio
   waves is hindered, thus often inhibiting direct communication between
   nodes [Jedermann14].  Instead, messages are forwarded over multiple
   hops (U1.9).  The sensors in the banana boxes cannot always reach the
   Internet during the journey (U1.10).  Sensors may need to use relay
   stations owned by the transport company to connect to endpoints in
   the Internet.

   [-06] In the ripening facility bananas are stored until they are
   ready for selling.  The banana box sensors are used to control the
   ventilation system and to monitor the degree of ripeness of the
   bananas.  Ripe bananas need to be identified and sold before they
   spoil (U1.2, U1.8).

   [-07] In the ripening facility bananas are stored until they are
   ready to be sold.  The banana box sensors are used to control the
   ventilation system and to monitor the degree of ripeness of the
   bananas.  Ripe bananas need to be identified and sold before they
   spoil (U1.2, U1.8).

   The supermarket chain gains ownership of the banana boxes when the
   bananas have ripened and are ready to leave the ripening facility.
2.1.2.  Authorization Problems Summary

   o  U1.1 Fruit vendors and container owners want to grant different

   [skipping to change at page 6, line 32 (-06) / page 6, line 23 (-07)]

      ... control and to ensure the quality of the monitored recordings.

   o  U1.3 The container owner requires the integrity and authenticity
      of the sensor data that is used for climate control.

   o  U1.4 The fruit vendor requires the confidentiality of the sensor
      data that pertains to the state of the goods and the
      confidentiality of location data, e.g., to protect them from
      targeted attacks from competitors.

   o  [-06] U1.5 The fruit vendor may have several types of data that
      may be controlled by the same endpoint, e.g., sensor data and the
      data used for logistics.

      [-07] U1.5 The fruit vendor may need different protection for
      several different types of data on the same endpoint, e.g., sensor
      data and the data used for logistics.

   o  U1.6 The fruit vendor and the transloading personnel require the
      authenticity and integrity of the data that is used to locate the
      goods, in order to ensure that the goods are correctly treated and
      delivered.

   o  U1.7 The container owner and the fruit vendor may not be present
      at the time of access and cannot manually intervene in the
      authorization process.

   o  U1.8 The fruit vendor, container owner and transloading company
      want to grant temporary access permissions to a party, in order to
      avoid giving permanent access to parties that are no longer
      involved in processing the bananas.

   [skipping to change at page 7, line 19 (-06) / page 7, line 7 (-07)]

   o  U1.10 The constrained devices might not always be able to reach
      the Internet but still need to enact the authorization policies of
      their principals.

   o  U1.11 Fruit vendors and container owners want to be able to revoke
      authorization on a malfunctioning sensor.
2.2.  Home Automation

   [-06] Automation of the home has the potential to become a big future
   market for the Internet of Things.  One function of a home automation
   system can be to connect devices in a house to the Internet and thus
   make them accessible and manageable remotely.  Such devices might
   control for example heating, ventilation, lighting, home
   entertainment or home security.

   [-07] One application of the Internet of Things is home automation
   systems.  Such a system can connect household devices that control,
   for example, heating, ventilation, lighting, home entertainment, and
   home security to the Internet, making them remotely accessible and
   manageable.

   Such a system needs to accommodate a number of regular users
   (inhabitants, close friends, cleaning personnel) as well as a
   heterogeneous group of dynamically varying users (visitors,
   repairmen, delivery men).

   As the users are not typically trained in security (or even computer
   use), the configuration must use secure default settings, and the
   interface must be well adapted to novice users.
2.2.1.  Controlling the Smart Home Infrastructure

   [-06] Alice and her husband Bob own a flat which is equipped with
   home automation devices such as HVAC and shutter control, and they
   have a motion sensor in the corridor which controls the light bulbs
   there (U2.5).

   [-07] Alice and Bob own a flat which is equipped with home automation
   devices such as HVAC and shutter control, and they have a motion
   sensor in the corridor which controls the light bulbs there (U2.5).

   Alice and Bob can control the shutters and the temperature in each
   room using either wall-mounted touch panels or an internet connected
   device (e.g. a smartphone).  Since Alice and Bob both have a full-
   time job, they want to be able to change settings remotely, e.g. turn
   up the heating on a cold day if they will be home earlier than
   expected (U2.5).

   The couple does not want people in radio range of their devices, e.g.
   their neighbors, to be able to control them without authorization.

   [skipping to change at page 8, line 34 (-06) / page 8, line 20 (-07)]

   ... use the subway will arrive punctually.  Alice calls her parents
   and offers to let them in remotely, so they can make themselves
   comfortable while waiting (U2.1, U2.6).  Then Alice sets temporary
   permissions that allow them to open the door, and shut down the alarm
   (U2.2).  She wants these permissions to be only valid for the evening
   since she does not like it if her parents are able to enter the house
   as they see fit (U2.3, U2.4).

   [-06] When Alice's parents arrive at Alice's and Bob's home, they use
   their smartphone to communicate with the door-lock and alarm system
   (U2.5, U2.9).

   [-07] When Alice's parents arrive at Alice's and Bob's home, they use
   their smartphone to communicate with the door-lock and alarm system
   (U2.5, U2.9).  The permissions Alice issued to her parents only allow
   limited access to the house (e.g. opening the door, turning on the
   lights).  Certain other functions, such as checking the footage from
   the surveillance cameras, are not accessible to them (U2.3).

   [-07] Alice and Bob also issue similarly restricted permissions to
   e.g. cleaners, repairmen or their nanny (U2.3).
2.2.4.  Selling the house

   [-06] Alice and Bob have to move because Alice is starting a new job.
   They therefore decide to sell the house, and transfer control of all
   automated services to the new owners (U2.11).  Before doing that they
   want to erase privacy relevant data from the logs of the automated
   systems, while the new owner is interested to keep some historic data
   e.g. pertaining to the behavior of the heating system (U2.12).

   [-07] Alice and Bob have to move because Alice is starting a new job.
   They therefore decide to sell the house, and transfer control of all
   automated services to the new owners (U2.11).  Before doing that they
   want to erase privacy relevant data from the logs of the automated
   systems, while the new owner is interested to keep some historic data
   e.g. pertaining to the behavior of the heating system (U2.12).  At
   the time of transfer of the house, the new owners also want to make
   sure that permissions issued by the previous owners to access the
   house or connected devices (in the case where device management may
   have separate permissions from house access) are no longer valid
   (U2.13).
2.2.5.  Authorization Problems Summary

   o  U2.1 A home owner (Alice and Bob in the example above) wants to
      spontaneously provision authorization means to visitors.

   o  U2.2 A home owner wants to spontaneously change the home's access
      control policies.

   o  [-06] U2.3 A home owner wants to apply different access rights for
      different users.

      [-07] U2.3 A home owner wants to apply different access rights for
      different users (including other inhabitants).

   o  [-06] U2.4 The home owners want to grant access permissions to a
      party for a specified time frame.

      [-07] U2.4 The home owners want to grant access permissions to
      someone during a specified time frame.

   o  [-06] U2.5 The smart home devices need to be able to communicate
      with different control devices (e.g. wall-mounted touch panels,
      smartphones, electronic key fobs, device gateways).

      [-07] U2.5 The smart home devices need to be able to securely
      communicate with different control devices (e.g. wall-mounted
      touch panels, smartphones, electronic key fobs, device gateways).

   o  U2.6 The home owner wants to be able to configure authorization
      policies remotely.

   o  U2.7 Authorized Users want to be able to obtain access with little
      effort.

   o  U2.8 The owners of the automated home want to prevent unauthorized
      entities from being able to deduce behavioral profiles from
      devices in the home network.

   o  U2.9 Usability is particularly important in this scenario since
      the necessary authorization related tasks in the lifecycle of the
      device (commissioning, operation, maintenance and decommissioning)
      likely need to be performed by the home owners who in most cases
      have little knowledge of security.

   o  [-06] U2.10 Home Owners want their devices to seamlessly (and in
      some cases even unnoticeably) fulfill their purpose.  The
      administration effort needs to be kept at a minimum.

      [-07] U2.10 Home Owners want their devices to seamlessly (and in
      some cases even unnoticeably) fulfill their purpose.  Therefore
      the authorization administration effort needs to be kept at a
      minimum.

   o  U2.11 Home Owners want to be able to transfer ownership of their
      automated systems when they sell the house.

   o  U2.12 Home Owners want to be able to sanitize the logs of the
      automated systems, when transferring ownership, without deleting
      important operational data.

   o  [-07] U2.13 When a transfer of ownership occurs, the new owner
      wants to make sure that access rights created by the previous
      owner are no longer valid.
2.3. Personal Health Monitoring 2.3. Personal Health Monitoring
The use of wearable health monitoring technology is expected to grow Personal health monitoring devices, i.e. eHealth devices, are
strongly, as a multitude of novel devices are developed and marketed. typically battery driven and located physically on or in the user to
The need for open industry standards to ensure interoperability monitor some bodily function, such as temperature, blood pressure, or
between products has lead to initiatives such as Continua Alliance pulse rate. These devices typically connect to the Internet through
(continuaalliance.org) and Personal Connected Health Alliance an intermediary base-station, using wireless technologies and through
(pchalliance.org). Personal health devices are typically battery this connection they report the monitored data to some entity, which
driven, and located physically on, or in, the user. They monitor may either be the user, or a medical cargiver.
some bodily function, such as e.g. temperature, blood pressure, or
pulse. They are connected to the Internet through an intermediary
base-station, using wireless technologies. Through this connection
they report the monitored data to some entity, which may either be
the user herself, or some medical personnel in charge of the user.
Medical data has always been considered as very sensitive, and Medical data has always been considered as very sensitive, and
therefore requires good protection against unauthorized disclosure. therefore requires good protection against unauthorized disclosure.
A frequent, conflicting requirement is the capability for medical A frequent, conflicting requirement is the capability for medical
personnel to gain emergency access, even if no specific access rights personnel to gain emergency access, even if no specific access rights
exist. As a result, the importance of secure audit logs increases in exist. As a result, the importance of secure audit logs increases in
such scenarios. such scenarios.
Since the users are not typically trained in security (or even Since the users are not typically trained in security (or even
computer use), the configuration must use secure default settings, computer use), the configuration must use secure default settings,
and the interface must be well adapted to novice users. Parts of the and the interface must be well adapted to novice users. Parts of the
system must operate with minimal maintenance. Especially frequent system must operate with minimal maintenance. Especially frequent
changes of battery are unacceptable. changes of battery are unacceptable.
There is a plethora of wearable health monitoring technology and the
need for open industry standards to ensure interoperability between
products has lead to initiatives such as Continua Alliance
(continuaalliance.org) and Personal Connected Health Alliance
(pchalliance.org).
2.3.1. John and the heart rate monitor 2.3.1. John and the heart rate monitor
John has a heart condition, that can result in sudden cardiac John has a heart condition, that can result in sudden cardiac
arrests. He therefore uses a device called HeartGuard that monitors arrests. He therefore uses a device called HeartGuard that monitors
his heart rate and his location (U3.7). In case of a cardiac arrest his heart rate and his location (U3.7). In case of a cardiac arrest
it automatically sends an alarm to an emergency service, transmitting it automatically sends an alarm to an emergency service, transmitting
John's current location (U3.1). Either the device has long range John's current location (U3.1). Either the device has long range
connectivity itself (e.g. via GSM) or it uses some intermediary, connectivity itself (e.g. via GSM) or it uses some intermediary,
nearby device (e.g. John's smartphone) to transmit such an alarm. To nearby device (e.g. John's smartphone) to transmit such an alarm. To
ensure Johns safety, the device is expected to be in constant ensure Johns safety, the device is expected to be in constant
operation (U3.3, U3.6). operation (U3.3, U3.6).
The device includes some authentication mechanism, in order to The device includes an authentication mechanism, in order to prevent
prevent other persons who get physical access to it from acting as other persons who get physical access to it from acting as the owner
the owner and messing up the access control and security settings and altering the access control and security settings (U3.8).
(U3.8).
John can configure additional persons that get notified in an John can configure additional persons that get notified in an
emergency, for example his daughter Jill. Furthermore the device emergency, for example his daughter Jill. Furthermore the device
stores data on John's heart rate, which can later be accessed by a stores data on John's heart rate, which can later be accessed by a
physician to assess the condition of John's heart (U3.2). physician to assess the condition of John's heart (U3.2).
However John is a privacy conscious person, and is worried that Jill However John is a privacy conscious person, and is worried that Jill
might use HeartGuard to monitor his location while there is no might use HeartGuard to monitor his location while there is no
emergency. Furthermore he doesn't want his health insurance to get emergency. Furthermore he doesn't want his health insurance to get
access to the HeartGuard data, or even to the fact that he is wearing access to the HeartGuard data, or even to the fact that he is wearing
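Review bot: typo in the rewritten 2.3 introduction (right column): "medical cargiver" should read "medical caregiver". The unchanged 2.3.1 text also has "To ensure Johns safety", which needs the possessive "John's safety". The new U2.13 (access rights created by the previous owner become invalid on transfer) is a direct consequence of the ownership transfer in U2.11; consider cross-referencing the two so that readers see them as one requirement.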
skipping to change at page 11, line 27 skipping to change at page 11, line 29
2.3.2. Authorization Problems Summary 2.3.2. Authorization Problems Summary
o U3.1 The wearer of an eHealth device (John in the example above) o U3.1 The wearer of an eHealth device (John in the example above)
wants to pre-configure special access rights in the context of an wants to pre-configure special access rights in the context of an
emergency. emergency.
o U3.2 The wearer of an eHealth device wants to selectively allow o U3.2 The wearer of an eHealth device wants to selectively allow
different persons or groups access to medical data. different persons or groups access to medical data.
o U3.3 The Security measures could affect battery lifetime of the o U3.3 Battery changes are very inconvenient and sometimes
device and changing the battery is very inconvenient. impractical, so battery life impacts of the authorization
mechanisms need to be minimized.
o U3.4 Devices are often used with default access control settings o U3.4 Devices are often used with default access control settings
which might threaten the security objectives of the device's which might threaten the security objectives of the device's
users. users.
o U3.5 Wearers of eHealth devices are often not trained in computer o U3.5 Wearers of eHealth devices are often not trained in computer
use, and especially computer security. use, and especially computer security.
o U3.6 Security mechanisms themselves could provide opportunities o U3.6 Security mechanisms themselves could provide opportunities
for denial of service attacks, especially on the constrained for denial of service attacks, especially on the constrained
skipping to change at page 14, line 23 skipping to change at page 14, line 26
The fire department requires that as part of the building safety The fire department requires that as part of the building safety
code, that the building have sensors that sense the level of smoke, code, that the building have sensors that sense the level of smoke,
heat, etc., when a fire breaks out. These sensors report metrics heat, etc., when a fire breaks out. These sensors report metrics
which are then used by a back-end server to map safe areas and un- which are then used by a back-end server to map safe areas and un-
safe areas within a building and also possibly the structural safe areas within a building and also possibly the structural
integrity of the building before fire-fighters may enter it. integrity of the building before fire-fighters may enter it.
Sensors may also be used to track where human/animal activity is Sensors may also be used to track where human/animal activity is
within the building. This will allow people stuck within the within the building. This will allow people stuck within the
building to be guided to safer areas and suggest possible actions building to be guided to safer areas and suggest possible actions
that they make take (e.g. using a client application on their phones, that they may take (e.g. using a client application on their phones,
or loudspeaker directions) in order to bring them to safety. In or loudspeaker directions) in order to bring them to safety. In
certain cases, other organizations such as the Police, Ambulance, and certain cases, other organizations such as the Police, Ambulance, and
federal organizations are also involved and therefore the co- federal organizations are also involved and therefore the co-
ordination of tasks between the various entities have to be carried ordination of tasks between the various entities have to be carried
out using efficient messaging and authorization mechanisms. out using efficient messaging and authorization mechanisms.
2.4.2.1. A fire breaks out 2.4.2.1. A fire breaks out
On a really hot day James who works for company A turns on the air On a really hot day James who works for company A turns on the air
condition in his office. Lucy who works for company B wants to make condition in his office. Lucy who works for company B wants to make
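Review bot: the opening sentence of this hunk has a doubled conjunction in both columns: "The fire department requires that as part of the building safety code, that the building have sensors". Drop the first "that" or move the "as part of the building safety code" clause to the front of the sentence. The "make take" to "may take" correction later in the hunk is right.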
skipping to change at page 14, line 50 skipping to change at page 15, line 6
Alarm sirens throughout the building are switched on simultaneously Alarm sirens throughout the building are switched on simultaneously
(using a group communication scheme) to alert the staff of both (using a group communication scheme) to alert the staff of both
companies (U4.8). Additionally, the ventilation system of the whole companies (U4.8). Additionally, the ventilation system of the whole
building is closed off to prevent the smoke from spreading and to building is closed off to prevent the smoke from spreading and to
withdraw oxygen from the fire. The smoke cannot get into James' withdraw oxygen from the fire. The smoke cannot get into James'
office although he turned on his air condition because the fire alarm office although he turned on his air condition because the fire alarm
overrides the manual setting by sending commands (using group overrides the manual setting by sending commands (using group
communication) to switch off all the air conditioning (U4.10). communication) to switch off all the air conditioning (U4.10).
The fire department is notified of the fire automatically and arrives The fire department is notified of the fire automatically and arrives
within a short time. After inspecting the damage and extinguishing within a short time. They automatically get access to all parts of
the smoldering fire a fire fighter resets the fire alarm because only the building according to an emergency authorization policy (U4.4,
the fire department is authorized to do that (U4.4, U4.5, U4.11). U4.5). After inspecting the damage and extinguishing the smoldering
fire a fire fighter resets the fire alarm because only the fire
department is authorized to do that (U4.4, U4.11).
2.4.3. Authorization Problems Summary 2.4.3. Authorization Problems Summary
o U4.1 The building owner and the companies want to be able to add o U4.1 During commissioning, the building owner or the companies add
new devices to their administrative domain (commissioning). new devices to their administrative domain. Access control should
then apply to these devices seamlessly.
o U4.2 The building owner and the companies want to be able to o U4.2 During a handover, the building owner or the companies
integrate a device that formerly belonged to a different integrate devices that formerly belonged to a different
administrative domain to their own administrative domain administrative domain to their own administrative domain. Access
(handover). control of the old domain should then cease to apply, with access
control of the new domain taking over.
o U4.3 The building owner and the companies want to be able to o U4.3 During decommissioning, the building owner or the companies
remove a device from their administrative domain remove devices from their administrative domain. Access control
(decommissioning). should cease to apply to these devices and relevant credentials
need to be erased from the devices.
o U4.4 The building owner and the companies want to be able to o U4.4 The building owner and the companies want to be able to
delegate selected administration tasks for their devices to delegate specific access rights for their devices to others.
others.
o U4.5 The building owner and the companies want to be able to o U4.5 The building owner and the companies want to be able to
define context-based authorization rules. define context-based authorization rules.
o U4.6 The building owner and the companies want to be able to o U4.6 The building owner and the companies want to be able to
revoke granted permissions and delegations. revoke granted permissions and delegations.
o U4.7 The building owner and the companies want to allow authorized o U4.7 The building owner and the companies want to allow authorized
entities to send data to their endpoints (default deny). entities to send data to their endpoints (default deny).
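Review bot: U4.2 (handover) states that access control of the old domain ceases to apply but, unlike the new U4.3, says nothing about the old domain's credentials that remain on the device. Since a handover is effectively decommissioning from one domain followed by commissioning into another, suggest adding the same "relevant credentials need to be erased from the devices" clause to U4.2, or stating that the old credentials are replaced by those of the new domain. The new sentence giving the fire department access "according to an emergency authorization policy (U4.4, U4.5)" correctly ties the narrative to the context-based rules requirement.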
skipping to change at page 15, line 45 skipping to change at page 16, line 5
o U4.9 The companies want to be able to interconnect their own o U4.9 The companies want to be able to interconnect their own
subsystems with those from a different operational domain while subsystems with those from a different operational domain while
keeping the control over the authorizations (e.g. granting and keeping the control over the authorizations (e.g. granting and
revoking permissions) for their endpoints and devices. revoking permissions) for their endpoints and devices.
o U4.10 The authorization mechanisms must be able to cope with o U4.10 The authorization mechanisms must be able to cope with
extremely time-sensitive operations which have to be carried out extremely time-sensitive operations which have to be carried out
in a quick manner. in a quick manner.
o U4.11 The building owner and the public authorities want to be o U4.11 The building owner and the public safety authorities want to
able to be able to perform data origin authentication on messages be able to perform data origin authentication on messages sent and
sent and received by some of the systems in the building. received by some of the systems in the building.
2.5. Smart Metering 2.5. Smart Metering
Automated measuring of customer consumption is an established Automated measuring of customer consumption is an established
technology for electricity, water, and gas providers. Increasingly technology for electricity, water, and gas providers. Increasingly
these systems also feature networking capability to allow for remote these systems also feature networking capability to allow for remote
management. Such systems are in use for commercial, industrial and management. Such systems are in use for commercial, industrial and
residential customers and require a certain level of security, in residential customers and require a certain level of security, in
order to avoid economic loss to the providers, vulnerability of the order to avoid economic loss to the providers, vulnerability of the
distribution system, as well as disruption of services for the distribution system, as well as disruption of services for the
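Review bot: U4.10 is redundant in both columns: "extremely time-sensitive operations which have to be carried out in a quick manner". Suggest "extremely time-sensitive operations that must be carried out quickly". The removal of the doubled "able to be able to" in U4.11 is correct.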
skipping to change at page 16, line 47 skipping to change at page 17, line 7
utility company, they can also be used to shut off the water if the utility company, they can also be used to shut off the water if the
bills are not paid (U5.1, U5.3). The meters do so by sending and bills are not paid (U5.1, U5.3). The meters do so by sending and
receiving data to and from a base station (U5.2). Several base receiving data to and from a base station (U5.2). Several base
stations are installed around the city to collect the metering data. stations are installed around the city to collect the metering data.
However in the denser urban areas, the base stations would have to be However in the denser urban areas, the base stations would have to be
installed very close to the meters. This would require a high number installed very close to the meters. This would require a high number
of base stations and expose this more expensive equipment to of base stations and expose this more expensive equipment to
manipulation or sabotage. The service operator has therefore chosen manipulation or sabotage. The service operator has therefore chosen
another approach, which is to drive around with a mobile base-station another approach, which is to drive around with a mobile base-station
and let the meters connect to that in regular intervals in order to and let the meters connect to that in regular intervals in order to
gather metering data (U5.4, U5.5, U5.7). gather metering data (U5.4, U5.6, U5.8).
2.5.2. Meshed Topology 2.5.2. Meshed Topology
In another deployment, the water meters are installed in a building In another deployment, the water meters are installed in a building
that already has power meters installed, the latter are mains that already has power meters installed, the latter are mains
powered, and are therefore not subject to the same power saving powered, and are therefore not subject to the same power saving
restrictions. The water meters can therefore use the power meters as restrictions. The water meters can therefore use the power meters as
proxies, in order to achieve better connectivity. This requires the proxies, in order to achieve better connectivity. This requires the
security measures on the water meters to work through intermediaries security measures on the water meters to work through intermediaries
(U5.8). (U5.9).
2.5.3. Advanced Metering Infrastructure 2.5.3. Advanced Metering Infrastructure
A utility company is updating its old utility distribution network A utility company is updating its old utility distribution network
with advanced meters and new communication systems, known as an with advanced meters and new communication systems, known as an
Advanced Metering Infrastructure (AMI). AMI refers to a system that Advanced Metering Infrastructure (AMI). AMI refers to a system that
measures, collects and analyzes usage, and interacts with metering measures, collects and analyzes usage, and interacts with metering
devices such as electricity meters, gas meters, heat meters, and devices such as electricity meters, gas meters, heat meters, and
water meters, through various communication media either on request water meters, through various communication media either on request
(on-demand) or on pre-defined schedules. Based on this technology, (on-demand) or on pre-defined schedules. Based on this technology,
new services make it possible for consumers to control their utility new services make it possible for consumers to control their utility
consumption (U5.2, U5.6) and reduce costs by supporting new tariff consumption (U5.2, U5.7) and reduce costs by supporting new tariff
models from utility companies, and more accurate and billing. models from utility companies, and more accurate and timely billing.
However the fine-grained measurement of consumption data may induce However the end-consumers do not want unauthorized persons to gain
privacy concerns for the end-customers, since it may allow others to access to this data. Furthermore, the fine-grained measurement of
create behavioral profiles (U5.9). consumption data may induce privacy concerns, since it may allow
others to create behavioral profiles (U5.5, U5.10).
The technical solution is based on levels of data aggregation between The technical solution is based on levels of data aggregation between
smart meters located at the consumer premises and the Meter Data smart meters located at the consumer premises and the Meter Data
Management (MDM) system located at the utility company (U5.8). For Management (MDM) system located at the utility company (U5.9). For
reasons of efficiency and cost, end-to-end connectivity is not always reasons of efficiency and cost, end-to-end connectivity is not always
feasible, so metering data is stored and aggregated in various feasible, so metering data is stored and aggregated in various
intermediate devices before being forwarded to the utility company, intermediate devices before being forwarded to the utility company,
and in turn accessed by the MDM. The intermediate devices may be and in turn accessed by the MDM. The intermediate devices may be
operated by a third party service operator on behalf of the utility operated by a third party service operator on behalf of the utility
company (U5.6). One responsibility of the service operator is to company (U5.7). One responsibility of the service operator is to
make sure that meter readings are performed and delivered in a make sure that meter readings are performed and delivered in a
regular, timely manner. An example of a Service Level Agreement regular, timely manner. An example of a Service Level Agreement
between the service operator and the utility company is e.g. "at between the service operator and the utility company is e.g. "at
least 95 % of the meters have readings recorded during the last 72 least 95 % of the meters have readings recorded during the last 72
hours". hours".
2.5.4. Authorization Problems Summary 2.5.4. Authorization Problems Summary
o U5.1 Devices are installed in hostile environments where they are o U5.1 Devices are installed in hostile environments where they are
physically accessible by attackers (including dishonest physically accessible by attackers (including dishonest
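Review bot: the 2.5.2 paragraph is a comma splice in both columns: "installed in a building that already has power meters installed, the latter are mains powered, and are therefore not subject to the same power saving restrictions". Suggest a full stop or semicolon after the first "installed". In 2.5.3, "An example of a Service Level Agreement ... is e.g. "at least 95 %" doubles the example marker; drop "e.g.". The renumbered U5.x cross-references in this hunk (U5.4, U5.6, U5.8; U5.9; U5.2, U5.7; U5.5, U5.10; U5.9; U5.7) are consistent with the new list in 2.5.4.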
skipping to change at page 18, line 14 skipping to change at page 18, line 22
o U5.2 The utility company wants to control which entities are o U5.2 The utility company wants to control which entities are
allowed to send data to, and read data from their endpoints. allowed to send data to, and read data from their endpoints.
o U5.3 The utility company wants to ensure the integrity of the data o U5.3 The utility company wants to ensure the integrity of the data
stored on their endpoints. stored on their endpoints.
o U5.4 The utility company wants to protect such data transfers to o U5.4 The utility company wants to protect such data transfers to
and from their endpoints. and from their endpoints.
o U5.5 The devices may have intermittent Internet connectivity but o U5.5 Consumers want to access their own usage information and also
prevent unauthorized access by others.
o U5.6 The devices may have intermittent Internet connectivity but
still need to enact the authorization policies of their still need to enact the authorization policies of their
principals. principals.
o U5.6 Neither the service operator nor the utility company are o U5.7 Neither the service operator nor the utility company are
always present at the time of access and cannot manually intervene always present at the time of access and cannot manually intervene
in the authorization process. in the authorization process.
o U5.7 When authorization policies are updated it is impossible, or o U5.8 When authorization policies are updated it is impossible, or
at least very inefficient to contact all affected endpoints at least very inefficient to contact all affected endpoints
directly. directly.
o U5.8 Authorization and authentication must work even if messages o U5.9 Authorization and authentication must work even if messages
between endpoints are stored and forwarded over multiple nodes. between endpoints are stored and forwarded over multiple nodes.
o U5.9 Consumers may not want the Service Operator, the Utility o U5.10 Consumers may not want the Service Operator, the Utility
company or others to be able to have access to a fine-grained company or others to have access to a fine-grained level of
level of consumption data that allows the creation of behavioral consumption data that allows the creation of behavioral profiles.
profiles.
2.6. Sports and Entertainment 2.6. Sports and Entertainment
In the area of leisure time activities, applications can benefit from In the area of leisure time activities, applications can benefit from
the small size and weight of constrained devices. Sensors and the small size and weight of constrained devices. Sensors and
actuators with various functions can be integrated into fitness actuators with various functions can be integrated into fitness
equipment, games and even clothes. Users can carry their devices equipment, games and even clothes. Users can carry their devices
around with them at all times. around with them at all times.
Usability is especially important in this area since users will often Usability is especially important in this area since users will often
want to spontaneously interconnect their devices with others. want to spontaneously interconnect their devices with others.
Therefore the configuration of access permissions must be simple and Therefore the configuration of access permissions must be simple and
fast and not require much effort at the time of access (preferably fast and not require much effort at the time of access.
none at all).
The required level of security will in most cases be low since Continuously monitoring allows authorized users to create behavioral
security breaches will likely have less severe consequences. The or movement profiles, which corresponds on the devices intended use,
continuous monitoring of data might however enable an attacker to and unauthorized access to the collected data would allow an attacker
create behavioral or movement profiles. Moreover, the aggregation of to create the same profiles.
data can seriously increase the impact on the privacy of the users. Moreover, the aggregation of data can seriously increase the impact
on the privacy of the users.
2.6.1. Dynamically Connecting Smart Sports Equipment 2.6.1. Dynamically Connecting Smart Sports Equipment
Jody is a an enthusiastic runner. To keep track of her training Jody is a an enthusiastic runner. To keep track of her training
progress, she has smart running shoes that measure the pressure at progress, she has smart running shoes that measure the pressure at
various points beneath her feet to count her steps, detect various points beneath her feet to count her steps, detect
irregularities in her stride and help her to improve her posture and irregularities in her stride and help her to improve her posture and
running style. On a sunny afternoon, she goes to the Finnbahn track running style. On a sunny afternoon, she goes to the Finnbahn track
near her home to work out. She meets her friend Lynn who shows her near her home to work out. She meets her friend Lynn who shows her
the smart fitness watch she bought a few days ago. The watch can the smart fitness watch she bought a few days ago. The watch can
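Review bot: the new 2.6 paragraph (right column) has grammar problems that obscure its point: "Continuously monitoring allows authorized users to create behavioral or movement profiles, which corresponds on the devices intended use". Suggest "Continuous monitoring allows authorized users to create behavioral or movement profiles, which corresponds to the devices' intended use; unauthorized access to the collected data would allow an attacker to create the same profiles." Also, "Jody is a an enthusiastic runner" in 2.6.1 has a doubled article in both columns.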
skipping to change at page 20, line 9 skipping to change at page 20, line 22
2.7. Industrial Control Systems 2.7. Industrial Control Systems
Industrial control systems (ICS) and especially supervisory control Industrial control systems (ICS) and especially supervisory control
and data acquisition systems (SCADA) use a multitude of sensors and and data acquisition systems (SCADA) use a multitude of sensors and
actuators in order to monitor and control industrial processes in the actuators in order to monitor and control industrial processes in the
physical world. Example processes include manufacturing, power physical world. Example processes include manufacturing, power
generation, and refining of raw materials. generation, and refining of raw materials.
Since the advent of the Stuxnet worm it has become obvious to the Since the advent of the Stuxnet worm it has become obvious to the
general public how vulnerable this kind of systems are, especially general public how vulnerable these kind of systems are, especially
when connected to the Internet. The severity of these when connected to the Internet. The severity of these
vulnerabilities are exacerbated by the fact that many ICS are used to vulnerabilities are exacerbated by the fact that many ICS are used to
control critical public infrastructure, such as power, water control critical public infrastructure, such as nuclear power, water
treatment of traffic control. Nevertheless the economical advantages treatment of traffic control. Nevertheless the economical advantages
of connecting such systems to the Internet can be significant if of connecting such systems to the Internet can be significant if
appropriate security measures are put in place (U7.5). appropriate security measures are put in place (U7.5).
2.7.1. Oil Platform Control 2.7.1. Oil Platform Control
An oil platform uses an industrial control system to monitor data and An oil platform uses an industrial control system to monitor data and
control equipment. The purpose of this system is to gather and control equipment. The purpose of this system is to gather and
process data from a large number of sensors, and control actuators process data from a large number of sensors, and control actuators
such as valves and switches to steer the oil extraction process on such as valves and switches to steer the oil extraction process on
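Review bot: the wording change "this kind of systems" to "these kind of systems" in 2.7 is still ungrammatical; use "this kind of system" or "these kinds of systems". In the same paragraph both columns have "The severity of these vulnerabilities are exacerbated" (should be "is") and "water treatment of traffic control" (should be "or traffic control").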
skipping to change at page 20, line 41 skipping to change at page 21, line 5
fly in a technician to the platform (U7.3). fly in a technician to the platform (U7.3).
The main interest of the operator is to ensure the integrity of The main interest of the operator is to ensure the integrity of
control messages and sensor readings (U7.1). Access in some cases control messages and sensor readings (U7.1). Access in some cases
needs to be restricted, e.g. the operator wants wireless actuators needs to be restricted, e.g. the operator wants wireless actuators
only to accept commands by authorized control units (U7.2). only to accept commands by authorized control units (U7.2).
The owner of the platform also wants to collect auditing information The owner of the platform also wants to collect auditing information
for liability reasons (U7.1). for liability reasons (U7.1).
Different levels of access apply e.g. for regular operators, vs.
maintenance technician, vs. auditors of the platform (U7.6)
2.7.2. Authorization Problems Summary 2.7.2. Authorization Problems Summary
o U7.1 The operator of the platform wants to ensure the integrity o U7.1 The operator of the platform wants to ensure the integrity
and confidentiality of sensor and actuator data. and confidentiality of sensor and actuator data.
o U7.2 The operator wants to ensure that data coming from sensors o U7.2 The operator wants to ensure that data coming from sensors
and commands sent to actuators are authentic. and commands sent to actuators are authentic.
o U7.3 Some devices do not have direct Internet connection, but o U7.3 Some devices do not have direct Internet connection, but
still need to implement current authorization policies. still need to implement current authorization policies.
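Review bot: the new sentence "Different levels of access apply e.g. for regular operators, vs. maintenance technician, vs. auditors of the platform (U7.6)" lacks a final period and mixes singular and plural; suggest "Different levels of access apply, e.g. for regular operators, maintenance technicians and auditors of the platform (U7.6)." Separately, "The owner of the platform also wants to collect auditing information for liability reasons (U7.1)" cites U7.1, which only covers integrity and confidentiality of sensor and actuator data; none of U7.1 to U7.6 mentions audit information, so either add a problem statement for secure audit logs (as 2.3 does for eHealth) or drop the cross-reference.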
skipping to change at page 21, line 15 skipping to change at page 21, line 29
o U7.4 Devices need to authenticate the controlling units, o U7.4 Devices need to authenticate the controlling units,
especially those using a wireless connection. especially those using a wireless connection.
o U7.5 The execution of unauthorized commands or the failure to o U7.5 The execution of unauthorized commands or the failure to
execute an authorized command in an ICS can lead to significant execute an authorized command in an ICS can lead to significant
financial damage, and threaten the availability of critical financial damage, and threaten the availability of critical
infrastructure services. Accordingly, the operator wants a infrastructure services. Accordingly, the operator wants a
authentication and authorization mechanisms that provide a very authentication and authorization mechanisms that provide a very
high level of security. high level of security.
o U7.6 Different users should have different levels of access to the
control system (e.g. operator vs. auditor).
3. Security Considerations 3. Security Considerations
As the use cases listed in this document demonstrate, constrained As the use cases listed in this document demonstrate, constrained
devices are used in various application areas. The appeal of these devices are used in various environments. These devices are small
devices is that they are small and inexpensive. That makes it easy and inexpensive and this makes it easy to integrate them into many
to integrate them into many aspects of everyday life. Therefore such aspects of everyday life. With access to vast amounts of valuable
devices will see vast amounts of valuable data passing through and data and possibly control of important functions these devices need
might even be in control of important functions. These assets need to be protected from unauthorized access. Protecting seemingly
to be protected from unauthorized access. Even seemingly innocuous innocuous data and functions will lessen the possible effects of
data and functions should be protected due to possible effects of aggregation; attackers collecting data or functions from several
aggregation: By collecting data or functions from several sources, sources can gain insights or a level of control not immediately
attackers might be able to gain insights or a level of control not obvious from each of these sources on its own.
immediately obvious from each of these sources on its own.
Not only the data on the constrained devices themselves is Not only the data on the constrained devices themselves is
threatened, the devices might also be abused as an intrusion point to threatened, the devices might also be abused as an intrusion point to
infiltrate a network. Once an attacker gained control over the infiltrate a network. Once an attacker gains control over the
device, it can be used to attack other devices as well. Due to their device, it can be used to attack other devices as well. Due to their
limited capabilities, constrained devices appear as the weakest link limited capabilities, constrained devices appear as the weakest link
in the network and hence pose an attractive target for attackers. in the network and hence pose an attractive target for attackers.
This section summarizes the security problems highlighted by the use This section summarizes the security problems highlighted by the use
cases above and provides guidelines for the design of protocols for cases above and provides guidelines for the design of protocols for
authentication and authorization in constrained RESTful environments. authentication and authorization in constrained RESTful environments.
3.1. Attacks 3.1. Attacks
This document lists security problems that users of constrained This document lists security problems that users of constrained
devices want to solve. Further analysis of attack scenarios is not devices want to solve. Further analysis of attack scenarios is not
in scope of the document. However, there are attacks that must be in scope of the document. However, there are attacks that must be
considered by solution developers. considered by solution developers.
Because of the expected large number of devices and their ubiquity, Because of the expected large number of devices and their ubiquity,
constrained devices increase the danger from Pervasive Monitoring constrained devices increase the danger from Pervasive Monitoring
[RFC7258] attacks. [RFC7258] attacks.
Attacks aim at altering data in transit (e.g. to perpetrate fraud)
are a problem that is addressed in many web security protocols such
as TLS or IPSec.
Developers need to consider this type of attacks, and make sure that
the protection measures they implement are adapted to the constrained
environment.
As some of the use cases indicate, constrained devices may be As some of the use cases indicate, constrained devices may be
installed in hostile environments where they are physically installed in hostile environments where they are physically
accessible (see Section 2.5). Protection from physical attacks is accessible (see Section 2.5). Protection from physical attacks is
not in the scope of ACE, but should be kept in mind by developers of not in the scope of this document, but should be kept in mind by
authorization solutions. developers of authorization solutions.
Denial of service (DoS) attacks threaten the availability of services Denial of service (DoS) attacks threaten the availability of services
a device provides. E.g., an attacker can induce a device to perform a device provides and constrained devices are especially vulnerable
steps of a heavy weight security protocol (e.g. Datagram Transport to these types of attacks because of their limitations. Attackers
Layer Security (DTLS) [RFC6347]) before authentication and can illicit a temporary or, if the battery is drained, permanent
authorization can be verified, thus exhausting the device's system failure in a service simply by repeatedly flooding the device with
resources. This leads to a temporary or - e.g. if the batteries are connection attempts; for some services (see section Section 2.3),
drained - permanent failure of the service. For some services of availability is especially important.
constrained devices, availability is especially important (see Solution designers must be particularly careful to consider the
Section 2.3). Because of their limitations, constrained devices are following limitations in every part of the authorization solution:
especially vulnerable to denial of service attacks. Solution
designers must be particularly careful to consider these limitations
in every part of the protocol. This includes:
o Battery usage o Battery usage
o Number of message exchanges required by security measures o Number of required message exchanges
o Size of data that is transmitted (e.g. authentication and access o Size of data that is transmitted (e.g. authentication and access
control data) control data)
o Size of code required to run the protocol o Size of code required to run the protocols
o Size of RAM memory and stack required to run the protocol o Size of RAM memory and stack required to run the protocols
o Timers for transaction processing
Another category of attacks that needs to be considered by solution Solution developers also need to consider whether the session should
developers is session interception and hijacking. be protected from information disclosure and tampering.
3.2. Configuration of Access Permissions 3.2. Configuration of Access Permissions
o The access control policies need to be enforced (all use cases): o The access control policies need to be enforced (all use cases):
The information that is needed to implement the access control The information that is needed to implement the access control
policies needs to be provided to the device that enforces the policies needs to be provided to the device that enforces the
authorization and applied to every incoming request. authorization and applied to every incoming request.
o A single resource might have different access rights for different o A single resource might have different access rights for different
requesting entities (all use cases). requesting entities (all use cases).
Rationale: In some cases different types of users need different Rationale: In some cases different types of users need different
access rights, as opposed to a binary approach where the same access rights, as opposed to a binary approach where the same
access permissions are granted to all authenticated users. access permissions are granted to all authenticated users.
o A device might host several resources where each resource has its o A device might host several resources where each resource has its
own access control policy (all use cases). own access control policy (all use cases).
o The device that makes the policy decisions should be able to o The device that makes the policy decisions should be able to
evaluate context-based permissions such as location or time of evaluate context-based permissions such as location or time of
access (see e.g. Section 2.2, Section 2.3, Section 2.4). Access access (see Section 2.2, Section 2.3, Section 2.4). Access may
may depend on local conditions, e.g. access to health data in an depend on local conditions, e.g. access to health data in an
emergency. The device that makes the policy decisions should be emergency. The device that makes the policy decisions should be
able to take such conditions into account. able to take such conditions into account.
3.3. Authorization Considerations 3.3. Authorization Considerations
o Devices need to be enabled to enforce authorization policies o Devices need to be enabled to enforce authorization policies
without human intervention at the time of the access request (see without human intervention at the time of the access request (see
e.g. Section 2.1, Section 2.2, Section 2.4, Section 2.5). Section 2.1, Section 2.2, Section 2.4, Section 2.5).
o Authorization solutions need to consider that constrained devices o Authorization solutions need to consider that constrained devices
might not have internet access at the time of the access request might not have internet access at the time of the access request
(see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6). (see Section 2.1, Section 2.3, Section 2.5, Section 2.6).
o It should be possible to update access control policies without o It should be possible to update access control policies without
manually re-provisioning individual devices (see e.g. Section 2.2, manually re-provisioning individual devices (see Section 2.2,
Section 2.3, Section 2.5, Section 2.6). Section 2.3, Section 2.5, Section 2.6).
Rationale: Peers can change rapidly which makes manual re- Rationale: Peers can change rapidly which makes manual re-
provisioning unreasonably expensive. provisioning unreasonably expensive.
o Authorization policies may be defined to apply to a large number o Authorization policies may be defined to apply to a large number
of devices that might only have intermittent connectivity. of devices that might only have intermittent connectivity.
Distributing policy updates to every device for every update might Distributing policy updates to every device for every update might
not be a feasible solution (see e.g. Section 2.5). not be a feasible solution (see Section 2.5).
o It must be possible to dynamically revoke authorizations (see e.g. o It must be possible to dynamically revoke authorizations (see e.g.
Section 2.4). Section 2.4).
o The authentication and access control protocol can put undue o The authentication and access control protocol can put undue
burden on the constrained system resources of a device burden on the constrained system resources of a device
participating in the protocol. An authorization solutions must participating in the protocol. An authorization solutions must
take the limitations of the constrained devices into account (all take the limitations of the constrained devices into account (all
use cases, see also Section 3.1). use cases, see also Section 3.1).
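Review bot: the rewritten DoS paragraph introduces a typo ("Attackers can illicit a temporary or ... permanent failure" should be "elicit") and a doubled word ("see section Section 2.3"), and it drops the concrete mechanism that made the old text useful: the -06 version explained that an attacker can "induce a device to perform steps of a heavy weight security protocol (e.g. Datagram Transport Layer Security (DTLS) [RFC6347]) before authentication and authorization can be verified", which is why the exchange is asymmetric and why the cost lands on the constrained side; "repeatedly flooding the device with connection attempts" does not say that, and the [RFC6347] citation disappears with it. Suggest keeping a clause such as "e.g. by inducing the device to perform steps of a heavy-weight handshake such as DTLS [RFC6347] before the request can be authorized". Two grammar problems survive in both columns: "the operator wants a authentication and authorization mechanisms that provide a very high level of security" (U7.5; drop "a" or use "mechanism") and "An authorization solutions must take the limitations" (3.3; "An authorization solution must"). Finally, the replacement sentence "Solution developers also need to consider whether the session should be protected from information disclosure and tampering" no longer names session interception and hijacking, which the -06 text called out explicitly; if that removal is intentional it would help to say that tampering protection is what the old TLS/IPSec paragraph was about, since that paragraph was deleted in the same hunk.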
skipping to change at page 24, line 8 skipping to change at page 24, line 31
experience shows that default settings are frequently left experience shows that default settings are frequently left
unchanged by the end users. unchanged by the end users.
o Access to resources on other devices should only be permitted if a o Access to resources on other devices should only be permitted if a
rule exists that explicitly allows this access (default deny) (see rule exists that explicitly allows this access (default deny) (see
e.g. Section 2.4). e.g. Section 2.4).
o Usability is important for all use cases. The configuration of o Usability is important for all use cases. The configuration of
authorization policies as well as the gaining access to devices authorization policies as well as the gaining access to devices
must be simple for the users of the devices. Special care needs must be simple for the users of the devices. Special care needs
to be taken for home scenarios where access control policies have to be taken for scenarios where access control policies have to be
to be configured by users that are typically not trained in configured by users that are typically not trained in security
security (see Section 2.2, Section 2.3, Section 2.6). (see Section 2.2, Section 2.3, Section 2.6).
3.4. Proxies 3.4. Proxies
In some cases, the traffic between endpoints might go through In some cases, the traffic between endpoints might go through
intermediary nodes (e.g. proxies, gateways). This might affect the intermediary nodes (e.g. proxies, gateways). This might affect the
function or the security model of authentication and access control function or the security model of authentication and access control
protocols e.g. end-to-end security between endpoints with DTLS might protocols e.g. end-to-end security between endpoints with DTLS might
not be possible (see Section 2.5). not be possible (see Section 2.5).
4. Privacy Considerations 4. Privacy Considerations
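Review bot: in the usability bullet, "authorization policies as well as the gaining access to devices must be simple" should read "as well as gaining access to devices"; the change from "home scenarios" to "scenarios" is fine, since the cited Sections 2.2, 2.3 and 2.6 already scope the sentence. In 3.4, "protocols e.g. end-to-end security between endpoints with DTLS might not be possible" needs punctuation before "e.g.", and the bullet would be more useful to solution designers if it spelled out the security-model consequence it alludes to: when DTLS terminates at an intermediary, the resource server cannot treat the DTLS peer identity as the identity of the original requester, so any authorization information the protocol relies on has to be bound to the request rather than to the transport session.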