IoT Security in Action - Boston Sept 2015

Page 1: IoT Security in Action - Boston Sept 2015

IoT Security in Action
The Success Story of Everyware Device Cloud by Eurotech, secured with DNSSEC and DANE

Andrea Ceiner, Eurotech
Andrew Cathrow, Verisign

IoT Security – Boston, September 2015

Page 2

Disclaimer

This presentation has been prepared by Eurotech S.p.A. (or “Eurotech”).

The information contained in this presentation does not purport to be comprehensive. Neither Eurotech nor any of its officers, employees, advisers or agents accepts any responsibility for, or makes any representation or warranty, express or implied, as to the truth, fullness, accuracy or completeness of the information in this presentation (or whether any information has been omitted from the presentation) or any other information relating to Eurotech, its subsidiaries or associated companies, whether written, oral or in a visual or electronic form, transmitted or made available.

The distribution of this document in other jurisdictions may be restricted by law, and persons into whose possession this document comes should inform themselves about, and observe, any such restrictions.

No reliance may be placed for any purposes whatsoever on the information contained in this document or any other material discussed during this presentation, or on its completeness, accuracy or fairness.

The information in this document and any other material discussed at this presentation is subject to verification, completion and change.

The information and opinions contained in this document are provided as at the date of the presentation and are subject to change without notice.

Some of the information is still in draft form and will only be finalized.

By attending the presentation you agree to be bound by the foregoing terms.

Trademarks or Registered Trademarks are the property of their respective owners.

Page 3

Gartner’s Seven Potential IoT Challenges

• 1. Security
• 2. Enterprise
• 3. Consumer Privacy
• 4. Data
• 5. Storage Management
• 6. Server Technologies
• 7. Data Center Network

Page 4

Enemies Everywhere, Many Reasons …

Reasons:
• Financial
• Business
• Political
• Intangible

Attacker Profiles:
• Hackers
• Crackers / Criminals
• Script Kiddies
• Competitors
• Organizations / Governments

Targets:
• Quality, Performance, Availability
• Reputation
• Know-How, Intellectual Property
• Resources

Page 5

Anatomy of an IoT Solution
Transforming Bits of Data at the Edge of the Network into Actionable Information in the Business Users’ Hands

Diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application

Page 6

Requirements for IoT SECURITY at SCALE

• Efficiently Managed
• Low Cost
• Increased Trust
• Globally Interoperable

Page 7

M2M / IoT Security
Security Focus Points – Extension with Verisign

Diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application

IoT Device Cloud Security
• Authentication
• PKI Management
• Trusted execution environment
• Network security / Firewall
• Access Control

IoT Device Security
• Certified Identity
• Service discovery
• Trusted execution environment
• Network security / Firewall
• Secure Boot

Communication Security
• Authentication
• Encryption
• Man-in-the-middle Protection
• Message Integrity

Page 8

M2M / IoT Security
Strong Authentication / Trust Anchors / Verification

Diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application; Global DNS

Page 9

IoT Security: ineffective implementation
Why use PKI for Device Identification & Authentication

Ineffective approaches:
• API keys as credential
• MAC address as identifier
• Device ID hardcoded on device or configuration file

Page 10

Trusted Authentication
Why PKI based Authentication using DNS?

Public Key Infrastructure (PKI)
• Trusted and well established technology
• But the scale of IoT introduces new problems and amplifies old issues:
  • Manageability at scale
  • Cost of Certificates ($$$$$$)
  • Security: Revocation and reissuance
  • “Too many CAs” problem

Page 11

Trusted Authentication
Why PKI based Authentication using DNS?

• DNS-based Authentication of Named Entities (DANE): public standard (IETF RFC 6698)
• Key/certificate management and revocation: effective and easier
• Compatible with IoT scale and costs
• Based on Open Standards and Open Source
• No Lock-in

Page 12

Authentication & Authorization
Everyware Device Cloud integrated with DNSSEC/DANE

1. Cloud Setup: registering Broker Services (Provisioning and Messaging) into the Authoritative DNS
2. Gateway (ESF) Setup: first gateway/device initialization by the Manufacturer
3. Shipment: ship the Devices towards their final destination
4. Power ON the Device: over-the-air DISCOVERY, PROVISION, A&A
5. Device & Data Management: realtime metrics, events and remote management within a secure always-on session

Page 13

4. Power ON the Device
Over-the-air DISCOVERY, PROVISION, A&A

Broker Discovery: “WHO IS MY BROKER?”
Device Provision: “GIVE ME MY CONFIGURATION PLEASE!”
A&A (Birth): “Here I am, this is my ID … Authenticate me and Authorize me please!”

Page 14

STEP 1 - Cloud Services Setup
Registering Broker Services onto Authoritative DNS

Diagram elements (numbered 1–2 on the slide):
• Provisioning & Messaging Broker Services → HTTPS POST → Secure DNS provisioning API (Authoritative DNS; Validating Recursive DNS)
• Broker Service: PROVISIONING
• Broker Service: MESSAGING

Page 15

STEP 2 – M2M Gateway (ESF) Setup
First gateway/device initialization by Manufacturer

Diagram elements (numbered 1–2 on the slide):
• HTTPS + 2FA login
• Gateway (ESF) Setup:
  • Network configuration
  • Domain Name
  • Broker Services (Provisioning; Messaging)
  • Validating Recursive DNS Server
  • Internal temporary Credentials
• Create a Provision Request (Pending)

Page 16

STEP 3 - Shipment
Ship Devices to Customer

Diagram: Device: Manufacturer → Customer

Page 17

STEP 4 – Power ON the device
4.1 Broker Services DISCOVERY

Diagram elements:
• Switch ON the Device
• Tiaki
• (1) HTTPS: DISCOVERY (lookup PTR and associated SRV and TXT Resource Records within a DNS zone) – Secure DNS Query (Authoritative DNS; Validating Recursive DNS)
• (2) PTR & SRV for Provisioning & Messaging Broker Services
• Broker Service: PROVISIONING
• Broker Service: MESSAGING
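The PTR → SRV → TXT lookup of step 4.1, as an added example that is not part of the slides or of Eurotech's or Verisign's code: the zone contents, the service name `_mqtts._tcp.iot.example.net.` and the broker host names are constructed, and DNSSEC validation is assumed to happen in the validating recursive resolver the slide mentions (a failed validation would come back as no answer).

```python
# Constructed zone standing in for answers from the validating recursive
# resolver; names, hosts and ports are placeholders, not real Eurotech records.
ZONE = {
    ("_mqtts._tcp.iot.example.net.", "PTR"): [
        "provisioning._mqtts._tcp.iot.example.net.",
        "messaging._mqtts._tcp.iot.example.net.",
    ],
    # SRV rdata as (priority, weight, port, target)
    ("provisioning._mqtts._tcp.iot.example.net.", "SRV"): [
        (10, 5, 8883, "prov-broker.iot.example.net.")],
    ("provisioning._mqtts._tcp.iot.example.net.", "TXT"): ["role=provisioning", "ver=1"],
    ("messaging._mqtts._tcp.iot.example.net.", "SRV"): [
        (20, 0, 8883, "msg-broker-backup.iot.example.net."),
        (10, 5, 8883, "msg-broker.iot.example.net.")],
    ("messaging._mqtts._tcp.iot.example.net.", "TXT"): ["role=messaging"],
}


def query(zone, name, rtype):
    """Return the RRset for (name, rtype), or [] if absent. A DNSSEC failure
    would surface from the validating resolver as SERVFAIL, i.e. no answer."""
    return zone.get((name, rtype), [])


def parse_txt(strings):
    """DNS-SD TXT strings are key=value pairs; a bare key maps to None."""
    attrs = {}
    for s in strings:
        key, sep, value = s.partition("=")
        attrs[key] = value if sep else None
    return attrs


def discover_brokers(zone, service):
    """PTR -> SRV -> TXT: map each broker role to its (host, port) candidates,
    ordered by SRV priority (lowest first) then weight (highest first)."""
    brokers = {}
    for instance in query(zone, service, "PTR"):
        srv = sorted(query(zone, instance, "SRV"), key=lambda r: (r[0], -r[1]))
        if not srv:
            continue  # PTR without SRV is unusable; skip rather than guess a host
        role = parse_txt(query(zone, instance, "TXT")).get("role") or instance.split(".")[0]
        brokers[role] = [(target, port) for _, _, port, target in srv]
    return brokers


if __name__ == "__main__":
    for role, endpoints in discover_brokers(ZONE, "_mqtts._tcp.iot.example.net.").items():
        print(role, endpoints)
```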

Page 18

STEP 4 – Power ON the device
4.2 Device Provision

Diagram elements (numbered 1–6 on the slide):
• MQTTS: CONNECT with INTERNAL credentials
• Internal Authentication & Processing only if there is a Pending Provision Request for that Device
• Provision Request Pending
• (4) MQTTS: DEV ID (CN)
• HTTPS: GET DEV ID (CN)
• Generates Certificate (with DEV ID CN) & Publish it to Cloud
• HTTPS: Propagate Self-signed Certificate – Secure DNS provisioning API (Authoritative DNS; Validating Recursive DNS)

Page 19

STEP 4 – Power ON the device
4.3 Device Authentication & Authorization (BIRTH event)

Diagram elements (numbered 1–3 on the slide):
• MQTTS: publish TLS + Self-Signed Certificate
• Secure DNS Queries (Authoritative DNS; Validating Recursive DNS)
• HTTPS get authentication
• Authorize the Device

Page 20

STEP 5 – Device & Data Management
MQTT+SSL bidirectional messages over TLS Session

• MQTTS: publish device events and data-metrics
• MQTTS: publish SW Updates, Device Commands, Device Configuration, …
• Always-on session

Page 21

STEP 4 – Power ON the device
4.4 Device Revoke

Diagram elements (numbered 1–5 on the slide):
• HTTPS: DISABLE Device
• HTTPS Remove Certificate & Propagate NOT Authenticated – Secure DNS provisioning API (Authoritative DNS; Validating Recursive DNS)
• Secure DNS Queries
• Block messages from device
• mailto/twitter/sms: NOTIFY Unauthenticated Device
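An added example (not Eurotech's or Verisign's code) of what steps 4.2, 4.3 and 4.4 amount to in DANE terms: the cloud turns the device's self-signed certificate into a TLSA record (RFC 6698, certificate usage 3 DANE-EE, selector 0 full certificate), the broker matches the certificate presented at BIRTH against that record, and revocation is removing the record. The TLSA owner name `_8883._tcp.<dev-id>.<zone>` and the certificate bytes are assumptions; a real deployment hashes the DER of an actual certificate.

```python
import hashlib
import hmac

DANE_EE, FULL_CERT = 3, 0                    # RFC 6698 usage 3, selector 0
DIGESTS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # matching types

def tlsa_owner(dev_id, zone):
    """Assumed owner name for the device's TLSA record (MQTTS port 8883)."""
    return f"_8883._tcp.{dev_id}.{zone}"

def make_tlsa(cert_der, matching=1):
    """TLSA rdata: (usage, selector, matching type, association data)."""
    digest = DIGESTS[matching]
    data = cert_der if digest is None else digest(cert_der).digest()
    return (DANE_EE, FULL_CERT, matching, data)

def publish(dns, dev_id, zone, cert_der):
    """Step 4.2: the cloud propagates the self-signed certificate into DNS."""
    dns.setdefault(tlsa_owner(dev_id, zone), []).append(make_tlsa(cert_der))

def revoke(dns, dev_id, zone):
    """Step 4.4: removing the TLSA record is the revocation; no CRL or OCSP."""
    dns.pop(tlsa_owner(dev_id, zone), None)

def authenticate(dns, dev_id, zone, presented_der):
    """Step 4.3 broker check: the certificate presented over TLS at BIRTH must
    match at least one TLSA record. No record, or no match, means NOT
    authenticated, so a revoked or never-provisioned device fails here."""
    for usage, selector, matching, data in dns.get(tlsa_owner(dev_id, zone), []):
        if usage != DANE_EE or selector != FULL_CERT:
            continue  # this example only implements "3 0 x" records
        digest = DIGESTS[matching]
        candidate = presented_der if digest is None else digest(presented_der).digest()
        if hmac.compare_digest(candidate, data):
            return True
    return False

def birth_revoke_cycle():
    """Walk one device through provision, BIRTH, a wrong certificate and revoke."""
    dns, cert = {}, b"constructed-DER-bytes-for-gw-0001"  # placeholder, not real DER
    publish(dns, "gw-0001", "iot.example.net", cert)
    ok = authenticate(dns, "gw-0001", "iot.example.net", cert)
    wrong = authenticate(dns, "gw-0001", "iot.example.net", b"some-other-cert")
    revoke(dns, "gw-0001", "iot.example.net")
    after = authenticate(dns, "gw-0001", "iot.example.net", cert)
    return ok, wrong, after  # (True, False, False)
```

Because the broker answers the BIRTH check from DNS, the "Block messages from device" step of 4.4 follows from the removed record alone, provided the broker queries through a validating resolver so a forged answer cannot reinstate the device.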

Page 22

M2M / IoT Security
Holistic Approach is required…

The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. That’s why we make M2M/IoT communications SECURE and RELIABLE over INSECURE and UNRELIABLE NETWORKS & MALICIOUS environment.

Diagram layers:
• M2M Communication Infrastructure
• Device Firmware / Application
• Business Application
• Sensors & Device Hardware
• Business Application Integration

Page 23

Thank You

