Internet DRAFT - draft-hao-physical-layer-fingerprint-interface
draft-hao-physical-layer-fingerprint-interface
Southeast University, Upsec Inc. H. Fang
Internet-Draft Upsec Inc.
Intended status: Standards Track H. Fu
Expires: 14 October 2022 Southeast University
L. Jin
Upsec Inc.
Y. Jiang
A. Hu
Southeast University
12 April 2022
Interface specification for physical layer fingerprint access
authentication framework of IoT devices
draft-hao-physical-layer-fingerprint-interface-00
Abstract
This document describes an access authentication framework for Internet
of Things (IoT) devices based on physical layer fingerprints and
specifies the interface functions of that framework. It applies to the
construction and management of secure access at the edge of the IoT.
This document assumes that the reader is familiar with the concepts of
the physical layer fingerprint technique.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 14 October 2022.
Fang, et al. Expires 14 October 2022 [Page 1]
Internet-Draft RFF ACCESS April 2022
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Objectives of physical layer fingerprint access authentication
framework . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Functional objectives . . . . . . . . . . . . . . . . . . 4
3.2. Non-functional objectives . . . . . . . . . . . . . . . . 4
4. Physical layer fingerprint access authentication framework . 5
4.1. Structure of the Physical layer fingerprint access
authentication framework . . . . . . . . . . . . . . . . 5
4.2. Interface functions for physical layer fingerprint access
authentication . . . . . . . . . . . . . . . . . . . . . 6
4.2.1. Full whitelist request . . . . . . . . . . . . . . . 6
4.2.2. Incremental whitelist request . . . . . . . . . . . . 6
4.2.3. Blacklisting . . . . . . . . . . . . . . . . . . . . 7
4.2.4. Unblacklisting . . . . . . . . . . . . . . . . . . . 7
5. Interface Specification . . . . . . . . . . . . . . . . . . . 7
5.1. Full whitelist request interface . . . . . . . . . . . . 7
5.2. Incremental whitelist request interface . . . . . . . . . 8
5.3. Blacklisting interface . . . . . . . . . . . . . . . . . 8
5.4. Unblacklisting interface . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
Device authentication is important for the security of the Internet of
Things (IoT). The classical device authentication techniques are based
on the MAC address, a preshared key or a digital certificate
[I-D.linning-authentication-physical-layer]. However, a MAC address
can be spoofed, and as the IoT becomes more diverse and pervasive,
provisioning and managing pre-shared keys and digital certificates
becomes increasingly complex.
The physical layer fingerprint is a promising technique for IoT device
authentication [Ref_1]. It extracts the inherent physical layer
features of a device from the received signal. These features have
been shown to be unique and persistent, and hence can be used for
device authentication.
Because physical layer fingerprint access authentication requires only
the signal received from the IoT device, a suitable access
authentication framework needs to be defined. Such a framework has
been proposed in [I-D.dawei-access-authentication-physical-layer],
covering the basic functions of the framework and the specification of
the fingerprint expression and control messages. This document, based
on the same access authentication model, states the objectives of the
access authentication framework and specifies its interfaces, to ensure
the effectiveness of the framework and to facilitate its integration
with existing IoT networks.
2. Glossary
IoT Device Access Gateway
A device that provides network connection, control and management,
deployed at the boundary between the perception layer and the network
layer of the IoT. It realizes the communication between the IoT
devices and the network layer.
Physical layer fingerprint authentication device
A device that performs fingerprint training, identification and
authentication of IoT devices.
3. Objectives of physical layer fingerprint access authentication
framework
3.1. Functional objectives
The physical layer fingerprint access authentication framework should
achieve the following functional objectives:
a) The physical layer fingerprint access authentication framework
shall be independent of the application system, to help establish a
trust relationship between the application system and IoT devices and
provide prerequisites for further determining whether the IoT devices
can access the main network of the application system.
b) The physical layer fingerprint access authentication framework
should be independent of the specific physical layer communication
protocols of IoT devices, and should be able to support any physical
layer communication protocol.
c) The physical layer fingerprint access authentication framework
should preserve the accuracy of the physical layer fingerprint
extraction and identification mechanism in use.
d) The interfaces defined by the physical layer fingerprint access
authentication framework should not require the IoT device access
gateway of the original application system to supply additional
physical layer configuration parameters.
3.2. Non-functional objectives
The physical layer fingerprint access authentication framework should
achieve the following non-functional objectives:
a) The physical layer fingerprint access authentication framework
does not mandate a specific physical layer fingerprint extraction and
identification mechanism.
b) The interfaces defined by the physical layer fingerprint access
authentication framework do not mandate a specific interface access
authentication mechanism; however, to avoid abuse of the defined
interfaces, the necessary security authentication shall exist between
the physical layer fingerprint authentication device and the IoT
device access gateway of the application system.
c) The physical layer fingerprint access authentication framework is
independent of the specific operating system or platform, but the
implementation of the physical layer fingerprint access
authentication device may be relevant to a specific operating system
or platform.
d) The interfaces defined by the physical layer fingerprint access
authentication framework should enable integration with legacy
systems.
4. Physical layer fingerprint access authentication framework
4.1. Structure of the Physical layer fingerprint access authentication
framework
The structure of the physical layer fingerprint access authentication
framework is shown in Fig. 1. The physical layer fingerprint access
authentication is composed of two parts: the physical layer
fingerprint authentication device and the IoT device access gateway.
The physical layer fingerprint authentication device adopts a
distributed architecture and can simultaneously serve multiple IoT
device access gateways.
+----------------+ +----------------+ +------------+
| | | IoT device | | |
| IoT device | <----> | access gateway | <----> | Intranet |
|(Claiming party)| | (Relying party)| | |
| | | | | |
+----------------+ +----------------+ +------------+
^ ^
| | -Full whitelist request
| | -Incremental whitelist request
| | -Blacklisting
| | -Unblacklisting
| v
| +------------------------------+
+-----> | |
| Physical layer fingerprint |
| authentication device |
| (Verifier) |
| |
+------------------------------+
Figure 1: Structure of the physical layer fingerprint access
authentication framework
The main function of the physical layer fingerprint authentication
device is to extract and authenticate the fingerprint of the IoT device
through some identity authentication mechanism, and to submit the
authentication result in the form of an assertion to the IoT device
access gateway. The physical layer fingerprint authentication device
does not restrict the identity authentication mechanism; it only
provides a unified interface, and the authentication interaction with
the IoT device is carried out by the implementation of each
authentication mechanism itself. The physical layer fingerprint
authentication device corresponds to the verifier in the
authentication model of
[I-D.dawei-access-authentication-physical-layer].
The IoT device access gateway interacts with the physical layer
fingerprint authentication device to assist in the authentication
process of the IoT device accessing the main network of the
application system. The IoT device access gateway and the
application system together correspond to the relying party in the
authentication model of
[I-D.dawei-access-authentication-physical-layer].
The communication between the IoT device access gateway and the
physical layer fingerprint authentication device is by default
protected by a trusted channel. If the application system and the
physical layer fingerprint authentication device are integrated in one
system, i.e., the verifier and the relying party are a single entity,
this trusted channel is the internal data path of that system. If the
application system and the physical layer fingerprint authentication
device are located in different systems and communicate remotely, this
trusted channel is an encrypted channel between them.
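The following Python model is added here as an example; it is not part of this draft and not the authors' implementation. It shows one way to provide the interface authentication that Section 3.2 (b) requires over the trusted channel when the two devices are remote. The draft fixes no mechanism, so the HMAC-SHA256 envelope, the canonical JSON encoding, the per-direction shared key and the sequence-number replay check are all assumptions, as is the protocol version value. Encryption of the channel itself is not provided here and would come from TLS or similar. The point the model makes is that a replayed unblacklisting message would re-admit a device the verifier has since found illegal, so the receiver has to reject stale sequence numbers as well as bad tags.

```python
"""Authenticated, replay-protected envelope for the verifier <-> gateway channel.

Added example, not part of the draft.  Mechanism (HMAC-SHA256 over canonical
JSON, per-direction shared key, monotonically increasing sequence number) is
an assumption; the draft only requires that authentication exist.
"""
import hashlib
import hmac
import json

PROTOCOL_VERSION = "1"  # assumed value; the draft only requires a version field


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so both ends MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Sender:
    """Sealing side of one direction of the channel (e.g. verifier -> gateway)."""

    def __init__(self, key: bytes, gateway_id: str):
        self.key, self.gateway_id, self.seq = key, gateway_id, 0

    def seal(self, msg_type: str, fields: dict) -> dict:
        self.seq += 1  # never reused within the lifetime of the key
        body = {
            "protocol_version": PROTOCOL_VERSION,  # Section 5 request a)
            "gateway_id": self.gateway_id,         # Section 5 request b)
            "type": msg_type,
            "seq": self.seq,
            **fields,
        }
        tag = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": tag}


class Receiver:
    """Opening side of the same direction; shares the key with the Sender."""

    def __init__(self, key: bytes, gateway_id: str):
        self.key, self.gateway_id, self.last_seq = key, gateway_id, 0

    def open(self, envelope: dict) -> dict:
        body = envelope["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare of the tag before trusting anything in the body.
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            raise ValueError("authentication tag mismatch")
        if (body.get("protocol_version") != PROTOCOL_VERSION
                or body.get("gateway_id") != self.gateway_id):
            raise ValueError("protocol version or gateway identifier mismatch")
        # A stale or repeated sequence number means a replayed message; for an
        # unblacklisting message that would silently re-admit the device.
        if body["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order message rejected")
        self.last_seq = body["seq"]
        return body


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    sender, receiver = Sender(key, "gw-1"), Receiver(key, "gw-1")
    env = sender.seal("unblacklisting", {"device": {"mac": "02:00:00:00:00:01"},
                                         "auth_result": "legal"})
    print(receiver.open(env)["type"])
    try:
        receiver.open(env)  # same envelope again
    except ValueError as err:
        print("second delivery rejected:", err)
```

Each direction of the channel gets its own key and its own counter, so a gateway response can never be mistaken for a verifier request. If the two endpoints can lose state (reboot), the counter has to be persisted or re-established, otherwise the receiver will reject every message after the sender restarts from zero.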
4.2. Interface functions for physical layer fingerprint access
authentication
4.2.1. Full whitelist request
The physical layer fingerprint authentication device requests the
full whitelist of IoT devices from the IoT device access gateway
through this interface. Based on the full whitelist, the physical
layer fingerprint authentication device performs fingerprint
extraction and authentication for all whitelisted devices.
4.2.2. Incremental whitelist request
The physical layer fingerprint authentication device requests the
incremental whitelist (the IoT devices added to the whitelist since
the previous request) from the IoT device access gateway through this
interface, and based on the incremental whitelist performs fingerprint
extraction and authentication for the newly added whitelisted devices.
4.2.3. Blacklisting
When the physical layer fingerprint authentication device identifies
that the status of a whitelisted device has changed from legal to
illegal, it submits this authentication result to the IoT device
access gateway, which adds the device to the blacklist and intercepts
its traffic.
4.2.4. Unblacklisting
When the physical layer fingerprint authentication device identifies
that the status of a whitelisted device has changed from illegal to
legal, it submits this authentication result to the IoT device access
gateway, which removes the device from the interception blacklist.
5. Interface Specification
5.1. Full whitelist request interface
This interface carries the following request and response fields:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint
authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
Responses:
a) Full whitelist
The complete set of whitelisted IoT devices configured on the IoT
device access gateway, generally including the device MAC address, IP
address, etc.
b) Policy expiration time
The policy expiration time specifies the validity period of the
whitelist; the physical layer fingerprint authentication device
identifies and authenticates the currently whitelisted devices within
this period.
5.2. Incremental whitelist request interface
This interface carries the following request and response fields:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint
authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
Responses:
a) Incremental whitelist
The IoT devices added to the whitelist configured on the IoT device
access gateway since the previous request, generally including the
device MAC address, IP address, etc.
b) Policy expiration time
The policy expiration time specifies the validity period of the
whitelist; the physical layer fingerprint authentication device
identifies and authenticates the currently whitelisted devices within
this period.
5.3. Blacklisting interface
This interface carries the following request and response fields:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint
authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
c) Device information
Information on the device to be blacklisted, generally including the
device MAC address, IP address, etc.
d) Authentication result
The current authentication result for that device.
Responses:
a) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
b) Policy expiration time
The policy expiration time specifies the validity period of the
whitelist; the physical layer fingerprint authentication device
identifies and authenticates the currently whitelisted devices within
this period.
c) Device information
Information on the device just blacklisted, generally including the
device MAC address, IP address, etc.
5.4. Unblacklisting interface
This interface carries the following request and response fields:
Requests:
a) Protocol version
The version of the protocol between the physical layer fingerprint
authentication device and the IoT device access gateway.
b) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
c) Device information
Information on the device to be unblacklisted, generally including the
device MAC address, IP address, etc.
d) Authentication result
The current authentication result for that device.
Responses:
a) Gateway identifier
The unique identifier of the IoT device access gateway, used by the
physical layer fingerprint authentication device when exchanging
information with that gateway.
b) Policy expiration time
The policy expiration time specifies the validity period of the
whitelist; the physical layer fingerprint authentication device
identifies and authenticates the currently whitelisted devices within
this period.
c) Device information
Information on the device just unblacklisted, generally including the
device MAC address, IP address, etc.
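The following Python simulation is added here as an example; it is not part of this draft and not the authors' implementation. It models the four interfaces of Sections 4.2 and 5 with both sides' messages: the gateway serves the full and incremental whitelists with a policy expiration time, the verifier reports status changes, and the gateway blacklists or unblacklists a device and intercepts its traffic accordingly. The field names, the epoch-seconds unit of the policy expiration time, the protocol version value and the string values of the authentication result are assumptions; the fingerprint comparison itself is outside the framework (Section 3.2 a) and is passed in as a boolean.

```python
"""Simulation of the four verifier <-> gateway interfaces of Sections 4.2 and 5.

Added example, not part of the draft.  Field names, the epoch-seconds unit of
the policy expiration time and the "legal"/"illegal" result strings are
assumptions; the fingerprint decision is passed in as a boolean.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PROTOCOL_VERSION = "1"  # assumed value; the draft only requires a version field


@dataclass(frozen=True)
class Device:
    mac: str  # device information as listed in Section 5: MAC address, IP address
    ip: str


@dataclass
class WhitelistResponse:
    devices: List[Device]
    expires_at: float  # policy expiration time (Sections 5.1/5.2 response b)


class Gateway:
    """IoT device access gateway (relying party): owns the whitelist and blacklist."""

    def __init__(self, gateway_id: str, whitelist: List[Device], policy_ttl: float):
        self.gateway_id = gateway_id
        self.whitelist: Dict[str, Device] = {d.mac: d for d in whitelist}
        self.blacklist: Set[str] = set()
        self.policy_ttl = policy_ttl
        self._delivered: Set[str] = set()  # MACs already handed to the verifier

    def _check(self, version: str, gateway_id: str) -> None:
        # Request fields a) and b) of every interface must match before any state changes.
        if version != PROTOCOL_VERSION or gateway_id != self.gateway_id:
            raise ValueError("protocol version or gateway identifier mismatch")

    def full_whitelist(self, version: str, gateway_id: str, now: float) -> WhitelistResponse:
        self._check(version, gateway_id)  # Section 5.1
        self._delivered = set(self.whitelist)
        return WhitelistResponse(list(self.whitelist.values()), now + self.policy_ttl)

    def incremental_whitelist(self, version: str, gateway_id: str, now: float) -> WhitelistResponse:
        self._check(version, gateway_id)  # Section 5.2: only devices not yet delivered
        added = [d for mac, d in self.whitelist.items() if mac not in self._delivered]
        self._delivered.update(self.whitelist)
        return WhitelistResponse(added, now + self.policy_ttl)

    def blacklist_device(self, version: str, gateway_id: str, device: Device,
                         auth_result: str, now: float) -> dict:
        self._check(version, gateway_id)  # Section 5.3
        if auth_result != "illegal" or device.mac not in self.whitelist:
            raise ValueError("blacklisting needs an 'illegal' result for a whitelisted device")
        self.blacklist.add(device.mac)
        return {"gateway_id": self.gateway_id, "expires_at": now + self.policy_ttl, "device": device}

    def unblacklist_device(self, version: str, gateway_id: str, device: Device,
                           auth_result: str, now: float) -> dict:
        self._check(version, gateway_id)  # Section 5.4
        if auth_result != "legal" or device.mac not in self.blacklist:
            raise ValueError("unblacklisting needs a 'legal' result for a blacklisted device")
        self.blacklist.discard(device.mac)
        return {"gateway_id": self.gateway_id, "expires_at": now + self.policy_ttl, "device": device}

    def forward(self, device: Device) -> bool:
        """Interception (Section 4.2.3): only whitelisted, non-blacklisted devices pass."""
        return device.mac in self.whitelist and device.mac not in self.blacklist


class Verifier:
    """Physical layer fingerprint authentication device (verifier)."""

    def __init__(self, gateway: Gateway):
        self.gw = gateway
        self.tracked: Dict[str, Device] = {}      # whitelisted devices under authentication
        self.reported_illegal: Set[str] = set()   # devices this verifier had blacklisted
        self.policy_expires = 0.0

    def sync_full(self, now: float) -> List[str]:
        resp = self.gw.full_whitelist(PROTOCOL_VERSION, self.gw.gateway_id, now)
        self.tracked = {d.mac: d for d in resp.devices}
        self.policy_expires = resp.expires_at
        return sorted(self.tracked)

    def sync_incremental(self, now: float) -> List[str]:
        resp = self.gw.incremental_whitelist(PROTOCOL_VERSION, self.gw.gateway_id, now)
        self.tracked.update({d.mac: d for d in resp.devices})
        self.policy_expires = resp.expires_at
        return sorted(d.mac for d in resp.devices)

    def report(self, device: Device, fingerprint_matches: bool, now: float) -> Optional[str]:
        """Submit a legal/illegal status change to the gateway; returns the interface used."""
        if now >= self.policy_expires:
            raise RuntimeError("whitelist policy expired; request the whitelist again first")
        if device.mac not in self.tracked:
            return None  # not whitelisted, so nothing for the verifier to authenticate
        args = (PROTOCOL_VERSION, self.gw.gateway_id, device)
        if not fingerprint_matches and device.mac not in self.reported_illegal:
            self.gw.blacklist_device(*args, "illegal", now)    # legal -> illegal (4.2.3)
            self.reported_illegal.add(device.mac)
            return "blacklisting"
        if fingerprint_matches and device.mac in self.reported_illegal:
            self.gw.unblacklist_device(*args, "legal", now)    # illegal -> legal (4.2.4)
            self.reported_illegal.discard(device.mac)
            return "unblacklisting"
        return None  # status unchanged; no message is sent
```

Two checks in this model are worth keeping in a real implementation: the verifier refuses to report on a device once the policy expiration time has passed and must re-request the whitelist first, and the gateway rejects a blacklisting request for a device that is not on its whitelist, so a misbehaving verifier cannot use the interface to block arbitrary traffic.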
6. IANA Considerations
This document includes no request to IANA.
7. Security Considerations
This section addresses only the security considerations associated with
the use of the physical layer fingerprint access authentication
framework. It is necessary to ensure that the IoT device access
gateway and the physical layer fingerprint authentication device are
in a secure and trusted environment, and that the interface between
them is protected by the trusted channel of Section 4.1 and the
authentication required by Section 3.2.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
8.2. Informative References
[I-D.dawei-access-authentication-physical-layer]
Fang, D., Hu, A., FU, H., and Y. Jiang, "IoT Access
Authentication Framework based on Radio Frequency
Fingerprint and Fingerprint Expression Specification",
Work in Progress, Internet-Draft, draft-dawei-access-
authentication-physical-layer-00, 16 February 2022,
<https://www.ietf.org/archive/id/draft-dawei-access-
authentication-physical-layer-00.txt>.
[I-D.linning-authentication-physical-layer]
Peng, L. and A. Hu, "Authentication by Physical Layer
Features", Work in Progress, Internet-Draft, draft-
linning-authentication-physical-layer-00, 8 October 2018,
<http://www.ietf.org/internet-drafts/draft-linning-
authentication-physical-layer-00.txt>.
[Ref_1] Danev, B., Zanetti, D., and S. Capkun, "On Physical-Layer
Identification of Wireless Devices", ACM Computing Surveys,
DOI 10.1145/2379776.2379782, 2012,
<https://dl.acm.org/doi/10.1145/2379776.2379782>.
Authors' Addresses
Hao Fang
Upsec Inc.
No.9 Mozhou Donglu, Jiangning
Nanjing
JiangSu, 211111
China
Email: fanghao@upsec.cn
Hua Fu
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China
Email: hfu@seu.edu.cn
Ling Jin
Upsec Inc.
No.9 Mozhou Donglu, Jiangning
Nanjing
JiangSu, 211111
China
Email: jinling@upsec.cn
Yu Jiang
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China
Email: jiangyu@seu.edu.cn
Aiqun Hu
Southeast University
No.2 SiPaiLou
Nanjing
JiangSu, 210096
China
Email: aqhu@seu.edu.cn