IoT Security in Action
The Success Story of Everyware Device Cloud by Eurotech, secured with DNSSEC and DANE
Andrea Ceiner, Eurotech
Andrew Cathrow, Verisign
IoT Security – Boston, September 2015
Disclaimer
This presentation has been prepared by Eurotech S.p.A. (or “Eurotech”).
The information contained in this presentation does not purport to be comprehensive. Neither Eurotech nor any of its officers, employees, advisers or agents accepts any responsibility for/or makes any representation or warranty, express or implied, as to the truth, fullness, accuracy or completeness of the information in this presentation (or whether any information has been omitted from the presentation) or any other information relating to Eurotech, its subsidiaries or associated companies, whether written, oral or in a visual or electronic form, transmitted or made available.
The distribution of this document in other jurisdictions may be restricted by law, and persons into whose possession this document comes should inform themselves about, and observe, any such restrictions.
No reliance may be placed for any purposes whatsoever on the information contained in this document or any other material discussed during this presentation, or on its completeness, accuracy or fairness.
The information in this document and any other material discussed at this presentation is subject to verification, completion and change.
The information and opinions contained in this document are provided as at the date of the presentation and are subject to change without notice.
Some of the information is still in draft form and will only be finalized.
By attending the presentation you agree to be bound by the foregoing terms.
Trademarks or Registered Trademarks are the property of their respective owners.
Gartner’s Seven Potential IoT Challenges
• 1. Security
• 2. Enterprise
• 3. Consumer Privacy
• 4. Data
• 5. Storage Management
• 6. Server Technologies
• 7. Data Center Network
Enemies Everywhere, Many Reasons …
Reasons:
• Financial
• Business
• Political
• Intangible
Attacker Profiles:
• Hackers
• Crackers / Criminals
• Script Kiddies
• Competitors
• Organizations / Governments
Targets:
• Quality, Performance, Availability
• Reputation
• Know-How, Intellectual Property
• Resources
Anatomy of an IoT Solution
Transforming Bits of Data at the Edge of the Network into Actionable Information in the Business Users’ Hands
(diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application)
Requirements for IoT SECURITY at SCALE
• Efficiently Managed
• Low Cost
• Increased Trust
• Globally Interoperable
M2M / IoT Security – Security Focus Points (Extension with Verisign)
(diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application)
IoT Device Cloud Security
• Authentication
• PKI Management
• Trusted execution environment
• Network security / Firewall
• Access Control
IoT Device Security
• Certified Identity
• Service discovery
• Trusted execution environment
• Network security / Firewall
• Secure Boot
Communication Security
• Authentication
• Encryption
• Man-in-the-middle Protection
• Message Integrity
M2M / IoT Security – Strong Authentication / Trust Anchors / Verification
(diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application, with the Global DNS shown as the trust anchor for all of them)
IoT Security: ineffective implementations – Why use PKI for Device Identification & Authentication?
• API keys as credential
• MAC address as identifier
• Device ID hardcoded on the device or in a configuration file
None of these binds the claimed identity to a secret that only the device holds: an API key is a shared secret copied wholesale from any compromised device or configuration dump, a MAC address is sent in the clear and trivially spoofed, and a hardcoded device ID can be read out of the firmware or file and presented by anything else.
Trusted Authentication – Why PKI based Authentication using DNS?
Public Key Infrastructure (PKI)
• Trusted and well established technology
• But the scale of IoT introduces new problems and amplifies old issues:
  • Manageability at scale
  • Cost of certificates (one per device)
  • Security: revocation and reissuance
  • The “too many CAs” problem
Trusted Authentication – Why PKI based Authentication using DNS?
DNS-based Authentication of Named Entities (DANE): public standard (IETF RFC 6698)
A TLSA record in a DNSSEC-signed zone binds a name to a certificate or public key (or a hash of either); the verifying party matches the certificate presented in the TLS handshake against that record, so the zone’s DNSSEC chain takes the place of a CA as trust anchor, and removing the record revokes the binding.
• Key/certificate management and revocation: effective and easier
• Compatible with IoT scale and costs
• Based on Open Standards and Open Source
• No Lock-in
Authentication & Authorization – Everyware Device Cloud integrated with DNSSEC/DANE
1. Cloud Setup: registering the Broker Services (Provisioning and Messaging) into the Authoritative DNS
2. Gateway (ESF) Setup: first gateway/device initialization by the Manufacturer
3. Shipment: ship the devices towards their final destination
4. Power ON the Device: over-the-air DISCOVERY, PROVISION, A&A
5. Device & Data Management: real-time metrics, events and remote management within a secure always-on session

4. Power ON the Device – over-the-air DISCOVERY, PROVISION, A&A
• Broker Discovery: “WHO IS MY BROKER?”
• Device Provision: “GIVE ME MY CONFIGURATION PLEASE!”
• A&A (Birth): “Here I am, this is my ID … Authenticate me and Authorize me please!”
STEP 1 - Cloud Services Setup: Registering Broker Services onto the Authoritative DNS
1. The Provisioning & Messaging Broker Services register themselves with an HTTPS POST to the Secure DNS provisioning API.
2. The provisioning API publishes the service records into the Authoritative DNS; devices resolve them through a Validating Recursive DNS server.
Broker Service: PROVISIONING
Broker Service: MESSAGING
STEP 2 – M2M Gateway (ESF) Setup: First gateway/device initialization by the Manufacturer
1. The manufacturer logs into the gateway (ESF) over HTTPS + 2FA and configures:
• Network configuration
• Domain Name
• Broker Services (Provisioning; Messaging)
• Validating Recursive DNS Server
• Internal temporary Credentials
2. A Provision Request is created for the device (state: Pending).
STEP 3 - Shipment: Ship Devices to the Customer
Device Manufacturer → Customer
STEP 4 – Power ON the device – 4.1 Broker Services DISCOVERY
Switch ON the Device.
1. HTTPS DISCOVERY (Tiaki): look up the PTR record and the associated SRV and TXT Resource Records within the DNS zone, as a secure DNS query through the Validating Recursive DNS server to the Authoritative DNS.
2. The PTR & SRV records for the Provisioning & Messaging Broker Services are returned.
Broker Service: PROVISIONING
Broker Service: MESSAGING
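The discovery step above, as an added example (not Eurotech, Verisign or Tiaki code). It models the PTR → SRV → TXT resolution the gateway performs, in the shape used by DNS-SD (RFC 6763), against a constructed zone snapshot; the domain names, instance labels, ports and TXT keys are assumptions, and the `ad` flag on each canned response stands in for the Authenticated Data bit a validating recursive resolver sets on DNSSEC-validated answers. The point a practitioner should take from it is the refusal path: an answer that did not validate is not a weaker answer, it is no answer, because a spoofed PTR or SRV would steer the device to an attacker's broker before any TLS check happens.

```python
"""Broker discovery over DNS service records, modelled offline.

Added example, not Eurotech/Verisign/Tiaki code. The zone contents below are
constructed for illustration; names, service labels, ports and TXT keys are
assumptions. Shape follows DNS-SD (RFC 6763): a PTR record under
_<service>._tcp.<domain> names each instance, the instance's SRV record gives
host and port, and its TXT record carries key=value attributes.
"""
from dataclasses import dataclass
from typing import Dict


class DiscoveryError(Exception):
    """Raised when a required answer is missing or not DNSSEC-validated."""


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    attrs: Dict[str, str]


# Constructed zone snapshot (hypothetical domain acme-iot.example). Each entry
# models one DNS response: 'ad' is the resolver's Authenticated Data bit, 'rrs'
# the rdata. SRV rdata is (priority, weight, port, target); TXT is a tuple of
# strings. The unsigned.example entries model a zone without DNSSEC.
ZONE = {
    ("_mqtt._tcp.acme-iot.example", "PTR"): {"ad": True, "rrs": [
        "Provisioning._mqtt._tcp.acme-iot.example",
        "Messaging._mqtt._tcp.acme-iot.example",
    ]},
    ("Provisioning._mqtt._tcp.acme-iot.example", "SRV"): {"ad": True, "rrs": [
        (10, 100, 8883, "provision1.acme-iot.example"),
    ]},
    ("Provisioning._mqtt._tcp.acme-iot.example", "TXT"): {"ad": True, "rrs": [
        ("txtvers=1", "proto=mqtts", "role=provisioning"),
    ]},
    ("Messaging._mqtt._tcp.acme-iot.example", "SRV"): {"ad": True, "rrs": [
        (20, 50, 8883, "broker-backup.acme-iot.example"),
        (10, 100, 8883, "broker1.acme-iot.example"),
    ]},
    ("Messaging._mqtt._tcp.acme-iot.example", "TXT"): {"ad": True, "rrs": [
        ("txtvers=1", "proto=mqtts", "role=messaging"),
    ]},
    ("_mqtt._tcp.unsigned.example", "PTR"): {"ad": False, "rrs": [
        "Messaging._mqtt._tcp.unsigned.example",
    ]},
}


def lookup(zone, name: str, rrtype: str):
    """Stand-in for one query to the validating recursive resolver."""
    resp = zone.get((name, rrtype))
    if resp is None:
        raise DiscoveryError(f"no {rrtype} record for {name}")
    if not resp["ad"]:
        # Unsigned or failed-validation answers are discarded outright: a
        # forged PTR/SRV would otherwise redirect the gateway to a rogue broker.
        raise DiscoveryError(f"{rrtype} answer for {name} not DNSSEC-validated")
    return resp["rrs"]


def parse_txt(strings) -> Dict[str, str]:
    """DNS-SD TXT strings are 'key=value' items; a missing '=' gives an empty value."""
    attrs = {}
    for item in strings:
        key, _, value = item.partition("=")
        attrs[key] = value
    return attrs


def discover(zone, domain: str, service: str = "_mqtt._tcp") -> Dict[str, Endpoint]:
    """Resolve PTR -> SRV/TXT for every broker instance advertised under domain."""
    endpoints: Dict[str, Endpoint] = {}
    for instance in lookup(zone, f"{service}.{domain}", "PTR"):
        srv_rrs = lookup(zone, instance, "SRV")
        txt_rrs = lookup(zone, instance, "TXT")
        # RFC 2782: lowest priority wins; among equals prefer higher weight
        # (deterministic simplification of the weighted random choice).
        _priority, _weight, port, target = min(srv_rrs, key=lambda r: (r[0], -r[1]))
        attrs: Dict[str, str] = {}
        for strings in txt_rrs:
            attrs.update(parse_txt(strings))
        role = attrs.get("role", instance.split(".", 1)[0].lower())
        endpoints[role] = Endpoint(target, port, attrs)
    return endpoints


if __name__ == "__main__":
    for role, ep in discover(ZONE, "acme-iot.example").items():
        print(f"{role:13s} -> {ep.host}:{ep.port} {ep.attrs}")
```

Discovery only tells the device where to connect; which broker it is actually talking to is settled later by the TLS handshake and the certificate checks in the following steps, so a validated SRV answer plus a DANE-verified server certificate are the pair that closes the man-in-the-middle gap, and neither alone does.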
STEP 4 – Power ON the device – 4.2 Device Provision
1. MQTTS: the device CONNECTs to the Provisioning Broker with its INTERNAL (temporary) credentials.
2. Internal Authentication & Processing: the request is processed only if there is a Pending Provision Request for that Device.
3. HTTPS: the broker GETs the DEV ID (CN) assigned to the device.
4. MQTTS: the DEV ID (CN) is delivered to the device.
5. The device generates a self-signed certificate (with the DEV ID as CN) and publishes it to the Cloud.
6. HTTPS: the Cloud propagates the self-signed certificate to the Authoritative DNS through the Secure DNS provisioning API (served to clients via the Validating Recursive DNS).
STEP 4 – Power ON the device – 4.3 Device Authentication & Authorization (BIRTH event)
1. MQTTS: the device publishes its BIRTH over TLS, presenting its self-signed certificate.
2. The broker verifies the presented certificate with secure DNS queries (Validating Recursive DNS → Authoritative DNS) and an HTTPS get-authentication call.
3. Authorize the Device.
STEP 5 – Device & Data Management: MQTT+SSL bidirectional messages over the TLS Session
• MQTTS: the device publishes device events and data metrics.
• MQTTS: the cloud publishes SW Updates, Device Commands, Device Configuration, …
• Always-on session
STEP 4 – Power ON the device – 4.4 Device Revoke
1. HTTPS: DISABLE Device.
2. mailto/twitter/sms: NOTIFY.
3. HTTPS: remove the Certificate & propagate NOT Authenticated through the Secure DNS provisioning API (Authoritative DNS, Validating Recursive DNS).
4. Block messages from the device.
5. Unauthenticated Device: the broker’s secure DNS queries no longer return a record that matches the device’s certificate, so it can no longer authenticate.
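Steps 4.2, 4.3 and 4.4 together, as an added example (not Eurotech, Verisign or Tiaki code): the pending-request gate that protects provisioning, the TLSA record (RFC 6698) that binds the device's self-signed certificate to its name, the BIRTH-time match, and revocation by removing the record. The owner-name convention `<devid>._device.<domain>`, the `DeviceCloud` class, the in-memory zone that stands in for the Secure DNS provisioning API plus authoritative zone, and the byte strings that stand in for DER-encoded certificates are all assumptions; the TLSA field values are the real ones (usage 3 DANE-EE, selector 0 full certificate, matching type 1 SHA-256).

```python
"""Device identity bound to DNS with TLSA records (RFC 6698), modelled offline.

Added example, not Eurotech, Verisign or Tiaki code. Constructed/assumed: the
owner-name convention '<devid>._device.<domain>', the DeviceCloud class, the
in-memory zone standing in for the Secure DNS provisioning API, and the byte
strings standing in for DER certificates.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set

# TLSA field values (RFC 6698 section 2.1)
DANE_EE = 3          # usage: domain-issued (self-signed) end-entity certificate
SEL_FULL_CERT = 0    # selector: match the whole certificate
MATCH_EXACT = 0      # matching type: full data
MATCH_SHA256 = 1     # matching type: SHA-256 of the selected data
MATCH_SHA512 = 2     # matching type: SHA-512 of the selected data


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: str  # hex, as in zone-file presentation format

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data}"


def tlsa_for_cert(cert_der: bytes) -> TLSA:
    """Record published at provisioning: '3 0 1 <sha256(cert)>'."""
    return TLSA(DANE_EE, SEL_FULL_CERT, MATCH_SHA256, hashlib.sha256(cert_der).hexdigest())


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Compare the certificate presented in the TLS handshake to the record."""
    if record.usage != DANE_EE or record.selector != SEL_FULL_CERT:
        return False  # only the DANE-EE / full-certificate profile is handled here
    if record.matching == MATCH_SHA256:
        observed = hashlib.sha256(cert_der).hexdigest()
    elif record.matching == MATCH_SHA512:
        observed = hashlib.sha512(cert_der).hexdigest()
    elif record.matching == MATCH_EXACT:
        observed = cert_der.hex()
    else:
        return False  # unknown matching type is unusable, never a pass
    return hmac.compare_digest(observed, record.data.lower())


def tlsa_name(devid: str, domain: str) -> str:
    return f"{devid}._device.{domain}"  # assumed naming convention


class DeviceCloud:
    """Cloud/broker side: provision requests (Step 2), provisioning (4.2),
    BIRTH authentication (4.3) and revocation (4.4)."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.pending: Dict[str, str] = {}   # devid -> internal temporary credential
        self.zone: Dict[str, TLSA] = {}     # stands in for the DNSSEC-signed zone
        self.blocked: Set[str] = set()

    def create_provision_request(self, devid: str, internal_credential: str) -> None:
        self.pending[devid] = internal_credential

    def provision(self, devid: str, internal_credential: str, cert_der: bytes) -> bool:
        """Accept the self-signed certificate only against a pending request
        with the matching internal credential; the request is consumed."""
        expected = self.pending.get(devid)
        if expected is None or not hmac.compare_digest(expected, internal_credential):
            return False
        del self.pending[devid]
        self.zone[tlsa_name(devid, self.domain)] = tlsa_for_cert(cert_der)
        return True

    def authenticate(self, devid: str, presented_cert_der: bytes) -> bool:
        """BIRTH: fetch the TLSA record (in production a DNSSEC-validated
        query via the validating resolver) and match the presented cert."""
        if devid in self.blocked:
            return False
        record = self.zone.get(tlsa_name(devid, self.domain))
        return record is not None and tlsa_matches(record, presented_cert_der)

    def revoke(self, devid: str) -> None:
        """Remove the TLSA record and block the device at the broker."""
        self.zone.pop(tlsa_name(devid, self.domain), None)
        self.blocked.add(devid)


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
GW_CERT = b"constructed-DER:CN=gw-0001:key=A"
IMPOSTER_CERT = b"constructed-DER:CN=gw-0001:key=B"   # same CN, different key


def run_lifecycle() -> Dict[str, bool]:
    cloud = DeviceCloud("acme-iot.example")
    cloud.create_provision_request("gw-0001", "tmp-7f3a")                 # Step 2
    out = {
        "wrong_internal_cred": cloud.provision("gw-0001", "guess", GW_CERT),
        "provisioned": cloud.provision("gw-0001", "tmp-7f3a", GW_CERT),  # Step 4.2
        "replay_rejected": cloud.provision("gw-0001", "tmp-7f3a", GW_CERT),
        "birth_ok": cloud.authenticate("gw-0001", GW_CERT),              # Step 4.3
        "imposter_rejected": cloud.authenticate("gw-0001", IMPOSTER_CERT),
    }
    cloud.revoke("gw-0001")                                              # Step 4.4
    out["after_revoke"] = cloud.authenticate("gw-0001", GW_CERT)
    return out


if __name__ == "__main__":
    for name, result in run_lifecycle().items():
        print(f"{name:20s} {result}")
```

Three caveats a deployment has to respect. The TLSA match only binds the presented certificate to the name; proof that the device holds the matching private key comes from the TLS handshake, so the broker must complete the handshake with that certificate rather than accept it out of band. Because the certificate is self-signed, the DNSSEC chain is the entire trust anchor: the broker must query through a validating resolver and treat an answer without the AD bit as a failure, exactly as for discovery. And revocation by record removal is only as fast as DNS caching allows, since resolvers keep the old record until its TTL expires; the broker-side block in step 4 of 4.4 is what makes revocation immediate.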
M2M / IoT Security – A Holistic Approach is required…
The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. That’s why we make M2M/IoT communications SECURE and RELIABLE over INSECURE and UNRELIABLE NETWORKS & MALICIOUS environments.
(diagram: the layers to be secured end to end)
• Sensors & Device Hardware
• Device Firmware / Application
• M2M Communication Infrastructure
• Business Application
• Business Application Integration
Thank You